So, I'm with the National Cybersecurity Alliance. Who's heard of the National Cybersecurity Alliance? Anybody? A few people.
Who's heard of Cybersecurity Awareness Month, every October? Okay, that's us. We started it. This is the 20th year. We sometimes have a little argument with GHS, anybody from ISSA in the room, sorry, but sometimes we have a conflict over who really started it. It was us, we existed. Actually, Cybersecurity Awareness Month existed when our founders sat down and started the organization. I believe Microsoft was one of the founding organizations.
So, we're also big fans of data privacy. In January, we have Data Privacy Week coming up, and we're going to expand that this year. But all kinds of... we're really about the human, we're really about that intersection of technology and everyday humans, people like my mom and my kids, who are really hard to influence. But we have tons of information that's very plain-spoken advice. We're the translators, we're kind of... we think of ourselves as the training and awareness manager for the country. We're there to translate between the technologists and people like my mom and my kids.
If you work for one of these companies... does anybody work for one of these companies in the room? I know Microsoft. These are the folks that are on our board, and we're really thankful to them for all their support.
So, we get about 2 million page views on staysafeonline.org every year, and we have tons of free resources. If you have not yet signed up to be a champion for Cybersecurity Awareness Month, if you go to staysafeonline.org, there's probably still a promo box on the homepage where you can sign up to be a champion. You get all kinds of free stuff, and there's no copyright, trademark, anything.
So, we write things like sample articles for company newsletters, and things like that. It is a lot easier to start with what we've written and edit it than it is to stare at a blank screen. So, we provide a lot of information.
Quick questions? staysafeonline.org.
So, that's enough of my PSA. We're going to talk about some BS this morning, some behavioral science and cybersecurity. Not this kind of science, this dates me a little bit, because I was a big Thomas Dolby fan back in high school; we're not gonna talk about this kind of science. I don't know anything about this, or this. We're going to talk about behavioral science.
So, this is a little psychology lesson this morning. This is what's known as COM-B. This is the behavioral science model that says that you need capability, opportunity and motivation before you do something. So, how many times have you asked your kids to do something, and they say, Mom, I don't feel like it? That's the motivation piece. That is the hardest part of this model. It is emotional in nature. If we aren't motivated to do something, like go to the gym, or enable MFA, it's not going to get done. Capability is knowledge. That's what we focus on. We deliver that in training all the time. There's not necessarily much motivation in the training itself. Depending on what kind of training it is, maybe it's gamified, maybe it's entertaining, that helps. And then there's opportunity. And that's pretty easy, because we're all dealing with technology all day.
So, this year, just like the past two years, we produced a report with a company called CybSafe in the UK, called Oh Behave! And this year, we surveyed 6000 people in the US, the UK, Canada, New Zealand, Germany and France. The Australians answered our email about two weeks too late; otherwise, we would have had all Five Eyes. So, we'll do that next year. And, hopefully, we'll include India next year as well. And so, our sample set was people aged 18 all the way through retirees. We asked them about these five behaviors: password habits, using MFA, installing updates, checking for phishing (smishing, vishing, all of it), and backing up their data. But we also asked them how they feel about cybersecurity, because we're trying to understand that motivation piece.
So, before I got recruited by a CISO, from... to be in security from a marketing team, I started my career at Ford doing marketing and advertising, a long time ago. One of my favorite advertising gurus is Seth Godin, and he says facts don't change people's behavior, emotion changes people's behavior. But what do we focus on in our training programs? The facts. So, we asked people about their feelings, because we wanted to know how that might influence their motivation.
I feel that staying secure online is a priority. How do you feel about that statement? So, obviously, there's not a lot of people who are gonna go... who say they go on the Internet and don't care about getting defrauded. So, the data is shifted really far to the right here; people agree with this. But it's kind of motherhood and apple pie, who's gonna say that they don't do this? Well, Gen Z's are gonna say that they don't do this. Unfortunately, they are the least likely to agree with this statement and actually the most likely to disagree.
Staying secure online is under my control. This is really important to your motivation. If you don't feel like what you do matters, if you don't think that you have any control over what's happening, that's incredibly demotivating, and you're not going to do anything. So that's why we asked about the sense of, like, you know, personal agency. Again, when we break this down by generation, we have another Gen Z problem here: also the least likely to agree with this statement, and the most likely to disagree. It could be that these are folks that grew up, not like me with pen and paper and modems, eventually; they grew up with data breach headlines in the news, they grew up with technology. They're tech savvy, but they're not necessarily security savvy. And they could feel like all these bad things just keep happening, and there's nothing I can do about it. So, with that age group, a lot of our materials really focus on what you can do to protect yourself, even if a company that has your data has had a breach. They are twice as likely to think that it isn't worth the effort.
