Press & Interviews
Ayman Elsawah is a keynote speaker, podcast host, author, and practitioner. He’s worked with some brand-name companies and takes a HUMAN approach towards security.
Speaking Topics
I’ve been in the security industry for 18 years and in technology altogether for 22 years. I’ve seen a lot. I’ve worked in almost every private sector industry, including Media, Financial, Healthcare, SaaS, and more.
Below is a list of topics I’m passionate about:
- 🚀 Minimum Viable Security at Startups. Going from Zero to One.
- 🏗️ Building Security Culture - Going beyond security awareness training
- 💾 Technical Topics
  - Identity and Access Management - SSO, RBAC, ABAC, and more
  - Zero Trust (I’ve been screaming from rooftops about this for 5 years now!)
  - AWS Cloud Security
  - SaaS Security and how it’s a HARD problem
  - Operational and IT Security - MDMs, Endpoint security, Shadow IT, and SaaS Security
- 🪜 Anything Career
  - How to get into the industry from nowhere
  - Transitioning into the industry from a technical role
  - Hiring Talent
  - Hiring CISOs
  - Org structure, failures and successes
- 🚒 Incident Response
- 🧠 Mental Health in Infosec
  - The care and feeding of security people
  - Burnout, why it happens and solutions
  - The intersection of Neuroscience, Empathy, and Infosec
  - Here is an example: https://www.youtube.com/watch?v=cTKkAfVoCSQ
- 🔥 Hot Takes on startup security and security management
  - Why we’re doing it all wrong
  - Checkbox security vs REAL Security
  - The lack of diversity in security (in thought and/or everything else)
  - The token security hire
  - Curmudgeon Security and how it’s failed us over the years
The Imperial Security Bureau w/Blake Williams
This was a super fun interview with Blake Williams.
Hacker Valley: Building a vCISO Business
Cyber Ranch Podcast
Had an awesome conversation with the amazing Allan Alford on the Cyber Ranch Podcast!
vCISO Chronicles
Was invited by the excellent Caroline McCaffery from ClearOPS.
SC Media Interview
I was interviewed and asked what makes a good cloud SIEM. At the time, most SIEMs were not cloud ready.
Tribe Of Hackers: Blue Team
I had the honor of contributing to this excellent book and provided my input from real-world experience helping startups in the SaaS space.
No BS Cybersecurity Interview by James Farrow
Transcript: No BS Cybersecurity Interview James Farrow & Ayman Elsawah
RSA: How Do You Protect Data on Endpoints | Cybersecurity on the Street | Interviews
RSA: How do you protect your remote employees? | Cybersecurity on the Street | Interviews
Interviews
How Internet Safety Experts Protect Their Kids Online by CyberFareedah
Webinars
How to Ace SOC 2 for SaaS Scale Ups
Hosted by Sprinto, I was asked to give a talk regarding my experience helping companies with their SOC 2.
Wizer: What You Need To Know About Restoring From A Backup
MC’d by Brian Haugli, I was invited to talk about the importance of restoring your backups.
Wizer: What is Phishing Simulation and should you phish your own employees?
A great discussion where I share my thoughts on whether or not to conduct phishing tests on your employees.
Guests:
- Shayla Tretwell
- Doug Meyer
- Alexander Stein
- Chris Roberts
- Ayman Elsawah
- Gabriel Friedlander
Transcript (auto-generated)
0:04
all right we're up we're running we're good to go um 2021 hey this is actually how did you think
0:10
about this is actually the first one for 2021 or is it no second one first one i have no flip include 2021 started welcome to another Wizer
0:18
webinar um this one's going to be an interesting one because we are going to have a long
0:24
conversation about to phish or not to phish um we're going to look at it from the tech standpoint the human standpoint the
0:29
psychology standpoint the neural standpoint and all sorts of other things um
0:34
as always uh sponsored by our uh the folks over at Wizer and Gabriel is actually joining us for
0:40
this one as well so that'll be kind of fun and for those of you that are listening in and hanging out and watching our ugly
0:46
mugs on screen um we will be keeping an eye on the questions uh we will be having conversations with everybody so
0:52
feel free to ask away and with that i'm gonna shut the heck up and i'm going to let everybody introduce
0:58
themselves ladies first please if you wouldn't mind
1:03
sure my name is Shayla Tretwell i'm the executive director of governance risk and compliance at ucs federal
1:10
i also own a uh security awareness company not training awareness company
1:15
named sincia and um what's interesting about me is that not only do i have an infosec background very used to anything that
1:21
does with the second line of defense whether it's uh integrated risk management things of that nature training and awareness but i
1:27
also an organizational psychologist so the human element is the most important element for me
1:32
and uh that's how i'll be approaching this little talk that we're having today awesome thank you and appreciate it doug
1:39
you're up sir well hello um Doug Meyer director of information security and data governance
1:46
at Gordon Rees LLP we're a nationwide law firm in the united states
1:51
i manage the information security program and um in its many aspects including our
1:57
phishing awareness program and that's part of what we do
2:02
did we let a lawyer in i'm not a lawyer i don't play with tv
2:11
Ayman you're up sir hi i'm Ayman Elsawah founder and chief vCISO at Cloud Security
2:17
Labs i help startups get their security programs leveled up and in place and so
2:25
uh happy to be here awesome thank you Alexander sir you're up hi i'm Alexander Stein i'm
2:33
an expert in human decision making and behavior and the founder of Dolus Advisors so we
2:39
advise ceos boards and senior management teams in organizational issues but with
2:47
complex psychological underpinnings and i am a trained licensed and accredited
2:54
psychoanalyst so i joined Shayla here on team human and i'm always emphasizing
3:00
the psychological elements of why people do or do not do what we expect them to
3:06
awesome thank you Gabriel sir last but definitely not least hi i'm gabby ceo and founder of Wizer
3:15
so this webinar is a result of us advisor working on rebuilding our
3:22
phishing simulation and Chris we've been working hard on new templates and we had a lot of
3:27
very interesting discussions so we wanted to share some of our um
3:34
things we spoke about with everyone else because there's a lot to consider when thinking about
3:41
phishing so i'm really really excited about this webinar cool
3:48
well we might as well leap into it with both feet let's be honest i mean the first question that we chucked up on the
3:54
on the website might just be the first one that we actually go through so phishing is is this a good thing or is it
4:02
not necessarily a good thing and then we can explore the yeses and why's and here's and those and all those kinds of
4:07
things um i'm actually going to start with Ayman if you don't mind sir and then we'll go yeah i'm putting you
4:13
on the hot spot first because you've got the human stuff and we've got two other humans and the rest of us are basically apparently a bunch of legal folks and a bunch of geeks
4:21
yeah yeah like you know i have a lot to say on this on this topic uh so yeah you know my my approach is
4:28
uh you know if you're going to do a phishing campaign uh don't set your employees up for
4:34
failure right so we all know that you know the big justification that people say
4:39
why they should do it is oh well the attackers do it well yeah that's true the attackers do do it um and so are you preparing them if an
4:46
attacker does do a phishing campaign um you know do you do do you have them
4:52
um do they know what buttons to press to report a phish do they know where to
4:57
uh send uh you know is there a security@ or is there a phishing@ email for them to notify people of a
5:03
phishing you know a campaign things like that um so if you're gonna send the phishing campaign
5:09
uh you know they need to be prepared on what to do and then of course definitely stay away from like certain
5:15
topics i've seen some failures myself firsthand uh of of people sending bonus emails
5:22
