HITT - Enhancing cybersecurity through email training and awareness - Nov 5, 2024
This HITT focused on email security and remote user protection, especially in light of the rising cyber threats. Experts Jason Stein and Jeff Hathcote discuss best practices for safeguarding digital communications, highlighting the prevalence of phishing attacks and the need for organizations to prioritize employee awareness. The training advocates for engaging methods that encourage full organizational participation and leadership involvement to foster a strong security culture. It also stresses the significance of using unique passwords, password management tools, and continuous education to combat evolving cyber threats. Ultimately, the video underscores that no organization is immune to phishing attacks and that preparedness is key to mitigating their impact.
Introduction to Email Security Training
Let’s begin today’s call with our high intensity tech training all around email security and protecting the remote user. It’s one thing to protect against phishing and other attacks generally, but you start adding the remote work environment to the mix, and it is an entirely new set of vulnerabilities.
We’re gonna look today at best practices for safeguarding digital communications that advisors should be sharing now with clients. We brought in our cybersecurity experts, VP Jason Stein, solutions architect Jeff Hathcote. They join us for today’s training. Welcome to you both. Jason emailed me this morning, and, of course, I immediately quarantined it. How good is that?
Hey, Doug. How are you?
I’m doing well. Thanks.
I’m bummed I didn’t get to hear last week’s episode with the daughter celebration.
I know. We talked a little bit about the World Series last week. Unbelievable. There’s a lot going on in the last week and a half. Who were you rooting for?
I mean, I’m a born and raised SoCal kid, so I’ve been waiting for a true championship since 1988. It’s pretty awesome to see that happen, and very similar, with Kirk Gibson and Freddie Freeman ending things the same way. I don’t know, that last game, if the Dodgers really won or if the Yankees may have beaten themselves.
Personally, I was hoping both teams would lose.
I don’t think they would, probably.
It was pretty fun to see. Jeff and I were talking about it. I don’t know why people celebrate and have to set things on fire, but, oh, well, what are you gonna do?
So we got election day. We have the NFL trade deadlines today.
Yeah.
And then it’s National Red Hair Day for those of you who have red hair. We got a lot going on today. So very excited to be with you today.
And remote workers are probably gonna get email about every single one of those topics.
Exactly. Exactly.
Transition to Security Awareness Training
See how I did that there?
I love it. So, well, today, we wanna talk a lot about, what’s happening from a security awareness training, email security, don’t click on that, phishing. So, Chandler, let’s jump right in.
I love talking about stats.
And, you know, some of the stats that we wanted to talk about today: global cyber attacks have increased by 30% just in Q2 of 2024, reaching 1,600 attacks per organization per week, which is a lot if you think about it. And most organizations are very understaffed.
Then, you know, phishing is still the most common form of cybercrime.
We have something close to 3.4 billion spam emails sent out every single day. You know, Google is just one. A lot of us have Gmail. They block over 100 million phishing emails daily, which is crazy. And then you add Microsoft and, you know, you have Proofpoint and you have Mimecast and all these other big email suppliers, and they’re all blocking something similar to that.
Phishing still: over 75% of targeted cyberattacks start with an email. So it’s tough. We all get those emails, you know, and sometimes they look very legit.
Understanding Phishing Attacks
You know, so how do we make sure that our clients, employees are protected and not clicking on malicious things and being trained properly? You know, people always ask, what are some of the most targeted industries?
And look at education/research: it’s number one with 3,300 attacks per week. Government, of course, is huge: 2,000 attacks per week. Health care, always huge. Jeff has a really good talk track on the difference. And, Jeff, I’d love for you to talk about that.
What’s the average cost for a breach from a health care versus a non health care type of, attack data?
Well, I’m talking about records. Right? So Yep.
If you look at data that’s available out on, you know, that scary dark web that we always talk about, credit card numbers go for a quarter, 25 cents, 30 cents. Social Security numbers are about the same.
But protected health information, PHI, can fetch up to $1,000 per record. Right? So that’s the cost, or, rather, that’s the revenue that these guys are getting from it. The cost to the organization is way, way higher than that, because not only if you’re a health... or, excuse me, I can’t talk this morning. I need to go to the Doug Miller School of Elocution.
If you look at a health care company that does have a compromise and there are health records that are out there, not only are you going to get fines, you’re probably gonna get sued. You’re gonna lose reputation.
But then what a lot of people don’t realize, and this is not just for health care, this is for any organization that releases private information: you’ve gotta pay for identity theft protection for each of those individuals that’s affected. And that comes at a cost of around $250 per record. So if you look at a large breach, right, with hundreds of thousands of records, that in and of itself is just a financial nightmare for that organization.
Challenges in Cybersecurity Protection
Yeah. Super tough. So then, you know, continuing on these, how are organizations supposed to be able to protect themselves? When you think about it, worldwide, 361 billion emails are sent out every day. You know, we still see that 3% are malicious or spam. Of course, most of those being spam.
