Welcome to the show.

Before I continue, if I could ask you to click the follow or subscribe

button, that would be great.

So you'll always get this content.

Hi, I'm w Curtis Preston, AKA, Mr.

Backup, and with me, I have my new office chair, comfortability consultant

Prasanna Malaiyandi, how's it going?

Persona.

I am a little worried.

I'm doing well,

have, you know, you know what's happening.

Well, first off, we have to say this is a, this is a monumental

moment for in, in multiple,

yeah.

Multiple ways.

Yeah.

right?

So I am sitting here in my new home office, not quite a

hundred percent put together.

I have my shelf behind me.

Not quite.

It's not if you look closely, if, if you have a high def.

There's no screw in that little screw hole.

So if I, if I get a, um, if I get a little earthquake, that thing's coming right over

and, uh, there's no artwork behind me.

But, um, uh,

so I'm not quite

It's a work in progress.

work in progress, but more importantly, to the moment I'm sitting in my new.

Steelcase chair provided by Crandall office furniture and

no, they're not a sponsor.

Sounds like they're a sponsor.

Uh, so I have to say, and I, and, and, and it's a very nice chair.

I'm not sure I like it.

The

I haven't told you this.

I hope it's okay that I, I, I've been, um, I, I think, I think I made the mistake.

I, I, I never thought that like I could buy a, a chair as expensive,

that ex as expensive as this, and then not like how it feels on my body.

Um,

Chairs are very subjective.

yeah, I'm thinking about, uh, do you know what Turfing is?

Mm.

Turfing is where you go to a store so that you can try this

stuff and then you buy it online.

So I'm thinking of turfing.

Um, I need to go, I, I've already looked up where there's a showroom where I can

go actually feel the, the office chairs.

Also, I, again, if I'm spending this kind of money for a chair, maybe I

should have done a little research.

I just pick like top of the line.

Everybody's like, oh yeah, get this.

One of the, you know, uh, but there's definitely some things

about it that I don't like.

Uh, and I'm not sure if it's just a matter of getting used to it,

uh, or.

Uh, well, or that, that's what I'm saying.

Um, I, I, I think I've been, I, I, I definitely understand

what the adjustments are, right?

I watched videos on the, on what the different adjustments are.

Uh, it just seems more like really wanting to push me up here rather

than a little bit farther back.

Um, that

I think there's an adjustment for that.

there, there

May I,

may, I may.

I recommend before, so I think you should still go turfing, but highly

recommend giving Crandall a call

Oh,

I'm going to, I'm going

their customer,

service is amazing.

okay.

And just

gonna call 'em and go.

I don't know if I like this, by the way.

They do have a return.

They do

have a return policy.

make sure you don't throw out your box.

yeah, I don't think I have yet.

You don't think?

I don't think.

I don't think it, uh, you may recall.

It's been a rough couple of days in the Preston household.

Yes.

And oh, I thought you were also gonna mention we got a chance to hang out in

oh, what, wow.

How can I,

how can I bury the lead the first time in what?

It's been a long time,

right?

since we've seen each other

Yeah.

Yeah.

Well, but,

Maybe a bit less.

This is the

first time that either of us have ever been to the other person's house,

Yes.

right?

And seeing each other for more than like a meal.

right.

And uh, the first time our wives have met,

Yep.

our wives can now swap stories.

Luckily they did not swap cell phone numbers, I don't think 'cause that could.

That could be, that could be problematic.

uh,

no, it was, it was very cool to have you down here and to host you and

drive you around and show you all

the cool, well, not many of the cool San Diego things.

What, what do you, what do you think was the highlight?

The,

the brisket.

you know, I, I just had a piece of that brisket just like, uh,

just a few minutes ago.

The brisket was amazing.

I also did like Balboa Park and the organ concert.

That was pretty awesome.

yeah.

Very unique situation, right?

The world's largest outdoor instrument,

period.