during you know end of year and people got people's feelings are hurt and and i would recommend using a lot of
5:29
empathy uh and emotional intelligence in your you know uh because sometimes i mean you gotta
5:37
put yourself in their feet right uh and i'll defer to the psychologist for for for that but you know like using a
5:43
good amount of emotional intelligence and empathy and um uh just
5:49
compassion for them uh you know at the end of the day you're trying to educate them and have them do better and you're not
5:55
trying to like get get them and bait them out there and my minute is over
6:01
jay go for it okay so um this is actually a very interesting
6:06
question and get asked all the time and i actually am a fan of phishing your employees um however i will say with the caveat if
6:13
you're going to do it you have to do it right um if we're going to use phishing as an awareness activity
6:19
that i believe very strongly that you should do it we all understand that phishing is still uh the number one way
6:24
that our adversaries are actually getting to our various networks so therefore it's something that we should be worried
6:29
about however if we use it as a red team activity i don't agree with that don't red team
6:36
to people and then punish them afterwards um so especially when it comes into building um
6:41
punitive uh repercussions for those who do end up falling victim to phishing
6:47
simulations and things of that nature i i want organizations to really think about that it's not something that i
6:53
encourage however i have worked with organizations and i've built three programs for people who could potentially even
6:59
lose their job after clicking on a phishing simulation however i put a lot of onus back on the
7:04
security team because we have to ask ourselves the question have we done everything possible to ensure that our people know what's right
7:10
and what's wrong because i have worked with a lot of douchebags that turn around and say you know what i know it's a phishy email i'm
7:15
gonna click it anyhow um because i work on the security team that's that's not cool so you kind of do
7:21
need to be punished for that kind of stuff but at the same time when we're looking at holistic enterprise-wide phishing
7:27
programs i think it's a good thing but don't even touch it if you're not going to invest the people time or effort into
7:32
doing it the right way that seems to be a common theme and it's
7:38
something i definitely didn't want to dig into i'm actually looking through Gabriel put a post out about this last week and
7:44
uh i'm i'm hoping phil is floating around here somewhere because i want to have a conversation with him about it
7:49
i'm actually gonna i'll i'm in your camp but i will play devil's hand about a couple of times in a minute first before
7:55
we get devil's advocate stuff alexander if you don't want to go for it i want to see where your thoughts are on this too so
8:02
um the webinar is teed up by its title uh a great lead in here
8:09
to look at what Prince Hamlet might have to say about cyber security and phishing right
8:15
so what comes next in that famous soliloquy wave to be or not to be uh to dream for chance to dream
8:22
um there's the rub uh must give us pause so he's not just being risk averse
8:28
and he's not just indecisive i would say in this context he's talking about consequences and
8:34
specifically the unintended consequences and you know to the points that are being made if you're going to implement
8:41
any kind of tool which a test a phishing test is you have to know what is your purpose
8:47
and what are the outcomes and how can you manage what those outcomes may be
8:52
the other thing that i'll say in this brief introduction is that it's critical uh to make a
8:59
a distinction between situational awareness which is typically what cyber security teams are thinking about
9:06
and self-awareness which is really the operative um human function psychological function
9:14
uh or mechanism that's at play in terms of what people are doing and what they're
9:19
aware of or not aware of doing and the phishing test itself does almost nothing
9:25
to assess or address self-awareness and that's a missing link here in the
9:31
whole system got it i actually um Gabriel and i had
9:38
this conversation about uh about hamlet Gabriel i Gabriel asked me to edit
9:43
the original title and topic for this one so we had those you know to be or not to be one i put a post out and actually i ended up
9:49
doing a techie version of like the next half a dozen lines of the soliloquy as well one day i actually want to go through
9:54
that whole damn soliloquy and geek it out just for fun games but that'll be one evening when i'm trying to avoid doing work on other
10:00
things all right so we've got the question i was looking forward to that came
10:06
in from doug i'll hit you in a sec but i'm gonna hit you with this one we got the question that came in on this one bad guys aren't nice
10:14
bad folks don't care about your emotions they don't give a fine fudge bar as to
10:20
whether you are aren't going to get the bonus at the end of the year GoDaddy being the perfect example on that one
10:25
we'll hit that one a little bit they don't give a damn about whether the cat died the dog died
10:31
or anything else their job is simply to get you to click the down button no matter how and no
10:38
matter what they use and what mechanism they used to do it in doing so how close do we
10:46
have to get to that line to try to educate how do we how do we balance this this is a it's a
10:51
really tough one Doug i want to throw this at you it still goes back to the to to phish or not to phish but how close
10:58
to that line do we have to get um and then how much education do we do before we get to that line and can we
11:03
get to the line all those other good things go for itself yeah well first response is we have to
11:09
do a lot of education when we're rolling out or continuing a phishing program to be respectful
11:16
to our employees and i think part of what i'm hearing so far is based
11:22
on an assumption at least somewhat that phishing programs are 100% effective
11:28
and i have yet to see proof of that yes they do in reduce the risk but and here's my point
11:34
security is a business as a ciso that's my point of view we have to show value and it's really tough to show
11:42
value of when you're trying to quantify risk avoidance so risks avoided we can try to quantify it but it's
11:48
really tough i think the trade-off um unfortunately for having a very
11:54
effective phishing program like you're talking about Chris we really you know take on the role of the bad guy in the
11:59
pursuit of making the business safer the the unfortunate result is that we
12:05
end up alienating our employees i often say this people my attorneys and
12:10
staff at my firm do not come to work to be phished they come to work to
12:15
make money for the business to settle court cases they don't cut and they also don't come to work to do two factor they
12:20
don't come to work to have to have their passwords reset on a rotation basis we do a lot to sort of chafe at the
12:28
um our perspective as security pros and i think we've got to look at that too
12:33
and that's one reason why um perspective of us generally is not great is one reason why
12:39
our tenure usually is only from 18 to 24 months in any particular organization
12:46
here's a thought on this one i'm actually gonna so let me counter on this one you i i would agree ish
12:53
10 years ago 15 years ago it really was it was everything fell on our shoulders no two
12:58
ways about it you know the security the passwords the identity access and everything else then some bugger came up with these
13:04
stupid things called telephones that have all the functionality of a small computer that can do
13:09
absolutely everything and we handed them out like candy we still hand them out like candy and we've done it without any warning
13:16
sites we've done it without any education and we've done it in the assumption that
13:21
the poor users might go i know exactly how to use this and i know how to keep myself safe online
13:29
the challenge i feel today is security is everybody's responsibility you're right your legal team come to
13:35
