WEBVTT

NOTE
This file was generated by Descript 

00:00:05.300 --> 00:00:07.730
Welcome to the Cyber Traps podcast.

00:00:07.880 --> 00:00:10.880
Today we have a very
special episode for you.

00:00:10.880 --> 00:00:12.440
I am your host, Jethro Jones.

00:00:13.233 --> 00:00:16.658
We will be talking about the
INCH360 conference that took

00:00:16.658 --> 00:00:18.458
place in Spokane, Washington.

00:00:18.758 --> 00:00:24.038
This conference is a must attend
event for cybersecurity folks here in

00:00:24.038 --> 00:00:28.238
Spokane, Washington, and it was a great
opportunity for me to connect with

00:00:28.628 --> 00:00:33.398
cybersecurity folks here in Spokane and
learn about a lot of things that are

00:00:33.398 --> 00:00:35.438
going on in the world of cybersecurity.

00:00:35.778 --> 00:00:40.518
Right now, this episode is one of
the sessions from the conference.

00:00:40.518 --> 00:00:42.408
I hope you enjoy it.

00:00:42.836 --> 00:00:46.746
This session is The Last Mile of Security:
Security Awareness Training Trends.

00:00:47.781 --> 00:00:48.901
My name's Heather Stratford.

00:00:48.901 --> 00:00:51.331
Some of you know me, some of you don't.

00:00:51.491 --> 00:00:55.141
Um, I am the founder and CEO of DRIP7.

00:00:55.411 --> 00:01:00.181
We are a micro learning platform,
uh, for cyber security education.

00:01:00.681 --> 00:01:05.991
And, uh, we are headquartered and
founded in Spokane, Washington.

00:01:06.501 --> 00:01:09.831
So I'm going to ask a lot of
questions, and I'm going to

00:01:09.851 --> 00:01:11.431
ask you to participate in this.

00:01:11.441 --> 00:01:15.761
So this is much more interesting
than, than you just sitting there.

00:01:16.111 --> 00:01:20.201
So, why do people think cyber
security is not their problem?

00:01:20.201 --> 00:01:22.301
How many of you have felt like this?

00:01:22.331 --> 00:01:27.331
That your leadership, your people,
all put their heads in the sand.

00:01:27.391 --> 00:01:30.221
By a raise of hands, how
many of you have felt this?

00:01:30.619 --> 00:01:32.279
I think it's getting better.

00:01:32.479 --> 00:01:37.279
I think there's more in the mainstream
news and general people who are

00:01:37.279 --> 00:01:41.399
not in cyber, all of a sudden are
saying, Oh, maybe this is one of

00:01:41.399 --> 00:01:42.879
the problems we need to think about.

00:01:43.259 --> 00:01:47.519
But this is, I love this picture because
I, I, I talk to people and they're like,

00:01:47.519 --> 00:01:48.949
Well, it's not going to happen to me.

00:01:49.539 --> 00:01:51.539
And I'm like, Why are you
putting your head in the sand?

00:01:51.539 --> 00:01:53.629
Why do you think it's not
going to happen to you?

00:01:55.648 --> 00:01:59.518
So, here are some current statistics,
and I didn't put what the statistic

00:01:59.518 --> 00:02:01.538
is for, so let's think about this.

00:02:01.608 --> 00:02:03.218
This is your mental exercise.

00:02:03.808 --> 00:02:04.938
11 seconds.

00:02:05.378 --> 00:02:06.918
Think about what is 11 seconds.

00:02:07.598 --> 00:02:08.778
1.2%.

00:02:08.778 --> 00:02:10.311
What is 1.2%?

00:02:10.311 --> 00:02:15.088
3.4 billion daily and 8 trillion per year.

00:02:16.738 --> 00:02:17.968
Think about what those might be.

00:02:18.508 --> 00:02:19.528
Alright, let's go through them.

00:02:20.888 --> 00:02:25.008
Every 11 seconds, there
is a ransomware attack.

00:02:25.518 --> 00:02:27.048
Did you realize it was that common?

00:02:28.218 --> 00:02:30.168
Every 11 seconds.

00:02:31.290 --> 00:02:35.070
So, when your leadership says,
putting their head in the sand,

00:02:35.080 --> 00:02:39.760
and says, Oh, it's not going to
happen to us, here's a statistic.

00:02:40.180 --> 00:02:41.270
Every 11 seconds.

00:02:42.258 --> 00:02:49.428
1.2 percent of all emails
that are sent are malicious.

00:02:50.083 --> 00:02:51.663
This number has increased.

00:02:52.223 --> 00:02:54.373
It used to be less than 1%.

00:02:54.423 --> 00:02:56.153
Now it's 1.2%.

00:02:56.773 --> 00:03:03.133
That means if you have a hundred
emails coming into your inbox,

00:03:03.523 --> 00:03:05.773
how many of them are malicious?

00:03:06.328 --> 00:03:07.178
A little over one.

00:03:07.673 --> 00:03:09.773
When you think about
that, you're blocking.

00:03:10.188 --> 00:03:13.828
You're blocking a lot of that coming
in, but you're not going to be perfect.

00:03:14.168 --> 00:03:15.028
That's the problem.

00:03:15.128 --> 00:03:19.108
Cybersecurity is expected to be
100 percent perfect all the time,

00:03:19.108 --> 00:03:20.608
and you're not going to be perfect.

00:03:21.418 --> 00:03:28.168
So, 3.4 billion phishing emails are sent daily.

