Below the Surface – S1E8
[00:02:17] Hello and welcome to Below the Surface. I am your host, and we have a great show lined up for you today. But before we get started, a quick reminder that you can ask any questions or leave a message in the comments section below. As some of you may be aware, it is Cyber Security Awareness Month this month, so today's show is in honour of this. Over the month of October, we have seen infosec experts provide helpful tips and tricks to ensure we are all more cybersecurity aware. So as the wrap-up to the month, and to share some more advice, I would like to welcome to the show Dennis Dillman. Dennis is the VP of Product Management for Security Awareness at Barracuda. In this role, he has been responsible for the rollout of an entirely new training programme for the PhishLine platform, and he's worked with Fortune 100 companies to design and improve their security awareness programmes. Welcome to the show.
[00:03:12] Dennis, thanks. It’s great to be on the show. I appreciate you having me on.
[00:03:18] Thank you for joining us. It's great having you on. So, on the theme of Cybersecurity Awareness Month, can you tell us a little bit about what it is and how it all started?
[00:03:28] Yeah, so Cyber Security Awareness Month.
[00:03:34] 16 years ago, 17 years ago.
[00:03:45] It actually used to be called National Cybersecurity Awareness Month, but the need for cybersecurity awareness is global, so they just got a national moniker. What else can I share? It's a joint effort between the National Cyber Security Alliance and the federal government, the Department of Homeland Security in particular. So it's a joint effort, private and public sector, and the National Cyber Security Alliance is a collection of organisations that put together the materials and the training effort. Back in 2004, it was really tame stuff compared to what they do today. Things like update your virus signatures and change the batteries in your smoke detectors, stuff like that. And now obviously they talk about all sorts of different stuff, because the security environment that we all work and live in is so much more complex.
[00:05:06] No, it's definitely a hot topic, and it's amazing to see how it has grown. A really great initiative. I mean, cyber security is part of all of our lives, so you know how important cyber security has become since the launch. It's really amazing to see. So each Cybersecurity Awareness Month has a theme. Can you tell us a bit about what this year's theme is?
[00:05:27] So the overarching theme is Do Your Part, #BeCyberSmart, and it's composed of four different weekly topics within the month of October. So at the start of the month, it was If You Connect It, Protect It, emphasising education around the idea that any device that is connected to the Internet, or connected to a device that's connected to the Internet, is a potential source of risk, and that you need to be aware of that. You need to be careful about these things that you're putting on the Internet and potentially making available to bad guys. And then there was Securing Devices at Home and Work, which is week two. That was really motivated by the whole pandemic crisis that we're all facing. There's always been people who work from home, but now so many more people are working from home, so we focussed on the new risks that people face because they may not have worked at home before, or certainly not worked at home as much. So that was week two. And then week three was actually more industry specific. It was Securing Internet-Connected Devices in Healthcare. And the reason that they focussed on health care is that the health care industry has so many devices. You walk into a hospital, right, there's the devices that monitor your heart rate, your blood sugar, your weight, all these things that are constantly plugged in, have very sensitive data, and they're connected to Wi-Fi. So Barracuda has a product that's a firewall for the Internet of Things, if you've heard that term, Internet of Things. That's the problem that's uniquely challenging for health care, because of that quantity of devices and the need to get to that data, they've all become network accessible. And then finally, this week is The Future of Connected Devices. So what is in the future for all of these devices, all of our portable computing devices, like your tablets, your cell phones? What does 5G mean for the devices that you have? What is 5G going to do? Is it going to replace Wi-Fi? Is it going to accelerate data transfer? Is it going to create unique security problems? And all of those forward-looking questions about the future state of connected devices.
[00:08:29] I mean, all of them seem like such relevant things: connected devices, working from home, which has been such a big thing over the pandemic, and obviously the health care. I mean, we've all seen the importance of it at this time. So all of that is definitely something to be aware of when we're thinking of cybersecurity. I mean, you must have seen some changes in cybersecurity and around awareness. How has the concept of security awareness changed throughout the years?
