Today I want to go through WHY security awareness training is important for both you the individual and for multi-service providers (MSPs). I’ll share with you some of the pitfalls of a bad SAT program and the benefits of having a good one.
Watch the full episode below or listen on Apple/Spotify Podcasts. (links to Apple and Spotify on the Gone Phishing page!)
00:00:00:12 - 00:00:23:22
Connor Swalm
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.
00:00:28:19 - 00:00:54:21
Connor Swalm
Hey everyone, back again. I'm Connor and thank you for phishing with me today. Last episode, I unpacked security awareness training. So if you haven't listened to that episode and you don't know what security awareness is, then you might want to go back and check that out. Because today I'm going to talk about why security awareness is important. And it's important to everybody.
00:00:54:23 - 00:01:27:08
Connor Swalm
But specifically, why is it important to not only individuals, but for what we call MSPs? That's who we serve at Phin. I will give everyone listening the TLDR right now. Why is it important and why should it matter to you? Because simply put, when done well, it reduces the risk that a breach occurs. And for you cybersecurity folks listening, the one thing that keeps you up at night, that gives you heartburn as you chew on those Tums or whatever you do to get rid of your heartburn and soothe your anxiety.
00:01:27:12 - 00:02:07:20
Connor Swalm
The one thing that keeps you up is that a breach is happening or has happened and you have recognized it. So the TLDR is it helps prevent some of that, but let's actually dive into it. People in general, as one of the things we've talked about on the previous podcasts, are uniquely vulnerable to social engineering, and that unique style, flavor, whatever you'd like to call it, of vulnerability changes as the world changes around them: as things in politics become unpopular or popular, as world events occur, as companies come out with new products to sell, as the employees that people work with change, as their own employment changes, as they have life events.
00:02:09:09 - 00:02:38:01
Connor Swalm
All of that changes the things that a person, that you, might uniquely be vulnerable to. And so it's super important that when all of this vulnerability, when this unique vulnerability to social engineering changes, that the training, the tools that a person is armed with, change as well. If we go back to the TLDR I gave, we are not reducing risk.
00:02:38:17 - 00:02:57:11
Connor Swalm
If we are not accurately training somebody and accurately equipping them with the things they need to prevent social engineering from turning into a breach. So it's as simple as that. That's why it's very important. So I could end the podcast right here. But what use would that be? Right. So we're going to go through the pitfalls of a bad awareness training program.
00:02:57:11 - 00:03:20:20
Connor Swalm
I'm going to go through not only examples I have from my own experience so far as the founder of Phin, but I want to go through some of the things that I have heard about before and why they might be actually removing progress and not creating additional security. So some of the pitfalls of a bad SAT program are essentially that the employees at your company hate it.
00:03:21:16 - 00:03:47:13
Connor Swalm
And I use that word sparingly in real life, but there are a lot of employees I talk to that absolutely hate the cybersecurity team at their company or at the MSP that serves them. And a lot of that has to do with the way they're trained, the way the awareness training program is created, is orchestrated and managed, the way people respond when they get phished, the way their managers talk to them about getting phished.
00:03:47:18 - 00:04:10:01
Connor Swalm
I brought this up in a previous episode, but some people are still there; their compensation is dangled over their heads pending the results of phishing tests, which is just so damaging to what we actually want to accomplish in a security awareness training program, which is to make people feel supported and, in that act of support, properly equip them to recognize social engineering.
00:04:10:14 - 00:04:40:11
Connor Swalm
It's as simple as that. So some of the pitfalls are your employees mentally check out. They're just not going to listen to your cybersecurity team. They're going to mentally check out. One of the biggest issues I see in awareness training to this day is just employees interfacing and interacting with the program itself. And so if you have a particularly bad program and you're off base when actually supporting the employees that the program is built for, you will see this, and you will see it and feel it greatly.
00:04:41:09 - 00:05:04:21
Connor Swalm
So what are the benefits of a solid awareness training program? It should come as no surprise that the primary benefit is that you reduce the risk of a security breach occurring because your employees are properly equipped. So let me get that out of the way: reduce the risk of a breach, and I'll put an asterisk there so we can talk about it later.
00:05:04:21 - 00:05:26:06
Connor Swalm
The second is, and this is some of what we are really trying to measure: how do the employees feel about the program that is put in front of them? Are they interfacing with the content? Do they feel like they're being badgered? Do they feel like their management has bought in? Do they feel like this is something that is supported up and down the chain?
00:05:26:06 - 00:05:51:07
Connor Swalm
I talked with so many C-suites and directors and managers of companies that believe they're infallible and don't need awareness training and don't need to equip themselves with any tools. And you know, when that happens, employees recognize it. They feel it. They feel that it has been deprioritized by their leader and their leadership, and so they deprioritize it themselves.
00:05:52:19 - 00:06:16:18
Connor Swalm
So the benefit of a great program that's widely supported by everyone in the organization is employees have bought in, engagement goes up, public sentiment goes up, people don't view it as a roadblock to progress. Believe it or not, they view it as a necessary evil, which, while it is not the end goal, believing it is a necessary evil of sorts or a necessary inconvenience is a step in the right direction.
00:06:17:06 - 00:06:59:19
Connor Swalm
So how does a good SAT program affect the risk for an individual? Well, when people are properly equipped to, you know, I'll give a really pedantic example here, because I could talk about this specific point for hours and hours and hours. But when people are properly equipped on how to recognize social engineering, to all of you technicians or SOC members or anyone here that has ever had to evaluate reported emails to see if they're actually phishing, to anyone listening who's doing that right now, a benefit of a great program is that fewer "phishes," quote unquote, that aren't real phishes get reported.
