What Will It Take for People to Care About Cybersecurity? | EP 026
Transcript:
Connor Swalm:
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.
Hey, everyone, welcome back. It is Connor, CEO at Phin, with another episode of the Gone Phishing podcast. Seems like every day there are new reports of breaches or passwords getting stolen or big companies coming out and saying there was a data breach, all the time. Sounds like that's happening all the time now.
A lot of folks in the security space, me included, were somewhat aware of the risks and the dangers at hand, and how big of a problem security, cybersecurity, actually is, specifically for American businesses. But it seems like the average individual who's not really interested in cybersecurity, or, if we want to call them, like, cybersecurity tangential or tertiary, so to speak, doesn't understand the gravity of the situation that we're in, in terms of how likely it is for companies to get breached, how damaging that could potentially be, not only for themselves as individuals, but also for their business that they work at, or maybe that they own.
There's also this concept of, once I close the corporate laptop and shut off the company phone, I am not going to get attacked, I'm not going to get breached, my identity is safe, or my bank accounts are safe, or something bad isn't going to happen. So there's this weird separation between personal life and professional life, where hackers do not care.
Now, obviously, businesses represent a larger financial gain, if they're able to attack them properly, than an individual in most cases. But people are still not necessarily the direct target, but stealing passwords and Social Security information and banking information and other financial information, such as credit cards, for millions, hundreds of thousands of people, however many at a time, that's still a really valuable set of information for a lot of malicious actors that would like to get access to that. So what needs to happen in order to, I don't want to say convince, but to relay the gravity of the situation and what we all need to do together to an individual, relay that information to an individual person so they understand it and they're bought in, and we can all be a little more secure together?

What do I think needs to happen? First and foremost, we need to start changing employees' behavior, or changing anyone's behavior, not just employees' behavior. Changing human behavior is quite possibly the most impossible task anyone will ever set out to do. So I'll caveat: there's an entire episode with that statement, but it is what needs to happen in order for greater security to be put into place. Most of the risk, and I'll quote a statistic here, 88% of breaches involve the human element, according to Verizon's Data Breach Investigations Report. I quote that all the time. I have some disagreements with the way that stat is created, but I'll use it here because it makes my point conveniently.
If 88% of breaches are a result of the human element, then it makes sense that 88% of our efforts should go to reducing, something commensurate to 88% of our efforts should go to reducing that amount. And essentially what that means, most of that is human behavior, if not all of it. Whether it's leaving your laptop unlocked and somebody doing something, whether that's plugging in a malicious USB trap you found in a parking lot, whether that's writing bad code that has a flaw in it somewhere, whether that's improperly setting up a firewall, clicking a phishing email, listening to a voicemail from the IRS saying they called you and you owe them money, whatever it is, all of this risk is a result of a human doing something that they knowingly or unknowingly knew they shouldn't have, knowingly or unknowingly did, so to speak.

So all of this, all of reducing that 88%, is just in the act of changing human behaviors, either taking good behaviors and making them better or taking bad behaviors and removing them. So the first thing, convincing people that their behavior needs to change in the first place, is almost impossible. Nobody likes to be told that they're behaving incorrectly or that they're doing things wrong, and as a result, they need to change the way that they're doing things. Nobody likes to hear that on a regular basis.

So getting people to buy into the fact that, hey, we're doing things incorrectly and we need to do them differently, it's just hard, especially when this is talking to average employees in this way, or average-level-of-technical-ability employees, and telling them that they need to behave differently, and then using, what most people do is they use incredibly complex technical terms and complex technical analogies. Say, you need to do all of these things just because, that's usually where it ends. You need to do these because I'm telling you. Nobody's going to want to change their behavior because so-and-so told them. Maybe they will if their boss does, but they'll do it begrudgingly, not necessarily because they want to. So that's the first thing.
Convincing people that any of their behavior needs to change is hard. The second part is, once you've convinced them that they need to change their behavior, now you need to convince them that the behavior you're recommending is actually better. So they're going to start analyzing what you're asking them to do and what they did before, and start having questions. Why do I need to do these in the first place? Last episode I gave an example about two-factor authentication. Why do I need to enable this at all? I've never had any of my accounts stolen. That was Susie in another department, or that was, you know, seven cubicles over. It wasn't me. I'm not the problem here.
Why do I need to change? They'll start asking themselves questions like that. And it's just indicative of a mentality that security practitioners, that we haven't done a great job as an industry trying to, I guess, unenforce out of these folks, is that we're all on the same side together. We're all defenders trying to make sure the attacker is never right. So we're trying to be right all the time, but we have potential risk in all of these behaviors that people exhibit, and we're trying to get rid of them one by one. So convincing them that the behavior you're recommending is better also requires a little bit of skill. It's also going to require an incredible amount of empathy to not only get them to change, commit to changing, and then commit to changing to what you want. All of that requires an incredible amount of communication skills that are lacking in almost everyone, not just the security space in general.
And then the third piece is you have to actually convince them, hey, you're going to be slightly inconvenienced, but this is going to be good for you. I promise. This is going to be good for everybody. So there's this notion of, let's say, someone feels hamstrung by all of these policies or these things you're having them do, such as enabling 2FA, or such as needing a second person to authenticate wire transfers or something like that, or whether that's rotate passwords every 60 days and have to come up with them, or whether that's use a password manager and have to re-log in, or keep their key card on them at all times in order to get into the building, and if they lose it, they have to go through a nine-stage process to re-verify they are who they say they are.