come to work to to get the [ __ ] done to do it but as part of that they have to be responsible and respectful of their clients data
13:41
which means they have to understand how to protect it more effectively especially in this day and age and that
13:46
means understanding to 2f and everything else it also understands it also to me means that they have to
13:52
understand they're a target let's be perfectly honest you've got people like me who are advocating
13:57
stop attacking healthcare systems stop attacking all and go attack the lawyers don't beat the crap out of the lawyers
14:02
because the lawyers have got more information the lawyers have got these treasure troves of tons of data that quite
14:08
honestly is an adversary i'd love to get my hands on um and so to me every single person
14:15
inside that organization has to understand there are targets and how do we convey that effectively and that's
14:23
part of the whole awareness as well as the bigger thing about security as well um Gabriel i'm a third of you and then
14:28
we're going to do a bit of a robbery fun thing we got a bunch of questions coming so Gabriel go for it so look you know criminals
14:34
have no mercy right like they can go far and beyond like even the examples that i will give
14:40
now you know and we just can't they will probably always have the upper hand because they have no mercy you know they
14:46
can send us extortion emails you know i don't i can't imagine doing that to employees
14:53
so we can't actually simulate we need to do one of those we we've got
14:58
to please please let me put a sextortion a sextortion one together just for shits and giggles i want to see how
15:04
it is you know made by Chris and you know yeah
15:09
but uh but here is the thing you know like we probably have our red lines to all of
15:16
us and what eventually happens in many cases is that we train employees to detect a
15:23
specific vendor's phishing templates and they're very good at it you know you can see that employees oh there's a
15:28
phishing simulation right now running they can spot that they know how to distinguish the simulation than the real
15:34
thing because the real thing is like more you know it's higher level than
15:40
what we can do sometimes as vendors you know Chris we worked hard writing those templates and we were
15:45
ruling out we had some nasty ideas and we were playing around with them but we just couldn't yes we can we know how
15:53
to write those templates but there is a point where we say you know this is too far it was actually
15:59
very very very hard and i think we succeeded it was very hard to come up with phishing templates
16:05
that will still get people to click but are not you know won't harm people on a personal
16:11
level because that's where i think the red line is um and and we i know that you know what
16:17
my time is run up uh i have more to say but i'll say it you know we will circle back through
16:23
everybody there's some really good questions all right so let me let's take a step back let's take a step back from this for a
16:28
second we know we we know well we hope that in the most parts people do
16:35
the phishing campaigns for education but why else are we doing these damn things are we using it for metrics
16:44
are we doing it for anything are we doing it to justify our existence are we doing it to justify the bad guys are continuing to attack us are we doing it
16:50
just for the pleasure of abusing the hell out of the users why are we doing doing this
16:56
why do we continue to do this Alexander i'm throwing this one at you first sir if you don't mind
17:01
uh i wish that i could speak for the reasons why they do it maybe then i would have more influence
17:07
over changing the course of things it does seem to me that by and large the the test
17:14
is to see what people don't know uh rather than to understand what they do
17:22
know and then to help them build on what they can know better to mitigate the risks and make fewer
17:29
mistakes so you know just to circle back uh to one element that we passed over a
17:36
few minutes ago when you talked about how the attackers are not interested in people's emotions
17:42
so i i think the refinement that i would add to that that connects to what we're talking about here
17:47
is that uh attackers don't care about people's emotions but they're only
17:54
focused actually on people's emotions that is the centerpiece of social
18:00
engineering is manipulation of course those emotions that is what a stressor event is
18:05
and that's why it works and so part of the trick here is for organizations to help all of
18:11
their users and their workforce understand more about how they respond emotionally rather than
18:18
continuing to disconnect emotions and cognition as if you know we all have cognitive
18:24
mastery and if you learn what you need to know and not do then that's the end of the problem it's
18:29
actually only a piece of the situation yeah that makes sense anybody want to
18:35
follow on from this i'm throwing this one open to anybody that wants to hit this one i want to
18:40
look at one why do we do this go for it the easiest why that i can think of just because i live in this world is because
18:47
people told us that we have to um well but i'm just being so serious so
18:53
from from a compliance perspective i don't care what you have to adhere to from a regulatory perspective or any
18:59
prescribed framework awareness and training is going to be included so a lot of times we do stuff
19:04
just because people say that we have to and people think it looks cool and that's the honest that got through
19:10
god i hate it but you're so [ __ ] right on this you're so right and this is what pisses me off okay to that exact point
19:16
if i teach you if i take you aside once a year and say don't click [ __ ] don't send [ __ ] here's three examples
19:23
you'll remember it for a few days until craziness happens again and then and then we're screwed and then it's
19:29
useless you've got the tick in the audit box and the compliance box congratulations you can feel good about yourself
19:34
but that's it it's worse than useless it's that false sense of security and
19:40
this is you know again that's why i love hanging out with Gabriel on the team it's the whole continual shenanigans of like okay let's
19:46
continue to educate and help people all right Ayman you're going to hit on something of this one yeah i mean you know there's a there's a
19:53
couple of things so one sometimes your boss expects you to do it so you know say you're a new ciso
20:01
and and your boss might uh be the ceo or cfo whoever may be and
20:07
uh they expect you to to do it like hey why haven't you done any phishing campaigns and you're going to tell them well we shouldn't be doing
20:13
so there's that's one but two i think you know there's a big lack of data a metrics
20:19
that we have in security overall in general uh we we struggle with like measuring
20:25
things and so doing a phishing campaign helps us measure something it might not be the
20:31
right thing uh it might not be the you know the thing but like we are we are there's a drought of of
20:37
data in in our just day-to-day stuff so you know uh it it's tough
20:45
it's tough so i think that's why to touch upon why we do things you know we're just grasping for things
20:51
now if we uh were a little more wiser we'd understand that the main goal is to
20:57
educate people so hopefully you've done the education before you've done the phishing campaign and heck
21:02
you know if you've done a good job maybe you'll warn them hey then in this quarter we're going to do a phishing campaign and you don't need to phish them every
21:08
quarter i think i think that's like just kind of that's wild like once a year
21:13
maybe depending on the culture again it comes back to culture i wrote a whole article about this
21:18
and one of the things was understand the culture of your organization are you a bank or are you like scrappy startup or you
21:26
know or someone in the middle so you know just understanding your culture will help a lot Doug what you got on this one
21:34
sir i'd say understanding your culture is very key for any security program in any
21:41