00:06:59:22 - 00:07:25:17
Connor Swalm
And so you end up having to evaluate fewer marketing emails that people have enrolled themselves in in order to get a target to submit for phishing. So for the individual, it equips them with the ability to actually recognize: is this just stupid email traffic, or is it phish? Is this a real, legitimate text message from a concert that I'm trying to go to?
00:07:25:17 - 00:08:01:10
Connor Swalm
Or is there somebody trying to phish me out of my information? People become better at recognizing that, and there becomes less of a burden on your external SOC, your internal SOC, whoever is going to be evaluating the reports. Less of a burden for sure. So it benefits not only the individual; it benefits your SOC greatly. So we talked about this a tiny bit in, I can't believe which one of the previous episodes, Verizon's Data Breach Investigations Report shows, or states, I'll put "states" there, that 82% of breaches involve the human element.
00:08:01:15 - 00:08:26:21
Connor Swalm
Now I would like to go over how some of that data is, in my mind, misrepresented, because I don't think that paints the full picture of what really happened. When Verizon is saying that, I don't think they're purposely doing this. I think it's just how people work with statistics in general. That 82% of breaches involve the human element is not just people getting socially engineered out of information, access or money.
00:08:27:07 - 00:08:51:09
Connor Swalm
That is credential abuse of credentials that might have been stolen due to no fault of their own. If you want to see an example of this, I was just reading about LastPass's incident where one of their DevOps engineers got hacked. Go read that. Very, very, very interesting. And so I want to draw attention to that 82% number. It's publicly available.
00:08:51:09 - 00:09:20:01
Connor Swalm
You can go download the report right now, or some of your buddies, if you're listening to this and are security researchers or anything, are probably stating it. It not only includes social engineering and actual attacks, it includes errors in it, it includes credential abuse, and some of that I'd have to actually dive in and do a little work on, you know, what amount of it, some of that, is attributable to a human making a mistake or a human not knowing what to do.
00:09:20:17 - 00:09:40:20
Connor Swalm
At the end of the day, though, if a person's credentials are abused, their, you know, that remains to be seen. I won't say always, but a person is at some level liable for their credentials being abused at some level. I won't say all the time, but I can't think of anything off the top of my head that would prevent that.
00:09:42:00 - 00:10:08:03
Connor Swalm
So final thoughts on why it is important. I'll wrap this up with a philosophical belief that I have. Over the last 20 years especially, but in general, technology is becoming a deeper ingrained part of every human's life. You can't be effective. You can't be a contributing member of society almost without a smartphone these days.
00:10:08:03 - 00:10:27:06
Connor Swalm
Now, I know that there are a few folks listening to this right now who still have the flip phone, and they still have to press three buttons to get one letter. Yes, I am old enough to have texted like that, but at some level, technology continues to be pervasive in our lives and it's only becoming more pervasive.
00:10:28:01 - 00:11:07:09
Connor Swalm
And so one thing that I have done no research into as of now, but a philosophical belief that I've had, is as technology becomes more prevalent, as technology becomes more built out, right? The Internet's relatively new compared to human society. A computer is incredibly new compared to human society. As technology becomes more built out, I believe that the reason software and technology can be abused has less to do with zero-day threats or vulnerabilities and exploits in the technology, and more to do with exploits and vulnerability around the human.
00:11:08:13 - 00:11:35:13
Connor Swalm
And so I believe we're going to get into a world where if Verizon's already saying something like this, where 80% of breaches involve humans, the other 18% might be zero days or some other form of breach or vulnerability in the actual software and hardware itself. But I believe that humans are actually going to be the easier source of stealing money, access and information long term.
00:11:36:10 - 00:12:19:06
Connor Swalm
So equipping humans with the ability to recognize it before it becomes a problem is going to be paramount to fighting the good fight, as I say. It's going to be paramount to reducing the amount of money and really the amount of inefficiency that theft due to security breaches creates in our society today. So that's why it's going to be really important: humans, in my mind, are going to be more of a risk, not necessarily responsible, but they're going to be the easier source of access, because vulnerabilities and zero days, you know, they do exist, but humans are going to be the easier path moving forward.
00:12:19:06 - 00:12:42:10
Connor Swalm
That's what I believe. You know, I'm on LinkedIn, Twitter and Facebook, everywhere. Happy to discuss this with folks because it's something I've been thinking about a lot recently. So thank you so much for listening. I hope that was super helpful to all, and I hope now you see a little bit about the importance of awareness training and maybe why it should be applicable to you and your business.
00:12:43:07 - 00:13:06:02
Connor Swalm
In episode one, I mentioned that I'll be bringing on experts to help discuss some topics that maybe I don't have any expertise in. So on the next episode, I'm going to make good on that promise, and I'm going to bring in self-proclaimed dictator, one of my best friends, and a cyber insurance wizard and a cybersecurity practitioner, Wes Spencer.
00:13:06:18 - 00:13:41:11
Connor Swalm
And we're going to talk about the intersection between awareness training, security awareness training, and cyber insurance. Some of you may be following the news. There is an incredible amount of legislation being created. CMMC requires this at some level. Almost every compliance framework requires this at some level. And so what I've talked about with Wes a ton is that cyber insurance has kind of viewed security awareness training as a way to flip the loss ratios that they're seeing.
00:13:42:00 - 00:14:00:05
Connor Swalm
And a lot of that has to do with kind of what Verizon's trying to get into, which is 82% of breaches involve the human element. So we're going to be talking about that with Wes. I always love chatting with Wes and he's always such a great person to bring on the show. We're going to dive into that. I will see y'all next time.
00:14:01:07 - 00:14:22:22
Connor Swalm
Thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out.
00:14:23:08 - 00:14:27:10
Connor Swalm
Thanks for phishing with me today and we'll see you next time.