This is one of the press pickups we got when we released the report, and I had to crack up at that picture. I thought that was pretty funny. But this is a problem, clearly. So, there's probably some breach apathy going on, probably some breach fatigue; those have been documented by different researchers.
And then there's this theory called learned helplessness, that you probably haven't thought about since freshman year psychology, like me in Ann Arbor. So, this was based on some experiments that a psychiatrist did on animals a long, long time ago. He administered some adverse stimuli and took away the animal's ability to escape. Even when they reintroduced the ability to escape, the animals stopped trying; they didn't even bother. So, literally, we think there's some Gen Z's that have learned to be helpless about this. And so that's kind of their excuse not to change their behavior, and it's very demotivating.
So, on that list of five behaviors, I'll share some data next. And the first one is phishing. How confident are you in your ability to identify a phishing email or a malicious link? Clearly, we're all above average. I'm not going to be the one that's going to click. This training is for somebody else! We all feel pretty confident about this. I think there's some Dunning-Kruger going on here. If you've heard about this, this was literally made up by these two guys, Dunning and Kruger, as kind of a tongue-in-cheek exercise of saying that we all have this bias.
There's a, I think, Dilbert that my husband likes to quote, where the boss says, What I don't understand must be easy. So, when we don't understand something, we all think we're really smart about it. Dunning and Kruger say we start out at the peak of Mount Ignorance and go from there. So, we try to remind people that everybody's got this bias; we all don't think we're going to be the one who's going to click, even folks in security and IT. But you'll see that in a lot of our materials.
The one thing that impressed me here was that 72% sometimes, very often, or always reach out to a person to verify if a message seems a little bit off. If you had told me before I was in cybersecurity that I needed to do that, I'd have told you that feels socially awkward, and that person's gonna think I'm paranoid, and I'm not going to call; that just feels really weird to me. But to know that, in this day and age, people know that if something just doesn't seem quite right, they're gonna pick up the phone and call, maybe to avoid a BEC. That's a really good thing. And then we've got 67% who say they very often or always check for phishing.
How often do you report phishing? You might want to compare these numbers to the report rates, if you have a simulated phishing program running in your organization. This is what the public says. Remember, this is people aged 18 through retirees. This sample was reflective of census data, so it was a representative sample. 8% of people say they don't know how, or can't find the button. And we kind of blame, or credit, I'm not sure which, Google for this, because a lot of people use Gmail in their personal lives, and very quietly, a year or so ago, they added Report Phish along with the Report Spam button, and a lot of people just don't realize that it's there.
If you don't have a one- or two-click reporting button, if you're not using the one that's native to Outlook now (Microsoft added one, which was fantastic), or one of the other vendors', if you're not using one of these, please get one. You really want to reduce the barriers to the behavior you're trying to encourage.
We struggle with that sometimes, because we think this stuff is easy, but it's not easy by the end user's definition. We think it's easy by our definition, you know: I just save the email to a file, and then attach it to another email, and then mail it to the security team. It's way too many steps. When I was working at an automotive technology company, we rolled out a password manager for everybody to use. We put it on the IT self-service site. And I was trying to communicate that out to the employee population: here's how to get the password manager and use it.
And I sat down with somebody at the helpdesk, and they're like, okay, you navigate here, and then you go there, and then you go to the portal, and then you go to this page, whatever, and then you have to click four times down the list of software that's available on IT self-serve. And I'm like, you can't just search on this? Nope. It was way too many licks to get to the center of the lollipop. That's before you even install the password manager, and then proceed to put all your accounts in there, which people already perceive as being burdensome.
So, think about the user experience when it comes to asking people to do things, when you want them to do the right thing. If you want them to report phish, try and make it easy, as easy as possible.
Passwords. How often do you use unique passwords for your important accounts? And we define unique, but I still don't think people really get it; they still think they can get away with changing a few characters, and that counts as unique. So, this number has gotten a little higher in the last year, and I almost feel like it might be inaccurate. We'll see what next year's number looks like, because I don't think people are really honest about their definition of uniqueness, that their definition of uniqueness meets our definition of uniqueness. Yeah, there's still too many people saying never. If there's any number at never at all, like, I can't sleep at night. So, 5% of people are saying that they absolutely use the same password all the time.