I thought it was just the world's largest outdoor pipe organ, but it they, they call

it the world's largest outdoor instrument.

I.

So I was talking to a colleague, uh, earlier this morning telling her

about my trip, and uh, she was saying that she thinks that the largest

indoor organ is in Philadelphia

Hmm.

at a Macy's.

Oh, really?

Yeah.

That's interesting.

That's interesting.

I think, can we agree that, uh, the bel, that the Oregon Pavilion of Balboa

Park has got to be better than that?

Macy's, I.

Oh, definitely.

Yeah.

Especially on that sunny day.

It was, it was actually a little too sunny.

I had to get a, I had to rent one of those umbrellas

and you moved over into the shade.

It was a

little

toasty.

Yeah.

But it was a great concert.

An hour, if you're ever in San Diego at Balboa Park every Sunday at

2:00 PM it's a free organ concert.

Yeah.

And uh, the highlight of that concert for me was the.

Um, the player, what would you call 'em?

The mu what would you call 'em?

The organ players.

The organ players rendition of Bohemian Rhapsody

on, on a, on,

an organ.

It's pretty amazing.

I mean, it's amazing that they're playing both in, you know, music

that was made in the 16 hundreds and music that's made in the, in the

19 hundreds on the same, uh, instrument.

And it was just, just absolutely amazing.

Um, so on to, to just go way down from that.

We need to talk about, um, security awareness training.

Now we mean cybersecurity awareness, right?

Not just, uh, but it's interesting, the, there is more, there is more to

cybersecurity than the cyber part.

There's also the physical aspect, right?

Um, and so I wanted to just talk about that.

We talk about that quite a bit and I know that we, I'm, I'm pretty sure we

touched on it in the last episode, that.

You know, it, it is part of, we, we, we, we've, we've covered on, in

this, in this series on protecting your environment from ransomware.

We talked about, uh, in the last few episodes, some of the things

that you can do or some of the things I think that you should do.

To basically wipe out about 90, 95% of the ransomware.

Right.

We, we talked about those things, those things that you should do.

We've moved on from the things that you kind of like have to do.

I mean, if you don't, if you don't have a patch management system, if you don't

have password management, if you don't, uh, you know, and if you don't Yeah.

If you don't have MFA, don't even talk to me.

If you don't have MFA and you get attacked.

It's just, it's like you're killing me.

Right?

Um, but we, we've moved on into things that you, you should do.

Right.

Um, and I do think that training of the, you know, the users in your environment,

not just the users, the admins as well, because we could be just as dumb as the,

the average, you know,

but, but let's be honest that probably 90% of cyber incidences

are probably from users.

Yes.

And as I often say, it is a weird thing that there's only

two industries in the world that refer to their customers as users,

Oh, Curtis,

us and the drug dealers.

But anyway, um, a agreed right.

But having said that though, when the admins mess up.

it's a much bigger problem.

I, I I draw you to, wasn't it, was it, was it Okta?

Which one?

Which one was the event where It was a backup script that, where they had the,

the passwords hard coded in there and then the, the person was able to get in.

They got

That was, no, that was one pass, right?

Or last

was that was that last pass.

Mm-Hmm.

With the bolts?

Yeah.

right.

Oh, right.

It was the vault.

Yeah.

So, so what I was gonna say was it may be less often that an admin messes up,

but when an admin messes up, they really

mess up

especially with the exec.

Yeah.

Their privileges and.

Yeah.

Yeah, exactly.

Um, so any, any further overview thoughts before we sort of head down the, you know.

Uh, I think before we head down, I know most users hate.

Security awareness training, they probably are like, oh, why are we doing this?

And I can't blame them because for the most part, everything

is sort of very abstract, right?

It's like, oh, read.

It's almost like reading like contracts, right?

It's like, oh, read this, and it doesn't really seem applicable.

I would say the one thing is you need to keep the business safe

and the company safe, so everyone should be going through training.

Right.

And then the other thing is I think we'll talk about it as well.