organization um so piggyback on him his comment there and i
21:47
i do believe that you know most phishing um simulations that are running these days are fairly sophisticated that they're
21:53
generating the reporting that you can provide upwards and outwards showing that you're reducing in some measure uh the phish prone
22:01
uh amongst you and you can do that by hypodirectory groups and such and so i
22:08
mean we can show that it is effective my point is is it is the value proposition there
22:14
there's so many things that we have to do as security organizations um uh time and resources is required
22:21
to maintain an effective phishing program over time so i mean we
22:27
look at the balance of things um spending 50 percent of our time on our 20 of our time on a phishing
22:33
simulation program means that we're not spending that time with something that's also going to protect and defend
22:40
the company against adversaries i leave with this comment too is sort of like this nagging question
22:45
that's been in my mind is when somebody says do you phish your employees
22:52
it's almost like they're saying are you still kicking your dog i mean there is no good answer right i mean because if
22:57
you say there is a good answer but if you say yes then you're in a defensive position of saying well the reason why we um alienate our
23:04
employees on purpose is because good reason good reason but if you if you say no and this is what i'm
23:10
wondering about you say no can you also say the reason we don't is because we have more effective
23:15
strategies we utilize our phishing and email gateway effectively we utilize
23:21
in-context messaging to provide alerts um we recognize when
23:26
somebody is getting an email from somebody they haven't gotten before or where there's one letter off
23:32
in a in a to addre a from address i i just wonder like i don't know the
23:38
answer to this question of whether we should phish or not but i do know that the feeling i get when somebody asks me do you phish
23:44
your own employees is not a great one so i think you know what we seem to be hearing a lot and this is this
23:50
this is actually that's a really really good point uh there's a really nice message from candice on here which and
23:56
she's an advocate for the phishing and i totally get i totally understand that she's like look we've taken our vulnerable employees those that
24:04
continue to click from four to twenty percent down to four percent great love it totally awesome
24:09
but that's still four percent if i send out a thousand messages 40 people are going to click that is now
24:16
40 front doors that i can walk straight through if that is your sole
24:21
or that is your primary defense you're screwed you might as well just pack up shop now and just hand me the keys to
24:26
the front door because unless you assume that somebody is always going to click something unless
24:32
you assume that the big hairy nasty ass thing is already inside your organization and you still sit in there with that
24:38
primitive this is this whole thing and we've had these conversations before about this well i've got my perimeter i'm going to defend it no you don't
24:43
notice this freaking thing these days doesn't exist have a nice day i'm already on the inside how are you
24:50
going to know so for me it's less it's about the phishing stuff and it's much more about the education to me this is
24:57
the stuff that Gabriel and al i mean we've been battling back and forth because he's right we put some nasty ass
25:03
phishing messages together and he's like can't use those you know i don't nasty [ __ ] i will tell you that
25:08
you're kid i'll do my research and i'll tell you that your kid's got problems at school and you need to download this report i'm
25:14
going to tell you your significant others in hospital before i give a damn your click ship as far as i'm concerned
25:20
and that's not the example i want you to learn i want you to ask more questions which means i want to educate you first a lot um
25:27
yeah it's just how does it add to this yeah go for it also about the goal like you said you know like the
25:33
four percent is the goal to get to zero if yes at what cost is you know ruining
25:38
the company culture so there's also an roi at the end of the day for you know for trying to achieve that
25:45
target we just have to put realistic goals for ourselves like people will if you know some people will
25:52
click doesn't matter how much we teach just like their car accidents you know like we cannot rule out car accidents in this world
25:58
like totally just can't can i just happen right there quickly
26:04
totally this is where i struggle because a lot of times
26:09
um well there's a couple of things one from a risk perspective when you're mitigating any risk you're
26:14
never going to hit zero that's the end of it you're always going to have a percentage of people that are either going to get in or click
26:20
or do something so we can't mitigate the risk away um the second thing is from a phishing
26:26
perspective we focus so much on the click rate i don't care about the click rate um i
26:33
personally care about our resiliency rate because the more education that i can
26:38
put out there that's the reason why i say you have to build the program the right way that means i have more people reporting
26:45
something suspicious that i have people reporting that they click something or not reporting at all
26:51
um therefore if my resiliency rate can be higher i have a more protected environment holistically so when i am
26:58
doing a phishing simulation the one metric that i'm looking at the most is how many people are reporting
27:03
that something is weird to make sure our SOC know to go look into it so i i like that goes back to the whole metrics
27:09
conversation where am i looking at metrics i'm looking at kpis and from an executive lens
27:14
i think the executives want to understand how resilient their organization actually is so if you're going to do
27:20
that then my next question is how often do you do it i'm actually reading through some of the questions in here and you know eamon you said
27:26
once a quarter or maybe too much but i've got people in here that are saying hey we do fishing every week we're cycling through people we're
27:32
phishing every week and that's that's a ton i mean that literally is keeping everybody on their toes
27:37
so let me ask this question first question to everybody here if i said hey we're running a phishing campaign we're going to run it every single week
27:44
too much not enough give me uh anybody can say this way too much way
27:50
too much you're not keeping them on their toes but you're serially traumatizing and
27:55
and and essentially their cognitive capacity is going to plummet uh right so because if if you ignore if
28:04
you normalize uh incursions like that basically you're bullying
28:10
your workforce and they're not gonna they're not gonna think better or respond better because they're going
28:17
to acclimatize themselves to the normalization of a horror show interesting
28:24
how many people does that team have that they're doing security phishing i mean are they do they have everything
28:30
else in place mfa and uh non-admin access on all their laptops and
28:36
you know you know how big is this team
28:41
i'm asking him now and i actually would agree completely with uh dr stein over here uh every week
28:49
is too much um i would actually recommend monthly if you're going to do something like
28:54
that we do understand that i believe you have to encounter something at least 12 times before it becomes a habit so
29:00
you have to do it frequently enough that it becomes habit-forming for them to do the behavior that you want to but i'm a big proponent of
29:06
positive psychology and within the positive psychology model there's a such thing called flow and with flow in that model the the
29:13
goal is to balance anxiety and boredom if i phish someone too much
29:19
they get too used to it they become bored and they're not going to pay attention if i don't phish enough and then have
29:24
like some type of repercussion if you get caught you cause anxiety and you don't want that in your organization so you
29:29