9 billion emails are sent out every single day in the United States.
It’s just astronomical, yet we don’t have enough resources to protect. And, let’s face it. I mean, a lot of people don’t wanna do cybersecurity awareness training. There’s fatigue.
You gotta be strategic. You gotta gamify it. And I think that’s where some of the biggest struggles are. Let’s talk about some of the organizations that are out there that can help protect, Chandler.
So, Jeff, let’s walk through some of these. Who do you like? You know, the industry leader is KnowBe4. Most companies we talk to have KnowBe4.
One, who do you like? What’s the difference between some of these? And then if you’re a partner on this call, Jeff, how do you get a client to pivot away from somebody that they’ve been working with for a while?
You know, as far as who do I like, I like anybody that gives good education. Right? So in addition to having videos, having static pages of “this is cybersecurity, this is how you protect yourself,” you’ve gotta have those phishing examples. Right? You’ve gotta send out phishing emails to see if people are actually paying attention, if they know how to protect the organization.
KnowBe4, obviously, is a good one. We use Stickley on Security here at Polaris.
The reason for that is, I don’t know, it happened before I got here.
The difference is Stickley on Security is completely hands-off. Right? And they, you know, essentially will send out these phishing emails randomly, not, you know, the same phishing email to the same people at the exact same time. So the first person that gets it meets everybody and says, hey. Don’t, you know, don’t click on that. Right?
KnowBe4 is a little bit more work intensive, where somebody has to work with the template, send it out, schedule it, that sort of thing.
Obviously, these other ones are all within the same vein. I think when you’re looking for a provider to provide, you know, phishing and spam protection type services, the training and awareness training, you wanna see that it’s real. It’s good stuff. It’s not, you know, something that people are just gonna roll their eyes at whenever they get this training.
Engaging Employees in Cybersecurity
They’re going to pay attention to it. And I think the biggest thing that we don’t really talk about a lot of times in this scenario: you’ve got to make sure that the organization is fully, fully engaged from the top down. So when you’re sending these phishing emails, for instance, the campaigns, or providing the training, you’re sending that to your executive staff. No different than sending it to line staff.
Everyone must be involved in it. And one of the things that I’ve always tried to do within organizations that I work with is don’t make it where people feel like they’re being fooled or being made to feel stupid. If you click on that, that’s okay. I want you to learn from that.
So whenever a real one comes through, you’ll you’ll have a little bit better defense. Right?
Gamify it. You know, have competitions between organizations, between departments.
You know, this quarter, we did, you know, 500 phishing campaigns.
Marketing came out on top. They didn’t click on any of them. However, IT clicked on every one of them. Right?
So, and it’s kinda interesting, because you’ll start understanding that there are certain groups that, even though they may preach this, they’re guilty of it. I see IT a lot of times that is guilty of clicking on the malicious link. The number one offender, if you wanna use that word, is typically your C-suite, your executive team. Right?
A hundred percent. I did a phishing campaign at an organization, and the very first person, because it was like a competition, was the COO. And not only did he click it the first time, he must have done it five or six times. Right?
So there’s a lot that goes into it. There are some big brother aspects to it, so the staff can feel like, hey, you know, you don’t trust us, whatever. No. This is simply part of an educational program, which is cybersecurity awareness, because you are not only protecting yourself, but you’re protecting your organization as well. And you’ve heard me say this a million times if you’ve heard me say it once. Who is responsible for the cybersecurity of an organization?
It is every employee. It’s not the CISO. It’s not the CEO. It’s not the IT director.
It is everyone. Right? So I want the CISO. I want the IT director. I want the CEO to be very well, informed on this.
You’ve heard me say this too: I don’t really worry about the people over in the Ukraine or in China or wherever. I worry about Betty over in accounts payable who just wants to click on everything. Right? Because she wants that free Starbucks card.
So mix it up. Make it fun. Make it a competition. Gamify it. But ensure that you’ve got the the support and the, you know, the full driving power of that executive team, that they take it very seriously and that we should too.
Recognizing Phishing Attacks
So, Jeff, walk us through what a phishing attack looks like. I think everyone’s seen it, but how good are attackers getting at hiding what they need, and what should people do? Do they hover over a link? What should they do?
Well, what you see on your screen, this is actually a template that is used by our friends over at Stickley on Security. So, you know, people get this email, and it’s, you know, you’re confirmed to receive daily emails from the Justin Bieber fan club blog.
You’re gonna get emails about Justin and what he’s doing and da-da-da-da, and we’re gonna fill your inbox full of everything Justin Bieber. I am not sure of anyone that would really wanna be a part of that. I’m sure there are plenty of twelve-year-olds that would like it. But from a professional perspective, no. I really don’t want that.
But if you notice, the malicious link is one that a lot of people will click on you know, click here to unsubscribe.