[00:08:55] A lot. So if you go back to the beginning of Cybersecurity Awareness Month, even as late as 2004, security wasn't a problem that the employees dealt with. Security was a problem that the IT department dealt with. And so all of the security training, to the extent that there was any, was about how to lock down servers, how to put in firewalls, all of these things that the IT department did. And it usually wasn't something that the employees ever did, right? One of my first jobs was as a network administrator, and employees did whatever they wanted, and they didn't feel like it was their responsibility to be safe. And that has changed dramatically. So this month's theme is Do Your Part, and it's focussed at the individual employees. And I think almost all employees recognise that they need to have good behaviour. They may forget, they may fall victim to a scam, but if you ask them in a calm moment, they would recognise that they need to do more. They need to be more aware of the risks that the organisation faces and how they can help. So now company-wide training is very prevalent. So fast forward from 2004 to 2011, when PhishLine came into existence. We were one of the very first security awareness companies, because the market had finally grown to a point where companies were recognising the need to train their employees. But it was still a very small market. And our first customers were all Fortune 100 banks, financial organisations, health care organisations. So they were big, they were well funded and they were high risk. They were being actively targeted by the bad guys. So those were our first customers. But from 2011 to now, we have thousands of customers. We have customers that are as small as five employees and customers that have more than five hundred thousand employees.
And that explosion in growth, where every company is recognising the need to train their employees, is a huge difference. It just wasn't something that was very common at all when I started, and now it is very common. And part of the driver of that is increased awareness generally, but also a lot of auditing firms are enforcing various regulatory standards, or other standards that have been imposed, like PCI payment industry type standards. They all mandate security awareness. So even if you're a tiny company that takes credit card data, you need to do security awareness training.
[00:12:06] I mean, it definitely sounds like a positive shift from where we were in 2004 to where we are today. It's so great to hear organisations are now taking cyber security so seriously. But what is the reverse? What is the consequence of not reinforcing security awareness amongst users?
[00:12:25] Well, the big issue is backsliding. People get exposed to training, maybe your organisation only does training annually or what have you, and the idea that people forget, that people backslide and begin to behave in a more risky fashion, isn't a character flaw. All of us have distractions in our life. We have one hundred things to do on any given day in our job. We have pressures from the family and organisations that we volunteer at and everything else, and we have to prioritise those. And so if you don't keep pushing security to the top of the queue, so to speak, people are going to make it back of mind. They're going to forget about, oh yeah, I should be doing this, I should be engaging in this behaviour, and in your rush to get your job done and everything else, you start taking shortcuts. So that's the risk, that people will begin to forget about good security practises. And I'll give you an example. So we had a mid-sized organisation, one or two thousand users, I don't remember exactly how many. They had a great story. They had a 17 percent click rate, right? So clicking on a suspicious URL is a bad thing, and 17 percent of people in one exercise clicked on those suspicious links. Over the course of two years, they got that number down to, I think, three percent, single digits. They got it way down, and then they had some budget issues. And the individual who was responsible for those exercises left and was not replaced, and the position wasn't replaced for 13 months. So not that long, one year in fact, and the first campaign they ran after they got back was a 21 percent click rate. So they had given up all that ground, and 21 versus 17, that's pretty similar. The point isn't that it got that much worse, because click rates can be
not very specific metrics, but they went from three to 21 in the course of a year, and they were going to have to work on getting people reacquainted with the good behaviours that they needed to engage in in order to help protect the organisation. And if people are engaging in these risky behaviours, you open yourself up to enormous risks as an organisation. Depending on which study you read, the likelihood of a breach is directly related to an email threat of some kind, 70 to 90 percent likely that the breach was caused by some threat brought into your organisation via email. And we sell a great gateway, and there's lots of other great email gateways out there, but they can't protect against everything, especially since the email doesn't have to be obviously dangerous to actually provoke bad behaviour. So Barracuda has analysed billions and billions of emails in its existence, and as a result of that analysis they've been able to create a list of threat types. And we have fairly extensive materials available for the 13 most common email threat types, from relatively harmless at the spam side to very dangerous spear phishing and business email compromise and takeover. So we have a lot of good material out there. And PhishLine has training available for each one of these 13 threat types. There are specific checklists that you can follow in order to protect your organisation against these types. Those are available at barracuda.com. But that's what you're exposing your organisation to, and each year it's an exponential growth in the financial damage that these attacks are doing. So it's not just reputational, hard-to-quantify risks. It's real financial damage, in the hundreds of millions now, that organisations are facing, and you read about them every day: this city had a ransomware attack, they paid one hundred and fifty thousand dollars to the attacker, and so forth. You hear about it all the time.
