Stay Informed with the Gone Phishing Podcast | Phin

Why Do I Care About Cyber Security Awareness?

Written by Phin | May 16, 2024 6:19:30 PM

Speaker: Connor Swalm

Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.

Hey, everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor, the CEO at Phin Security. And today we're going to talk about me. No, we're going to talk about why I care about security awareness.

So that's going to include a little bit of my background. That's going to include Phin's background.

That's going to include a whole lot of things. What do I think about cybersecurity? Why did we decide to try and solve this problem? So on and so forth.

Some of it might be a little boring, but I find it incredibly interesting. And maybe you will, too. So, background of starting Phin. So, in college, I was actually a house flipper. How the hell was I doing real estate? I flipped a bunch of homes in college to pay for my loans. Most people had jobs in college to pay for their loans.

I viewed it very similarly, as I just taught myself to do that and learned how to flip houses and paid for most of my loans that way. And then, after graduating, lost all of my money buying a house I shouldn't have. That's a story for another day.

All of the learnings I made from listening to advisors versus knowing when you're right, not letting your ego get in the way. Whole nine yards. A lot of learning there, done.

But basically what that made me do is I had to move back into my parents house for a while, and I had to live in their basement, and I had nothing to lose because I had already lost it all. And I wasn't going to go get a career because I didn't want to do that. So I just decided to start building security tools and to start just coding because it's something that I had really enjoyed, and I only wanted to do things that I enjoyed at that time because I had just lost everything.

So I'm building these security tools, and I am meeting with. I do that for quite a while without talking to anyone. If you ever talk to an entrepreneur, or talk to anyone, and they say, "If I build this, people will come buy it," run the other direction. That's just not how the real world works. "Build it, and they will come" is a lie that only people who have not done it believe. That's just not real. And so after getting really frustrated with nobody wanting to buy anything that I was working on, I decided to go talk with business owners.

I ran across one MSP in that process, and I just asked them a whole series of questions. So for those of you who are thinking about starting a company or starting one, to this day, asking questions is the best place to start doing that. And I just started asking questions like: What do you hate? Why do you hate it? What tool do you buy you wish you didn't have to buy? Which tool do you have budget for that you wish you could pull elsewhere? How much did you pay for that? How much did you want to pay for that?

I just kept asking all of these questions: what tools do you buy and not use? That's just a waste of money. I wanted to know what problems they were already committed to paying for existed in their business that I could help them with. And one MSP that I ran across in that process started mentioning security awareness.

They said, I have to educate my clients, but my clients don't like what's going on. A lot of them just ignore this. And then they keep making mistakes that keeps causing problems. And then they started to talk about their own internal companies. My employees also don't like this. My technicians don't like this.

And as I started to ask more questions surrounding, how should this work? Why should it work? Why should it work like that at all? What's the end goal? What does the industry seek to do? What is the end result that you'd really like to get out of this? It became clear that there were really two things that MSPs wanted.

One was for people to change their behavior, to understand their behavior, and then to change it when it wasn't safe and secure. The second was they didn't want to spend any time managing dashboards. Right. "Stop babysitting a dashboard" is a statement that a lot of MSPs make to me. And so as I was talking about that with this MSP, they said, if you just made me a tool that was easier to use, I know 100 people that will work with you tomorrow. And that kind of felt like an opportunity. Okay, I'll just start doing that.

But then I started digging into things. So I talked with a lot of folks in the industry, whether that was practitioners, whether that was people running security awareness training programs, whether that was owners of other companies, whether that was MSPs who were currently delivering it. And there were a few things. And I even went and I talked to the employees that had to be the recipients of the training programs themselves to talk about their experience as well. And in college, I studied math, and I still enjoy talking about it to this day.

But I want to relate to you an experience I had that I saw happening in the awareness training industry and still see to this day to some extent. Anytime I talked to anyone about something that I really enjoyed, that I was incredibly passionate about, which was math, the conversation would be over before it started. The light dimmed from their eyes.

Their mother, their brother, their uncle, their friend they hadn't talked to in a million years was calling them from the next room, and they needed to go. That's just how every conversation went when I tried to talk about math. And then when I would talk to employees at these companies about their experience learning cybersecurity, they would tell me almost the exact same story. I don't like this. It makes me feel unintelligent. It makes me feel uneducated.

It makes me feel unprepared. I don't like the way security folks treat me most of the time. I don't feel like this is really valuable. I don't know why I have to do this. This takes a ton of time. Insert anything you've ever heard about, any training you've ever done.

And I started hearing it all, and so I was like, wow, these are the people, if you listen to my last episode, these are the people that need to understand basic definitions and basic examples of implementation.

And they're completely turned off to the idea of learning cybersecurity because of the way they've been treated in the past.

Or they feel they've been treated in the past. And what that leads to is just them completely disengaging from the learning process and from training at all. There's just no engagement because of the way it's perceived. And so I really started to queue in on, it's like, all right, we need to change the way we're talking to people.

We need to, again, if you listen to the last episode, talk to people in such a way that they understand and doesn't make them feel like we're talking down to them. Don't use acronyms. Don't use words that are industry specific.

Just teach them basic principles and ways that they can take examples from their daily life and understand, such as multifactor authentication and losing access to your personal email.

What would that do to you? And just go through that exercise with them. But then the second piece was, well.

Now we need to educate the practitioners and the people who are running these programs as well, it's like, hey, you need to change the way you're talking to people if your end goal is to really create additional security. The thing that creates additional security is not the program. It is the change in someone's understanding of their behavior and then the actual change in their behavior so they know what risky behavior looks like from a personal point, and then they can recognize it when it happens in their business and around them. Right? So, like, most people tailgating.