actually want something in the middle that keeps people in that flow of being cognitively aware
29:35
at the same time it doesn't disrupt their work so it it it changes based off of the culture
29:41
of the organization back to doug's point um but once you understand the culture of the organization
29:46
um you can't define what that actually is for you do me a quick favor because i i was bashing a quick answer back how many
29:52
times because i i've got a really i've actually got a powerpoint slide that goes into like how many times we have to
29:58
nicely beat people over the head before it sinks in what was that number that you said i totally missed i believe
30:04
i believe that you look at researchers between seven to 12 times yes okay all right i just want to make sure that
30:09
what i've written down was what you say because it's yeah and that's which is to me is fascinating
30:14
for the people that like do phishing like once a year i'm like so it's gonna take seven to ten years for you people to figure this [ __ ] out
30:20
if you're lucky and if they retain you from the past seven years yeah you've sunk you've failed why bother
30:25
all right ayman you're about you are all ready to talk all right but i think doug
30:31
wanted to say something well i'll just go in really quick um the
30:36
four percent that uh you mentioned chris that you just can't get you know you can go for the lady or
30:42
whoever was running a phishing program they got them 24 that four percent uh could be much more
30:48
dangerous uh could be just as equivalently dangerous as 20 to 20 percent depending on who it is in the company if it's a
30:53
managing partner or if it's a chief marketing officer so that's the
30:58
danger of the numbers that we show and i'm not to say that phishing programs aren't effective they are
31:05
um it's been proven but is the cost in terms of alienation and it worth
31:12
the effort and also one last thing
31:17
the greatest risk we face in terms of external um social engineering isn't through a
31:22
phishing email isn't through an attachment or a macro or a dubious url it's somebody doing
31:29
their research and sending an email pretending to be somebody else or somebody they know or
31:34
somebody they work with and there's not and it can be from a legitimate email address so there's no phishing
31:41
simulation program that's going to train you on that and that what we're doing
31:47
and what we're planning on doing is making our most vulnerable and most high profile targets very cognizant of the
31:54
fact that um as a law firm we have a roster and it's out there on the internet that people are looking at you and they're
32:00
thinking of ways to manipulate your social network to get to you and it won't come through
32:06
an attachment or on a dicey url so that's perfect because that leads
32:12
into this hang on set got real this is perfect because it leads into this it's back to that question we've always
32:17
done trust but verify bollocks no more of that stuff verify and then
32:23
maybe i'll think about trusting you you know we had one gabrielle you pointed this one at you when the ceo
32:29
you know sends you the message hey i need 20 gift cards get on with it do it right now god damn it i need it this very minute or else
32:36
call the ceo i'm going to hello go for it i just want to add to you know i had
32:41
this idea i don't know how to actually make it a product but i had the idea that you know we also need to check just
32:48
the processes so if something legitimate is happening let's say the ceo asks the cfo to transfer funds a legit
32:56
transaction not like a bogus one can we somehow check that the actual cfo
33:02
follow the process and call to verify with the ceo for example like can we verify that the processes that we
33:08
have are working with and that i don't know how to do that but that's something that i think you know
33:14
we need to just make sure that the processes are working so i think that's a good one so
33:21
basically my perspective let's talk about the operational part right uh you mentioned perimeter but there's
33:27
also the concept of zero trust so and and culture so all this can tie together so for example
33:34
uh first of all a lot of people are getting phished all the time anyway okay so there's enough phishing emails
33:41
coming in actual phishing emails so one are they reporting properly so in in um
33:49
do they know which button to press there's actually a button in in g suite and or workspaces and 365 where you can report
33:55
a phish and that's going to help uh the uh the the providers to prevent more of
34:01
these emails right uh do you have dkim and spf set up properly right
34:06
uh 365 has a spear phishing category you can put executives in this category
34:13
and they'll have extra protection are you doing that like do all these things first right and
34:18
and set up the infrastructure uh so that we can reduce the number of phishing attacks to begin with
34:25
um and you know i saw one organization set up a slack bot said if someone reports a phish it was
34:30
just like there's a bot that would actually walk them through a process that's awesome right
34:36
um you know you could also search if someone does report it then you can search all all these other inboxes and remove uh
34:44
these things right so do you have all these processes in place to remove nasty emails from people's inboxes but
34:51
then on the other side if your organization is like hey give
34:56
everybody admin and whatever and you are struggling to reduce your attack surface you're like
35:04
well you know i'm gonna have to do some phishing and so see you know and prove i'm just kind of being devil's
35:10
advocate here and prove uh that one phish email i can get and this is a red team party you know chris
35:17
i'm appealing to you you know and you're trying to make the case we need to have less admins we need to have less admins
35:23
on their laptop all that kind of stuff and you're getting pushback while you need to prove somehow that
35:28
you know you can do it maybe even just do a full you know do a red team say i'm going to do a red team i need to get green light for this and
35:36
prove to you you know so no i so i get this and this is where this day and age a lot of us have said
35:43
okay let's let's play dungeons and dragons for business let's sit down do some tabletop exercises right you know
35:49
again if we take candice had an amazing thing on this look i've i've taken it from 20 down to 4 if i know that alexander's
35:56
organization that's got 100 people in there i know four people are going to click so let's toss a point figure out which
36:01
four people have clicked in my tabletop exercise of d&d and go okay those four people clicked
36:06
i have access i own their computers what can i get to the nice thing about that is it's not an
36:12
adversarial discussion i haven't embarrassed any one of alexander's four people
36:18
all i've done is i've i've basically gone through and said here's here's what we think is this and as long as both parties come to the
36:23
table willing to have those discussions it's that it's faster quick and simple or easier less hassle and also less
36:29
confrontational um and we still end up with the same discussion points um
36:34
okay so here's another idea okay yep here's i take a step back on this one for a second so there's been a bunch of
36:40
questions on here doug i'm gonna hit you first because i'm just gonna hit you first there's a bunch of questions on here where people have
36:46
said okay look you know we've got people that continue to click they continue to do this what the hell do we do about them i'm
36:53
just going to leave it right there what do we do about them yeah well i think you um um
37:00
cordon them off and for a second tier or third tier of remedial
37:05
training can i taser them yeah
37:12
go for a share you're wanting to say something gabrielle i'll hit you afterwards i promise i shouldn't have laughed about tasering
37:18
people i'm getting better no i i think that the thing about it
37:24
that's so interesting if you have people that keep clicking that's when your uh training awareness team really needs
37:30
to kick in whether they need additional training if they need a webinar where they're going to have to