So it's a real risk. And you want to make sure your employees are participating in the defence against these threats and not simply passive victims of these attacks.
[00:17:46] And I mean, I agree, it really is everyday news. You hear about business email compromise or spear phishing a lot when you're talking about breaches that happen. But also the challenge between productivity versus security is always that a lot of people just want to get the job done and don't always naturally think about security first. So talking of that, there's a lot of buzz around the idea of building a security culture within an organisation.
[00:18:10] I mean, so a security culture is a culture that puts security at the top of the list of things that organisations worry about on a day-to-day basis. And it doesn't mean the IT department. It means all of the employees, and specifically the management of the organisations. So from the top down, you have an organisation putting security first. The reason you want the security culture isn't because it looks good or whatever. The reason you want a security culture is that it makes your organisation far more resilient to the standard risks and threats that an organisation faces. So let's start at the top. Let's talk about the fact that you need executive management and you need your regular line managers all involved in security. If you see them engaged in bad security behaviour, you're going to have a hard time convincing your employees that they need to have good security behaviour. Right. So it's got to be top down. Let me give you an example. Let me anonymize this in my head. So a major Midwest sports franchise that everybody's heard of was purchased by some very wealthy individuals from out of state. And in the weeks following the purchase, some guy on Yahoo! email was able to find the names of the people in the payroll department at the sports organisation and sent them an email, from like John Smith at yahoo.com. There was nothing convincing about this email whatsoever. So he sends the email and he says, I'm being audited, I'm in the office with the auditors right now, you need to send me the W-2s and the 1099s for everybody, as a PDF, to this email address as soon as possible.
When you're in an organisation where the executive management has no problem breaking security best practises, you're more vulnerable to that kind of attack, because now you're thinking, if I don't deal with this, maybe I'm going to get fired or get in trouble.
[00:20:52] So they sent all of the PDFs. That's every big-time athlete that ever played at that sports complex over the past year. So it was everybody, and they got exactly what they were paid and all this information. And again, this was a lousy phish. You know, they signed it with the new owner's name, but other than that, it was completely unconvincing. All of the telltale signs of risky, suspicious information were present in the email. It didn't have a link. Right. There was nothing for an email security programme to detect. It was just an angry guy yelling to get something. And if you work in an organisation where an angry guy yelling to get something works,
[00:21:45] you're vulnerable. So a security culture has to be pervasive. It has to affect everybody. And it's not just bosses, it's the leaders of the organisation. Like if you're at a hospital, the doctors and the surgeons, they need to have good security behaviour. If you're in a law firm, lawyers need to have good security behaviour, because they're leaders. They may not be your boss, but they're the leaders. And if they're not held accountable, well, why should I be held accountable? That's kind of what they mean when they say a security culture. So no exceptions. Everybody is engaged in good behaviour. Everybody's holding other people accountable for good security behaviour. And as a result, you're way more resilient to what might otherwise cause risk to your company. So, for example, if you're migrating from on-premises Exchange to Microsoft 365 in the cloud, at a lot of companies that would be seen as an IT problem, right? That's just the IT department, and they need to worry about it, and I'm just going to continue like I always have. But the problem is that it's not just moving physically where the data is located. It's moving the type of storage structure that the data is located in. It's in the cloud. It's not on a physical server somewhere. So the way you get access to the email is different. It's easier to spoof a web page of an email cloud service than it is to spoof the authentication to a data centre server. One of the most common phishing emails that we have on our platform is an email that looks a lot like the Microsoft 365 login page. Right, you don't have that login page when you're using Outlook against a server in a data centre that's right next door. So that kind of cultural awareness, where everybody's asking, what does this mean for me security-wise? What kind of training do we need to send to people, making them aware of these risks? It makes people ask, how is my data being backed up?