There are more modern training techniques that can be used that doesn't

have to make it so boring for users.

Yeah, I, I'd say minimize the, minimize the boringness.

I don't know if that's a word.

Right.

Um, minimize the time, the level of effort needed for, you know, somebody to

go through their cybersecurity training.

Um, and, and, and we, I know we've talked about this before.

I'm a strong proponent of minimizing any or, or removing any, um,

penalties for, um, res, accidentally responding to a fake phishing attack.

Right?

or or a real phishing

attack, right?

So, yeah, so just, you know, fake or real phishing attack.

And, and why, why do I say that?

Besides, besides just morale?

Why, why do

I say that?

Because you want your users to step forward and say, Hey, I think I might

have done something I shouldn't have.

So then it can actually start figuring it out quickly.

Okay, what is our response?

Was it an issue?

And start logging things down rather than waiting till everything blows up.

Yeah.

And if you have a sort of a, a culture of fear,

uh, that isn't gonna happen, right?

So, um, so I, I, I'd say, um.

You know, the, the first thing is, is, is that I think that

we need to start with a policy.

We, we talk a lot in other, in other parts of the world, is that we have

to start with a policy that a lot of you, you, you know, you can't, you

can't get in trouble for breaking rules if the rules don't exist.

Right?

And, um, and not everybody is going to agree on what a cybersecurity policy is.

Or what should be in a cybersecurity, cybersecurity, policy?

Um, so I would think things like, um, two basic password management ideas of like

strength of passwords and, and frequency of changes and things like that would

be in a, in a, a cybersecurity policy.

I would think those would be sort of foremost.

What else do you think would be in there?

I think things around sort of use of devices or other things like that.

Potentially even, can I use external devices with my laptop?

Right.

Uh, other things include VPNs, right?

Secure communications.

Right, right.

Yeah.

You must use, when doing these things, you must be on the VPN, um, when

doing these things or when you know.

Um, perhaps you're a company, and again, this is a whole other

discussion point, but there is this concept of mobile device management,

right?

So it's very common these days for everybody to have a smartphone and then

your company wants to allow you to use your smartphone on the company network,

but they decide to do so via an MDM solution so that they can basically.

Create a VM within your phone that, that,

um, they can firewall off all the Yeah.

Sandbox.

Yeah.

That's a good, that's a better, they can create a sandbox within your

phone so that, um, number one, the corporate data doesn't get spread

out to the other parts of your phone.

And number two.

If and when you part ways, boom and uh, that, that stuff goes away, right?

So again, you, that starts with a policy of like, if you're using corporate, you

know, resources, you need to, you know, use our MDM solution, whatever it is.

If that's your policy, uh, can you think of anything else that you would

wanna put in a policy like that?

I got a good one.

Do what?

You have to go to training,

Oh yeah.

And it has to be within a certain amount of time.

Otherwise you lose access to resources.

Yeah.

Whatever you decided.

I, I would, I would suggest smaller increments of training or smaller,

smaller amounts of training over shorter, uh, periods of time.

Right.

Five, five minutes.

Five minutes a week, uh, 15 minutes a month, something like that.

Whatever it is, it's something, something that's, I, I think that, I think that the

frequency of cyber awareness training is possibly more important than the intensity

and the value.

Just continually reminding your, your users that, um, you know.

That there are bad people out there that are trying to steal everything we

have in in our company as we know it.

Yeah.

And also making it relevant to the current times.

For example, maybe with everyone working remote, it doesn't make sense

to talk about physical security.

Right?

Right.

And so talking about things like, Hey, maybe we should be

talking more and focusing more on phishing because everyone's

remote, or other aspects like that.

Right.

What, what sort of goes into the next, uh, thing was that, that if you're,

you're going to be doing cyber awareness training, or I'm sorry, if you're

going to be doing security awareness training, you, you wanna make sure

that it relates to the people that are, you know, that work for you.

