Security Awareness for Your Organization
Summary: On this Tech Tuesday show, Steve and Dave talk about security awareness for your organization, including how you can make your users more security aware, and help them to understand what they’re up against.
Mike: It is Tech Tuesday, my friends.
Steve Ripper: Woo Hoo. Yeah. Tech Tuesday’s here.
Mike: Tech Tuesday, the morning information center with Steve and Dave, all powered today by Portsmouth Computer Group for world-class IT service and customer support. Just go to pcgit.com. Convenient locations in Portsmouth and Dover and also in Manchester and Portland, Maine. Good to have you guys with us.
Steve: Good morning, Mike.
Dave Hodgdon: Good morning.
How Can You Make Your Users More Security Aware?
Mike: Today we’re going to talk about security awareness for your organization. How can you make your users more security aware? What are we talking about here, Steve?
Steve: Well we’re going to try and get it across to them what they’re up against. Because they’re up against stuff. They’re up against hackers who are trying to out trick them.
Mike: You and me against the world.
Steve: It is. It’s you and me, the users, against the world.
Dave: Like the Patriots.
Steve: So we talk about did I go…
Mike: He’s got to throw this sports analogy in.
Steve: No he’s got to throw it in there.
Mike: He’s always got to throw it in.
Steve: It’s us against them. So I go and do these trainings, Mike, and I tell them the very first thing I say, “listen, you guys, you users are the weakest link. You’re the ones that they’re trying to trick. If you don’t give them the passwords, they can’t get in, but they’re going to try and trick the passwords out of you.”
Mike: You’ve provided me with some very interesting statistics. You say cyberattacks are on the rise. The seacoast area here of New Hampshire, Maine is averaging many cyberattacks per day. One in five businesses will suffer a cyberattack this year. 97% of breaches could have been prevented with today’s technology. That’s amazing.
Dave: It is true.
Mike: So all this stuff is preventable. Most of it.
Phishing Scams
Dave: Most of it is, but as Steve just said, it’s coming back. They’re just as…we’re going to use the word “phishing”. They’re just throwing the hook out there. The bait’s there, and they’re just going to see if anyone wants to bite. And they are becoming so creative, so clever on how they’re doing it. I think last week my staff was looking at an email, came to our whole staff saying, “Dave’s throwing a party, and we’re all going.” Dave’s throwing a party? And we’re going, “what’s he throwing a party for?”
Steve: Yes, so that’s…
Dave: But I mean they’re finding creative ways.
Mike: So if people were to click on that, what does that? You say they’re phishing, right?
Steve: Yeah.
Mike: So all right. So that’s an email that’s not true. That just got into your system.
Dave: Correct.
Steve: Right.
Mike: So what’s the purpose of that? What can they get from that if people, if that email’s in your system?
Steve: So they’re playing on a couple of things. The first thing they did was they went to our website, and they did this, so we saw this at several of our other companies as well. In fact, one other company, two of the users went and got gift cards to go and send out. So that’s where the money is.
Mike: So Dave made out pretty well.
Dave: Yeah, exactly. I got some gift cards.
Steve: So that’s where the money part comes, Mike. What they did was they looked on our website and saw that Dave is the company owner because they want to target… They’re working on the fact that the company owner is asking this question. They then sent an email out to all the users in the company and everybody on the email said it looked like it came from Dave and it said, “Hi, I’m looking to throw a secret party and I need your help.”
Mike: Wow.
Steve: “Can you go and you buy…”. So there’s a couple of things working on there. First of all, you think it’s only to you, right? And you’re getting this request to go do something secret so you can’t tell anybody else. And it’s coming from the boss so it must be something that you’ve got to do, and you go get money, you text them, and you send them the money. So that’s kind of the scam. And it doesn’t even involve like a tricky email or links, just a flat out text and just wording it to trick people.