There used to be a backup server right next to the email server, but now it's in the cloud. Our backup server can't back it up. How do we back it up? Right. Barracuda has Cloud-to-Cloud Backup. That kind of product may not be something that people think of if they're not in that security culture mindset. So those are just some examples of what I'm talking about. But it's creating this pervasiveness to security awareness that makes people assess how they do their job, how they interact with their colleagues, how they interact with vendors. That's what a security culture is all about.
[00:25:06] So, I mean, the security culture is there, and you've worked so hard as an organisation to build that up, but then you have something like the pandemic we're in today and it's all remote work. How does that affect security?
[00:25:23] Well, the security culture is still going to help, right, because in these frantic meetings back in March, when organisations were like, oh, we need to get people set up to work from home, at least the question will come up: what does this mean for security? And what does it mean? There's lots of things, we could go spend an hour just talking about covid. But boiling it all down, you've got increased access by family members or roommates that maybe have the ability to see sensitive data, increased use of personal devices and personal networks, and most of all, increased levels of distraction. Several conversations I've had with some more senior types, more well-compensated types, where it's a bit of a light bulb moment for them, where they say, oh, you mean not everybody has a dedicated home office that they can go into and shut the door? So a lot of these people, I mean, Barracuda is located in Silicon Valley, right, where housing is ridiculously expensive. People are working at their kitchen tables, and pets running around. And there's the family, people asking them to do chores in the middle of the day. There's roommates making a mess. There's all sorts of distraction and risk. And if you look at the surveys associated with people's risky behaviour, like, we noticed that you clicked on this dangerous link in this last email, why did you do that? The most common response is, I was distracted, followed by, I was in a hurry. They're kind of the same thing. So those are the biggest causes of bad behaviour, even in somebody who's been properly trained. And making people work from home dramatically increases the rushed feeling and the levels of distraction that your employees are facing. You're going to have a much higher level of overall risk in your organisation.
And I'm not even getting into the mechanical security components, like, do you have a good enough home firewall, and all these other really technical questions that also need to be answered. But just in the behaviour and the awareness of the employee sitting at their kitchen table with everybody bugging them. That's the issue, and it's important for it to be a cultural issue, so that you don't have one person who might be better off than everybody, who has a dedicated office and doesn't understand what the rest of their staff might be going through. This has never come up. It's like, well, 80 percent of the people go to the office every day, I don't have to worry about whether or not they're doing work at their kitchen table. So that's the kind of thing that covid creates, without people being immediately aware that covid is creating this extra risk for the company. And if you look at the Cyber Security Awareness Month topics, you can see that each one of them, except for maybe the health care Internet of Things one, they're all related to that idea of awareness individually, that you might need to change your behaviour because of your new working conditions.
[00:29:07] And I think we can all definitely relate to the disruption of everyone having to go remote. And, you know, it's not just you alone working at home. Everyone else is there with you, kids, pets, partners, and you're trying to balance that all. I think that's a reality for a lot of us nowadays.
[00:29:27] I was just going to say I'm very lucky. I just moved to a different house, and luckily in my new house I have a dedicated home office. But in my old house, I came to the office every day specifically because I had a hard time dealing with the distractions. Right. And if I'd still been at that old house, I would have been wrestling with those while trying to do my job. And that's tough.
[00:29:52] Yeah, it is tough just to do your job, let alone think about security. So we had a comment from someone who said, you know, people don't really realise about security until they're hit, and you don't see the importance of it until you've actually had that experience. And so we've talked about what happens if we don't take security awareness seriously. Remote working should really raise our game a bit more. We need to be more aware of what's going on and understand what employees are going through. So in practise, what does security awareness look like?
