Security Awareness (Podcast)
This episode of PCG Tech Tuesday focuses on security awareness. Learn how the right training can bolster security efforts throughout your organization. The more your team is aware of the risks, the more likely they are to follow through with best practices.
Dave Hodgdon: Welcome to PCG Tech Tuesday. I’m your host, David Hodgdon. I’m here today with Steve Ripper and today’s topic is about security training and the value it brings to your company. Good morning, Steve.
Steve Ripper: Good morning, Dave. How are you?
What Is Security Training?
Dave: Excellent. Excellent sir. So Steve, we know security’s top in mind for many people. Explain to me what really is security training.
Steve: So it’s training on the topic of security. We’re going to get together with you and we’re going to train things, like do you need to be thinking about passwords, the things that are coming after you, the bad people who are trying to reach you, MFA, phishing examples, a lot of the things that you need to be and your users particularly need to be worried about so that you are better presented and postured for security events that are out there. Because the people are just as much a part of the solution as any of the technology that we would apply to it.
How Often Should You Do Security Sessions?
Dave: How often should you be running these security sessions, Steve?
Steve: So at least annually, but we would recommend something along the lines of automated security training quarterly with a live or at least a remotely live proctored session annually.
In-Person Vs. Remote Training
Dave: Should this training be on site at the company or done remotely?
Steve: So both can be done. I actually did a training once where I trained people on how to do Teams, which is a product for remote sessions and meetings. I actually trained the product during a remote training. There was a lot going on; all the users were trying to figure out their cameras and their microphones and it was a lot of activity.
Dave: So being prepared is a big problem, right?
Steve: Yeah. Literally the night before, the point of contact had bought them all cameras and shipped them all to them that day.
Dave: Right.
Steve: But no, we can do live. Our trainers get to walk around the room, interact with people, point at the screen, do PowerPoint, but we can do it remotely too. One of the nice things about remotely done sessions is that you can share any type of screen, whether it’s a proof, whether it’s a PowerPoint kind of a thing or a diagram or even some emails as good examples. So there are good reasons for doing it either way.
Pre-recording Remote Training Sessions
Dave: And I would think, Steve, onsite is great, but not everyone could be there because of the remote workforce. But this, like anything, I assume it could be recorded or they could be engaged.
Steve: Yeah. Many times we record the sessions and I’ve even done ones for companies where they’ve done multiple sessions to get around the scheduling that happens for people. We might have one on a Tuesday and one on a Thursday and then people will just sign up for whichever one that they are able to attend.
Benefits for Employers
Dave: What do you think are the top benefits the employees are seeing with these sessions?
Steve: So awareness is the word that we use all the time. I always tell people the weakest link in the security posture is the users. I’m not sure if they like hearing that, but it’s absolutely the truth. We, the IT people, can put all kinds of things in there that cost a lot of money, firewalls, spam protection software, antivirus, EDR agents, all kinds of automation that does it.
But if a user lets the bad people in, if they allow, they give away their password, Dave, they click on a link that allows them to come into the network, then all of the money and all of the effort that we spent on the technology really doesn’t help because they let them in.
So you’re looking for awareness, you’re looking for the users, the people who are literally using and accessing the network. We want them to be part of the solution.
How Real-Life Examples Help With Security Awareness
Dave: And I would think in today’s role of the user itself, giving them some real examples, speaking in terms of English that they can understand?
Steve: Yeah. So a lot of times when we do the training, we really try to talk about it. We’re not doing a lot of tech speak, tech speak about what’s going on in the firewall or what’s going on with these types of hacks. It’s not worth it. What we’re really talking about is things that mean something to them.
This is the type of email that you’re looking for because this is why they’re sending it to you. They’re trying to trick you. And so a lot of the users will come away from the sessions. The biggest feedback I get, Dave, is that now I understand what I should be looking for.
When you explain to me the type of trick that they’re tricking me into, why they’re doing it by getting their password, my password, that they can then log in as me and then figure out how to talk to others of my coworkers. They’re like now I understand why I’m looking for that and I have a better sense of when I get that type of email, why I should ignore it and why it’s okay to ignore it.
The Importance of Ongoing Education
Dave: Just like we’re always teaching or reminding our kids, clean the room, clean the room, security training you just can’t do once and it’s done. Once you do training, what’s the big thing that is important for ongoing education?
Steve: Yeah. So I get this question a lot. If we did it last year, why would we do it this year? And my answer to that, Dave, is that, so when I do it again for you a second time, I’m aware that I did it last year. What I’m really focusing on, I’m going to spend less time, I’m still going to drill in that you should have complex passwords and not reuse them, but I’m going to spend less time on that.
And in the second session, third session, every year, what I’m going to do or what we are going to do is we’re going to spend more time talking about the latest types of hacks because it’s constantly evolving, it’s changing.
So what we really want to do in the later sessions is say, now that you have the fundamentals, what we really want to talk about is these are the latest types of things that you should be aware of, you should be watching for that we’re seeing out in the wild. And so people are constantly coming away with a new set of what’s going on. So they’re just as aware of what’s going on as the hackers are aware of ways that they could try to get to them.
What Does Security Awareness Training Cover?
Dave: Right. I see training from a business standpoint as that you’re trying to protect your business’ reputation. You’re trying to protect your data and your assets. And I feel with security training, your weakest link is always the employee. And most hacks now are getting through the employee, like 67% are happening through the remote workforce. So I mean, we just need to always emphasize this to the audience. What do you feel are some of the top topics during the training session?
