Security Awareness Training

Mike: We’re powered today by our good friends at Portsmouth Computer Group, PCG IT. For world-class IT service and customer support go to PCGIT.com. They’ve got convenient locations in Portsmouth and Dover and now, of course, Manchester and Portland, Maine. And we welcome to our stage today, Steve Ripper and Dave Hodgdon. Gentlemen, welcome to the broadcast and welcome to Tech Tuesday, everybody.
Dave Hodgdon: Good morning, Mike.
Steve Ripper: We feel privileged. It’s like the hall of fame right here.
Mike: How are you guys doing?
Dave: We’re doing good.
Steve: Doing good.
Windows 7 End of Support
Mike: Good. Well, today’s… I mean, we’re going to get into talking about the importance of security training for your staff, but today is the deadline for Windows 7 users. Today’s the day.
Dave: Today’s the day.
Mike: Today’s the day, right.
Dave: The 14th.
Mike: So this is the last day that Microsoft will support Windows 7, correct?
Steve: Correct. As of tomorrow, they’ll start getting a pop-up alert of what has to happen and actually… So I expect a lot of calls that the machine will come up, they’ll get a pop-up and we’ll see what happens.
Mike: So when you say they get a pop-up, what is that going to say, basically?
Dave: It will basically say that Windows 7’s end of support, no more updates. Make a move.
Mike: Yeah, make a move.
Dave: I haven’t seen the pop up yet, but that’s what…
Mike: Do a lot of people have Windows 8? Because that’s another system that’s out there.
Dave: Windows 8 is still prevalent. I think a lot of people skipped Windows 8 but that is not on the list to retire. So if you have Windows 8, you’re okay for now.
Mike: Yes. CBS News says that it’s going to be supported until 2023.
Dave: Yeah.
Steve: But not a lot. It means some Windows 8s, but the reason why there’s not a lot out there is because Microsoft didn’t sit on that one for very long. Windows 10 came out pretty soon after Windows 8 so it was easy for everybody to skip it.
Mike: So this means, of course, too, that if you have virus protection on your computer, with Windows 7, will that still work?
Steve: Yes.
Mike: Or will you get the virus updates, or no?
Steve: Yes. So your antivirus program will be separate from… If you have a separate antivirus program, it is separate from anything that’s going on with Windows 7. So it will still get its updates, it can still detect viruses. What we’re talking about is the updates for the operating system itself. The actual patches that Microsoft writes and makes for Windows 7, they’re going to stop doing that. So, if a bad actor out there makes something new for Windows 7 that exploits Windows 7, Microsoft’s not going to do anything about it. So that’s what’s going to happen.
Security Training For Your Staff
Mike: All right, so today we’re going to talk about… So this leads into what we’re going to discuss a little bit today as part of Tech Tuesday. The importance of security training for your staff. How can people who are kind of in charge of that department increase the security of their networks beyond the equipment and software?
What else can we talk about as far as… Beyond the software and the equipment, what else can they do?
Steve: So, training. We want to get training, we want to teach the people what to look for and what to watch for. Because we can put the antivirus and Windows 10 has the patches and we put the firewalls. But if the people inside the network still are allowing these things to happen, they’re falling for the scams. They’re using poor passwords and the same password over and over again.
That’s Dave’s big thing. You hear him talk about it every single day. Do you change your password? Do you use your password? What are you doing with your password? So if your users are still doing that, you still have this huge hole in your network because the people don’t know the things that they should be doing.
Dave: I just see it like your kids, Mike. You’re constantly reminding them, “clean your room”, “do your homework”, “go to bed on time”. And if you don’t constantly pound that message to your users, and that’s all about training, you have to remind them, because, as Steve calls it, the bad actors are going to find a different way to get in.
Mike: So obviously you’ve been dealing with the clients that you guys have at Portsmouth Computer Group, and I’m assuming that this has been a long process, a scheduled process, where people have to sort of update their computers and update their systems and everything. And they’ve asked you to do that, obviously.
Steve: Oh yeah. And then, so I’ve been doing training seminars for different companies that request it. So, every company has to kind of reach out to us. We will talk to them about it, but they’re the ones who have to really decide that they’re going to take their employees and put them in a room and give them the training. I mean, PCG wants them to do that, and it’s a good idea, but the company has to decide. You are taking people out for an hour and putting them in a room and you’re going to teach something.