[00:30:30] It varies from company to company, and I think the idea that most people have in their mind about what security awareness is, is a security training video. Right. You've got to watch a video. You've got some guy talking at you, or there's a cute animation, or whatever it is. And that's security awareness. And there's some great training videos out there. PhishLine has three or four dozen different videos on various topics. We try to keep it interesting and short, but it doesn't really matter how short and engaging the videos are. People resent them, and it's just a fact of life. And part of it is there's a lot of really bad videos out there, too, and they can go on for literally hours. My background is big financial organisations. That's where I worked before joining PhishLine, and we had a mandatory forty-five minute security awareness training video that we had to watch every year. And it was the same video every year, and you couldn't pause it, you couldn't fast forward it, you had to watch it. It was awful. You couldn't even remember what they were talking about 15 minutes earlier in the video. So for adult learners, especially in this day and age where there's YouTube and there's Vines and there's all these other types of videos out there that are really short, really engaging, how do you cut through that noise? So even at their best, people want to avoid videos. And there's another trap that videos can have when they're really clever, which is kind of the Super Bowl commercial trap. So in the US, you have this big sporting event called the Super Bowl, and a lot of people watch it not for the game, but for the advertisers. And there's all this discussion after the game is over about the advertisements. And people are like, oh yeah, that one was really funny where the guy fell off the ladder and whatever. And they're like, yeah, what product was that for?
And they're like, I don't know, soda, I think, maybe. And the really clever training videos can have that problem too, where you're like, oh yeah, that was actually pretty good, the guy wandering around in a bathrobe, and they're like, well, what did he tell you not to do? And you're like, I can't remember. So I'm saying videos are tough, right? I get it, they're mandatory, sometimes frequently mandatory. But what I am a fan of is what we call in-the-moment training. And it's not a video. You can supplement it with a video. But here's what it is. You send out a social engineering email or an SMS message. And some people click on it, and the people who click on it are taken to a landing page that tells them, you've been phished, or whatever. And it has a picture of the email, and next to the picture it has: you should have noticed this suspicious URL name. You should have noticed the suspicious email domain. You should have noticed the fact that this was really bad English and probably not professional communication. Whatever it was, specific to that email, they would point out. So it's this little education moment. And believe it or not, the little shot of adrenaline that you experience when you've dodged a bullet, you didn't actually get ransomware on your computer, is helpful for retention in all learners, including adult learners. So a little shot of adrenaline. You get a message. It's informative. And from an organisational perspective, the really positive part is that only the people who need the training get the training. Only the people who engaged in the risky behaviour get the landing page with the instructions that they have to read. And even the people who get the training, you know, they spent 30 seconds reading it, maybe.
[00:34:55] And it's very low impact, and it allows you to be much more frequent with the training. Weekly is, I think, the ideal, where at any given time you might get one of these emails, and it makes you more vigilant, it makes you more aware. And that's the whole point of all of this, to make people more aware of the risks that they face and to be more vigilant about dealing with those risks. So you can make this fancy or simple, if you like. We pull in real-world threats from the Barracuda database and we make those available as templates that people can use in their campaign. So it's as real as you can get. But I also recommend using some really sloppy-looking training and mixing it up, so that it's not a big burden. You don't have to make it this elaborate Photoshopping exercise. You can just grab one of our templates, we have over a thousand templates, grab one of our templates and send it out. And you're not trying to create an elaborate risk matrix. You're just trying to get this idea, that the organisation is under constant attack, stuck in people's heads, and change that risky behaviour, eliminate that risky behaviour. One last thing about that. Two more things, I promise. The first is that, because these individuals self-selected into a group, right, they've engaged in risky behaviour, now you know who they are, and they got a little bit of training with that landing page. But you can then follow up with more phishing attempts to see whether their bad behaviour is really repetitive or just a bad moment. You can also send them training now, training videos. Right.
[00:37:04] More clear conscience about the time they spend watching it, because they self-selected into that group. And you don't have to waste everybody's time when they've already got good behaviour. You only need to spend time, or have those users spend time, that engage in the risky behaviour, in which case it's not a waste of time. And then one other thing on that note is I really recommend avoiding any kind of gotcha moment, a wall of shame, or any kind of name-and-shame attempt, anything like that, because adult learners in particular do not respond well to negative reinforcement. Right, it breeds resentment, it creates an us-versus-the-security-team kind of atmosphere at the organisation. If you're doing these in-the-moment training exercises, keep them pure, unless in the process of doing them you identify people who repeatedly engage in risky behaviour. And if you have the need to engage in disciplinary action, you handle it privately, and it's completely separate from the general environment that everybody's working in. You can do positive stuff, but don't do negative stuff with your employees.
