Security Awareness Training for Your Company

Steve Ripper from Portsmouth Computer Group, a world-class IT company, discusses security awareness training for companies.

Mike: It’s Tech Tuesday. That means we’re all brought to you and powered today by our good friends at Portsmouth Computer Group, PCG IT. For world-class IT service and customer support, go to They’ve got convenient locations in Portsmouth and Dover. And, of course, Manchester and Portland, Maine.

Dave Hodgdon’s off today. Steve Ripper joins us from PCG. And Steve, good morning. Welcome to the Morning Information Center. Great to have you with us. How are you doing? Let’s talk a little bit about security awareness training for your company. We’re talking about security stuff and why people should be interested in that.

What is Security Awareness Training?

Steve Ripper: So, security awareness training. It’s interesting, Mike. It’s really important for a company to go through it, but you’re basically trying to trick your employees. It sounds mean, and in some cases it is a little mean. But you’re-

Mike: It does sound mean. Yeah, it does sound mean.

Steve: Yeah, it does, doesn’t it?

Mike: Yeah, it does.

Steve: It’s like an episode of Punk’d. So, most companies, or most people at companies, are aware of when we talk about marketing campaigns-

Mike: Right.

Steve: -where large amounts of email go out to other companies and say, “Hey, we have these services.” So, these are types of campaigns where you’re literally sending to your users, your employees, a fake phishing scam and trying to trick them into doing it. So it sounds terrible, but there’s some real advantages to it. So, what you’re hoping to do is, first of all, you want to know whose skills were high enough to notice that it was not real. Right? That’s a valuable thing to know, is who’s thinking security-wise.

Mike: Yup. I get it.

Steve: And unfortunately, unfortunately, it also points out who isn’t. So if they click on the scam, then you’re getting a report back that says, “These number of people,” and who they are, “didn’t pass the test,” as it were. You get reporting out of it. You get an idea of where the security risks are. And the most important thing, Mike, is that you’re getting everyone into a frame of mind. Right? You need everyone to have that frame of mind to be suspicious, to think about what the emails are, to take some time to read them. Because very few people read. That’s really the problem. You’re trying to get people to slow down, and to really just pay attention, and getting that security mindset.

Mike: Yeah. That’s the other thing. We’re just moving along so fast. It’s like me putting things together. I don’t want to read directions. I don’t want to read directions.

Steve: Right. Yeah. So a lot of people are used to, “Oh, that,” or click it if it scares them. They go so fast.

Mike: Yeah. Yeah.

Steve: They don’t take the time to check it out. Because like I’ve always said, everyone’s doing 20 things every 15 minutes. We have a lot of controls. We have a lot of spam blocking, and we have a lot of security, and we have firewalls, and you have IT companies, and you have Steve coming by, and you have Dave calling you on the phone, and you’ve got PCG talking to you. And so you’ve got all these things in control, but really, none of it works if the users, the people who are sitting there, aren’t also being careful. If they’re not being careful, there’s always going to be a way of tricking them, or falling for it, or being a security concern.

So we do these security awareness campaigns where we send them out, and then we see who clicks on it and who doesn’t. Now, when they click on it, Mike, we don’t actually infect them or do anything. What we do is it just brings them to a link where there’s some training. Right? And, really, a lot of companies, they try to avoid the shame aspect. “Let’s not shame the employees.” Many companies will actually tie incentives to it. If the company itself reaches a threshold where maybe a few people clicked on it but most didn’t, they’ll give out bonuses, or a parking space for the person who does the best, or gift certificates.

So there’s a lot of ways to incentivize it as opposed to shame. Shame from Game of Thrones. But it’s really important for a company to understand, and feel like their users have a concept of what the security is and what it means to be thinking all the time, “Is this real? Should I be doing this?”

Mike: Do the workers eventually know that it really is a fake phishing scam just to test people’s knowledge, and what they know, and what they don’t know?

Steve: So, that’s a great question, Mike. It really depends on how the company goes about it. And if you’re kind of picking up from what I’m saying, companies do things… While the campaigns are pretty much the same… And there’s several players out there, Mike, that do this. The biggest one is a company called [KnowBe4], meaning, “Know before it’s a problem.” So KnowBe4, K-N-O-W, Be, and then 4, F-O-R. Or KnowBe4, the number 4. So that’s a website. So all of them pretty much run the same methods, Mike, but a lot of companies go about it differently. I have seen companies do it punitively. Right? So, you see this a lot in the hospital industry, where HIPAA is a part of it.

Mike: Yeah.

Steve: And financial institutions, where they have Sarbanes-Oxley and all these other restrictions, and it’s a real big deal, with financial problems. So they’ll be punitive about it, Mike, where they might actually have meetings with the people who failed or fail three times. Right? Who keeps clicking on it. They’ll have a, “Hi, you need to come down here.” It’s like talking to the principal, right? So I’ve seen companies be punitive about it. I’ve seen companies try to not be punitive at all. They try to just be encouraging. So different companies do it differently. So, I’ve seen companies where users didn’t know that the campaign was run. They deleted it because they’re used to doing it, and they didn’t actually know that that wasn’t a real one. I’ve also seen companies might just say, “We did this last week, and here are the results.” And they make it known to everybody.

Mike: Interesting. I like the idea of not putting people down, not shaming people, like you say, but providing incentives.