So, that’s a decision they have to make. But yeah, I’ve been going out and doing training seminars where I get up there and I give examples of phishing attacks, security examples, what to do, pretty slides, Mike, of what to do with passwords and terrible passwords.
But it’s worth it, by getting the people to understand what to look for. There aren’t these moments of, “Oh my god, what did I just do? What just happened? Why did my screen go crazy? What is this thing infecting me?” It said I needed to change my password, or it said I needed to pay a bill. It didn’t look right, but I clicked the link. So those are the kinds of things we teach what to look for.
Dave: I really feel the owner/management has to embrace, as Steve said, these training sessions. All these action items we can help with are going to help improve their security posture, help with their insurance rates. But at the bottom line, it’s the data that’s at risk, and you’ve got to invest in your employees to give them the ability to understand what’s out there. That there’s so many things going on and just having that one or two hour luncheon session is so valuable. And then after we do that, Michael, we run what’s known as a phishing scam, after the fact. Did what we went over, what we educate them on, tips and tricks, then we do the fake scam, did it work?
Mike: Yeah. So you’ve always said that you’d have to look over your IT budget and make sure that you’ve got funds incorporated in that for IT and for IT training for this because this is important stuff.
Steve: Yeah. So having a training budget, and like Dave mentioned, there are strategies that companies can use to make it a little less painful on the bottom line.
We do a lot of what’s called “Lunch and Learns”. So the company will go and pick up lunch. It’s a nice thing to do for their employees. They’ll cater in a lunch, I’ll come in and do it during the lunch hour, but they’re not cutting into that productivity time between the non-lunch hours. So, that works really well.
Security Awareness Campaigns
Mike: Yeah, you’ve suggested to run a security awareness campaign. What does that do?
Steve: So a security awareness campaign is where we will set it up where we will match up a campaign for the number of users based on your email accounts. And we will send out this campaign. We will not tell the company or tell the users that it’s happening, and they’re basically fake phishing attempts. And if they click the link, it will actually take them to training materials. We won’t infect their machine or cause a breach, but it will take them to training materials.
But what that does for the company is, is that the person who’s managing this, the point of contact, the owner or the general manager or whatever, can get a list of who needs maybe a little bit more training. Who in the network fell for it? And there’s a lot of strategies you can do around it. You can do rewards. So all the people who didn’t, you get a perfect score, no one fell for it, you can do a reward.
I’ve seen companies actually also be punitive about it where those people who failed, clicked on the links, they’re considered a… So especially you see this a lot in hospitals where they will do something maybe on the second. They’ll run the campaign and if they fall for it a second time, they might schedule a conference and maybe talk with them because it is a security risk. You are allowing these things in by clicking on them and falling for the scam. So…
Dave: There are hundreds of campaigns, Mike. You really want to gear the campaign toward that business. So something that looks viable, that they might click on. You just don’t want to throw anything that means absolutely nothing to that business.
Simple ones like changing your… If we just moved into 365, changing your password. I think we talked about, a couple shows ago, that Dave was going to put on a party, “don’t tell anybody”. It was like a secretive party. You’ve won an Amazon gift card. Do something different towards your sales department. Do something towards your accounting department. Gear the message or the phishing campaign so you’re educating that particular user for what they might be looking for.
Mike: I find those things sometimes pop up on my phone, too, about winning things like a Sears gift card or an Amazon gift card.
Dave: I get the Amazon all the time. It’s spinning away. Yeah, right.
Mike: Is that for real or is that just one of those things that they bait you into taking surveys that you’ve got to buy products eventually down the road.
Steve: So some of them are real, Mike. They’re not valuable to you. They’re probably not giving you a card, but some of them are real where they just want the clicks. They want the likes.
Mike: Yeah, but they said I was the only one to win the Amazon gift card.
Steve: Exactly.
Mike: It said, “They picked me out of…” I mean, why shouldn’t I believe that guy? They say specifically, “Mike, you are the only one today to win”.
Dave: Yeah.