Well, that’s the link that the bad guy is trying to get.
I think this particular template has about an 80 to 85 percent click rate, meaning people are clicking it because it just looks real. It’s so good. Right?
How can you tell? Well, there are a few things here. Number one, I didn’t sign up to this. I know I didn’t sign up to it. Number two, there’s, you know, if you see where it says thanks for signing up, it says “thanks for singing up.” So that’s kind of a, you know, misspelled words were one of the early indicators of a phishing email.
What if there’s no dyslexic? Yeah. Yeah.
If you look at, you know, that malicious link, if you were to hover over it, it would show you the link that it would go to.
This is a very effective one in that it’s not coming from Justin Bieber. It’s not coming from his record company or whatever. It’s coming from Susan, who started a Justin Bieber fan club blog. So being able to tell that that link is not an official link might be a little bit more difficult.
But just use common sense in something like this. And the one thing that people really need to start doing is get with their IT department. And if you get something like this and you want to know if it is legitimate, send it over to IT. A lot of organizations have within Outlook, for instance, a button that you can report an email, and it’ll come back and say, yeah.
That’s good. Don’t worry about it. It’s it’s fine. Go ahead and sign up to, you know, Justin’s Justin’s blog.
But whenever you click that link, it’s going to ask for credentials. What’s your email address? Right? It may not ask for a password.
It may not ask for anything. So what a lot of these phishing emails are doing is, they’re not necessarily stealing credentials or stealing your money off the bat. What I would do with this, say I was a bad guy, right, is I’m just verifying and validating email addresses.
Instead of just guessing what an email address is, I’m validating that that’s a good address. And so that’s gonna go in my database, and then I’m gonna be able to use that email address for future attacks to try to get more and more information. Right? Remember, these bad guys are working 24/7. They don’t work Monday through Friday and take weekends and holidays off.
So what does spoofing look like?
How do people spoof domain names, and do they have to own the domain name? What does that mean?
I’ll get to that in just a second. I’ve got a kinda interesting slide on that. If we go to that next one... well, here. We’ll just do this.
Understanding Domain Spoofing
Thanks, Chandler. So one of the one of the easiest things we can do, and I’m not a bad guy. I could be. I should have been.
Probably made a lot more money.
There’s a publicly available website called namewest.com, and I encourage people to use this. So if you have a meeting with a client coming up, and this could be an n where we just talk about email security, awareness training, go to namewest.com and just put in their domain. They may have five domains, but pick their main domain. You don’t have to put www or .com or anything like that.
Just put it in there. And you will see every misspelling, every, you know, we call it spoof because they’re impersonating, because they’re gonna use Cyrillic characters. They’re gonna use an exclamation point instead of an I, things of that nature. But if you look at this, on the right side where it says domain typo status, you’ll see that some of those that are in orange are registered.
Yeah. They’re gonna be expiring soon, but that means somebody has registered those domains.
Those that have a green checkbox next to them mean that they’re available. So I can get an email address that looks a whole lot like yours.
I can go to, you know, a foreign country and get a registrar, register that domain and do what’s called artificial aging, where it looks like it’s been around for a while, and use that domain to send email to either your internal staff or, even worse, send it to your customers with invoices, for instance. Think about that. I had a situation with a very small company.
Talked to the the owner of the company, and he’s like, yeah. We’re not a target.
It’s you know, I’ve got just a handful of customers. This is semi retirement.
Someone did this and got ahold of an invoice.
Sent the invoice to customers. One of the customers responded to it and sent $150,000. That’s a lot of money. Right?
And there’s not a whole lot you can do about that, but let’s just pay attention. And I think one of the biggest tools that you have in your toolkit is just know about namewest.com before the meeting, or at any particular time. Just go in there, run that customer’s domain name, and see what all is registered, what all is available, and how you can protect yourself.
Utilizing Domain Protection Services
And we do have services. One of them is through, again, Stickley on Security. They have a product called DomainAssure, where you just tell them what domains you have.
Anybody that registers a domain, or makes an attempt, or already has that domain, they have takedown authority where they can get rid of it on your behalf. I’ve worked for organizations that have tried to do this on their own, and it is a nightmare trying to do it, because these things just pop up left and right, hundreds per day. So it’s actually a little bit automated.
So that’s a that’s a key element to look at is who’s out there looking at it. And you may be surprised because it may be a very small company.
Maybe two, three, four, five employees. It could be a giant company. But take a look at that, and that gives you some power to, to have the conversation with the folks at the organizations, your client organizations. Say, did you know this was going on?
Take a look at this. And you will see eyes get wide open. Well, what can they do with this? Well, they can send emails and pretend to be you.
They know what your name is. They know who you are. Right?
So, it’s funny.
I just got a DocuSign email, and I laugh because if anybody wants me to really sign something or do something in Telarus, I won’t click on anything.
I wait till I get to the end of the day.