Steve: Sure.

Mike: That if they do get it right, or they go through training and did not know about it beforehand and do click on it, that they get some incentives eventually to learn about it and know how to do it right. I think that’s an important thing.

Steve: Yeah, absolutely. It’s the carrot and the stick that companies are going through. So, for some companies, they can’t be compromising about it, if that makes sense, Mike. With HIPAA restrictions and people’s data, patients’ data, and things like that, they can’t be that accepting of failures. So they’ll be punitive about it. But for most companies that we see this with, they use it as an incentive tool. Like, “Listen.” And I’ve seen companies try to make it fun. So you have a lot of different options in terms of the types of phishing attacks. We use KnowBe4. But you can pick the different types of phishing exams, so you try to vary them. And then you can have different types of training that kind of says, “Hey, you didn’t click on this the right way, and these are the things you need to look for.”

Mike: Let me ask-

Steve: But generally they’re positive in their attitude.

What is Phishing?

Mike: I was going to ask you. Give our listeners just an example. I’ve known we’ve spoken about this before, over the months, but give our listeners an example of a fake phishing scam.

Steve: Sure. So, what’ll happen is they try to do it out of fear. So fear is the thing that they’re doing because they can’t really just hack you. I mean, there are ways to hack you, but that takes a lot of work and effort, Mike. It’s a lot easier to trick you, right? If they can get you-

Mike: Yeah. Sure. Yeah.

Steve: If they can get you, Mike, to click on it, that’s two-thirds of their job. Right? So what they try to do is they send you an email that is going to scare you. “Your account is about to expire. You didn’t pay the bill.” Right? “You didn’t pay your mortgage. Your mortgage is…” They love to go after the mortgages. People get scared. Right?

Mike: Yeah.

Steve: “You bounced a check.” So, the email looks exactly like one from that company. Wells Fargo. JetBlue. Office 365. Whatever it is. Because that’s easy for them to do, Mike. They can get those graphics right off the Internet. Right?

So they can make the email… Go ahead.

Mike: I was going to say, “Why would you not click on it?” You know what I mean?

Steve: Right. So you see it, and it scares you. “Oh, my God. The account is… It’s going to be expired.” Or, “I owe money.” Right? So they click the link, and then what it does is it takes them to a fake page. Right? Generally the fake page is on some other person’s website. Right?

Mike: Oh. Okay. Okay.

Steve: Like a plumbing company.

Mike: Yeah.

Steve: So, what they did was that company also had originally fallen for the scam. Right? So they got their username, password to their website, and then they put the fake page on the website, right? All of that, Mike, is just so that the FBI has a harder time tracking them.

Mike: Gotcha. Gotcha.

Steve: So, if they have it on their own servers, even if they have it on their own servers like some place in Africa, or a Third World country, or whatever, the FBI can track them down. So what they do is they try to put the websites on other people’s websites, right, so that they can’t be tracked. And so, when they go to that website and the user gets to sign in with their username and password, they record the username and password. Now they can go and be that user. Right?

Mike: Ah. Gotcha.

Steve: And that’s the game. Right? So they’re trying to get you, Mike, to give them their username and password. That’s way easier, and it’s way easier to make money that way. So, that’s an example of what it looks like. So you try to, through these security awareness campaigns, teach the users to not do that. Right? To slow down, look at the links. And really, the biggest one, the biggest one of all, Mike, is if something is asking you to log in, stop and ask questions.

Mike: Yeah.

Steve: Right? Even if you’re at home. When I say ask questions, I mean look at the website. Where does it go? What does it do? Where do the links go? And sometimes asking questions is, if you’re at the office, ask your coworkers. Right? Talk amongst yourselves. “Hey, did you get that? I got that. Did we both get that? Should I have gotten that? That didn’t look real.” Right? So those are the things that you’re trying to, through these campaigns, teach your users to think like that. Because if they think like that, it’s much harder for the bad people to get what they want.

Mike: Yeah. But, as you say, these phishing scams are so sophisticated that if you get these emails, and it looks exactly like your bank’s letterhead and your bank’s website, it’s hard not to click on that, to think that, “Okay, they got in touch with me.” But wow.

Steve: Yeah. So their favorite targets, Mike, are the accounting person at a company-

Mike: Yeah. Sure.

Steve: -who’s already harried, has a whole lot to do.

Mike: Right.

Steve: So he or she gets an email that says the whole Office 365, the whole email system for the company, is about to be shut down.

Mike: Wow.

Steve: That’s a very scary message, right?

Mike: Yes, it is.

Steve: And that accounting person takes it as, “Oh, my God. What did I do wrong? I did pay that bill. I think I paid that bill last month.” Right?

Mike: Yeah, right.

Steve: And the next thing they know, they’re clicking on it, and they’re putting their username and password in.

Mike: Oh, boy.

Steve: And that’s the moment that every company is trying to avoid.

Mike: And that’s where it starts. All right. We’ll make that the last word. Interesting stuff. I just learned something pretty new about that. Security awareness training, and the Portsmouth Computer Group can help you guys out. Steve Ripper joining us this morning from Give him a shout., convenient locations in Portsmouth and Dover, Manchester and Portland, Maine. Thank you, Steve. Stay healthy. We’ll talk to you next week, my friend. Thank you very much.