Steve: In the whole country, you are it.
Dave: But then you have to zoom the screen in to see the little writing at the bottom.
Mike: I went click crazy.
Dave: Yeah, of course you did.
Steve: Did you get your card yet?
Mike: No.
Steve: Okay.
Mike: No, no. I stopped it. I stopped it right… I never do that stuff. That stuff’s not real. Come on.
Steve: No, of course not. But on the computers, that is how they do it. They will send a link, they will send an email to the person who pays the bills. They’ll figure out who pays the bills for a company, they will send an email that says, “Hey, your website’s going to go down”, or, “Your email is going to expire if you don’t pay the bill”.
Mike: Good thing I don’t pay the bills here.
Steve: And it is a fake email. But the person who pays these bills panics because they don’t want the email to stop because it’s their job to pay it. And the other thing that they bank on, Mike, is that everyone does everything so fast. You’re doing 50, 80, 100 things every hour. So when you read this email, you are just bam, bam, bam, “Okay, I’ve got to pay this. Oh my god”. And they click the link and they put their username and password in and they’ve given them that info.
Dave: That’s why I call it a bait. I mean it’s…
Mike: And the thing, Dave, everything looks so real. As we talk about the people that try to steal your information, whether it’s ransomware or whatever it might be with these types of clicks here, it all looks so real. So you’re right, Steve. I mean, it’s like we’re in this fast world of technology that we move. Our day is just moving all the time. We’re clicking all over the place, we’re surfing, we’re all over the place and we don’t really…
I mean, I get a couple hundred emails a day. And I kind of know which ones I delete automatically because they’re just a waste of my reading time. I don’t have time to read those, I know what they’re looking for. They’re just not important to me. They’re not important to my job here at the radio station.
But you’re right. I can see how people would click on these things and…
Dave: Well they need to make you look that way because it’s their job to get money out of you. If it doesn’t look good, they’re not going to get you to click. So they will spend a significant amount of time to make this look good.
Mike: No, I bet.
Steve: They will make the emails look exactly like they come from Wells Fargo, from Microsoft, from Dropbox, from wherever, Amazon. They’ll take all the graphics from the actual websites like Amazon and Wells Fargo or wherever and they will make that email look exactly like it.
So, when I do the training, Mike, I bring in examples. So I tell people what to look for. Email addresses that don’t look right. If it comes from Microsoft but it’s not a Microsoft email address, how could it be from Microsoft? So I teach people to look for that.
I teach people how to hover the links. Teach people what to look for in it. If it’s bad English. You have to read it. You can’t just skim over it. You got to read it and if it comes from a coworker, if it looks like it comes from a coworker, a lot of times I try to teach people to, does your coworker write that way? Does your coworker… Dave has a style. If I get an email that says it’s from Dave and it’s not the way he writes, I’m immediately suspicious because I’ll look at it and go, “Dave doesn’t write emails like that to me”.
So I try to teach people to look for those types of things. There are definitely cues and clues.
Mike: So these hackers are that good, huh?
Dave: Oh yeah.
Mike: They’re that good.
Steve: So, it’s profitable for them, Mike. So as long as it’s profitable…
Mike: That’s why you’re in it to do these bad things.
Steve: It’s very easy for them to put together one of these emails and kick it out to 100,000 people. And if a thousand people fall for it, that sounds like not a good percentage, but if a thousand people fall for it, that’s money that they’re making and for really no effort whatsoever.
Mike: Yeah.
Steve: So that’s what you’re up against.
Mike: Final word, Dave?
Dave: I think my tip of the day is run a security campaign on your business and get an idea of where your staff is at, and from there, that might give you the ability of, “Wow, we really have some weaknesses here” or, “We’re in pretty good shape”. And if there are some weaknesses, give PCG a call. We’d love to do a custom training, and as Steve said, go over the tips for phishing, malware, what things to look for, and invest in your staff, they’ll appreciate it.
Steve: The security song and dance. I call it the security… I get up there with the Vaudeville Show.
Mike: I like it. I like it. Important stuff. Important stuff from the tech guys from Portsmouth Computer Group, Steve and Dave, thank you guys for coming in. As always, Tech Tuesday, always fun to get the information.