Anymore. That’s the easiest way to do it.
So walk us through... this is real.
I mean, and here’s the thing, guys.
Why is there so much of this? Why are the bad guys sending so many phishing emails, spear phishing? Why are they doing that?
Well, it’s because it works.
Because it works. Exactly.
Reminds me of, you know, back in the day, John Dillinger, public enemy number one. Right? I don’t remember, because I’m not as old as Doug, but a reporter asked John Dillinger, why are you robbing banks? Why do you rob banks? And his response was, because that’s where the money is. Right? So bad guys are doing this because there’s all kinds of information that’s out there, and it’s easily, easily accessible.
Anatomy of a Phishing Attack
So walk us through the anatomy of what an attack looks like. How quickly when somebody clicks on something does bad stuff start to happen?
You know, it’ll really blow your mind, right, how quickly this can happen. So this is a good example.
Fairly, you know, high level, but, you know, the bad guy sends an email. The victim clicks on that email. Maybe it’s that Justin Bieber fan club. Right?
Or something similar. I put in my credentials. Right? And it goes to this website that may look very legitimate.
Think Wells Fargo, Bank of America, Amazon, Netflix, whatever.
You know, how many times have you seen the email from Netflix or from your bank saying we’re having trouble with your account. You need to validate it. Right? And simply to validate it, all you need to do is use, you know, your username and your password.
Your username is usually your email address, and then your password. Well, humans right now, nine times out of ten, use the exact same password for every site. Right? You can shake your head and say, no.
I don’t do that, but I’ll say, yes. You do, because I know you.
So the same password that I use for, for instance, work is the same password that I use for my banking, that I use for Amazon, that I use for Netflix, whatever. Right? So I’m gonna go to that phishing website. I’m gonna put in those credentials, and then I’m going to be able to collect those because I own that website. Right? I’m actually exfiltrating that credential information, username and password, username and password, username and password. I’m going to then take that, and I’m going to say, oh, he thought he was going to Wells Fargo.
Well, guess what I’m going to do? I’m going to go to the real Wells Fargo. I’m going to enter those credentials that are known good because the victim put those in, and I’m gonna do all kinds of banking for you. Right?
I’m I’m gonna pay all your bills. I’m gonna pay off your mortgage. No. That’s not what I’m gonna do.
I’m gonna do stuff that’s going to make me money.
I’m gonna transfer funds all over the place. Right? So that’s, at a very high level, how a phishing attack works.
Emerging Phishing Techniques
And there’s various forms of phishing. Right? So we talk about phishing, which is email. Well, there’s also something called quishing.
A lot of folks have never heard of quishing. Right? But what quishing is, is the use of those ubiquitous QR codes that everybody sees and everybody loves because they’re so easy: you pull out your phone and you snap a picture and boom, you get what you need.
QR codes are one of the most easily done things that get us information that we want. We can imitate anything. Think parking garages. Think restaurants. Think whatever. Right?
And those are very hard to defend against using any kind of anti-spam software, because they are viewed by an email system as a graphic, right, as a picture. So it’s very difficult. So my constant issue is people just click, click, click, click, click. Right?
They just want, oh, it’s a QR code. I’m gonna get something free. Right? I know offhand of at least five people that I’ve talked to in the last couple of weeks that have fallen victim to credit card fraud because they scanned a QR code at a parking lot.
You know? Now we don’t really have a lot of parking lot attendants. We have a QR code.
Scan here. Put in your credit card information.
Put in your driver’s license or your car license plate number. Boom. You’re good to go. Right?
Here’s a receipt. Put it on your dash. All you gotta do is click on that, put that information, bad guys got your stuff. Bad guy could be sitting in that parking lot with his laptop gathering that information as you do it.
So, you know, there’s another one called vishing, V-I-S-H. That’s voice mail. Right? And we talk about AI. AI is making these things a whole lot easier. Right?
It’s scary in certain aspects, but if we are well trained and we understand what they’re doing and how they’re doing it, we can much, much better protect ourselves from this.
So, Jeff, there’s also smishing. If somebody gets a text link, clicks on that, can they actually take down their organization from their cell phone?
You could actually do a lot of stuff from a cell phone. Right? I mean, the thing about phishing emails is they’re not just a nuisance. They’re not just something that fills up our inbox. They’re not something that just takes credentials from us. That is also the number one attack vector of, you know, what we always hear about every day, ransomware.
Ransomware Risks
Right? So if you click on that link, it may not take you to a fake website. It may contain what we call a payload, which is malware, right, that it automatically downloads, unpacks that malware, and then suddenly you are a victim of ransomware.
So, good example right here. This is just another simple graphic. You know, I send that phishing email that’s got that payload in it, that link. It could be a QR code.
It could be, you know, I could send this to a cell phone, right, as an SMS message. Click on that link. It gets unpacked, and it executes, and then it communicates with a server. We call it a command and control server.