And if, like you said, if it's a, if it's a hundred percent remote workforce, you

don't necessarily wanna focus so much on, well, so let me, let me argue with you.

You wanna focus on one element to physical security.

What would that be?

I.

Uh, watching people looking over your shoulder at your laptop screen.

Uh, no, you're a remote.

You're a remote.

Well, okay.

Yeah.

I guess if you're a Starbucks.

If you're at a

Starbucks, yes.

Physical security of your

physical?

Yeah.

Physical security of your devices.

Right?

Uh, a surprising number.

I saw a statistic.

Just a little while ago as I was researching for this episode,

a surprising, a significantly high percentage of, of, um, uh,

breaches are due to stolen devices.

Um,

I remember a prior employer, I'm not gonna say which one.

Um, they had their payroll stuff on a laptop in an employee's

car, and they lost the laptop.

Yeah, that was not good.

Oopsies.

Yeah.

And so, yeah, so by the way, back to the policy, right?

Um, policy, if you're going to use your device on our network, your

device needs to have a password.

You need device D step, you know, we suggest, we

strongly suggest the following security, uh, protocols on your Yeah, yeah, yeah.

A full device, full disc encryption on a laptop is a very good idea.

Exactly.

Um, I was thinking more like a, like a smart device, right?

Because it,

it's very easy to configure your, to configure your smartphone

in a very insecure way.

And if that smartphone, especially if you're not forcing an MDM solution.

Right.

Like, like my, you know, right now if, if I, once I'm in my phone, there's

very little security inside, right?

Outlook's there.

I'm writing Outlook, right?

I click on Outlook and next thing I know I'm in OneDrive.

Right?

Um, so I, you know, I need to have strong security on the front end.

Um,

And most companies, right?

They'll say, Hey, if you want to use Outlook or whatever else, it requires

a six digit pass device passcode, or something else like that to protect the.

Right.

Right.

Um, so we talked about, um, we talked about doing regulars,

uh, security awareness training.

Um, how do, what kinds of things would you train the customers on?

Users.

Uh, so I would, so what sort of thing?

So I think the top thing to train them on is fishing.

I was gonna say that's the top six things to train them on.

It's troop.

Yeah.

like the, it's like the three rules of real estate, right?

Uh,

location, location, location.

Yeah, exactly Right.

It's phishing, you know, phishing and password security.

Right?

Because, because I, I don't know if it's like 50 50.

But I, I actually think that stolen credentials is the most common.

Right.

Um, and then so, so

But,

phishing

Yeah, go ahead.

but I think stolen credentials,

you

usually from the end user.

well, it's

I didn't mean

to

finish your sentence.

no, no.

It's, it's probably not from the end user, but it's also that with password

policies requiring, sort of changing it periodically, having in place

certain criteria, I think it's helps.

I.

Reduce the risk of like credential stuffing for corporate end users.

I do agree for like admins and system level, like uh, root accounts and things

like that, you do need that ability.

I was thinking more phishing because it's harder to protect

against phishing, I would say, than the password management aspects.

Agreed.

Right.

Um, phishing is, you know, especially when we, when we look at

things like spear phishing, right.

Um, the, the thing about phishing, I think the, this is, this is what

I was referring to when I was saying that I think the frequency of the

training is even more important than the quality of the training.

Is that you, you just want to continually always in your head, every time you

look at, before you click on anything,

before you click on anything, right?

It doesn't matter who it's from even,

right?

Um, before you click on anything, you hover over that thing and then you see.

Now, as soon as I say that, by the way, there are attacks that, that, that

can actually do things When you hover.

Um, without even clicking on it, but, um, we gotta, we

gotta stop what we can stop,

Yeah, or asking yourself, is this something I expected?

right?

Is this something I expected?

Uh, does this URL match?

Is,

does it, is it got that sense of urgency?

That's the big one, right?

Is

it, is it got this sense of urgency?

Am I being, am I being asked to do something out of the norm?

