Skip to content

Understanding Human Vulnerability Management | EP 002

Today I want to focus on the human side of phishing because if you don't understand the importance of training your staff to recognize their vulnerabilities, you leave your business open to multiple threats. And it’s not an if but a when will it will happen to you.

Watch the full episode below or listen on Apple/Spotify Podcasts. (Check out more episodes on our Gone Phishing page!)

 

Episode 2: Listen on Apple

 

Full Episode 002 Transcript:

00:00:00:12 - 00:00:31:06
Connor Swalm
Welcome to Gone phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swan, CEO Phin Security and welcome to Gone phishing, everyone, and welcome back.

00:00:31:09 - 00:00:53:13
Connor Swalm
I'm so glad you're here again with me. In the last episode I talked about phishing, what it is and how to prevent it. Today, I'm going to focus on what I call the human side of phishing. According to Verizon's Data Breach Investigation Report, their 2022 report, 82% of breaches involve what they call the human element. So let's dove into that a little bit.

00:00:53:13 - 00:01:24:12
Connor Swalm
Figure out, is that really accurate? And talk about some issues around what I call human vulnerability management so we wouldn't be able to understand human vulnerability management unless we understood the history of security awareness training. So people have been fooling other people, has been tricking them, have been stealing their money since the dawn of humankind. So that is not necessarily what I'm going to bring into the scope of what I call security awareness training.

00:01:24:18 - 00:01:49:14
Connor Swalm
Really. I believe that security awareness training and the history of the market in general started probably about 25, maybe 30 years ago, was really with the dawn of email when everybody started using email to communicate. Or if you really want to think about like for those of you nerds that are listening to this podcast phone phreaking and stealing stuff that way that could also be considered the start of at least phishing.

00:01:49:18 - 00:02:19:23
Connor Swalm
So maybe that's also the dawn of awareness training. So in my view, security awareness training has started and stopped at training videos, phishing assessments, policies and everything else. Maybe there's a few other things included in there has started and stopped it. Those three things for the last 25 years, that security awareness training has evolved a tiny bit since its inception 25 or 30 years ago, but not by much.

00:02:20:03 - 00:02:47:19
Connor Swalm
We've maybe made the videos better, we've made the phishing more realistic, we've made the delivery a little bit better. But there hasn't been an incredible amount of change, even though the cybersecurity universe or whatever world and the way that people specifically interface with tech and the amount, the size of the role that tech plays in our lives has increased dramatically in the last 25 years, 25 or 30 years ago.

00:02:48:18 - 00:03:07:09
Connor Swalm
Most of us weren't even, you know, 22 years ago, maybe at the dawn of 2000, most of us weren't even on the Internet or most of us didn't even use it that regularly. But nowadays it's a part of literally every piece of our lives. It's on our phones, on our apple watches. It's everywhere. So why is it that training people to recognize the threats that have come with that hasn't changed?

00:03:07:22 - 00:03:41:11
Connor Swalm
So what I kind of want to talk about today is a concept called human vulnerability management. And I actually have a statement from a presentation that I'll be giving on this at MSP Econ. If you're listening to this episode before then, and it is basically this human vulnerability management is the act of incorporating an individual's behavior into how they are continually assessed and trained to recognize how they are uniquely vulnerable to social engineering.

00:03:42:02 - 00:04:11:03
Connor Swalm
So basically, human vulnerability management is the act of allowing an individual to uncover their own vulnerability. And then we teach them how to recognize that moving forward. So it's really about working with an individual one on one, treating people like they are the unique folks that they are kind of like what we talked about in the last episode and then teaching them to recognize that moving forward at the end of the day, and I didn't get into this in the first episode greatly because of how deep of a topic it can end up being.

00:04:11:13 - 00:04:36:20
Connor Swalm
But at the end of the day, at some point, your security secure gateways, your web filters, your EDR that anyone in the security space will tell you. Security is a layered approach and a concept that's been arrived, at least been hearing from all of the conferences I've been going to. It's a when, not if conversation at this point that at some level a human or you're going to have to be prepared as a company to recognize that a breach secured has occurred.