[00:38:30] OK, I mean, that makes total sense, and it feels like, I guess, a bit like a journey. You're taking your users on a journey so that they really understand why they need to look out for different types of emails, and those moments where they can get distracted. So then on the other side, what are some of the common misconceptions about security awareness?
[00:38:52] OK, so here are the three things that I deal with almost daily. The the impression that click rate is the only metric that matters, you can’t see my hands, the click rate is the only thing that matters, that yearly training is sufficient and that you have to make the simulations really, really good, really, really hard. You’re going to you’re going to catch a lot of people with your simulations. Rate is valuable, it is a valuable metric for determining organisational risk, but click rate is not the only metric. And if you make it the only metric, you’re going to you’re going to create some perverse incentives. And examples of what I’ve seen are organisations that literally send the same email over and over and over again so that everybody has seen it, everybody recognises it, and they never click on it. And they can say, hey, look, we reduced our click rate by ninety nine percent or whatever, and it’s it’s dangerous because it creates a false sense of security. Having that kind of training where they really can identify one email or your employees can really identify one email, it’s like having a virus scanner that can only identify one virus. Right. You need people to be flexible. You need people to be looking for general indications of risk so that they’re responsive to any risky email. They’re not just trained to identify one thing. And the example I’ll give here is we had a really big health care organisation here in the Midwest that had a meeting with us. And they’re like guys within three campaigns recently. And the click rates, 10 percent. Are we done? And the the idea that someone came up with on my team was let’s let’s switch it up, let’s send them an email that they’ve never sent before. And it was called we call it ice fishing, it’s its internal communication emulation, so these emails can be really effective because they get people. 
Angry they make people want to engage and deal with the problem, and the examples I can give are your email has exceeded the storage limit of this organisation. We’re going to stop the email connectivity unless you fill out this form. And ask for more storage or your web browsing has violated the firm’s electronic use policy. Fill out a form and justify why you were going to Amazon over lunch. Or whatever. And it makes people instantly angry. It’s completely routine. Everybody gets these emails so they don’t they’re not suspicious right there. Their alarm isn’t up and they click. And this company went from 10 percent to kind of standard generic external attacks to this, which was 40 percent. And it wasn’t just a fluke, it actually resulted in really big changes to that organisation’s policies and procedures, and that’s one of the things you lose when you focus on click rate, is that you’re so worried about keeping your click rate down. You don’t probe your organisation for weaknesses. And that’s what you should be doing, like a like a some kind of vulnerability scan. That’s kind of how to look at it as you’re conducting a vulnerability scan on your employees and you’re saying, oh, this email is really causing a lot of problems. Let’s change our policies and procedures to deal with that kind of email or increase our training or whatever it might be. And so tied to that idea of focussing on click rate, you know, is this idea that yearly training is sufficient or that you can even be done with security awareness? It can’t be done yearly isn’t enough. We talked about that example earlier. So you’ve got to really make sure that you’re you’re probing your employees with frequent campaigns and a variety of campaigns so that you’re you’re really probing the risks that your organisation might be facing. And the last thing is this idea that you need to make the simulations really hard. Again, there’s a lot of value in a bad fish. 
And the reason there's a lot of value in a bad one is the people who have the highest level of risky behaviour are the people who are going to click on that bad phish. Right? Everybody else is going to ignore it, but the risky people are going to click on it. And so you get a much more targeted group of people that you can focus on improving. You know, it's Bob in accounting. Bob clicks on everything. Sheila will click on anything with a kitten in it, or whatever it is. Those problems are your organisation's biggest point of risk. Not only does the employee engage in bad behaviour, but they're far more likely to have other bad behaviours. Right? So, the age-old Nigerian prince scam. Why does that email still exist today? You know, give me your bank account information so I can send you money. Why does that work? Because if you're dumb enough to fall for the Nigerian prince scam, you're also going to be dumb enough to give them your bank account information. They call it a constellation of risk. And constellations of risk tend to cluster on certain individuals: they don't have the antivirus up to date, they haven't patched their computer, they click on risky URLs, and bang, ransomware. There you've lost all sorts of valuable data. So making a quality phish and using one that's really sophisticated is great, and it definitely has its purpose, but it can also be time-consuming and it might make you less likely to send out email training. So I caution people about that: you don't need to create this convincing situation. You can send out any old phish. And sometimes the worse it is, let me rephrase this, the worse it looks, the better it is, because it gives you more information about risky behaviour in your company. That's my theory.