How long are the passwords that you typically create? Our advice changed lately to match the federal government's advice, so we like them 16 characters or longer. Unfortunately, there are still a lot of people using very short passwords: 7 to 8 characters, 28% of folks, that's too bad, as well as the 46% at 9 to 11.
What is your preferred method of remembering multiple passwords? And this one is amazingly consistent no matter who I'm talking to.
So we have had the same top answer every year for three years. And then I do a lot of talks during October where we survey the audience. So organizations ask us to speak to their employees. And we use audience polling in Teams, Zoom or whatever. And we ask your employees some of the same questions that we asked people in the study. And then we see how your organization compares to the general public. And it's pretty engaging; people want to, if you believe Facebook, people want to take surveys and see how they compare to other people. Who wants to hazard a guess at what the most popular answer is here, three years running? And with every organization I've ever spoken to, A is absolutely it, unfortunately. Even some three-letter agencies in Arlington told me that this was their most popular way of keeping track: notebooks, which really, really scared me. I guess nobody's gonna break into the Pentagon and steal it anytime soon. But I just really... loss, theft, recovery, the recovery from this if you lose access to everything at once, that just seems like an absolute headache. But I know a lot of IT folks are afraid of password managers; they're afraid to pick the wrong horse, you know, to actually have that conversation as an organization and decide, you know, to really look into these things and decide which one to use. We still like them, along with multi-factor authentication, even after what's happened to LastPass.

So what we learned about MFA: 30% of people have never heard of it. Which means that 70% of people have, which I guess is okay. We went out on the streets of San Francisco last year and did some man-on-the-street interviews, literally, with a journalist and a camera, and put a microphone in people's faces and asked them about MFA. As soon as you explain to them what it is, you know, that thing you have to do when you want to sign on to your bank account: Oh, yeah, that, I know what that is. So it's really the name.
So whatever we decide to do next that's really big and broad in the passwordless world, I hope they let marketing people name it, because this name really puts people off. And I guess it doesn't matter if people know what it's called, as long as they're using it. My favorite stat here is that once you get people to use it, 94% of them will keep using it. We're creatures of habit; you get over that initial eye roll of doing this, and then you're very unlikely to disable it. And we're really excited. We're gonna start telling some more stories on our website and webinars and things like that about organizations that have mandated it. So Salesforce did that lately. And as you can imagine, if you work at a tech company at all, they've grown by acquisition. It was an incredibly complex endeavor to mandate MFA across everything for all their customers, and this includes some of their customers who use Salesforce or some of their apps while they're standing in front of a customer in a retail situation. So that took some bravery, to say that we're going to introduce that little bit of friction even in a situation like that. And so we're going to help them tell that story, because we would like to see more companies follow suit. I know that, and so with CISA, I know that there's a website out there where some developers are keeping track of who doesn't even offer MFA; it's a name-and-shame list of who's not mandating it, who doesn't even offer it. There are some financial services companies on that list that don't even offer it, which to me was kind of stunning. So rather than name and shame, we're going to do the opposite. We're going to try and tell the stories of the companies who we think have done the right thing.

Updates and backing up data, here's what we learned: 35% of people presume their devices are automatically secure somehow. So this has become a real problem at home.
Because most of us are pushing updates at work on work devices. So people bring all this technology into their homes, IoT devices, streaming apps, LastPass, all these things. And don't... we tell people this is like cutting the grass, you have to maintain this stuff. People bring it into their homes, and they just kind of forget about it. They don't update their router; there's just a lot of things that don't get done with the technology people use at home. The latest development that's made me really happy from an end user perspective is that my antivirus no longer requires me to restart my laptop when it runs an update. And I think that's why 17% of people, including me at one point in my life, have clicked remind me later, like, who hasn't? I feel like this number should really be a lot higher, especially when it's something that requires a shutdown: I'm in the middle of something, I can't be bothered, I don't want to stop what I'm doing. 62% have turned on automatic updates. I have some devices where, I have to investigate this, I have automatic updates turned on, but they don't happen unless I power down my machine. So I'm not sure what's going on with the priority on the device. Likewise, backing up: this is something that you're doing for everybody at work. But we're not necessarily good at doing this at home. I'd be curious how many IT and security professionals even have, like, a cloud backup service running? Good. It took me a couple of years to do this, to pick one. But these have gotten so much more affordable from a consumer perspective, so that's something we highly recommend.

So, those feelings that we talked about. How am I doing on time, John? Tell me what time it is. I'm good. Okay, stop me when we have like five minutes left, so we have time for questions. I find cybersecurity intimidating. How do you feel about this statement? Most people felt neutral about this.