37:36
sit there in attendance or if you can activate another control you can stop them from having access to the internet
37:41
they have to do they can't have any external internet access until they've earned their trust back
37:46
um you can do a lot of things but if you see someone who habitually clicks that's a danger to your organization and
37:53
that person is the danger and you need to make sure um they're they're taking it seriously
37:59
and uh put some controls in place to make sure they get the education they need
38:05
alexander give me some thoughts from your side as well and ayman i'm going to hit you up as well if you don't mind yeah so um have to go back to care
38:14
and emotions so you know one of the first things you need to determine for the person who's just
38:20
chronically clicking is why what are you thinking what are you not thinking about you you know you
38:26
can't just you know cuff somebody's hands behind their back and expect that they're going to stop clicking they're just going to
38:33
use another part of their body because there's something else driving that behavior and
38:38
you know one of the issues here is that just there's this enormous divergence that occurs that drives a kind of
38:46
institutional mindset that overlooks the complexity of
38:51
human decision making and i understand that you know trying to solve problems at scale means that you can't
38:57
necessarily put you know every person's mind on the couch so to speak to understand
39:02
why they do or don't do everything you have to be able to capture everyone uh as a group but still there's this
39:09
aspirationalism at play in which um sort of the zero failure
39:15
point pivots on if we do this it's like a silver bullet exercise if we get people to not do this
39:21
everything will be great but the problem with that is you're never going to do that to shea's earlier point you cannot get risk to zero and so
39:30
the system needs to accommodate the reality of who people are and how they behave
39:35
and how they think and that has to include tremendous variability it cannot be homogenous
39:42
and that means that you know whatever is happening that's causing
39:47
four people out of 100 to click you need to start by understanding what's going on for those four people
39:52
and then extrapolate that back out to 100. yeah i i would say yeah i would say
40:01
more on the y just like dr stein said um you know put your product manager hat on
40:07
and gabriel you might appreciate this you know put your you know be problem oriented not so solution oriented
40:13
find out what the problem is schedule a zoom call with that person why not like get on and and take that
40:20
extra mile like you know a lot of times security folks sit behind their email sit behind their you know we
40:27
want to avoid the ivory tower you know whatever it is like you know if you if if your
40:32
employees think the security team live in an ivory tower then you have an issue you have a cultural issue and you should
40:38
you need to even not think about phishing campaigns you need to you need to step back and and and get you know talk to the people
40:43
so um you know go the extra mile be have those better bedside manners right like just
40:50
just be that better person kick up that empathy and and find out
40:55
why i mean maybe they're having a bad day i i don't know i don't know why you know and if you have to then we could talk
41:02
about controls but but you know find out more about the problem before you go to the solution i think the controls is an interesting
41:08
one hang on a second then gabrielle i'm going to hit you because i'm going to assume we've all run into
41:13
some folks in the c-suite who think they're above phishing we think they shouldn't be part of it or somebody manufacturing who's like oh i
41:20
don't even need this all i do is get my hands greasy and mess around with machinery why do i need to worry about this [ __ ]
41:25
and so that's great and i love you which is where your lack of trust and i'm going to build a couple of extra little controls around you so that when
41:31
your ass does get it handy to it it doesn't take the rest of the company down with it
41:36
yeah that's unfortunate sometimes all we can do gabrielle go for it so let's call employees people for a
41:43
second because on a personal level personal level
41:49
people get scammed some people are scammable just by nature they are
41:55
repeatable victims we see that with romance scams and we see that it depends because of this why people
42:02
are addicted to love people are addicted to gambling different things some people are not
42:07
curable unfortunately seriously like some people or or it's too much to invest
42:13
in in order to actually so you either take the thing that makes that thing happen like the
42:20
internet you put those controls or maybe they are not fit for that specific role but
42:26
we cannot like going back to this zero thing we not everyone is fixable um and we
42:32
will always have that percentage and we just see that again and again with you know um regular people scam
42:39
you know like it's it's the same thing at the end of the day it's the same emotions that people are addicted to
42:49
and i think at that point back to the doctor to shea and everybody it gets to a point where it's like okay i'll do what i can to educate you i'll
42:55
do what i can to lower the risk and if i can't then i'm basically gonna if i still want to retain you there is a big if in there definitely if
43:01
i still want to retain you then i have to build a set of controls around you so that when you fail it doesn't take everything else down with
43:07
it all right who was about to talk i apologize i kind of missed who was doug was it you or did i miss somebody else yeah i'd call it yeah it was me
43:16
um so hear me now um we take a an apologetic approach to our phishing
43:22
simulation campaign internally um we're out there saying look we know this is what you didn't come to work
43:28
you can come to work to do this but here's the risk and here's the benefits and we also
43:34
end it with anybody can be phished so if you happen to click on a link
43:39
we're not going to shame you we're not going to guilt you we're going to probably reset your password um if it was a real phish click
43:47
and if not and we might advise that you go to one of our free opt-in training games to learn about
43:53
the various kinds of phishing that are out there but taking is taking pains really to be
43:59
as apologetic about it as possible to put yourself take yourself out of the ivory tower
44:04
that ayman mentioned and to sort of develop some com you know um
44:10
amongst the employees some awareness that we aren't the ivory tower bad guys we're just trying to protect the company
44:16
um and that that message of no shame is really important um because i get it um you know in the
44:23
hallway or in a message that hey that was a setup that was a speed trap that was a gotcha
44:28
and our response is not too bad this is going to happen again our response is yeah i know
44:35
sorry anybody can be phished thanks for taking the train the extra training we appreciate it
44:41
so here's one thing and i love that but i'm going to add to that which is i honestly don't give a [ __ ] about the
44:46
company i care about you the human if i can help you learn if i can help
44:52
you protect yourself if i can help you educate yourself to look after you the kids the grandparents
44:58
the parents the friends and the relatives that bleeds through to the company so for me it's humanizing even more again
45:04
i'll i'll give gabrielle some kudos on this one because that's why i love doing the stuff that we do which is it's kind of
45:10
fun because it's all about human it's not about i'm gonna protect the company if i educate you the person you
45:15
will inherently you might step up and think more ask more questions in our digital realm you know you
45:23
figured out as a kid to look left and look right when you cross the street now i'm trying to educate you to do
45:28
exactly the same in the digital realm that's all i really want you to do you know and it's and how do we do that
45:35