I think that's a really big one.

Am I being asked to do something out of the norm?

And, and a great example of that, I, I don't remember which

of our previous experts came on.

Uh, and by the way, if you haven't listened a few, uh, at this

point, it's like four or five

episodes ago, uh, either the, the red team or the blue team, uh, folks, um,

that there, there was a story of the boss.

That sent, or the, the employee that got an email from allegedly,

uh, from the boss asking him to do a, a big transfer.

And, and it wasn't the boss.

Right.

And, um, the, and they didn't, they, they followed up.

They, they, they, they, they made sure that it was the, that it was the boss.

But they used the same channel

to reply.

Right.

They used email.

Uh, is this really you?

Yes.

It's really me.

Instead of like

going through some other channel.

Right.

yeah, and I know we're talking about phishing, but what's even scarier are some

of the deep fakes that are being used.

I don't know if you heard about someone who had created a video

conferencing meeting and pretended to be the CFO and asked for the funds

to be wired, and the person wired it and it was millions of dollars.

I think it was like $22 million or something.

Yeah, I do remember that one.

Yeah.

That's only gonna get more common.

Yeah,

so, and again, you establish policy, right?

We

don't do wire transfers except under these circumstances.

Um, and, um, you know,

Or verify through a alternate channel.

yeah.

Yeah.

Um, like, it's like, I would think that it would be perfectly reasonable

to establish a rule that says we never do wire transfers except.

Under these circumstances, right?

It's gonna be a, like, if we're not, if we're remote, it's more challenging.

The,

the more remote you are, the more hackable you are, but, but it would,

in many cases it would be very possible for, to say, we will never do a wire

transfer without a face-to-face meeting a

new wire transfer.

Right.

Um, and yeah, and, and, and you can establish things like a, a keyword, right?

Um, that that is basically a, you know, it's a, it's a,

it's a, it's a shared secret.

It's, it's, it's better.

It's, it falls into the better than nothing category.

Right.

Um, but that's something that we're gonna have to do in this world of

deep fakes where you, where you live, in a world where you can

definitely get a phone call at this

point, you can definitely get, I mean, you and me, our voices are out there.

There's plenty enough, uh, software that would, that would mimic our voices.

Um, and so there's that going on, right?

So you just, I think this is why we're, what we're talking about is

security awareness, making people aware that these things exist, making

people understand that just because you got a phone call from somebody

that sounds like your boss, doesn't mean that your boss is calling you.

It could very well be somebody sitting there typing at a keyboard

with

And generating the voice.

I.

Based on what?

Yeah, I, I,

It's like all the TV shows used to be right.

it's like all the TV shows.

Yeah.

It's freaky, freaky geeky stuff.

Um, yeah, I think phishing, uh, yeah, Phish, like I said, phishing,

phishing, phishing, phishing.

Um, and, um, because that is going to be the number one way that I think a

typical attacker is going to get in.

And then you, you doubly train that with, for anyone with a, um, you

know, an elevated account, right.

I would also say another common thing, and I think that this

happened with OBSA while ago.

Right where someone hijacked Google search results.

So if you search for OBS, which is one of the recording software, it

would actually give you a bad link, which would then download malware.

So make sure you train your users on how to use search results as well.

Don't always expect phishing to be via email, right?

Also, make sure that you are being responsible with results that come from

the web or any other untrusted source.

Right, exactly.

Um, so let's talk about some of the resources of, um, that we can use there.

There are a lot of resources online.

Uh, I mean, if you just type free security awareness training,

you will get a plethora.

I.

Of, you know, things are stuff from the FTC, uh, you know, there's

a center for internet security.

The, uh, nist,

uh, has a, has a list of a bunch of either free or on, uh, low cost training.

Um, you know, there's a bunch of things out there.

And then of course there's companies, uh, like the ones

that we talked about earlier.

You want to cover those?

Yeah, so there's companies that.

Do not only training, so videos and interactive things, but

also test you along the way.