And then it's kind of evenly split between agree and disagree, if you add those two up. But I think there are still too many people feeling intimidated, because if you feel intimidated by something, is that motivating? It's actually demotivating; you're probably going to avoid it if it's intimidating. And I blame him. He shows up all over the place. He shows up on the six o'clock news when something bad happens in the headlines. He shows up in way too much of our security training. We have been using fear, uncertainty and doubt for a really long time to talk about cybersecurity, and it is incredibly demotivating. I think it hasn't served us well. We thought fear would be a good motivator, but I don't think that's really played out for us very well.

I find staying secure online frustrating. You all can probably guess what this looks like. This has actually come down a little bit in the last year. But still, when you add up the folks on the agree side, there's still a significant number of people who say that they find it frustrating. I think next year we need to correlate this to what kind of job role these people are in. Because it dawned on me, you could work in cybersecurity and be incredibly frustrated, because it's really hard and the bad guys just don't stop, and I'm super frustrated.
We also asked people about their sense of worry. On the far right here, 50%: falling victim to cybercrime is something that worries me. In the middle, 50%: I am likely to be the target of cybercrime. So they don't even feel like it's random. People are walking around feeling targeted. That's a horrible way to go through life, feeling that way. So we look at this combination of emotions: we've got frustration and intimidation and worry. Do those sound good? Is that a good recipe for motivation for behavior change? It's a recipe for an anxiety attack. I don't want to deal with this stuff. I'm going to avoid it because it makes me feel so horrible.

So I am on a one-woman crusade to get rid of cliched images like this, right? This has got the bunch of ones and zeros on it. Nobody really knows what that means, even a lot of developers. So, again, no face. This is a faceless thing. We're not even ascribing this problem to humans. This one has every cliche in the book that you could possibly think of. We've got the hacker in the hoodie, again faceless, no eyes, skull and crossbones, the bug, the padlock, the shield, the shield with a lightning bolt. I might get struck by lightning by this stuff, like, this is terrifying. And then it's all wrapped in binary, just for good measure. And John, there's some reference to PCI on there for you. I have never seen this screen in a SOC, once, ever, in any SOC I've ever visited. This would make life so much easier if this was the case. I mean, your engineers would have a much easier time if it was clearly this obvious. You know, I don't care what the vendors say, it's never this obvious. This guy's not obvious. This is one of the guys from the ransomware gangs that got busted a year or so ago, sitting in jail, looks like the boy next door.

So before I worked for the National Cybersecurity Alliance, I was head of content for a training vendor that eventually got acquired by KnowBe4.
And we set out to not use any more cliched images in our training. We were going through due diligence with another company we were looking at acquiring, and I started going through their training content. And they had one that was a video of live people, not animation, people sitting at their desks in an office at their workstations. And they had animated, above the heads of all these people sitting there, emails, little pictures of envelopes with wings, like bat wings, flying around the office, meant to signify phishing emails. What are we teaching people when we use that kind of imagery? That a phishing email is going to be that obvious, as obvious as that alert screen? Are our phishing emails obvious these days? Absolutely not. When we worked on a physical security module, we decided that the guy trying to tailgate behind you was not going to be wearing a hoodie, a trench coat or a mask. Because guess what, the person trying to get into your facility is not wearing... maybe wearing a trench coat if it's raining, but he's probably not wearing a mask, for sure. This guy doesn't look like a bad guy; he looks like the boy next door. So when we train people that these things are going to be obvious, we're creating a really big disconnect between the reality of what our employees are facing and what our training is telling them this is gonna look like.

So when COVID first started, here I am running a content team. I've been in this job for like three months, and suddenly we're in lockdown. And I can't even see my team in person anymore. They're all in Seattle, I'm in Austin. So I decided to do a meetup group, a virtual meetup group, with a UX/UI design group, because I figured there's got to be a lot we can learn from the study of UX and UI design in the training world.
