Welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, and together we'll work with business leaders and industry experts to dive into the misunderstood business of cybersecurity and compliance to learn how to start making money from being secure and compliant. Welcome to Cash in the Cyber Sheets.
Hey everybody, welcome to Cash in the Cyber Sheets. I'm your host, James Bowers, Chief Security and Compliance Architect here at Input Output. Very happy to have you back with us today. Today, we're actually going to be jumping back into the dirty 13, the common mistakes that we see when we do audits, typically on CPA firms.
Again, these are common issues across a lot of different industries, but in the financial sector, these, what we call the dirty 13, we constantly see these same issues. So we're going to dive into another one of those today, actually centered around employee training, security awareness training, and have some good tips on there. There's no magic bullet with it, but definitely some ways to balance what you're doing to be able to get good training out there, to be able to engage during that little four second window that your employees are actually listening and nothing against your employees.
They've got lots of stuff to do, so very little amount of cognitive resources they have to spare. So just some good tips to be able to kind of snake in there and get them the security training so that hopefully when some bad things come their way, they're a little bit better prepared. Also going to talk about just some of the ineffective things that we see around security awareness training.
And obviously this could really be its own, God, its own series, but we're going to keep it condensed. Like we said in one of the previous episodes, trying to make these a little bit more bite size, a little bit more palatable. So we'll get into that in just a second.
I don't know which episode this is going to be because we're actually recording quite a few of these all together over practically the entire month of October. So getting ready to jump into it now, it's October 1st right now that we're actually recording. So kind of peeling back the curtain there, seeing some of the movie magic.
Starting next week for three weeks straight, we'll be traveling, going on audits. One of them is an ISO 27001 surveillance audit. We've got another gap assessment, which is based off of a PCI and ISO 27001, some other audits going on.
So it's audit season. Everybody seems to forget every year that they've got to do an audit every year and lo and behold, this time of year, they start getting jam-packed with them. So cool for business, happy about it.
But it is a little busy and stressful. So the point of all of that is that we're recording a lot of these. So that way I don't miss an episode because there's no way I'm going to be able to do any type of recording while on site with a client while traveling and doing ISO audits.
Those really make the backside pucker. And honestly, I just don't know if I would have the bandwidth to be able to record anything useful. So that's what's going on.
Also doing some editing to get the episodes, the interviews that we did with some of our business partners. I feel so bad about it because we haven't got those up and running yet, but we're also getting some people to help with the editing to help with the content creation. So hopefully the time availability will open up a little bit here and we'll be able to get into a better groove with these things.
It's a whole learning process, getting all of this running, getting everything set up. Yeah, my red light did go off. That's all right.
So before jumping into it, security awareness training, please click that subscribe, click that follow, tell your friends about us, go to the Input Output blog. We've got more news, a lot of great information about what we're talking about here on the podcast, just in more depth. And also starting to get a lot more eBooks and I guess materials with more meat on their bones.
So really good stuff that I think can help you out and really just trying to design it all to where a lot of it's a good primer, but builds to where you could easily start going down the rabbit hole if you're so inclined. So hopefully that's helpful. Happy to hear your comments on it and happy to redesign things to best help you out.
So no more ado, getting into it. One of the dirty 13 is issues with employee security awareness training. There's a lot of things that we see here.
One of the biggest is, well, I guess that should be split into two. I don't know how to say it. Okay.
The issues that we see are either companies aren't doing any training at all, or they've done training like once a few years ago, or maybe even the good ones, they're doing one training a year. And that training typically consists of sending something out through the email to do a quick online course to get a certification. You did your security awareness training, file that away.
So if an audit comes, we can show that we did it, but it's definitely not sinking in. You know, we've talked about it before, the amount of cognitive bandwidth that each of us have, it's not a Big Gulp cup. It's a sake cup, a little tiny sake cup, and you know how quick those go and you can't fill it up at the end of the day.
So if I'm going to devote my little bit of cognitive energy, it's going to be to sales. It's going to be to the things that I have to get done that make me money, that get me through my day.
It's not going to be to learning security features, security issues, and different things that quite frankly, as an employee, I feel like IT should be handling. Why do I have to do it? I have to go make sales. I get it.
I empathize, but our employees are our first line of defense, our first and last line of defense. They're our weakest link as far as security goes. So it's so important that we do have the training, but how do we make a square peg fit into a round hole? How do we give them the training that will actually be useful, that they'll pay attention to, and that can actually help us be more secure?
So some big tips for this. The biggest thing that I can advise when looking at security awareness training is actually good leadership and sales training. And here's why: the big things that I like to focus on with employees, with companies that we support, is teaching more leadership, sales, and conversation tactics and methods and skills. One, this is going to pay dividends across everything your employee does.
Interactions with other employees, their leadership, with their subordinates and their departments, interactions with clients, sales. It's going to help all the way around. What it will also do is help strengthen their ability to essentially say no to an attacker, to say no, or really to sniff out the bullshit when they're getting a phishing attack.