So they generate fake phishing emails, testing your knowledge, and are like, Hey,

can you identify a phishing attack or not?

Because they'd rather have you fail that and do additional training

rather than having you actually click a real phishing email.

So there are companies like know before there's also Hawks Hunt, right?

So there are a bunch of these that are are out there, which are used for both

the training as well as the ongoing real world scenario stuff as well.

Yeah.

And, and, and I like that.

I like the idea of, of ongoing, uh, training and ongoing testing.

And again, I'm gonna reiterate this, it's ongoing testing without penalty,

right?

You re you do the opposite.

It's, it's

There's no scarlet letter on you.

There's no scar.

That's a big C for click.

I clicked, I clicked on the thing I was supposed to click on.

Um, you, you reward the people who report that.

That's how you can really do it, right.

Honestly, a monetary award.

Maybe if it's not a monetary, maybe it's a best fisher finder.

Of the month, you know that the PPFM phishing finder of the month, right?

Recognize people who consistently recognize phishing attacks and then report

them to the appropriate authorities.

Right.

Don't do the opposite.

I, I'm thinking all the way back to, um, there was this, my first.

The company, I can bag on 'em.

'cause they, they, they don't exist anymore as a company.

This was MBNA.

A few of you listening, listening I know actually know me from my MBNA

days, which was, you know, entire

Long time ago.

Yeah.

long time ago.

And we, um, I was in the IT department and when you're in the

IT department, you were actually, uh, the only way they could pay you.

Good enough as they made you an officer at the bank and when they made you an

officer at the bank, you were subject to this monthly thing that we had to do,

which was, um, you had to do, um, you had to sit on the phones for customer

support for four hours a month and answer.

We were credit card company answer tech support calls from

regular Joe with a credit card.

They're standard at Street Corner.

Can't figure out how to make a, make a credit card purchase.

Right.

And it was, that was an amazing, like an amazing decision.

Um, there, there were a couple things they did that were, were really good

and take from this what you want.

And then I'll tell, I'll tell you the part that was really bad.

One is, it was an amazing way to connect all management.

All upper level employees with the customer.

Their phrase was, think of yourself as a customer.

Um, and, um, the, so, so that was great.

This other thing that they did was they evaluated every department.

They, they created standards for every department, and they were

metrics that you, that, that were followed and calculated and.

They then put a batch of money into, uh, they put, they put money

into a fund that got paid out as a bonus at the end of every

quarter.

And the amount of money that got put in for your department, it was a, it was a

bonus for everybody, but every department contributed to the, to the budget based on

how well they met their metric of the month.

Hmm.

for example, I was it, ours was uptime, right?

And so as long as we were a hundred percent uptime, everything's fine.

But if we had downtime and then we were like, you know, 97% for

the month, everybody hates us.

Because, because, you

know, they're losing money.

Yeah, yeah.

Uh, so that I thought was actually a, you know, it was a little bit of, a

lot of carrot, a little bit of stick.

But here's the thing that they did that was absolutely horrible.

If you, um, if you got behind on your, um, your, it was called a tax duty.

I don't telephone access, customer support, TACS tax.

If you got behind on your tax duty, you went on a spreadsheet, you, you, an email

would come out if you were a habitual.

Uh, and I'm likening this to the cybersecurity training

if you were a habitual,

um.

Delinquent.

Delinquent.

Exactly.

There was this fishbowl that everybody walked down.

There's a hall and and long glass thing, and that's where

the, the the, you know, the

customer support people sat, they would, those who were habitual tax delinquents

were made, uh, dun caps, right?

Big tall

Oh no.

They were, they were.

And it put tax Ds on the, on the, on the DS cap.

And then you had to sit there and make up your time.

By the way, it was like taxes, you know, TA death and taxes was

like that.

You never got behind.

If you got behind.

You pretty much worked for the customer support department until you were.

You know, caught

up.

It was much more, much more stick than carrot.