Man, guess what, mister user? All your stuff is encrypted, and you get this cute little message in the red box that just says, oops.
Right? Everything’s oh, but you can get them all back. All you gotta do is send me some Bitcoin, and you’ll be fine. Well, once you know, in theory, once the ransomware or once that ransom is paid, you get that what’s called a decryption key, and everything’s fine. What’s wrong with this scenario?
Well, you really wanna take the chance that they’re not gonna do it again or that they’re really going to give you that key? No. Right? I mean, there’s there’s if you just look at any news site and look at look at ransomware, there are millions of examples of organizations that have paid millions of dollars, and they they did not get their files restored.
It was just, thank you for the money. I’m gone. I’m gonna go do the next thing. Right?
Well, who knows if they leave a backdoor in there. Most people... If I’ve got you once, I’m gonna get you twice.
If I’ve got you twice, I’m gonna get you four times. Right? That’s why, you know, I teach what’s called Think Like a Bad Guy. Right?
Social Engineering Tactics
And, shameless plug, I even have stickers. Think Like a Bad Guy. But it’s, how’s the bad guy going to get to you?
Look at your organization as a bad guy would. Let’s say you’re the manager of a bank. Look at your organization, your bank, as a bank robber would. How do I get in there?
How do I get that data? How do I get to that person?
You know, and there’s multiple, multiple methods that the bad guys do. You know? And they’re not all high-tech.
One of the most effective methods that we have is social engineering.
And I always tell people, if you act like you belong, very few people will question you. If you have on, you know, a high-vis orange vest and carry a clipboard, maybe a stepladder, you can go watch movies all day long for free, because you just walk in and say, I’m here to look at your fire extinguishers. Right? Nobody’s gonna stop you.
Well, we need our fire extinguishers looked at. Right? Same thing with these guys. They’re gonna do everything that they can to get in your organization.
And if you don’t know what those weak points are, it’s very hard to defend against that.
So we’re definitely gonna put Jeff’s Think Like a Bad Guy into our LMS University so you guys can get some training on that. And Jeff will jump on and do some of those. It’s a really good training. Jeff, we have a lot of partners on this call.
Password Management Strategies
How are they supposed to remember 50 different passwords? What should they use to help protect their data, their clients’ data? You know, do you recommend that there are certain tools out there that they should be using on a daily basis?
Well, yeah.
Number one, don’t use the same password for every account that you have, and this is not just professionally. This is personally.
If you use usernames and passwords, they should all be unique, and they should be very random. So I always recommend that you have a password vault, something that will generate passwords for you, that will remember those passwords, that’s encrypted. So when you go to that site, it will automatically fill in that username and password for you, in conjunction with multi-factor authentication. So you’re gonna get an SMS message or you’re gonna get an email, something like that, saying, hey. Is this really you? So using something like Microsoft Authenticator, Google Authy, Duo is a good one as well.
But one of the things that we’re moving toward industry-wide is passwordless.
Right? Because folks are still using, you know, they don’t wanna take that extra step. They want things to be easy. Right? We have an organization that a lot of folks probably already know about. Right?
Called TrueYou. TrueYou is a passwordless solution where it uses not just things like facial recognition, but the cadence of how you type on the keyboard, how you use your mouse, what your surroundings are, what Bluetooth devices are beaming. And if it doesn’t recognize that, if you look a little different, if you’re in a place that you normally aren’t in, it’s going to tighten the security and ask for more information so you can prove who you are. So there are multiple, multiple ways of doing this.
It’s another, another thing that a lot of people do because it’s easy. Right? And I don’t blame them. Everybody likes things to be a little easier.
Don’t save passwords in your browser. If you use Chrome or, you know, any of those browsers, it always prompts you, hey. You wanna save this password so it’ll be easy next time you log in? Don’t do that.
I’ve got tools that I show people how I can exfiltrate those passwords from your browser without you even knowing it.
If I can do it and I’m not the smartest guy in the world. Right? If I can do it, smart guys can really do it. Right?
So don’t save passwords in your browser. Get a password vault. The one I recommend, and the one that I use personally, is from one of our suppliers called Nord. It’s called NordPass.
It’s a beautiful, beautiful package. Right? LastPass is another one. LastPass is no longer in the channel.
Yeah. But NordPass, things of that nature. There’s a lot of free ones out there too. So, get used to that.
But from a revenue perspective, you can very easily get folks to use NordPass.
Right?
And explain to them this is a security element that everyone should be doing. And I recommend you don’t just do it. You don’t just use something like that at work. You use it at home. I’ve got it on my phone, and the websites that I go to are all in there.
And, you know, where I use passwords, they’re this long. Right? They’re huge. Nobody would ever remember those, especially me.