And the four core things that I think will be the biggest bang for your buck when training your employees: first, teach them how to mirror, M-I-R-R-O-R. I spell that out because I feel like it's not coming through for some reason, but teach them how to do good mirroring. If you've never done it before, it feels very awkward.
But all it is, is just repeating back what the person that you're talking to, that you're having a conversation with, just said. Either directly repeating it back, typically with a little inflection up ("So you want me to get how many papers?"), or slightly changing what the person said, but really essentially repeating it just in different words.
So a good example, your boss comes in, says, I need all 500 TPS reports on my desk by 12 noon. All 500. And what this does, like a Jedi mind trick is it causes the other person to start vomiting information.
Go read Never Split the Difference by Chris Voss. It's where I learned about it. And since then I've been married to it; we use it in all of our social engineering.
We use it in sales. We use it with leadership. It works wonders.
What's impressive about it is in every single social engineering program that we've done, every engagement where we've, and our pen testers didn't always know this, but where we worked with some people on the other side to teach them how to mirror, to see how well it worked. Every time they did it with one of the pen testers, the tester started flubbing. They just went like this.
They felt they didn't know how to handle the conversation. Like they'd been caught and it fell apart. They weren't successful.
And it was just a very simple mirror. "I need to get on your computer to do remote work." "Remote work?" "Uh, yeah, we're having to install some tools to make sure that the system's secure." "That system's secure?" And without even realizing it, the person that you're doing it to, again, they just start vomiting more and more and more information and they end up talking themselves into a corner. And as it is with phishing attempts, as it is with somebody trying to scam you, a lot of times that's all you need to do to shut that down.
It's also a great skill to have in a sales conversation, in a leadership conversation, performance reviews. It's not intrusive. People don't even notice you're doing it.
So like I said, this mirroring, if I had to hone it down to just one, I would bar none say mirroring. Learn how to do that, train your employees on that, practice it, get everybody good at it. And it's amazing what it's going to do for the company. And by the way, you'll also be more secure. Kind of neat.
The next one, and again, this goes across all dimensions, interpersonal, business, sales, definitely the security side. What this one is, is asking how or what questions, basically replacing any type of why question with a how or what. So somebody asked you to do something.
Maybe it's a little outside of the normal. "Hey, I need you to order 50 gift cards and send me the codes from the back." "How am I supposed to do that?" "How am I supposed to do that?" It seems like such a silly question. You're probably listening to this going, why am I spending the time listening to this? I guarantee you, "how am I supposed to do that" is such a powerful question that it ping-pongs the issue back to the person that made the request.
Now they've got to come up with a plan for you. And in any type of situation, this works wonders. It gets the other person using their cognitive resources for you.
And it's very easy to just keep throwing out. How am I supposed to do that? Use different inflection. But what's also really powerful about this, about the mirroring and the how or what questions is in those situations where we're being phished or we think we're being scammed, but it could maybe be a manager or it could be somebody in a position of authority.
I don't know. This might be legit. I'm kind of teeter tottering.
Normally, without any of this kind of training, I would just want to do it. I don't feel comfortable doing it, but let's go ahead and do it. And then you just got scammed.
And after people get scammed, the majority of the time they say, you know what, I knew something was wrong. Yeah, but you did it anyway. With mirroring and the how and what questions, when you're on that teeter-totter you're able to use these skills, because if it is somebody in a position of authority, if it is something legitimate, this is going to tease that out and it's going to help get you to a place where you feel comfortable executing the request.
If it's not something that's legitimate, if it's actually a scam, chances are this is going to eventually tease it out.
The next step on this roadmap of employee development and security awareness training is one that's overlooked, but it's so important. There's books on it. There's lots of books on it, but how to say no, how to say no professionally and effectively.
And what's so important about this skill is that, one, in a business setting, you need to be able to say no, you need to be able to put limits. But again, if we're in that position where I don't know if I'm being scammed, I'm on the fence, I'm not really sure, being able to effectively say no to a colleague, to an authority figure, will allow you to comfortably remove yourself from that situation.
It will allow you to comfortably not go along with what they're asking for, or you can shut it down. And again, this is obviously going to pay a dividend. It's going to support better security, but on the personal development, employee development, all of that side, it's going to do so much more. So here we've got three different things, mirroring, how or what questions, how to say no, that are going to, when practiced and your employees actually really do use them, blow the lid off their sales capability, their leadership skills, their personal relationship and communication skills.
And, oh yeah, we're also doing really good security awareness training. We're really building skills that are going to squash some of the major issues, some of the biggest pain points. The final one here is really how to call in support.
How can I tag team? How can I pull somebody else in if I'm feeling uncomfortable? And this ties more into how to say no individually. On the company side though, it ties more into a culture. Can we create a culture? Can we have a process in our company to where if there is anything that you're uncomfortable with, here's how you can pull somebody else in.