Mike: You know, I cannot believe how many people, and I read about these stories maybe once every couple of months or so. The whole fake email from the Nigerian Prince looking for $10 million or whatever, or one of your friends on Facebook, I see it on Facebook as well, one of your friends is locked up in Turkey, and they’ve asked me to help them out. I’m saying to myself well, why did they ask me? Why wouldn’t they ask their family first? You know what I’m saying? I haven’t seen this high school student in 45 years. But I find out that there are some people that get hooked into this.
Steve: Sure.
Mike: And will play that game and expect to think that well the Nigerian Prince needs my help, whatever. I can make $1,000 with this if I give him so much money.
Dave: Think of the WWE wrestling how people think it’s real, and they follow it.
Mike: What? What? What?
Dave: People are just gullible that…
Mike: Now you’re going to tell me there’s no Santa Claus or Easter Bunny. Don’t start with that. Don’t even go there.
Steve: So it’s not even that Mike, at Best Buy and at Target at the customer service desk they have a sign that says if you are coming here to get a card because someone called you. The IRS, the… Or an email that is talking to you about this, call the police. Do not come and get a card from us. It is not real. They have a sign because people fall for it, Mike, they do. They just, they don’t know.
Mike: I get a call all the time. I get a call on my phone, Dave, all the time.
Steve: Sure.
Mike: And I love the language that the IRS is looking for me. The cops are going to come to my house. They don’t even say the local police. The cops. Who uses the word, the “cops”?
Dave: I got one yesterday that they had my social security number. Please call us to this number. I’m going, please call this number? You have my social security number? But it’s happening daily via the phone, via the text, via the email, and I can’t tell you Mike, that the creativity of how it’s coming in, and they’re just working. This is like the mafia. These guys are being paid.
Mike: So the hackers are one step ahead of guys like you who are the most intelligent in this business. How did they get ahead of us? How did they get ahead of us?
Dave: They’re paid a lot of money in the back end. These people being paid a lot of money.
Mike: I mean, we talked about the ransomware a couple of weeks ago. That was unbelievable.
Dave: That’s basically what this is. This phishing taps…they’re going for the money.
Your Company’s Weakest Link in Security
Mike: What’s the weakest link in security for a company?
Steve: So it’s the users, right? It’s the users, whether they’re using the same password over and over again, right? Or they’re falling for the tricks, right? So these tricks are, they’re human beings, right? So we make fun of them. I don’t mean to make fun of them. A user reads the email. Like I said, it comes from the boss. He or she doesn’t know that it’s not real, right. So we try to educate. That’s our biggest weapon is to try and teach, educate, put systems in place. But you’ve really got to educate the users.
Mike: You know, it’s interesting because I think part of the problem is, and maybe you agree or don’t agree with this, is that we get so much email now that we don’t really pay that close attention to it. I mean I came in this morning, had 165 emails just this morning, and I mean, I know which ones to delete without even reading sometimes. Because I just know them over the years that I’ve worked here and I know what comes in. There’s a lot of stuff that I just throw into trash. I don’t have time to even read it. It’s just looking for stuff and whatever. But I just find it amazing. I think we have so much email now that people don’t pay attention and sometimes they get caught.
Steve: Oh sure.
Dave: I agree with that. And a statistic that kind of scares me. And what’s going on is the average user has approximately four passwords for 50 locations or 50 sites. So that is a staggering…
Mike: So they should have much more than that.
Steve: Oh, yeah.
Dave: It should be a unique password for every site because, think about that, four passwords, probably one is your checking account or something.
Steve: You’re making it easier for them.
Dave: Making it easier for them, and you can’t make it easier for them. And that’s why part of this training that we’re talking about Mike is running a plan to help educate them, but also to give them some tools and thoughts of what to think about when this comes in.
Examples of Phishing Scams
Mike: Give us some examples, Steve, of some of the tricks that get played on some of the users, so they can be aware of this.
Steve: So some of the other ones that we see are…They love to target company presidents, they love to target accountants. Right? And this feeds into what you were talking about Mike, where these company presidents and accountants they’re working super hard really fast, right? So they’re only really scanning the email. They’re getting 200 emails a day. Like you’re getting 160.