So, yeah, that’s a key: vault those passwords. Don’t write them down. I was in the airport in Denver. I live in Denver. I was at Denver International Airport, and a guy sat down across from me, waiting on a plane, and he pulls out his laptop. And I could tell he was probably either a government employee or worked for a contractor or whatever, because of all the stickers that it had on it, “property of” and barcode.
He lifted the lid of the laptop, and I’m sitting right across from him. And he’s got stickers on there that have usernames and passwords. Right?
Real secure there.
I’m sitting in a public place, and I, you know, I could’ve just done a snapshot, listened to what he was talking about, and figured out, you know, is this something that I would... So let me walk through, for partners on this call.
Enhancing Cybersecurity Awareness
How do you bring this up to your clients? So first, you know, the average employee spends 49 minutes a year, according to Gartner, doing cybersecurity awareness training. There are 360 billion emails that get sent out every day. 9 billion in the United States.
You know, so first, you know, you kinda talk about security awareness training. How often are you doing security awareness training for your employees? Do you like the tools that you’re using? Anything you would change about some of those tools?
You know, how do you get employees to do cybersecurity awareness training when they don’t wanna do them? Have you gamified them? You know, have you figured out ways to get the leadership to actually do it as well? Are they part of the training?
Because sometimes the leaders, just as Jeff mentioned earlier, they’re the ones that are the busiest. They see a bunch of emails. They don’t have time to thoroughly look through. They think that it’s a trusted person.
They go and click on something bad. You know, what solutions do you have in place to protect your organization today from malicious emails? What kind of layers do you have? And then, you know, have you had any breaches to your knowledge recently?
Were any of them caused by email, by phishing, by smishing, by quishing, by all the fun ones that you threw out there? All the issues.
One of the questions that I always ask, Jason, whenever I’m talking to an organization is exactly that. Have you been compromised in the past?
And, of course, they’ll say no, and I follow that up with, are you sure?
And they go, no. I’m really not. I may have, and I just don’t know about it.
But when you start talking about, you know, using the term breach, using the term compromise, using the term hack, whatever, eighty to eighty-five percent of those come through phishing email. That’s just the reality of it. So this should be a number one concern of everyone in the organization, as this is my attack vector. This is where the bad guys are coming in.
Right? If, you know, I’m a bad guy and I’m trying to compromise your organization, I’m not gonna go after your firewall. I’m not gonna go after your Active Directory. I’m gonna go after Betty in accounts payable who just clicks everything.
Right?
And once I get Betty to click, I got you. I got the whole organization at that point. So it should be top of mind for everyone that phishing is real. It’s not gonna go away.
You know, we see in technology, we see in this world, that things change at a very rapid pace. The one thing that is a constant, that has been around for a long time and is going to be around for a long time, is phishing email. They’re not gonna stop.
How many of us get, you know, especially in this day and age, you know, where we are right now, political email.
Right? Maybe they’re real. Maybe they’re not. Click here to donate. Give me twenty bucks. You know, cast your vote here.
You know, how do you feel about x, y, and z? Right? Just click here and fill out our survey. All of those have a potential to be malicious.
Thanks, Jeff. Doug, what kind of questions do we have?
The Importance of Security Awareness Training
First of all, I gotta call out Jeff. Jeff, this dollar is coming to you in the mail. I’m so proud of you for calling back Betty before the presentation was over. That was beautiful timing and comedy. Thank you.
This is just such a fascinating topic. First of all, I think everybody wants the stickers, and, Jeff, we gotta find out how to get more information about your training.
You gotta talk to my agent.
I know. It’s such a hassle. But everybody is concerned about this, and I don’t know of any company that I speak to that isn’t involved in some sort of security awareness training at this point. And yet the complaint that I hear over and over again is, yeah, we do the training, and then somebody gets in a hurry or they’re trying to get into a site that they have to get into or they’re under pressure from work or whatever it is, and so they just bypass it altogether.
I want you to talk about, if you would, just for a second, as advisers, how do we go in and, without scaring people to death, help them understand that they’ve gotta make this more than just a game, more than a culture. It’s gotta be mandatory, and for all those reasons.
Mandatory Training and Organizational Culture
Well, I see a lot of times, Doug, where, yeah, training is mandatory. You know, the awareness training is mandatory, and you have to go watch this video. Some organizations do it once a year. Some do it every quarter.
I’m the guy that used to do it all the time, so I drive people crazy. But you are protecting the organization. This is a real threat. And think about people, you know, in general, in your office, a physical office, do you have locks on the door?
Do you have an alarm system? Do you leave the lights on when you leave at night? The answer is yes. Why do you do that?
Well, because there’s bad guys that wanna get in and steal stuff. It’s no different when it comes to understanding how to protect yourself against phishing emails and things of that nature. This is just a continuation of overall protection. And remember, cybersecurity in and of itself is a form of risk management.
It’s part of risk management. So you want to identify those risks. You wanna mitigate those risks as much as possible while knowing that there are so many phishing emails that come out there. Back in the day, back when we were young, there was no such thing as a phishing email because we probably didn’t have email.