All of these are slight inconveniences that end up creating better security for everyone involved at that organization. And so now you have to convince them that inconvenience is also good for everybody. So it requires instilling in people this sense of, we're all on the same side, we need to be doing everything for each other. We need to instill that belief in a lot of people, and that's also incredibly difficult. So all of this, so to speak, requires all of that empathy that I had mentioned. And that's why it's so difficult, is people like doing the things that they've done. They like doing the most convenient thing they could possibly do at their job.
They like showing up, doing great work, and being safe while doing it, and that's it. And any slight inconvenience added on top of that that doesn't have a perceived good, or they don't believe is best for themselves, it's just not going to come across the line as well as you think it would. That's one of the things that it would take for people to really buy into cybersecurity: we need to start changing the way we talk to them. It is really not your security folk putting in all these blockers that an average employee has to follow. It is everyone is a defender on the same side, doing everything they can as a group to make sure that we're all secure. So you really need to properly communicate to nontechnical folks that, hey, you're on our side, too. We're not against you.
We are completely with you. We're supporting you, and we need you to support us as well. It goes both ways. And the quickest way to do that is to actually go where these people are and communicate with them how they'd like. Right? So if we continue, if I were to continue using technical terms with people who are not very technical, or I don't explain what acronyms are, or I don't provide analogies, or even if I'm a bad storyteller, right? People remember stories, they buy into stories. They buy into people who tell them very well. If I am not great at communicating in those ways, everything that I say just isn't going to land in the way that I would like it to. So not only do I need to go find these nontechnical people, go to their place of business or talk with them in some way, but then I need to have a certain amount of storytelling and empathy, and I need to be able to drive home that all of these things are really important, that the collective behavior that all of us exhibit creates a certain amount of risk that our business has retained, and as a result, we need to change to reduce that as much as possible. Something that I see, so I work with a lot of MSPs.
Something that I see that they could do to help speed this process up is something that happened to me when I was a property manager here in Delaware: you need to properly train people from the very beginning. It is very hard to change someone's behavior after they are used to behaving a certain way. It is much easier to tell people that they should change, to get people to behave how you'd like, more securely, if they don't have previous behavior that they've exhibited. So if you bring on a new client and you tell them your stakeholders are going to be bought in, your management is going to be bought in, you're going to do all these things.
You're going to communicate in these ways to your end users, to your employees that work your business, that we're helping you secure. If you actually communicate to them from the very beginning that that's what you expect, then you're going to be in a much better place. It's going to be much easier for you. So what do I expect the future of the security landscape to look like? I could sit here and talk about ChatGPT and AI this and AI that. I'm actually going to go a different direction.

I really think that in the future, the best security practitioners and the best people who are able to create the most amount of security and remove the most amount of risk in organizations are going to be the best communicators, the most empathetic, and the best storytellers. So what I'm getting at, what I see as a future of the security landscape, is that the paragons of our industry, or the people who are most beloved and the people who are actually, let's say, creating the most amount of change in a good way, actually generating better behaviors, it's not going to be the most certified, it's not going to be the most licensed. It's not going to be the 40-year veteran of the industry. It is going to be the people who have the most empathy, who are able to connect with the largest group of people because they are better storytellers, because they are charismatic, and because they are more empathetic. And everyone's going to want to buy into that story.
So I think what we're going to see as the future of the industry is we're going to get more nontechnical folks as members of the cybersecurity industry, who are still going to be very well supported by the actual technical folks who are not only building the tools, but are responsible for implementing them properly. But I think what we're going to see is a lot more of, like, an evangelism-style role end up playing out in a lot of companies and a lot of tools and a lot of vendors and a lot of MSPs, because you can have very technical people, and then you can have very empathetic people and very charismatic and good storytellers. But the intersection between those two, having both of those skill sets, is incredibly rare.
So what I think the security industry is going to need to create the most amount of good moving forward is actually having more charismatic, empathetic, and great storytellers that are able to communicate to people that are just like them: nontechnical folk who just want to be doing good work and be safe while doing it. They're going to be able to communicate to them properly, go where they are, communicate in the way that they would like, and drive home the point that gets everybody on the same side together. That's what I think we'll end up seeing in the future.
So once again, everybody, thank you for joining me. If you have any comments, questions, concerns, or feedback on what I predicted today, I guess find a way to send me that information. Find a way to send me that feedback. But it was a pleasure chatting with you all, and I look forward to seeing you on the next episode. Bye.
Thanks so much for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out: Phin Security at phinsec.io. That's P-H-I-N-S-E-C dot I-O. Or click all of the wonderful links in our show notes. Thanks for phishing with me today, and we'll see you next time.