And the best way to execute this, where we see the most success, is when that culture actually has a structured process and that's fully respected, basically like a safe word. Any of our employees yell out "pineapple," you can pull somebody else in. It doesn't matter who's asking, CEO, whoever, we respect that you called the safe word, or we respect that process that you're pulling somebody else in.
We will always respect that so that you can feel confident that you're doing the right thing and that you can have somebody else look at it, because somebody looking from the outside that's not directly interacting can give a much better perspective and is typically in a much better position to call foul because they're not interacting directly. They don't have that emotional involvement. So that's why it's so good to have another person come in.
This isn't a big expense for a company. This is really setting the tone, setting that culture and just honestly, just saying out loud, we're going to respect this and here's how we can pull people in. So that really ties in with how to say no, and being able to fall back on another employee, or being able to kind of make an excuse that I've got to pull somebody else in, is a good way also to say no without really saying no.
So those two lend to each other, but those are the big four. Again, mirroring, absolute Jedi mind trick, how or what questions, how to say no, and how to call in support, how to get a tag team in. Those four things right there will help stop the majority of social engineering and even phishing attacks.
And it's going to pay such massive, massive benefits over on the sales side, everything else. So I've said that I'm going to stop kicking that horse. I can't say that enough.
Some other really big tips, and this is more to the traditional security awareness training, actually doing the phishing exercises, actually talking about current threats: talk about the seasonal threats. We're getting here towards Mariah Carey radio time. It's the holidays.
And there's going to be a lot of UPS, USPS, FedEx phishing attempts. Hey, your package is delayed. Hey, your package isn't going to get there.
And we've ordered so much stuff right now that, to be honest, I've even clicked on them. You're in the middle of lots of different things, I'm supposed to be having this package get there. Oh, okay. Let me check on it.
And bam, we got popped. It's aggravating. It happens.
Talk about these things with employees as you get into the different phishing seasons. One of the biggest ones here is obviously the holidays, all the shipping with holiday travel. There's a lot of phishing attempts around things like that.
Also, and this one sucks, but whenever there's a natural disaster, a really bad event, there's a lot of charity phishing scams. I think those are particularly scummy, but they do happen.
So those are really good things to talk about with employees. Hey, there was just a major hurricane, or there was just a major incident. Here's ways that we can help.
Here's a vetted process or vetted charities that we've seen. Or even if you don't vet anybody, just a quick reminder: Hey, be on the lookout for charity scams. Try to use the big names.
Other things, as we try to wrap this up and not get too long, is have ongoing training. Do phishing at least once a month, throw that in there, just randomly have some quick security and awareness training that isn't too long, but that's just a good refresher. Another really good thing is, believe it or not, it's harder now with remote working, but it's just putting posters up. Have some stuff in a break room.
Hey, if you see something, say something, here's what an incident looks like. Here's an example of a phishing. Just different things that you can put around, lock your computer.
Don't leave your password on your desk. Those kinds of things, as we're walking around, as we see them. You can put it on banners on the computer, on the intranet site that just rotate. They're just good, constant reminders that can help those little lapses.
It plants that seed, even sometimes subconsciously, and just helps keep people doing the right habits, which this really all goes to creating a culture of security. Some other neat things you can do around the security culture is make some games out of it. Some things that we've done before is putting a cash prize down for whoever can find the most people that didn't lock their computer, or whoever can find the most password post-it notes.
And we're not reprimanding the people they find. We're rewarding the people that found it. We're creating a funny game about it.
But the message is pretty clear. You need to stop doing these things. In this way, we're policing each other in a fun, competitive way.
And it just turns that on its head from being a thing of, I got found out, don't tattletale on me, to, I don't know, like a brother-sister thing, you know, I caught you. It's funny. It's great.
Make sure to lock it. And a lot of people will start doing the security requirements, locking their computer, not writing things down, because they just don't want to get caught by their fellow employee. They don't want to hear the bullshit.
So whatever works, these are some good things that you can do where you're not investing a lot of extra money. In some cases, you're not investing anything extra. In the case where you do the mirroring, the how and what, how to say no, and having a tag team process in place, you're really investing in your employees, in your sales and in your leadership. You're getting a nice benefit of extra security on the side.
So I think that's all I have to talk about that today. Obviously you've listened to some of these. I could keep going on, but I'm not, I'm going to cut it short there.
What I will say is a great resource, I can't stress it enough, is Chris Voss's book, Never Split the Difference. It's a phenomenal audiobook.
The narrator of that does a phenomenal job as well. It's actually an interesting read and a great listen.
Definitely look into that. Look into some of these. Happy to connect on a one-to-one to talk more about some of the ways to improve your security and awareness training program, but get these things in place.
Help your employees be the best that they can be and at the same time be secure and compliant. Thanks for listening today. Can't wait to see you next week.
Thanks for joining us today. Don't forget, click that subscribe button, leave us a review, and share it with your network. Remember, security and compliance aren't just about avoiding risk. They're about unlocking your business's full potential. So stay secure, stay compliant, and we'll catch you next week on Cash in the Cyber Sheets. Goodbye for now.