So they’ll do things like, they’ll send an attachment that has a PDF in it or a document that’s password protected. Right? So here you have a company president or accountant who is working on deals trying to keep the doors open, keep the lights on, right? And then this document looks like it comes from someone they know because that person that they know got hacked. Right? And then when they click the document, it asks them for their password, and of course, they type it in, they’re busy, right? They’re fast. So this is a type of scam that’s really targeting, it’s not just technical, it’s targeting human nature. They know the way this company president operates, and they’re playing off of that.
Mike: Wow.
Steve: Okay. So that’s one. We talked about the scare tactics where they’ll send one that comes from someone that looks like Dave and I’m an employee. Do I do that? And then, of course, you see the more…
Mike: How do you know not to do that though? How do you know not to do that if it’s coming from Dave your boss?
Steve: Dave doesn’t like to throw parties for us.
Dave: During the middle of the week.
Steve: So yeah, he doesn’t…
Mike: I thought you were that type of person. I thought Dave’s house, Wednesday afternoon.
Dave: Every day, every Wednesday.
Steve: Right, and that’s where the training comes in. We try to train users to talk it out. Don’t keep it to yourself. You try to get over the fear that I made a mistake and I’m going to get called out on it. I’m going to lose this job. You have to get over that. We try to talk the company owners into getting us in to train them. Where we can stand in front of them and say, listen, talk to your other employees. Talk to your bosses.
Dave: Right.
Steve: So at PCG when we got this email, Mike, we all went around and go, did you get that too? And by talking around the room, we all got it. It’s obviously fake. Right?
Mike: Wow.
Dave: That’s one of the things when you do the training that we actually target the training toward a group. So if you’re going to send an email, fake one to accounting, towards sales, toward admin. You want to plan that email, that fake email, we do the security awareness training is send the email that looks like it’s geared towards your department. That you’re going to buy into it. And you change the content wording so when they click on it, the goal right there is letting them know what happened. It’s going to train them and give them a video of what they need to look for next. But what it really does, it’s allowing you and us and the manager to know as a group now next time something happens, they go ask, Hey, is this real? So you got them to understand now they’re thinking about this doesn’t look right. You’ve trained them. Now they’re going to go ask their supervisor or PCG is this right?
Mike: So PCG, Portsmouth Computer Group you guys set up these security awareness training sessions.
Steve: We do.
Dave: We do.
How Often Should a Company Do Security Awareness Training?
Mike: And how often should a company or organization do this?
Dave: I think it should go once a month. But we’ll send… Steve goes and does a lot of these, Mike, that we’ll actually just for a general awareness, this is what goes on. Then part after that it’s going to be a campaign about once a month or once a quarter. We’ll actually send out: change your 365 password, you won a gift card from Best Buy. Here’s an Amazon gift certificate, click here to get more. Depending on the department, we’ll send this campaign out to that group and it comes back and tells us who clicked on it.
Mike: Right.
Dave: Then your ability to educate those persons more and more. Your goal is to get that click right down, and we’ve done our job because again the end-users are the weakest link.
Mike: All right security awareness for your organization. Don’t forget PCG is also holding the next breakfast technology forum. Is that coming up?
Dave: We got it October 22nd [2019] Tuesday at the Portsmouth Country Club.
Mike: And who is this geared for Dave? Companies, anybody who works?
Dave: It’s geared towards companies. Anyone that works. Anyone that is concerned about, as we said, one of those stats, one in five businesses. It’s just a matter of time before you will get hit, Mike, is that we’re going to train you on some of the things you can do and how to prevent the ransomware and crypto as we talked about the big payload.
Mike: All right, that’ll be on Tuesday, October 22nd at the Portsmouth Country Club. What are the hours for that?
Dave: Eight o’clock is registration. The show will be 8:15 to about 9:45. Full of good content and well worth your attendance.
Mike: All right, pcgit.com is where the guys are from. Portsmouth Computer Group, Manchester and Portland, Maine, and Portsmouth and Dover as well. Steve, good to see you.
Steve: Thanks Mike.
Mike: Dave always good to see you.
Dave: Our pleasure.