There were just a couple of computers on desks. Right? Now everybody’s got email. They’ve got email on their phones.
They’ve got multiple email accounts. Right?
It is a risk, and you have to take it seriously. And if people don’t take it seriously, that’s a management issue. And that’s why I always talk about leadership being involved in this. Your C-suite, it can’t just be one person.
Leadership’s Role in Cybersecurity
It can’t be your CSO or your IT director. It’s got to be that entire leadership team saying, look. We’re taking this seriously. Therefore, you take it seriously.
If you don’t take it seriously, you’re putting our organization at risk. If you’re putting our organization at risk, then we need to have a different conversation.
Right? It’s no different than someone working in a medical organization, for instance, that just willy-nilly gives medicine. Right? Don’t care what kind it is.
We’re just gonna stick it in that patient. Right? It’s no different than that. We are at risk.
We need to understand what that risk is. I’m not here to scare you. I’m just here to tell you what the reality is.
You click the wrong thing, you can take this business down.
I said Alberto asked the customer, Doug, and, you know, he had twenty-five thousand employees, fourteen on his staff, and, you know, I asked him what was the biggest burden to his staff, and he said, it’s the employees.
It’s the employees doing something malicious that I can’t control. I have all these layers of security. I spend a ridiculous amount on cybersecurity, but one employee doesn’t follow cybersecurity awareness training because they didn’t think it was important. They click on it, and it could take down our entire organization. That’s what causes me not to sleep. That’s what the board worries about.
And so, yeah, it’s super that layer eight, by the way, OSI layer.
Yeah. You know, there’s seven. Layer eight is the users. That’s our biggest gap.
Biggest gap.
Alberto asked the question early on. I think it’s a great one. Is there a difference in threat level between a larger company, a smaller company? What’s the size of a company where you don’t have to worry about this anymore because after all, we’re too small?
Risk Assessment for All Company Sizes
There’s not one. You know, I mentioned that, and that was a true story about the guy that had thirteen customers. Right? And it was a two-man company, and they had one server. And he was the one that got caught up in that business email compromise with the fake invoice. Oh, it was a real invoice. It just had the ACH numbers that were different.
So there is no company out there that is safe. Right?
You know, there’s what we call collateral damage. You know, you may not be part of the initial attack, but you’re caught up in it. Right? You get the outward pieces of it.
So I don’t care if you’re a single person, sole proprietor, or if you’re a Fortune fifty organization with employees all over the world.
You all have the exact same risk, and that’s why everyone should have the exact same mindset when it comes to protecting the organization.
Yeah. Agreed. We had a partner in our portfolio who sent something, clicked on it, and, unfortunately, it cost a ton of money. And, you know, I mean, this was his own personal email. So it doesn’t matter how big the organization is. If you have assets, you know, they can be exploited, and it can cost you a lot of money.
Tools for Cybersecurity Assessments
Our adviser, Mark, asked a great question about security assessments. We’ve talked a lot about employees. We talked about different things that can happen. For advisers who wanna go in and talk to their clients and do an actual assessment, do we have suppliers? Are there tools out there that can give you a generalized version of what are the vulnerabilities that could apply to your organization?
Oh, absolutely. I think one of the biggest things, or the best tools, that we can use is the cybersecurity QSA.
Right? It’s simply, you know, asking these questions. Right? Use it, you know, whenever you have a client that says, well, I think we’re good because we have a firewall.
Well, that’s great that you have a firewall. I mean, there’s more to it than that. But, if it’s someone that’s just dipping their toes into the cybersecurity pieces, start with those things like, how many phishing emails do you get a week? You know, talk to the IT people.
How do you respond to those?
Use that name west dot com that I mentioned earlier. Just show that. Say, these are people that are already impersonating you. They may not have done it yet, but they very well can. Somebody can.
Just talk about things at a low level or a high level.
We don’t want to go into an organization that wants to talk about things like SASE and zero trust and all of this stuff if they don’t have the basics. Right? You’ve gotta build the foundation. You know, when you’re building a house, you don’t start with a roof. You start with the foundation. Right?
So it’s very easy to start that conversation using those tools, the awareness training. The domain assure is a good one.
Things of that nature. You know? Do you have anti-malware? Do you have, you know, endpoint detection and response? At a very low level, bring a Telarus engineer to that conversation.
We hear it all the time where folks are like, well, I don’t want to have the conversation because I’m afraid that the client’s gonna ask a question that I don’t necessarily know the answer to, and I don’t wanna look foolish.
That’s fine.
Bring a Telarus engineer to that discovery call. It doesn’t have to be, you know, a deal that is one hundred percent, yeah, we’re gonna close this. Bring an engineer in to start the conversation, to have these questions, and get some good information from that client of where they are. And at the end, those of you on the call that have been on calls with me hear this from me all the time: you know, Mister Customer, at the end of the day, the business decision is yours. Right? I’m not gonna try to jam a square peg into a round hole, but I want you to be aware of the risks that are out there.