[00:45:40] I'm sure a lot of people will find that useful information. So, thinking about those kinds of risky behaviours and users, what are some things you find most effective to help users behave more securely?
[00:45:53] All right. I'm going to sound like a broken record, but I'm practising what I preach here when I say educate often, repeat, reinforce the training. That doesn't mean you send people a 15-minute video every week. It doesn't even mean you send them a video every week. But you do something often enough, I would say at least monthly, ideally weekly, where you're constantly poking at the attack surface of your organisation. You're mixing it up: different types of emails, all of the thirteen threat types. You're using SMS, you're using voice attacks too, to see where your vulnerabilities are. You're using security awareness as a vulnerability scan, and in order to do that, you've got to do it often. Yearly isn't enough.
[00:46:47] No one would ever scan their servers once a year for threats. So that's number one. You need an engaged management team, and this isn't just, oh, well, my boss is good about hiding the password, so that's great. That's kind of like the bare minimum.
[00:47:10] An engaged management team will also make resources available, and it doesn't need to be hundreds of thousands of dollars or anything like that. But little rewards, an incentive to go along with it.
[00:47:23] So if you say every month we're going to have a raffle for a twenty-five dollar Starbucks gift card, or whatever it is, and the only people who get to be in the raffle are people who have reported one in the past month.
[00:47:37] Right. So we're going to be sending out one a week.
[00:47:40] If you report them, you get entered into the raffle, and you get entered in every time you report one of these phishing campaign emails. That's what they call positive reinforcement; naming and shaming is negative reinforcement. Giving people little treats and rewards is positive reinforcement.
[00:48:03] Maybe it's a pizza party. Once we can all return to the office, we can have a pizza party, and those kinds of things, they're little. They're not significant expenses. And with an engaged management team, you should have the resources that you need to create those incentives and reward people and encourage people. I also encourage you to tap into the natural human desire to compete, and have contests. So you're doing the opposite of naming and shaming: you're naming, but you're not naming individuals.
[00:48:37] I don't ever recommend naming individuals, but you can say it's accounting versus the legal department this week. And whichever department has the lowest click rate gets some sort of recognition, right? They get a travelling trophy. They get, like I said, a pizza party, the casual Friday, whatever it is. Right? You don't even have to spend money to make it successful, but you're tapping into that competitive thing, and secretly you're making clicking and not clicking and reporting emails part of their day-to-day life. Right? Because they look at that intranet page, they look at the bulletin board with the results on it.
[00:49:26] And because they're doing that, they're aware of clicking, they're aware of dangerous emails, but it's totally subconscious, because they don't really see that. They just see the competition, you know: oh, our click rate is 12 percent, we need to be more aware; they've reported more emails, we need to report more emails. That's exactly what you're trying to do, is increase awareness. So enough said about that. I think if you've ever been at an organisation that's done a United Way campaign, to get people to donate to the charity United Way, you'll see they have all these same types of motivators for the organisation to use to drive up the level of participation in that. So I highly recommend looking at that as kind of a role model for security awareness. And then the last thing I would recommend is almost a tip, but don't use security awareness just for basic security awareness, right? This is a phishing email here, don't click on this phishing email, and beware of strange landing pages, and all these other types of topics that every organisation fights. That's great for that. Don't stop using it for that, but you've got the issues that are specific to your organisation. So, are you moving from one building to another building? Right, use security awareness to inform people about the risks that are unique to that situation. Right? There's going to be strangers. There's going to be open doors. You need to be mindful of the clean desk policy at your company, so these strangers walking through these open doors don't see sensitive information; make sure you lock your screen, et cetera, et cetera. Periods of change in an organisation are periods of increased risk, and so those events: layoffs, mergers, acquisitions, building moves, or restacks, as they're called, in a big office building where you're changing floors. It's exactly like a building move. These are all situations that have their own unique security problems.