And they talked a lot about the emotional cost, the mental load that we're putting on people when we're asking them to interact with our technology, whatever the interface is, of the training module, or website, or whatever application it is. And they did a lot of work then, in the following months after lockdown, on designing during COVID. How easy can we make things for people? Because people are up to here; the stress level is way too high. So, in the past couple of years, we've seen a lot of that, and a lot of this. And then this turned into this. And that was pretty stressful for people, and a whole bunch of this. And then this happened, and it doesn't feel like the economy's gonna get anytime soon. Unfortunately, we're kind of stuck. And then recently this happened, and this happened. And do we really want to put any more emotional load on people by continuing to use fear, uncertainty and doubt to talk about cybersecurity? Do we think that's a positive motivator? Is that going to get us to where we want to be? Because what do people do when they can't take any more of what's in the headlines that day? I'm watching... I don't have grandchildren yet, so I'm watching baby videos on Facebook, right, I'm watching other people's grandchildren. And I don't even like cats, but, like, I watch a good cat video here and there. Because we're up to here; there's like a lot of bad stuff happening in the world. We don't need to make cybersecurity just another bad thing happening in the world. So for the talks I've been giving this October, I've been really stressing empowerment: that when you take security training that your organization makes you take, you should feel empowered. Education is empowering. And don't worry about the lightning bolt and the hacker in the hoodie and all that worry. Because that's just so demotivating to the behavior change that we want to see.
I like to tell people, instead of thinking about the bad things that can happen if you don't do these five things that we're asking you to do, or for this October's campaign, think about how much better you'd feel if you do some of these things. Who wouldn't want some peace of mind from knowing that they've enabled MFA on all their accounts? So that's my recommendation to you this morning: rather than leaning into some more negativity, and I know it's hard for cybersecurity professionals, our glass is always half empty, not half full.

Speaking of glass half full, half empty, the last poll question I'll share with you: we asked people, what, if any, security behaviors have you changed as a result of training that you've taken? And these were the answers that we got. Very few people didn't do anything at all. And I know, you know, I can think of half a dozen very binary thinkers, security engineers I've worked with over the years, who would say they should all be 100%. Everybody should do all the things we put in their training. Like, you know, this isn't enough. But this was knowledge alone, capability alone; motivation had to come from somewhere else for people to do something as a result of their training. So I actually think these are really good numbers. And at every organization we talk to, the top three are always recognizing phishing, and I credit simulated phishing programs with doing that, using MFA, and using strong, unique passwords. Those are always the top three at every organization. And honestly, if you asked me to prioritize, those would probably be the top three that I would ask everybody to do. So we're actually pretty happy with this, that 92% of people did something, which I think is pretty fantastic. So training actually does work, in case you're wondering; sometimes it doesn't feel like it, but it does.

I'm going to wrap up today with a little video. This is a video series that we launched on Monday.
This is not politically correct at all. I told one of my board members, this is going to... I don't want to be the next Sony, and he said, Are you kidding me? That would be the best thing to happen to us. That'd be the best publicity ever, if North Korea decided to hack a tiny little nonprofit. We actually had an event Tuesday at the NASDAQ MarketSite, just around the corner, and we were able to put the ad for this on the marquee and got 50,000 views in the first day. But it's a short video series, and I'll just show you the teaser.
We, Hamid, we use brute force. We let AI figure it out while we hang out on TikTok looking for soccer. You understand, right? This is essentially organized crime. You lie and lie until you die. Spams and rules, that always gives me like a bevy, most of them. Oh yeah, hey, please. Park, you know, doing stealing and taking the money. I don't have that. One simple scam for simple-minded people. We work for one of the biggest cyber criminals in the world, a guy who keeps polonium in his cupboard, and you want to talk about snacks?
No, that's... There's, I think, eight or nine or 10 episodes. They're just a couple of minutes long each. As you can see, this is like watching The Office, except we're looking at the characters who represent China, North Korea, Russia and Iran, for obvious reasons. And so we know that this... we've got, and we now put a warning on the website. We have an art director who worked in advertising and worked for a lot of alcohol brands. And you know, you go to one of those sites and it says, are you 21 or not, or it asks you to put in your birthdate. Well, we decided we needed to have like a humor gate. Like, if you decided this is gonna be offensive to you, that this isn't politically correct, then we put a warning on there: maybe you shouldn't watch these. These aren't exactly for you. These are not meant for corporate training and awareness programs. Clearly, I have done kind of edgy stuff before that worked really well, went viral in the company. But I wouldn't recommend these for your average organization. These are for people like my kids, my 20-something kids who aren't paying attention, don't care. These aren't meant to be training. These are just meant to get people's attention, and it's a little edutainment, right, just to make them think. Because I think when we can get that light bulb to go off in people's heads, that they are up against something that's highly, highly organized... I think those pictures of hackers in hoodies have made people think that it's still the kid in mom's basement, that they don't understand, you know, quite how sophisticated it is. And as soon as you realize that you're up against a machine, then you kind of look at these things differently.