That's not what we want here, right?

We don't want to be hanging out.

We don't want to be the list of the top four bad clickers of the week.

We don't want that.

We don't want people getting yelled at by their bosses because they clicked.

Now obviously if you're, you are a continual bad clicker,

you just can't seem to get it.

Yeah, perhaps you need some additional training and if

then you, you know, that person needs to just honestly be let go.

Right.

But, but the average everyday person that occasionally clicks on a bad link,

um, it does not need to be reprimanded.

Right.

Um, they need to be rewarded when they don't.

Uh, and when they, when they, when they correctly identify

something as phishing, I.

And I feel really strongly about that because, because, because of what you

said earlier, what you want is you want that person to, um, when they screw up

for real, you want them to immediately contact, I think I just clicked on a bad

link.

And to have you and to, and to have them hope.

It was,

it was a fake bad link.

You're right, you're right.

It's a fake bad link.

You're okay.

Or if it's not a fake bad link, then let, let the cyber, let the cyber team

go to work on and look at whatever it is.

You just, you know, basically firewall off your, uh, you know, thing.

And I, I just, I got up on a soapbox there for a few minutes.

I

No, that's okay.

I know you feel strongly about this subject and I.

I think it's harder to get the average user to understand security, and so

if you keep beating them with the stick, they're not gonna be willing to

step up when things go wrong, right?

That's the wrong approach,

Agreed.

Agreed.

Yeah.

Um, go ahead.

One thing I did wanna talk about is, uh, I know we talked about policies earlier

for security, but I think another thing is making sure your policies, that

you're actually following the policies.

All.

Uh, sometimes you do have those policies like, hey, make sure you are rotating

passwords or other things, but don't exclude people from those because those

policies are created for a reason.

Uh, the reason I bring this up is, I don't know if you heard about this recent, uh,

healthcare hack that happened about, uh, in April, but there was a healthcare chain

in Pennsylvania that lost the records of something like a million patients.

And it turns out what ended up happening was an employee for their IT provider

who they had outsourced to a Microsoft subsidiary, had fired an employee

and had not removed their access,

and so the employee then broke into this healthcare provider and stole

the records of a million patients.

Because they did not follow their

maybe we should add that to the list of like three things.

A, a departing employee,

Yeah.

uh, policy.

Yeah.

Yeah.

that is important, right?

And so you have to follow your

Yeah.

You know, it's funny, one of my favorite stories, and I know you,

you, I know you've heard me tell

because you've referenced it, was the bank that I worked for realizing that it

didn't have a departing employee policy.

Well, it's, it's departing employee policy was delete you outta the password file.

That that was, that was easy, right?

What it didn't have was it didn't have a policy of getting rid of that user's data.

Right.

And it was the, it was that step that caused all the, the thing which,

and for those that haven't heard it, a, a good friend of mine was hired

as a consultant and she was, she was, she was told go through the,

um, it was like home one Curtis.

Right.

And then look in the password file.

Is there a username?

You know, I'm at home one Curtis.

Is there a password named Curtis?

Great.

Go on to the next

directory.

But the problem was she didn't notice before she turned on her script

that it was home one slash a slash Aaron home one slash b slash Billy.

And so she went, she just followed her way down and she go home one slash a.

Is there a username?

A no.

Okay.

Delete the

directory A.

yeah.

Which deleted all

a policy.

Have, automate the policy as much as you can, test that

automation to make sure that it

doesn't doesn't go kill people.

Um,

then have auditing.

And then have auditing.

Exactly.

Um, and I'm gonna say finally is, is, is, you know, we, you know, we talked about

how to, how to spot phishing, but just in general, if you can have your users.

Just be aware of what suspicious activity might be.

Not just phishing, but things like new apps popping up that

you've never seen before, right?

New popups popping up.

Your machine makes weird noises or sounds or behaves differently.

When you shut it

Camera turns off, auto turns on randomly, or the

turns on automatically, right?