And you should use the security awareness tool that you have to help educate people about those unique risks, and the fact that, just the fact that the event is happening represents increased risk for your company. And they're also distracting, and remember what I said about distractions earlier: if you have distractions, people are more likely to do something silly. So all of those things are risks. Use the tools, whatever tool you're using, to help you address the unique situations confronted by your company. And that would include COVID. That would include a natural disaster. All of these things are potential issues you can use security awareness to help you deal with.
[00:52:37] Thank you. So, I mean, we could talk about this, I think, for a lot longer, but unfortunately we have run out of time. So as a final point, what resources can you offer that people can leverage to help strengthen their user awareness? And also, any last final thoughts and tips?
[00:52:53] Yeah, one powerful document that I use when working with a prospect or customer is the DBIR, the annual Verizon Data Breach Investigations Report. And the reason that's so valuable is it's kind of a neutral party. Right? So whether you're looking at our product or anyone else's product, any data that I give you that has Barracuda stamped on it is going to be suspect to management that might be approving the budget. So instead, third-party data that supports these important security concepts, like 90 percent of breaches happen as a result of an email-borne threat, or social engineering in an email, that the average dollar value of an incident is X, and so on and so forth. All of these are incredibly valuable tools for you to educate yourself, but perhaps more importantly, in some cases, to educate your management team. Having a very reputable, large telecommunications company that's not trying to sell you something provide you with that data can be very valuable. We have such a cool site, campus.barracuda.com. I can't emphasise enough how wonderful the resources are there. If you go to the PhishLine product page underneath Barracuda Campus, we've got a ton of our videos available. We have a monthly newsletter called Click Thinking, and the issues of that are available, the threat-spotting sheets for the 13 email threat types. Those are available under PhishLine. Make sure you look at the resources and documents tabs on that page. That's where you find them. We have a bunch of videos explaining what the various thirteen threat types are. And the other thing that I think in general people should be aware of from Barracuda is our email threat scanner, the ability for you to assess your organisation for free and get a sense of what kind of vulnerabilities you might be currently exposed to. It's extremely valuable and it's free.
So it's something that you can take advantage of, and I strongly recommend that people take advantage of that. But campus.barracuda.com, of course, it's all a bunch of great stuff. There's blogs out there; I have one on ICE phishing, I mentioned that earlier. I talk about ICE phishing in that blog. There's lots of other great topics that are discussed. So those are the two resources off the top of my head that I would recommend: Barracuda Campus and the Verizon Data Breach Investigations Report.
[00:55:59] Thank you. And if you are looking for any of those links, they are in the comments section below as well. Before we let you go, Dennis, any final tips or advice for those watching?
[00:56:09] Well, yeah, you asked me that. I'm going to say it again. Educate often. Don't feel like you're trapped with training videos, so educate often and use those in-the-moment trainings. I'm sure the other companies offer something like that, but use a lot of in-the-moment training tests, and don't be afraid of doing something kind of corny with positive reinforcement. You know, the raffle for a twenty-five dollar gift card, or whatever it may be. Positive reinforcement is effective with adult learners; try to incorporate positive reinforcement, even if it's something as simple as an email from the CEO. Right? That goes to the select group of people who engaged in the right behaviour. You know, even that, it's totally free and will have a positive effect. Do not, I can't tell you how many times I've seen this in my life, do not underestimate the power of even small positive reinforcement in changing people's behaviour. Those are my two tips.
[00:57:18] Thank you very much, Dennis. I really appreciate it. It's been an awesome conversation. Thank you very much. So I hope you all enjoyed today's show and have gained some tips on staying safe. Remember, you can watch all of our LinkedIn Live shows from the Barracuda LinkedIn page. Make sure you carry on doing your part and being cyber smart beyond the month of October. Thank you for joining today's show. Until next time, have a safe journey.