When I do Q&A during the talks this month that I give, the number of people who will say things like, well, I keep track of my passwords by using things like, you know, I have hints written in a notebook, but the password is something that isn't true, you know, like, it's not really the street I grew up on. And I'm like, it doesn't matter if it's only six characters. Nobody's trying to humanly figure out and decipher your password, right? So the little mechanisms and tricks that people are using, that they think are magically going to keep bad guys away, a lot of it hinges on the fact that they feel like they're up against that hacker, that one other person, not, you know, AI and all the technology that's being used to do what bad guys do. Anyway, I have time for questions, if anybody has any this morning. Go.
Do you have new icons or images, if you don't like the ones that are traditional?

Normal human beings, right? So we would... And they're not scary. That's true. No, but they're representative of the people that we're trying to relate to. When we show humans using technology, they're just people, like shopping on their phone, or whatever we all do. We are coming out with a new campaign. I had a designer I used to work with when I was at the training and awareness company, and he had an idea, and we were getting acquired, so he's like, we're not going to do this, and you can have the idea, and next time you have a designer who wants to do this, you can do this. And I thought it was great, and we just haven't had the bandwidth until now. But he had this concept of showing pictures of, like, somebody walking on the beach, and the caption is, I paid for this vacation with phishing emails, right? Or showing somebody, you know... you just have normal humans in random situations, but you have a juxtaposition of that image with that chilling caption of, like, wait a minute, these are just normal people doing this and living their lives and buying Lambos and whatever they do. So I'd like to get that out. And maybe we can potentially have some sort of video series or something. We create a lot of content kits like that, campaign kits, so you can download those if you go to staysafeonline.org. And you sign up for our newsletter, our email newsletter; we don't spam people, we have a very high open rate and a very low unsubscribe rate, because we generally provide value. Because we're a nonprofit, we're not trying to sell you anything. So we have campaign kits. And those will allow you to just hand them to your training and awareness manager, or if you don't have one, your communications team, whoever it is that communicates with employees; it's all ready to go. Or you can, as I said, edit it to your heart's delight.
And so we run campaigns like on romance scams around Valentine's Day, we'll do the data privacy campaign, in February we do back to school time cybersecurity tips. Holiday shopping, like pick a topic. So the Valentines that we put out last year were really clever, the last two years, I guess. So we mimicked the sort of graphic design that you see on the stuff you buy at CVS for your kids to get out of school. But they have really clever images and copy on them. So we did one last year, I'll give you an example, this might have been two years ago, it looked like the Chinese flag, only instead of stars, there were hearts. And it was pink and red. And the copy, I think there might have been a couple dancing or something in the center of the thing. And it said I love your face. Let me add it to my database. And somebody on LinkedIn who runs a training awareness program at a company in Hong Kong actually reposted it because we shared it on social media as well. And she said she used it in her organization. I'm like, oh, man, I hope we're not on the list somewhere. But anyway. Asking are we doing anything to help rescue adoption? So we have a guy on our staff who's following that closely, and what I find awkward right now as far as like what to tell people like my mom, the more we talk about, yes, we're talking about passkeys, and we'll even talk, I mean those videos we shot in San Francisco were done along with Yubico. So we'll talk about keys, but those physical keys as well as passkeys. People have a tendency to think that if passwords are gonna go away anytime soon, I can just keep my bad habits for the time being because it doesn't matter. I can keep using a six character pen password across every website. So we're really careful how we talk about that, yes, this is coming. And yes, you might be, you know, zero trust at work and only have to authenticate once a day or not at all.
Or some of the companies you do business with, you know, consumers are seeing it through like, mainly interactions with Google and other companies like that, that are going really quickly. But not every company is going to get there at the same time. You know, some of my like, store branded credit cards from really small financial institutions are going to need a password and MFA for probably a long time before they make the investment. So we don't want people to use that as an excuse to not, you know, change their behavior now. So we're taking kind of a nuanced approach to that. Sure.
A tabletop exercise for executives, and a nod your head.
For example, ransomware. I think the facts alone are scary enough, right. So it's really the language that you use, as you're playing through the scenario. Trying to refrain from, you know, sort of having some judgments, along with, you know, a lot of us who've run tabletops, like, we can see how it's gonna go, when we're picking out the scenario, right? Or when we sit down with the consultants to choose the scenario that they're going to run. Like, we know it's going to be ugly. That's why we're doing the exercise. So I think it's kind of the tone and the mood in the room and the language we use a rat, I mean, sticking to the facts would be my recommendation. And then I think emphasizing, like, isn't it great that we did this? Look how much we learned? Like, look how much more prepared we can be? Like, when are we ready to do the next one, and see how much better we can do with another scenario, right? So I would try to really lean into the positivity of how much the organization learned from it, how much better prepared we can be. Because the facts alone, watching that all play out. That's enough fear right there. I mean, with most executives, and they start to hear that there's like communication breakdowns happening. And, you know, maybe you're working on a scenario, it's a weekend, nobody, you know, Joe knows the application best and nobody's got, you know, cell phone. There is some of the simple things that play out. That's enough for a CEO or senior level executives, you just go like, Oh, man, now I realize like we've got a problem. We don't need to add our, you know, judgment of the situation or our net negativity. On top of the facts, the facts alone are enough to tell the story, I think. Sure.