more effectively that's that's really what it comes down to um and there's a bunch of questions um
45:42
oh where do we want to go with this where do we want to go with this there's so many questions what do i'm actually going to throw open to each
45:48
one of you just for the minute while i run through some more of these questions we we have a ton of questions um alexander go for it first and then we'll
45:55
so i actually just wanted to piggyback on what you were saying and underscore how important it is when you can add individual
46:03
self-awareness that does propagate out uh not just to the ecosystem in the
46:08
organization but to the individual pods and essays like going back to
46:14
teaching kids to look left and right before they cross the street it's not just about alerting them to the fact that there are dangers uh
46:22
but it's about how you stay safe it's not just about warding off bad things it's about how do you move
46:27
forward in your life in a healthy way and you know that that is something that's going to carry over
46:34
to all kinds of good decision making and good judgment not just you know don't click here and
46:40
don't click there and to this i would add in response to your question how do we go about that
46:46
the incredible value of incorporating just as a normal matter of
46:52
course multi-disciplinary teams in organizations you know one of the problems that i see time and again
46:59
i expect shea can can back me up on this is that you know these are decisions that
47:06
are being made at the enterprise level by business people and technologists
47:11
who have at best maybe a lay understanding of superficial psychology it's
47:18
enormously thick and complex there are just so many different things that you have to consider and it really
47:25
would be you know the reverse analogy would be my coming in and telling a technologist
47:30
this is what you need to do with your hardware or you know this is the policy that you need to do to develop control i would be so far
47:37
over my skis you should just push me over and this is what i encounter all the time
47:42
in organizations where there are people in positions of authority and influence making determinative
47:50
policy decisions about things that relate to what they think is going to be the consequence of the
47:56
solution and they actually have almost no idea what they're talking about and that that's a good area to
48:02
start changing things
48:10
well i think along those lines um phishing simulation programs have a perception problem
48:15
generally speaking i'm not not all but some do many do and i think the solution lies in
48:22
starting to shift focus to empower instead of shaming the employee instead of gotcha the employee to empowering the
48:29
employee and developing a healthy curiosity in the employee about phishing
48:34
security awareness give them the tools to here and there jump in and do a one to two minute sort
48:42
of uh self-education on the benefits of being highly security aware of being
48:49
highly aware of risk while online of the the the the bad actors out there
48:54
who are who are targeting us because we have an email address at our company and i think if we put the back in the
49:01
hand if we put it more back in the hands of the employee to be self-motivated um we will improve
49:07
the overall perception of these programs here's a question and this i'll ask this
49:13
to to everybody is this because phishing came out of our side of the
49:18
world it came out of the red team side of the world it came out because it was an effective tool to use to get into a company i mean
49:25
we'd be sitting there beating up against the web server and that's like that screw let's just go up against the human it's more fun
49:30
um is that because it first started out as a tool basically of abuse and it was born out
49:38
of the fact that it was used to abuse people and unfortunately that mentality is carried on no
49:43
people don't see it as a tool for education and for help they see it because they remember from 20 years ago when they did get their ass
49:50
handed because the big hairy thing decided to basically walk in through their computer i wonder if that's a big part of it as
49:55
well i mean i mean the fact is that 90 up to 90
50:00
according to some some vendors out there uh of attacks are from phishing so it's just
50:07
happening now right so you can be conservative and say 60 or 70 or 80 but that's my two cents on
50:14
that the other 10 is coming from solarwinds i think the uh the other issue um this
50:20
is what's interesting about phishing specifically uh as an attack mechanism not only did
50:25
it come out of that cyber world which is fairly new we're going to keep seeing that
50:31
it's like what 30 40 50 not 50 years old yet you know what i mean so like so it came
50:37
out of that world that world needs ownership of something um additionally this is a business
50:42
problem because companies are losing upwards to 1.5 billion dollars a year holistically over phishing attacks
50:49
so when you have those two things coupled together and then you start thinking about people nobody cares about people people
50:56
they care about money so um it kind of desensitizes um the way that we approach this thing
51:03
and um i do want to piggyback on something that alexander said earlier um talking about the person coming first
51:11
any campaign that i run any type of infosec or cybersec campaign that i run
51:17
the first one that i do in any organization is about telling people that they matter the most and i don't even talk about the
51:23
company at all i talk about ways to protect their network at home
51:28
or um what emails to look out for when you're at home because what you'll find is that people
51:34
start having habits in their everyday life at home um when they're dealing with their family or
51:39
their children and things of that nature they're more likely to bring it back into the workplace so
51:44
if we could start attacking this issue that way by coupling appropriate awareness campaigns with it
51:51
what's interesting is that it sticks with people more and you'll probably get more people receptive to it suddenly
51:56
being not so much of a retinal activity but a true awareness activity because i just protected your child or just protected
52:03
your you know parent from not taking a billion dollars from the prince of mesopotamia or something like that
52:11
that's a great question in here i [ __ ] love it um huge call out to um hughes color to
52:17
enjoy so what do you do if you do actually have a department that handles finances for nigerian princes
52:23
and i'm just like yes all right so there's a really good one in here um we talked a little bit about
52:30
kids and crossing the streets and all this kind of stuff anastasia edwards asked the question what do we think about phishing programs
52:37
in schools for training students um where's our heads on this one do we agree on
52:42
this when do we not agree on on this one and do we think it's a good idea um i'm going to save my thoughts for the
52:47
end gabrielle i'm throwing this one at you for a second and then we'll wander around everybody else
52:52
so i want to share something that you know we do and i think it also can apply to
52:58
schools because this is something that i was actually thinking about implementing in schools so we have something called the phishing game
53:04
so unlike phishing simulation where you know we basically attack the people a phishing
53:10
game everybody has to participate they have 10 emails half of them or
53:16
a certain amount are phishing emails others are not and people need and they know this game
53:22
they know that they have to identify the the phishing ones and hardly anyone gets 100 so even though
53:28
they are aware that this is you know some of them are phishing templates almost everyone fails at least you know
53:35
one or two or three or even more in this game so for me the you know i love this game
53:41
because first of all everybody participates and it's not like a phishing simulation where maybe just 15
53:46
open the email in general but implementing something like this with kids i think is much more educational
53:53
than starting to attack the kids at school that to me sounds a little bit you know
