Watch the full episode below or listen on Apple/Spotify Podcasts. (links to Apple and Spotify on the Gone Phishing page!)
00:00:00:12 - 00:00:30:19
Connor Swalm
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swan, CEO of Food Security, and welcome to Gone Phishing. Hey, everyone, welcome back to Gone Phishing.
00:00:30:20 - 00:00:52:09
Connor Swalm
If you've listened to the show for a few episodes, you'll know that I very passionate about the phrase I've done human vulnerability management. I've invited Wes Spencer, one of my favorite people on this planet, back who was on our last episode. And we're going to discuss specifically what's the intersection between cyber insurance and human vulnerability management. Wes Thanks for coming back again.
00:00:52:22 - 00:00:54:07
Wes Spencer
Anytime. You know.
00:00:54:20 - 00:01:07:20
Connor Swalm
So can you give us a quick refresher in the last episode where it is security awareness training? I'll say that here because that's what most people know it as. And and cyber insurance, where do those interact with each other?
00:01:08:13 - 00:01:37:19
Wes Spencer
So the carriers have finally woken up to if we train our people and they understand why these breaches happen and how they happen in the emerald plain, it we can reduce the likelihood quite a bit both the occurrence percentage and what I call the blast radius, like how bad an attack could actually be. It's astounding when you think about how many people are involved, like the human is involved in a pretty much I mean, can you name a breach that humans not involved in these days?
00:01:37:19 - 00:01:47:06
Wes Spencer
I can't. And so they finally woke up to this. Mike. Hello? If you don't have this in place, why should we take a risk on insuring you if you're not going to train your own people around this?
00:01:48:06 - 00:02:12:14
Connor Swalm
That makes a lot of sense. You mentioned that cyber insurance carriers are waking up to this fact that humans are increasingly so becoming involved. Or I will use a slew of phrases of which I'm not 100%, you know, bought into but involved the cause of the reason for. I've seen all of those in articles on LastPass is breaches on say is breaches on every breach I've seen.
00:02:12:14 - 00:02:21:20
Connor Swalm
It's like, oh, you know, somebody wags the finger at a human. It's like they made a mistake. And cyber insurance carriers are waking up to this. Is that accurate?
00:02:22:12 - 00:02:41:06
Wes Spencer
It is accurate. And it's shocking to me that they didn't wake up to that quicker and sooner they should have all along. But yeah, they're recognizing the commonality that exists here, which is simply this, look, if you are not training your people, then that's a huge security hole that exists that should never have happened in the first place.
00:02:41:06 - 00:02:59:21
Wes Spencer
And Connor, I, when I look at all the breaches that I have seen and read about and even personally dealt with, there's always that person involved, always, always, always. Whether it's the phishing email that comes in, it's something they click on. It was their inability to report it to somebody like it. There's always a person involved.
00:03:00:12 - 00:03:21:05
Connor Swalm
Yeah, that makes a lot of sense. One thing I've been kind of wrestling with is the concept is, is technology becoming more secure or are humans becoming more insecure? And depending upon, you know, if I go to New York Times and I'm scrolling through today's headlines, you know, I waffle back and forth. But I'd be interesting to hear your opinion on that.
00:03:21:06 - 00:03:47:19
Wes Spencer
Well, there's an old quote I'm going to butcher that says something along the lines of like, computers are getting like faster and smarter every day. And but yet humans are becoming more and more stupid every single day. And so far, like, humans are winning the race or whatever. Right. And I don't know if that's true or not, but I just think that I just see the problem over and over because I have so many client conversations and usually they're all in the same boat like they know that breaches.
00:03:47:19 - 00:04:03:01
Wes Spencer
You see them on TV, but you don't really relate them to yourself and you just see them from afar. And so when you look at me like, Oh, that's for Bank of America to worry about, or if they do think it could happen to them because they've had a friend that's gone through what they misunderstand, just how damaging a breach can be.
00:04:03:01 - 00:04:23:16
Wes Spencer
They think, Oh, I mean, ask them like here's here's a takeaway. Go ask your clients, Hey, if you had a breach, how much you think it would cost, you're going to hear staggering numbers like, oh, probably 50,000, maybe 100,000 at the most. Like I couldn't possibly see it being more than that. Right. They're totally unaware. And so because they're unaware, they're not prepared to take action on something that they don't think is a problem.
00:04:23:20 - 00:04:40:20
Wes Spencer
So we actually have to reverse this and really help them understand what we're defending against. And then when they understand that, then they'll want to invest the time and understanding to be knowledgeable against that threat. And that's usually the problems. We put carts in front of forces when it comes to the client in the people side of cybersecurity.
00:04:41:09 - 00:05:03:02
Connor Swalm
You mentioned cyber insurance carriers are essentially asking the question well or stating if you're not willing to train your folks and we're not willing to insure you. What are some of the pieces of that training now? I could dove into this, but I'd love to ask you, what are some of the pieces that you see of training that you see cyber risk areas that you see MSPs or the clients you work with actually focusing on?
00:05:03:07 - 00:05:36:05
Wes Spencer
So right now, it's keep in mind just the carriers not doing the greatest job in the world. It really hardly comes to security. Right? So what they are doing, which is good and I commend them for this, is they're going to ask questions like, do you train every single user in your organization around cybersecurity and importance? And then you say yes or no, and then it's going to ask you the cadence and they least want to see that you train them once a year, which I'm just sort of like that is so archaic like in I know that makes you like squirm thinking like this archaic old school.