Steve: Absolutely. So just on that point, Dave, a lot of companies and a lot of users have this idea that the hackers are hacking things, that they’re going to try to guess their password, that they’re hacking and they’re trying to crack it using computers.
And that’s not really what’s happening out there. What they’re trying to do is it’s way faster to just trick the people. If I can get you, Dave, to just give me your password, it’s way faster and way more efficient. So that’s what we’re seeing. So a lot of the times when we’re doing these training sessions, we’re talking about phishing examples.
We’re talking about the ways that they try to get you to give up your password. We’re talking about ways that you can protect yourself, particularly MFA. We haven’t talked about MFA in this session. But MFA, that idea that you also give a code in addition to your password when you sign into things from maybe mostly your phone, your device, keeps the bad guy out, so even if you make a mistake, they still can’t get in.
So we talk a lot about that, ways that you can really solve this problem but at the user level. Because we’re already doing the hardware level, the software level, we’re doing the technology level, we want to give ways for the users to also protect themselves and be part of it.
Dave: Yeah. You’ve seen a huge trend of people, they didn’t like MFA four or five years ago, but it’s becoming natural. They have to embrace it and we’re seeing that going forward.
Steve: It takes time for them to just become used to the practice of it being another thing they have to do. But once they do, it’s all right. That’s fine.
How Training Helps Reduce Risks of Phishing Attacks
Dave: We always hear that word phishing and just briefly to our audience right there, explain to them what phishing is and how security training will help those threats.
Steve: So phishing is the idea that if they send you an email that looks like one that you would get normally in the course of your day, if it mimics your bank account, it looks like it comes from your bank, it looks like it comes from Office 365, it looks like it comes from Spotify, JetBlue, Amazon is a big one.
If it looks like it and it’s asking you to change your password, but it’s actually fake, you’re predisposed. You get these emails and you’re like, all right, I got to do something about that. I got to fix my Amazon password. I have to fix my Office 365.
Or maybe you’re someone who’s in charge of something for your company, maybe it’s your role to make sure that the website is paid for and doesn’t go down. If you get an email that says the website’s password is going to expire, you haven’t paid your bill, you are predisposed to quickly not think about it, do something about it. That is what they are leveraging. They are leveraging that we are so predisposed to very quickly click on the link, solve the problem that has popped up in my inbox today right now. And we all very much have a mentality of, if I don’t do it right now, I’ll forget about it.
Dave: Right.
Steve: They are preying on that. What you are actually clicking on is not a real website. It’s not from Bank of America, it’s not from Amazon. It is fake. And when you’re clicking it and typing your password in, you are then giving them your password-
Dave: The keys to the kingdom.
Steve: The keys of the kingdom. They’re not really having you log into Amazon. What they’re doing is they’re recording whatever you typed in for your password. And then the last thing I always tell people in these trainings, and some people always go a little white because they realize it’s true, if you’ve used that password several times, Dave. You used it not just for your Amazon, but also for your bank account, also for your JetBlue account, also for your Office 365 account, they’re going to try all of those. Why wouldn’t they? Why wouldn’t they try it across a whole bunch of things? And if you used it several times, now they’ve hacked all of those things on you.
So to answer that last part of your question, Dave, we are, in the training, trying to point out what these look like, be aware of these and trying to teach a culture that says it’s okay to question it. You don’t have to just click right away.
Dave: I feel that’s a win if they question or go to someone on their team or call us and they say, I’m questioning this. We’ve done our job training.
Training Starts a Company Dialogue About Security
Steve: So security training, when I’m doing the training, is about starting a dialogue. We’re starting, the whole company is starting a conversation about what security looks like, what everyone needs to be thinking about. And then from there, people then, because the minute one user leans out of the cubicle and goes, hey, did you also get that email? It’s up. Right?
Dave: Right.
Steve: You’ve kind of pulled the curtain back on the tricks that they’re pulling on you. The user goes, hey, I got that too. So now what are the odds that both of you got it?
Dave: And these guys, as I call them, the bad actors, it’s almost like the mafia, the old days, they are just vicious. And we know a lot are overseas and they’re just there to hunt. And I always try to explain to people, they’re not really picking on you. That’s why they call it phishing. They’re just throwing that hook out there and hope someone bites.
Steve: We call it … Dave, we call it a numbers game.
Dave: Yes.
Steve: If they send 5,000 of these out and 500 people answer it, that sounds like a terrible percentage. Doesn’t matter. They got 500 hits.
Dave: Right.
Steve: It’s a numbers game.
Bottom Line: Security Awareness Helps Your Business
Dave: And we know with our security, it’s always the training, which is a key component. But we always follow up with security awareness training, which would be one of our topics that we talk about. And we find another huge value of these training sessions is that it really helps with your cyber insurance rates. Steve, we’ve about wrapped up our time. Any closing thoughts on security training?
Steve: No. You got to have the conversations. You got to book it. You got to get us in there. Happy to stand in front of people, happy to do it remotely. Done them hundreds of times. But the conversation’s the thing. You got to have them. You got to start talking about it. So how can you expect a user who you’ve spoken to for not one minute about this, how can you be upset at them because they fell for it?
Dave: Right.
Steve: You can’t because you haven’t talked about it.
Dave: Right. But your key, just open communication. Steve, great session today. Thanks again for tuning into PCG Tech Tuesday. Everyone have a great day.