53:59
um yeah too much but if we do gamify it i think there's a lot of value
54:06
because it's still not easy even though you know some of them are you know legit and some of them are not
54:12
it's still not easy to detect them yeah i mean i remember ages ago we said
54:18
then did the gunning for grandma stuff so we're still building that that'll be totally cool um all right uh
54:25
anybody want to add on to that one on the kids one anybody want to catch up so one of the things that i like about
54:32
the idea of that so far as it's done you know thoughtfully uh and sensitively uh is that
54:40
as with you know learning to cross the street and look both ways and whatnot you're really talking about personal
54:45
safety you know with children especially digital natives uh really the greater threat there is
54:51
things like you know cyber bullying or some other kind of hostility against the child's person
54:58
uh not to an institution right so so the child is going to be learning something about her or himself about
55:04
self-care which is incredibly important just as a developmental tool and process um
55:11
the other thing is to focus on education itself so one of the things that i've done
55:16
in my work with organizations doing cyber security programs and awareness training programs is to bring in ideas from
55:25
child development and education to understand you know what are the ways
55:30
what are the techniques in which teachers can engage disengaged students or children who are recalcitrant or aren't
55:37
interested in learning or seem to be obstructionist to the curriculum or something like that
55:42
and there are a lot of well-traveled pathways there they don't need to be reinvented by infosec personnel with regard to how to
55:50
help people learn or how to help people become interested in something that they might
55:55
feel opposed to right so starting to bring this into the school system is a natural part
56:00
of a curriculum we'll have an roi you know 10 years from now that will be
56:06
you know exponentially tremendous so you hit a really good point which
56:11
hang on two seconds you hit a really really good point which i think is you know this is why i love having all of you on here this isn't an infosec
56:19
problem these questions these comments these thoughts have been asked over the centuries we've had to look after
56:25
ourselves as humans all we're now doing is translating that into a digital world so it shouldn't just be an
56:31
infrastructure somebody said hey hr should own it and i'm like actually no we should collaborate with hr and legal and
56:38
compliance this isn't ours this is everybody's go for it ayman yeah so um you know some of the things
56:46
i've come to discover about myself like so i i've come to like educational psychology uh lately and
56:52
in in in some of the work that i do uh helping others like get into security on
56:58
in the podcast that i do um i've come to learn about neuroscience educational psychology and i've and even in the work
57:03
what i do with my clients i've come to learn that as a security practitioner you are an education
57:09
uh professional whether you like it or not your job is oftentimes to educate people
57:15
because you know i'll get pushback on like say why should i do devsecops or devops or why should i automate
57:21
things like okay so let's you know let's let's walk through that so
57:27
it's amazing what gabriel and dr stein said uh you know let's i mean i would i would say let's
57:33
take that education approach that we would take as to a kid and use it on our people
57:39
employees as well right create a safe space for them to ask that question
57:44
um you know it's care to safe space for them to ask that question uh hand hold them but really focus on
57:51
the education and um you know it you're gonna win you know at the end of the day if you
57:57
take that approach all right so we are running up against the top of the hour um i just had i
58:02
actually just answered somebody um who yeah i know we just went really quickly somebody's like we need to do
58:08
this again so i'm actually gonna extend an invite to everybody here i would love if everybody's up for it to get this
58:14
group together again at some point probably in the not too distant future gabrielle and i'll work it out because we've got a couple already but
58:21
this has been like stupidly fantastic i i loved all the conversations um i'm gonna
58:26
shut up and just if everybody would love to give a closing statement that would be perfect um again ladies first please
58:32
i think my closing statement as we're at that top of the hour i i want to make sure people don't skimp
58:38
out on the training and awareness programs um it's easy to make that someone's quarter of their job but don't do that
58:44
uh because you have to market security you got to make people feed into it and believe it
58:49
so be comfortable marketing security to your company um through phishing programs and even more um and think outside the box where
58:55
you're doing it so that's just my statement
59:01
well doug okay yeah i totally agree with what shea just said
59:06
and also um your point earlier about phishing simulation programs being
59:12
kind of checkbox compliance and people got them in place but they're not really looking at them critically
59:18
a lot of advances have been made recently in the last few years in terms of what phishing email spam and email gateways can do
59:25
what office 365 can do to sort of like be the front line of defense to fend off those uh phishing attacks
59:32
especially aimed at key employees and we can do we can leverage in message of learning to give people a
59:37
context like hey this may not be who it purports to be um
59:43
so i think that's one thing that we need to leverage is the technology itself and then secondarily
59:48
what gabe mentioned the schools yeah let's let's make let's gamify and let's take
59:54
advantage of people's competitive nature especially kids so that when they arrive at the workplace they're very well informed very wise and
1:00:01
very savvy about what is and isn't a legitimate email um the the attack vector is going to stay
1:00:08
there it's going to get more sophisticated you've already seen how much more sophisticated it is so our challenge is
1:00:14
to keep that security awareness program in place ratchet it up um in terms of like uh countering the
1:00:21
sophistication of the attacks out there and to not let go of that you know perspective that we've talked about here
1:00:26
of like we're here to help we're not here to shame we're not here to guilt and we're all in this together
1:00:32
cool ayman you're up sir i think we said enough we said a lot so
1:00:38
my only two cents would be watch this webinar again before you do a phishing campaign big time and the hundreds of bloody
1:00:45
questions that came in that we're going to try and hit offline as well freaking awesome stuff uh doctor europe
1:00:50
nexo i would just remind people that cyber security is a human issue that involves
1:00:56
technology not the other way around and take it back to prince hamlet
1:01:02
in answer to the question to be or not to be i would say unequivocally to be and therefore please look both
1:01:08
ways before you cross the street awesome love it gabriel elsa you get to wrap it up
1:01:14
yeah well you know i'm still uh on my way to this vision where um security or online safety
1:01:22
is a basic life skill i think we did a little bit more today as well this is why we're doing these webinars
1:01:28
this is why we're doing wizer um so we'll this is recorded um
1:01:34
we'll be writing um an abstract of this as well and we will post it
1:01:39
tomorrow so i learned a lot of new things today so i really enjoyed this conversation
1:01:45
um with all of you cool and i'll echo the same comments um hugely appreciative thank you very
1:01:51
very much everybody thank you for the time and thank you for the amazing comments thanks to everybody in the audience
1:01:56
freaking brilliant this this has been a fantastic one love you guys all stay safe stay healthy all those kind of good things please
1:02:02
and take care we will do this again thank you bye everybody