So, like, following somebody into a place of business, the people who end up. I don't want to say hackers. It's an overblown term. But the people who end up doing tailgating to actually get access to businesses, they recognize that most people at that business aren't, I don't want to say educated enough, but they are more willing to be nice than they are to stand on the boundary and say, hey.

Actually, you need to go check in with the front, because that's what we've been taught. And the gap between those two things is just explaining why it's really important to the people. It's like, hey, you may want to be nice. However, here is why it is incredibly important for somebody to understand why tailgating is a security risk to our business and what your role in preventing it is. So I just saw a ton of that happening in the industry as well, and just wanted to build something that prevented it.

Because at the end of the day, I have this belief that cybercrime is just an inefficiency in capitalism. What I mean by that is, if somebody can spend a dollar to steal ten versus spend a dollar to make two via traditional means, so they steal ten versus make two, there are a lot of people and a lot of companies around the world who are going to make that decision to steal $10. That's what they're going to do. And so if there's any amount that we can shrink that gap, let's just say every fictional dollar that we shrink that gap by is a set of people who are going to realize the risk is not worth the reward, and they're going to either work at a company or they're going to build a company that makes money via traditional means and not through theft. So that's how I've always viewed it.

Cybercrime is this inefficiency that we should gradually approach, that, like, our goal as a society should be to get all theft to approach zero. But in today's day and age, cybercrime is the biggest topic. And so, an example of that: Verizon releases one of the biggest security reports in the world every year.

It's called Verizon's Data Breach Investigations Report, the DBIR, and a big section of that is dedicated to humans: what are people doing? How insecure or secure are people? In which ways are they insecure? I remember in 2020, the first time I read their Data Breach Investigations Report, going through the analysis of humans.

At every step of a breach, there was, like, infiltration. There was infiltration expansion inside, like getting access to additional privilege. And then there's all the way to the exfiltration and then theft or the ransom.

There were five big pieces, and what mistakes were humans making at every single piece?

And I remember a statement that the report made, which was something like 88% of breaches involved the human element. And that's very widely popularized. It's a term, and it's a phrase that most companies, sometimes including myself, will use.

I do have some issues with the way they report on those statistics, and the way that 88% of breaches are not because a human made a mistake. 88% of breaches involve humans, technically. A statement that I make, and that Reg Harnish makes, a buddy of mine as well and a great cybersecurity educator, is, well, if that's the case, 100% of breaches involved the human element. If it was a zero day, so to speak.

So if it was a flaw that was not recognized in very commonly used software that most people use, like Google Chrome, for instance, well, a human coded that up, right? A human made the mistake of leaving a vulnerability in that code that nobody caught. So at the end of the day, are humans responsible for 100% of breaches?

By that metric, the answer would be yes. Or through that lens, rather, the answer would be yes.

But what's very clear to me is that if we got rid of all of theft of credentials, theft of access, or losing your MFA token, or just clicking on phishing emails that downloaded software that you shouldn't have on your computer because it's malicious, if we got rid of that, most breaches, at least in that report, would be gone. It's like, okay, well, if we get rid of those little by little, or if we educate people to the point where they understand what theft of information, access and money is going to look like before it gets to their doorstep, where are we going to be? We're probably going to be a lot closer to what I'd mentioned about capitalism.

We're like spending a dollar to steal ten. Maybe they only make eight now, maybe they only steal ten now or eight now. Well, what's the result of that?

The result of that is just more people getting less of their money stolen and more businesses getting less of their hard earned capital stolen as well.

So it's just a better place for everybody to be in my mind.

My end goal for cybersecurity education, kind of like, I want people to not feel like they're being judged for trying to understand cybersecurity. The two fastest growing industries in the world are healthcare and cybersecurity.

And something I mentioned in my last podcast episode was technology will increasingly become a part of our lives, become more integrated, more deeply into our lives, like somebody could.

I've seen people that do this, but people would find it incredibly hard to operate their lives without a cell phone. Without not just a cell phone, but a smartphone. So if somebody didn't have a cell phone and somebody didn't, let alone a smartphone, what would you say about that person? They're completely disconnected. They're incapable of interacting with most people on a daily time frame, and life is going to pass them by.

That's just a statement that people would make. And so, since technology is here to stay and it's going to become more integrated, I see a world where teaching people who haven't grown up with the entirety of that technology because a lot of it's invented incredibly quickly, I see a world where teaching those people to not only understand it, but to recognize its implications and how to implement it properly without feeling dumb, without feeling judged, without feeling misunderstood, while feeling that they're properly communicated to and supported.

I want to make a world where that happens just because I see it as not going away. Humans will always be here.

Technology will always be here in some way, shape, or form. So they're going to have to work with each other. Now, I'm talking about technology as if it were its own Skynet-level stuff, but not yet.

Maybe I'll talk about AI some other time, but not right now. But, yeah, those are all my thoughts about security.

That's a little bit of the background of Phin, a little bit of background of me, and why we chose to solve this problem. If you have any thoughts, questions, or you just want to reach out to me, my LinkedIn will be in the show notes.

I'm very active there, so I'll always be checking that. And just feel free to drop by and say some thoughts or give me some ideas. And I would love to chat with you. But once again, I am Connor, host of the Gone Phishing podcast, CEO at Phin. Thank you so much for listening to me today ramble on about security and education. It was a blast, and I will see you next time. Bye.

Thanks so much for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out: Phin Security at phinsec.io. That's p-h-i-n-s-e-c dot I-O. Or click all of the wonderful links in our show notes.

Thanks for phishing with me today and we'll see you next time.