00:04:36:20 - 00:04:55:14
Connor Swalm
And what I have done is kind of extended that to humans. And at some point, your software, your technology is going to fail. Everything that you put in place is going to fail or something's going to get through. And the human sitting right there at the end of that email, that text message, or maybe it's at the front desk and somebody just walked in trying to get access to the building.

00:04:56:07 - 00:05:19:03
Connor Swalm
At some level, that human is going to have to recognize what's going on and they're going to have to stop it. So human vulnerability management is about bringing that full circle and arming that person with the ability to recognize how they are uniquely vulnerable and then teaching them how to recognize it moving forward. So social engineering is a field.

00:05:19:03 - 00:05:35:09
Connor Swalm
Phishing is a field that is constantly evolving. The attacks that people face, the things that are working, the things that are not working. And, you know, just go to any website that gives you news and look for the last breach and you'll probably find one in the last seven days. That's just the world we live in at this point until things start changing.

00:05:35:21 - 00:05:58:14
Connor Swalm
And so it's very it's critically important that the people at your organization or the people that you serve recognize what's going on around them. Because at some point, the technology you've put in place, even if you've done your job perfectly, the technology around that individual will at some point fail. There's just too many people involved and a concept I talk about this with my buddy Wes Spencer all the time is an attacker has to be right?

00:05:58:14 - 00:06:23:01
Connor Swalm
Exactly. Once a defender has to be right all the time. Those odds are stacked against us. So eventually a human's going to have to step in and recognize what's going on. So why is that very important? Well, I have some bones to pick. I'll call it that with the way Verizon's data breach investigation report has classified the human element.

00:06:23:13 - 00:07:00:20
Connor Swalm
Because I hate I hate just quoting random statistics to people that I talk to and then making it seem like there is this incredibly large and vast, unsolvable problem. Another thing that was always says super scary threat threats. It's how he phrases it. And so I have some bones to pick with the report. But if what Verizon is saying is accurate or even close to accurate, 82% of breaches, there was a human at some level who made a mistake or didn't recognize something was going on or maybe didn't enable MFA or enabled it improperly and as a result was phished out of their credentials.

00:07:00:20 - 00:07:28:19
Connor Swalm
And as a result they were leveraged to then, you know, infiltrate the organization and expand their reach. So if right if what Verizon is saying is accurate, they have an incredible amount of data to back some of this up. Humans need to recognize what's going on before it becomes a much, much, much larger problem. And so one thing I always thought about from the very beginning is the security awareness market is growing at incredible rates.

00:07:29:00 - 00:07:51:22
Connor Swalm
And yet the rate at which humans are and I'm putting this in air quotes for those of you not watching the rate in which humans are quote unquote, responsible for breaches because they made mistakes has gone up every year that the awareness training market has grown. And so one thing that I thought of initially when I founded Phin four years ago is how is it that this market is growing at incredible rates?

00:07:51:23 - 00:08:16:21
Connor Swalm
How is it that everyone's making money hand over fist, and how is it that in the midst of that, humans feel less supported and are more vulnerable than ever? Now there are a ton of reasons that I can think of just off the top of my head. So I'm sure if I sat down and thought about it, I could think of a myriad of reasons as to why this is not a result of humans being more vulnerable or, you know, really anything.

00:08:17:04 - 00:08:39:02
Connor Swalm
But I always came back to the point that it doesn't matter that if a human recognize what was going on when it was occurring, that that data point would not exist inside of Verizon's data breach an investigation report. So I always kind of latched onto that and tried to understand, well, how is it that we can teach people what social engineering might look like in a world that evolves so quickly?

00:08:39:02 - 00:09:12:12
Connor Swalm
We don't know what's going on. That was always a falcon. AI So one thing we really focus on too is, is MSPs. Those of you that aren't MSPs that are listening, it's our managed services provider, back office IT and cybersecurity infrastructure for small, medium and large businesses. Simply put, if you have if you don't have enough security and I.T. help on staff, you'd work with someone that would consider themselves at MSP to do kind of augment your staff and to do some of that work or all of that work for you.