I've been a trainer, all my professional travel this morning, about training.
Because user setup is required for most strong authentication solutions, they're almost all, do we see too many of them similar? Yeah. You have a measure of how many people are opting in when they have the opportunity?
Yeah, I think that data on MFA speaks a little bit to that of how many people use it, I think it's 60% of people use it, and the 90 something percent continue to use it, I'm gonna get that first number wrong, I have to go back and look, so many numbers in that report. So whether those are people, I don't think we have enough data to know whether or not those are people that are using applications where it's been mandated, like their bank, or if they configured it themselves. The one research report I really like to do or study I'd like to do, we were talking to MITRE about trying to do a study with older folks and MFA to bring them in and do observational research. How many of us have sat on the phone with an aging loved one on a FaceTime, saying like, okay, no way, click there? No, not that, like we were trying to see the application just to try to enable it and like get facial cues from them and see what they're doing. Or we set up a Teams with our mom, just so we can screen share and help her through setting up MFA. It's really hard for them. And that demographic has the highest losses due to cybercrime. Our data shows that it's consistent with FBI data, they're defrauded less frequently, but when they are, it's for extremely high dollar amounts, they've got their life savings at risk. So I wish we would make it a little easier on Baby Boomers to configure some of these things. I gotta leave that to the FIDO Alliance, as far as like, you know, authentication and making it simple and having industry standards and everything, but I sure do wish there weren't so many ways to have MFA and different ways to set it up because it really makes it hard for an aging population.
great outcomes. So one thing that I felt was in the muscle hierarchy of me cyber security comes to danger, let's say Cgn or quarter. To beauty, there's been a bit of change in the incentive. Industry during the business, fixed costs of insurance agents said that happens is called Rare costs, expected loss.
I don't know, I do like the idea of digital wellness. I think we should be leaning into that more with our employees. There's a startup in Austin that has an interface, the CIO application that your employees can log into. And it's, I think it's pulling from Have I Been Pwned, and a bunch of other sources to show an employee like how many different breaches they've been a part of. But then it also includes information like a link to like, Okay, you were part of this breach. So go to this website and turn on MFA or, you know, they offered you credit monitoring, and you didn't take them up on it, or maybe a credit freeze would be better. Here's how to do that. So it's all right there in one application. And they're actually trying to sell that to HR folks as like part of the wellness benefits that a company offers. And I think that makes complete sense, because I think anything we can do to bring down the anxiety level and the intimidation that people feel makes it more approachable. I can't remember where it was, if it was RSA or someplace. John, you might have even seen this, somebody gave a presentation on where cybersecurity is in the hierarchy of needs. That was really fascinating, like how we would kind of slot in? Yeah, it's not food or air or anything else. But
you mentioned the behavior has changed, not facts, but emotions, right. And so facts are part of it. But emotions are really what pushed us over the edge. And
I looked at cubicle video, and I'm thinking you talked about, there's fear, uncertainty, doubt, but right. Now, I think when you approach like the companies that are trying to incorporate cybersecurity culture, employees, it's like, you don't want to approach them, but because they know that more than any employees themselves, so, but it is good to balance like your content.
Like I like fear and humor used together. So I used to work in automotive. So remember the old "You Can Learn a Lot from a Dummy" campaign. So seatbelt use went from like 30 something percent to like 70 something percent. Because we have an incessant bell that rings when we don't put it on, we had regulation. And we had that consumer awareness campaign, the crash test dummies, and what's scarier than a car accident than watching a crash test? So I think there is a really good argument for combining some fear, humor with the fear. But go ahead, I interrupted your
video storyboard that a couple violence, right? And the different categories and you love there's a lot of animations that no, that's like a children's section, in a way we're trying to teach adults. But then you have like the horror section, right, which in the fear, or you have like suspense or comedy, but then you think it's Halloween time, and you have that famous Halloween series? Those are classics, in part, right, people will try to produce videos that are kinda like, see accuracy. They're not like winning, branded content to be emotionally engaging, quality. And it can put, I think it can be like fear is like beneficial, because over time, we'll use it that emotional reaction, and how to get the emotional reaction tested quality motions, like, right, remember our favorite movies and songs.