Absolutely terrifying for many people, right?

Um, and, uh, yeah.

Or did you lose control?

Of the mouse or the keyboard, or did, did you?

You know, I think I saw my mouse moving around without

it's possessed.

It's possessed.

I came into work and my screensaver was off.

It, you know, it's early morning in my house.

My laptop was, you know, uh, supposedly asleep for the night and I came

and my, my screensaver was not off, trained them to look for weird things.

I think, I think, uh, you know, you've met my wife now.

I think I've met, I think I've successfully trained her to

spot things like that because

she will definitely call me up.

Right.

And go, I, this, this thing is doing this thing thing.

Is this okay?

And I'm like, yeah, it's okay.

Uh, today, uh, it's funny today she just sent me a text just a couple hours ago

and she said, Hey, I got a text and it said, Hey, um, you know, da da da da.

So it was one of the sell your home things,

right?

And said, at what price?

Uh.

Would you be comfortable selling your home?

And and she said, so what should we say?

10 million?

I'm like, yeah, 10 million, 10 million's.

Good.

If somebody wants to pay 10 million for the house, uh, that'll be enough for me.

Yeah.

Yeah.

But more than anything, like you said, it's just getting them

used to seeing what's different.

And it's okay.

Like I do the same thing with my dad.

He'll be like, Hey, is this email legit?

And I'm like, no, it's spam.

But I'm okay with the fact that he's asking, is this okay or not, rather than

just trying to figure it out on his own.

Yeah, exactly.

And the ones that I think get untrained users are the

ones that sound really scary.

Right.

The ones where it's like, you know, we're about to shut off your water.

We're, you know, we're gonna, we're gonna,

You have a warrant out for your arrest?

Yeah.

You have a warrant out for your arrest.

Exactly.

All that scary stuff, they fall for that stuff.

And it's like, that's not how the IRS works, man.

Um, if the IRS wants you, like that, the IRS has shown up at your door, that's all

I'm saying.

The IRS knows where you're at.

Yeah.

Uh, if there's one, if there's one group of, there's one group of people

that I got to be a little too familiar with, it was the IRS, the IRS.

Trust me, the IRS knows exactly where you are.

Doesn't need to send you an email.

Uh, any final thoughts on security awareness training?

No, I think, like you said, have a policy.

Do training for users, including ongoing training, and don't penalize users either

for doing the wrong thing or if it's a real or a fake, uh, phishing attack.

Yeah,

and just one other final thought on that, by the way, also.

Don't have them be one of these really cruel ones that you hear about.

We had, we had one, the, the one where the guy's wife got a thing

that said, um, it was the, it was like on Valentine's Day and

everybody got a thing that said that there were flowers downstairs for them.

Um, and she immediately, no.

It was, they said it was, um, edible, an edible

arrangement and that they just needed to click here to, to verify there, whatever.

And, and he's like, my wife knew there was no way I'm spending a

hundred dollars on, on a little thing.

He is like, there were two reasons why she knew it was, was, uh, phishing, right?

Uh, and one of them was that, but don't do that.

Don't be that company

that you know,

that I remember what he.

I remember what he said was, uh, for, for just a moment, everybody in that

company thought that someone loved him.

Don't be that person.

Oh yeah.

Don't be cruel.

too don't be cruel to a heart.

That's true.

Okay.

That's Elvis Presley.

Really nothing.

got nothing, nothing.

be cruel to a heart.

That's true.

It's your employee that loves you very much.

Well, maybe a little bit don't be mean to him.

That's all I'm saying.

Well thanks for having chat about security awareness training my friend.

No, this was fun and I do miss a brisket.

Uh, there's, there's still some in the fridge.

Can you sort of send it this way virtually?

I'll, I'll, I'll fax you a picture.

All right.

Uh, thanks for, uh, listening again, folks, and again, please, please click,

uh, follow or subscribe so that you will have us with you at all times.

That is a wrap.