00:09:13:01 - 00:09:43:12
Connor Swalm
So we work with MSPs, but this is applicable to everyone as everyone is a human. You know, unless I've seen the the advent of GP recently. So until all of us are replaced by our AI overlords, humans are going to be involved in all the businesses that we work with, that we buy from, that we sell to. And so at some level, a human's going to be at the end of that phone, at the end of that computer, that laptop, whatever it is, maybe it's across the desk from you or across the table.

00:09:43:18 - 00:10:12:19
Connor Swalm
So at the end of the day, a human is going to have to be responsible for recognizing how they are uniquely vulnerable. A first step is admitting they're uniquely vulnerable and then uncovering it moving forward. Kind of a concept we've latched on to here at Finn. Is that your your security awareness training program should take into account the ways that social engineering is going to change over the course of the program.

00:10:13:03 - 00:10:39:12
Connor Swalm
So if you lock in a program at the beginning of a year and you get to the end of a year, and you haven't changed it at all, the security landscape and the threats that people face have, you know, would change so quickly that you're. Well, I don't want to say do a disservice to the people that are in that program, but you're not accurately equipping them with the tools and the skills that they would need in order to recognize what's going on.

00:10:40:03 - 00:11:07:08
Connor Swalm
So another concept that goes along with security awareness, if you want to think about this from like a vulnerability detection, like actual vulnerability management, like in technology, in modern technology to discover and remediate vulnerabilities. There are five steps that we all go through. We assess the threats, we validate they exist. We prioritize the ones that we need to prioritize.

00:11:07:14 - 00:11:26:01
Connor Swalm
We remediate those, prioritize threats, and then we verify that the remediation has occurred and the threat no longer exists. And we go through that cycle with every vulnerability we discover, every threat we think exists. And we arrive at a war in a world where we feel a little bit safer or we can demonstrably prove or a little bit safer.

00:11:26:01 - 00:11:54:12
Connor Swalm
Like if you've ever done a pen test or a security audit, that's essentially what you'll go through is assess, validate, prioritize remediation, verify it's five steps. And in security awareness today we basically have the first half of assess. We are assessing folks via training and phishing, but we're not validating what other vulnerabilities might exist. There's no exploration into that.

00:11:54:12 - 00:12:11:15
Connor Swalm
The user base as call there's no exploration into what they might be vulnerable to as a whole and as individuals. And as a result of not exploring, there's no prioritization because we don't have the data, we don't have the things to prioritize. And as a result, there's no remediation because we haven't prioritized the threats that we already have and validated.

00:12:11:15 - 00:12:32:14
Connor Swalm
And as a result, we can't get to the last step, which is to verify that we properly remediated, that, you know, just because you're phishing rate goes down to zero does not mean that the folks at your organization are 100% safe. And I've talked with many, many we work with thousands of businesses now. I've talked with many companies that believe this.

00:12:32:14 - 00:12:53:05
Connor Swalm
And then I ask them to dig into how are you delivering these? Why are you delivering risk? And I've arrived at so many companies where every single phishing email has gotten caught up in the filter, and so no one has a zero. Everyone has a 0% missed rate because they never got in front of them. Or the second is everyone got the same phish at the same time of day, on the same day of the month, every month for the last two and a half years.

00:12:53:18 - 00:13:12:03
Connor Swalm
That's not realistic. While it may look good, it may feel like we're doing work. There's a lot more that I think we could be doing as an industry, that we could be arming the employees that we serve with to recognize what's going on. Long story short, your employees are the most important key to keeping your data and your company safe and secure.

00:13:12:11 - 00:13:33:18
Connor Swalm
So you need to have an up to date awareness training program to do that. That's one piece that you need to have in order to do that. So next time, let's talk about exactly that. What is a security awareness training program? What should it look like? What should we care about? What should we not care about? And then, more importantly, why should we care about this at all?

00:13:34:15 - 00:14:00:01
Connor Swalm
I'll see you next time. Thanks so much for tuning in to Gone phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits. Then check us out. Phin security at phinsec dot io. That's an sec that I am or click all of the wonderful links in our shownotes.

00:14:00:11 - 00:14:04:15
Connor Swalm
Thanks for visiting with me today and we'll see you next time.