I don't think there's anything worse than like trying to pull off consumer grade content and missing the mark. Like corporate funny, that's not really funny. So I applaud all the vendors in the space because everybody's gotten, you know, a lot more diversity of content out there, right. There's gamification. And there's animations, and there's drama, and there's all kinds of stuff. What I would challenge people to think about is, does everybody in your organization need to get the exact same training assignment? As long as we're delivering the same facts? At the end of the day, the same security advice, like our policies are being communicated? Then does it matter if I watch something that's gamified or interact with that rather than the drama or the animation? Like the marketing and advertising world has run really hard into personalization in the last 10 years, it's why they're collecting our data so they can serve us up stuff that they know appeals to us. But yet when we're trying to appeal to people to change their security behavior, we're sending everybody the same thing. So what I used to do and what I recommend is that if you have regulation or compliance that you have to meet, that you make that one training assignment mandatory for everybody, that you spit out your pretty report for audit, and then everything else you serve up to your employees during the year, content wise, is voluntary. But that means if people are going to opt into watching it, if they're going to give you their time and their share of mind, it's got to be really good. And it's got to be something that appeals to them. But I think that's better than the heavy handed like, you must do this. You know, every month. Let me know when we're running out of time, I don't have my watch on, that makes
sure there's basically the thing is that most of the companies, they all are aware about cyber security awareness, and so on and so forth. The keyboard training question I have is more or less for the people employee. It took an attorney, how many downloads they are trying to bring home to teach the family member? I think this is a huge gap. It's also a lot of training material, I look at it more relate to your daily work in the office, but they are not really talking about what the social medias. And what are these the survey we do in the campaign for presidency or whatever, right? I know. So even though the war, all the donations Association coming from nowhere, and asking for donation with your credit card was old school donation, but they are fake. So
Yeah, so a lot of more mature training and awareness programs, they are definitely including security advice for home and family. Absolutely, because they know that if we can change employees' behaviors at home, we're also going to, and they care more about protecting their family, as they should, compared to protecting your organization. So those habits are going to cross over, people don't change their habits as much between them. There is some evidence to show that people, I've read a report that said that people actually engage in riskier behavior, they will click on things at work, because they perceive that there's technology that's going to protect them, they'll click on things at work that they would never click on on their home machine. They don't want to have to deal with a malware infection on their own machine, but they'll let you deal with it at work. So but they do, most programs now include that home and work message. We try to work a lot with schools, I speak a lot like K-12, especially teachers who will introduce technology into the classroom and then like write the common password on the board. It's happening all the time. I'm actually going to speak in Albany next year at a K through 12 conference being run by the state because some states are mandating, North Dakota, Florida, I think it's going on in New York to some degree, they're mandating some cybersecurity education, starting very, very young. And that's been one of the problems, I think, with Gen Z is that they didn't get, they got technology, my two kids are Gen Z, they got handed an iPad in middle school when it was like the hot new thing. But they weren't even blocking like porn sites at the proxy, like it was doing absolutely nothing to have any kind of control around what kids were allowed to do on those devices. So I think we kind of have like a gap, we're going to have a gap there where the younger kids are starting to get it in school. But we've got a couple of generations right now that didn't grow up with the training along with the technology. Did you ever Yes,
thank you know, great by both of them there. So really, this is just a thought in the add on. Because I'm hearing the conversation, kind of hands on the whole fear thing. And just the thought we'd kind of take a step back and maybe consider it in a different paradigm. Most of us, or all of us in here, when you go to the doctor, there's no fear because you need health care, you need help. And I think perhaps it will be very interesting, perhaps at some point in the future, where there can be a mapping or crossover or an inclusion of thinking about cybersecurity from a healthcare perspective. Because if we look at the fear, right? Again, you want to go to the doctor because you need help. You don't want to ingest anything, because of a fear that it will do something awful to you. But you go through that barrier. And so, you know, I think that, you know, it'd be very interesting. Like I say, well, we can map that together to say, here are the things we need to do. Here are the things we know we have to do. There is a fear that if we don't do these things, but there's an opportunity cost, there's a cost out there, you're gonna get hacked, you're gonna get breached, your data's gonna get exfiltrated. How much better will you feel if you take some action? Yeah. So just a thought. I think we're out of time. Thank you very much.