Building Cyber Resilience
And if you are serious about protecting your organization, protecting your employees, these are some recommendations that I would do, and they don’t have to break the bank. Right? We can start off very, very small, and then work up to what we call cyber resilience. So when you do get compromised, and notice I say when, not if, but when you do get compromised, that is the difference between being able to recover from that in a timely fashion versus being the last person out the door flipping the light switch off because you are no longer in business.
You hear Jeff talk a lot about business conversations too. And none of these are technical. You know, a great way to start a conversation is, you know, let them brag a little bit about their team. What is your team really good at?
What do they hate showing up to work for? What do they wish wasn’t on their plate? What’s the biggest burden to your staff? And most of the time, they’ll say employees recovering, deleted files, you know, trying to figure out how to get people to take cybersecurity awareness training so that they won’t compromise our organization.
And then you can say, is it fatigue? How are they doing? What if we could take some of that burden off their plate and help you? Would you be interested in that kind of conversation?
And then you can bring in the engineers and the solutions architects that we have that are fantastic.
Creating a Culture of Reporting
We’ve touched briefly on the idea that it’s important to have a culture where it’s okay to make a mistake, so that people feel comfortable in reporting something that they may have clicked on or done, which can help prevent further damage from occurring.
With the proper tools in place, I would think it becomes easier then to have that kind of a culture in place. Without the tools in place, everything is a fire drill. Right?
Absolutely. I mean, usually, when you don’t have that culture, that tool set in place, you know, you say fire drill, but it’s just very reactive. Right?
Where it’s, oh, no. Somebody did this. What do we do? Right? Versus a situation where people, you know, have been trained.
Right? You know? And I relate it to, like, a soldier. Right? If anybody’s ever been in the military, regardless of branch, you drill, drill, drill, drill, drill, drill.
So when a real situation happens, you’re ready for it. You’ve got that muscle memory. You know what to do, where to go, who to, you know, who to be with.
It’s no different in this, and it’s, you know, part of what incident response really is. That’s why we practice these things. So when you’ve got someone that, say, in this vein, clicks on a phishing email, instead of that person and the IT department going, oh, no. What do we do?
This is bad. They already know what to do because it’s been practiced over and over and over. Because that person has clicked the email, they immediately report it to IT or whoever, right, that is covering security for the organization. And there’s a set procedure, a process in place, to take that machine offline, quarantine it, understand where the threat is, how to get rid of it, how to mitigate what is going on.
But it’s gotta be practiced. It’s like, you know, I would love to be able to sit down at the keyboard of a piano and, you know, play like Tchaikovsky. That would be great.
I’ll never be able to do that because I don’t practice. I don’t play the piano. Right? So if someone walks up to me and says, I need you to put on a piano concert, I’m gonna be like, good luck.
Right? Same thing in this situation. Right? Where if you’re not practicing your incident response, if you’re not practicing what to do when that happens, that’s what these phishing campaigns, the KnowBe4s and sticklies and symbols, are for: to know what to do in the event something like this happens.
Resources for Ongoing Training
Made me wanna go take another course and get me some of those stickers. Jason, where should our partners head next?
Yeah. So we wanna start driving everybody to the LMS. You know, we have a lot that we’ve been adding content-wise for our university.
We just added cloud. Security is gonna be right around the corner, and you’ll be able to get 101, 201, 301, both sales and technical trainings, on a lot of different input that Jeff Hathcote, myself, Jason Kaufman have all put together on our team. So you’ll be able to get a lot of training there. We also can sync you up with some of those providers.
If you wanna have a conversation, I can help, you know, train your team. We can make this video recording available. We have some blogs that we’ve been doing on security awareness training, email attacks, that we can also share with you. Lots of different resources that you have.
You know, this is a great avenue to start because this is one of the most vulnerable areas for an organization. They’re constantly being bombarded by tons of threats that are getting better and better every single day, and AI is driving some of that. So we need to make sure that we’re better than all the attacks that are coming in and overwhelming our employees, our clients’ employees, and, you know, the organization itself, especially with a small, lean IT staff. So please let us help.
Go get a password protector for your own organization.
Implementing Identity and Access Management
Let’s make sure your clients have one. And then that identity and access management, that passwordless where they study facial recognition, they study your mouse patterns, that’s something great to lead with. TrueYou has it. ECI has it. We have a bunch of conversation tracks around that, and it’s been one of the best differentiators for this year heading into next year.
And one thing too to remember, Doug, is if any of you out there have a question or you just wanna dig a little deeper, do not hesitate to give me a call. Send me an email.
We can get you where you need to be.
Always appreciate it. Thanks again. Jason Stein, Jeff Hathcote for the HITT training today, and thank you, Betty, wherever you are.