00:05:36:05 - 00:05:51:22
Wes Spencer
Like, where's your one training for the year? Oh, there you go. Versus continuous education. But and then the other thing that they ask and I want to get your commentary and the other thing they ask is, do you do actually test them? And same thing you do it once a year, do you do quarterly? And that's usually about the break up.
00:05:51:22 - 00:05:58:07
Wes Spencer
And so that's their view right now is like we at least want to start there, but you and I both know it could be way better, right?
00:05:58:07 - 00:06:25:05
Connor Swalm
It could be infinitely better in my estimation. So this whole concept of of human vulnerability management is going way beyond your yearly trainings, like you mentioned, your yearly test. The oh, this is clearly a phishing email forwarded around you, all your friends and say, don't click on this. This is the fifth. If we go way beyond that and do what I believe would be the right thing, which is to actually simulate the real world to say, okay, if someone was trying to gain access to this company, what would they do?
00:06:25:05 - 00:06:45:18
Connor Swalm
They go on LinkedIn, they look at the employees, they try to figure out who works with who on a regular basis. They might simulate business email compromised. They would do something more particular and more relevant to that specific client. And that was my initial thought around human vulnerability management as well. What if we did this on a consistent basis to keep up with the real world, you know, as it changes day by day?
00:06:46:00 - 00:06:58:22
Connor Swalm
And what if we actually made it relevant to the client and simulated what they are most likely willing to face and what is most likely going to result in a successful breach if it worked? What if we simulated that that was we're kind of we.
00:06:58:22 - 00:07:15:23
Wes Spencer
Started that's red hot band because like the old school mantra is like you said, let me just test periodically and and that's why I'm doing it versus like, I won't name names Connor, but someone that, you know, might have sent me a phishing email that I clicked on a while back. And you know what, darn it, I still remember that.
00:07:15:23 - 00:07:31:11
Wes Spencer
And to this day, I'm like, You know what? I'm glad I got phished on that because I'm a cybersecurity guy is what I do, and I can be Phish. It's so the real goal is like what you just said, but simulate the real life and let's celebrate failures so that I can be aware and be like, Oh man, that got me good.
00:07:31:12 - 00:07:47:18
Wes Spencer
I'm really glad that I'm thinking about this in front of mind and I'm worried about it and I'm concerned about it. That's the goal is to build what we call the awareness piece that huge a part of of of sat. Right. And so I just I really agree. The point is not to like we're going to do these minimums and make sure we do it.
00:07:47:21 - 00:07:51:02
Wes Spencer
No, it's all about let's let's be like real world here.
00:07:51:12 - 00:08:16:13
Connor Swalm
Yeah. And I know you you remember this from some of your banking days, but I still run across partners who have clients where they're tie people's compensation to their performance on phishing tests and speaking from experience, guaranteeing that an email gets to an end users inbox unscathed on looked at by Microsoft or Barracuda or any kind of web built there, a secure gateway is nearly impossible 100% of the time.
00:08:16:13 - 00:08:35:00
Connor Swalm
So these employees start freaking out. They start to believe their cyber team is punishing them. They start to hate the people on the security team, and it just creates such a horrible dynamic between what should essentially be a role of the individual and then the supporting team, which is the cyber people making sure that people are safe.
00:08:35:00 - 00:08:56:18
Wes Spencer
Yeah, I agree. I'll just say this is, you know, we security people always talk about how to be less adversarial and then we go and we shoot herself in the foot by having these very adversarial approaches that you just mentioned around, you know, like, oh, you got punished for this. It don't understand it. And in such a bad way to go, it throws in the face everything we're trying to accomplish with the far better culture.
00:08:57:12 - 00:09:19:19
Connor Swalm
Yeah, you're absolutely right. I mean, even gets down to the once a year training this 4 hours long, and it's like, listen, I don't know who's listening to this at the cyber practitioner, but here is reality. The average employee just wants to show up, do their job, do great work, and be safe while doing it, hammering them over the head with these videos that are hours long.
00:09:19:19 - 00:09:36:09
Connor Swalm
If it's for a year at a time, it's just not it's not cutting it at this point. Every employee I've ever talked to personally has said the exact same thing they'll take. I'm looking at you right now. I'll move you to my second monitor and I will play with my dog, my cat, say hi to my spouse, my kids, whatever it is, I'll take a walk.
00:09:36:09 - 00:09:53:07
Connor Swalm
Well, that plays in the background and I'll come back and I'll answer the questions. And if I get it wrong, oh, I'll just rinse and repeat answer again with different answers and I'm good to go. And so, you know, I always say two things happened in that scenario. The employee got no additional learning and you paid for it.
00:09:53:18 - 00:10:12:07
Connor Swalm
So yeah, absolutely. Well, thanks. This has been an amazing discussion. I always love chat with you and I definitely want to have you back any time. Maybe next time we can dig into a specific breach. Or maybe we won't. Name, name. You don't need to name names, but I'd love to figure out, is there anything we can learn?
00:10:12:07 - 00:10:15:02
Connor Swalm
Anything the listeners can learn about a specific breaches and something you'd like to do.
00:10:15:05 - 00:10:16:12
Wes Spencer
Oh, I got a good one.
00:10:17:11 - 00:10:40:17
Connor Swalm
Oh, now you're making me wish we could record another one. So, anyway, thanks so much for that, Wes. Thank you, everyone, for listening. If you want to find out more about creating a high quality awareness training program that actually engages the employees to change their habits, then check us out in security at Phinsec Dot IO or click the link in the show notes.
00:10:41:00 - 00:10:47:13
Connor Swalm
I'm Connor CEO and Phin. Thanks again for joining me on gone phishing and I'll see you next time.