00:03:28.583 --> 00:03:30.103
And these are the bad phishing ones.

00:03:30.103 --> 00:03:31.313
These aren't the white hats.

00:03:31.323 --> 00:03:33.623
These aren't the people
saying, hey, learn from this.

00:03:33.843 --> 00:03:35.843
These are the bad phishing emails.

00:03:36.093 --> 00:03:37.613
3.4 billion.

00:03:39.833 --> 00:03:46.133
And over 8 trillion dollars will
be lost to cybercrime this year.

00:03:47.543 --> 00:03:52.063
That's the estimate that we will be
topping 8 trillion by the end of the year.

00:03:52.833 --> 00:03:55.203
That's a huge amount
and it keeps going up.

00:03:55.213 --> 00:03:59.083
So, first of all, you all have a job.

00:03:59.483 --> 00:04:04.663
You all have security in your job
because this is a continuing problem

00:04:04.663 --> 00:04:05.713
and it's not going to go away.

00:04:06.832 --> 00:04:12.232
So, 90 percent of cybercrime
is due to human error.

00:04:13.522 --> 00:04:17.382
How many of you, by a raise
of hands, believe this number?

00:04:17.878 --> 00:04:19.108
That's pretty overwhelming.

00:04:19.468 --> 00:04:22.898
I do have some people that argue with me
and they're like, no, I think it's 95%.

00:04:23.568 --> 00:04:25.988
And I'm like, okay, okay,
you, you might be right.

00:04:26.230 --> 00:04:30.670
But let's just all agree that
it's a really large number

00:04:30.710 --> 00:04:32.993
and it's, it's the main part.

00:04:33.277 --> 00:04:34.467
People are the problem.

00:04:34.517 --> 00:04:38.116
I keep telling people cyber
security is a people issue.

00:04:39.516 --> 00:04:40.866
There's great hardware out there.

00:04:41.686 --> 00:04:42.906
There's great firewalls.

00:04:43.366 --> 00:04:44.286
I'm not going to name them.

00:04:44.666 --> 00:04:46.266
There's great clouds, infrastructures.

00:04:46.316 --> 00:04:50.466
I won't name them either,
but there's great hardware.

00:04:51.336 --> 00:04:54.496
And yes, we do have to get faster,
but it is a people problem.

00:04:55.826 --> 00:04:57.416
So let's look at this family here.

00:04:58.171 --> 00:05:05.651
This family includes young people,
it includes middle aged, it includes

00:05:05.681 --> 00:05:08.341
older people, this is a family, right?

00:05:08.911 --> 00:05:12.731
How is this family going to
learn about cybersecurity?

00:05:13.379 --> 00:05:15.279
How do they traditionally learn about it?

00:05:15.695 --> 00:05:17.615
Trial and error, I heard over here.

00:05:18.685 --> 00:05:23.805
In the past, the first people
to really start educating in

00:05:23.805 --> 00:05:25.845
cybersecurity was the military.

00:05:26.405 --> 00:05:29.145
If you served in the military,
you were forced to learn it.

00:05:30.945 --> 00:05:36.515
You also, then, different types of
businesses, if you worked government

00:05:36.565 --> 00:05:41.395
or if you worked financial, they
started to push this education to you.

00:05:42.215 --> 00:05:49.245
So, if you were military or work, you
started to get cyber education because of

00:05:49.725 --> 00:05:52.025
who you were, what kind of job you had.

00:05:52.930 --> 00:05:55.740
Not everybody fits into those.

00:05:56.160 --> 00:06:01.720
So now, we have all different
types of, of areas that are

00:06:01.730 --> 00:06:03.900
starting to address the issue.

00:06:05.020 --> 00:06:05.780
School.

00:06:06.320 --> 00:06:13.340
So, if you go to a university or college,
I'm going to pick on Whitworth over there.

00:06:13.604 --> 00:06:18.074
Whitworth now is training their
students in cyber education.

00:06:18.404 --> 00:06:23.154
They're not the only ones, but they're
realizing, Hey, if we give them

00:06:23.164 --> 00:06:27.264
laptops and we give them access to
things, maybe we should actually tell

00:06:27.264 --> 00:06:29.127
them what they can do and can't do.

00:06:29.127 --> 00:06:32.909
You have work, colleges, you have K-12.

00:06:34.569 --> 00:06:40.559
There are two states in the United States
that mandate having K-12 education.

00:06:40.569 --> 00:06:44.189
Meaning, down to kindergarten and
first grade, they're starting to

00:06:44.189 --> 00:06:46.299
learn about privacy and cyber.

00:06:46.857 --> 00:06:50.927
Senior centers, financial institutions.

00:06:51.177 --> 00:06:53.047
Now this is a newer one, right?

00:06:53.477 --> 00:06:59.267
If your credit card, your, uh,
information is compromised, financial

00:06:59.267 --> 00:07:03.237
institutions are starting to say, Hey,
how can I better train our people?

00:07:03.247 --> 00:07:05.527
How can I help not make this happen?

00:07:06.677 --> 00:07:08.577
And then volunteer organizations.

00:07:08.937 --> 00:07:13.447
I know working with DRIP7, we're
working with some national non profits.

00:07:13.957 --> 00:07:14.567
Why?

00:07:14.867 --> 00:07:18.207
Because they have all these volunteers
who are touching their systems.

00:07:19.037 --> 00:07:22.097
Well, you better tell 'em what
to do and what not to do, right?

00:07:22.337 --> 00:07:28.427
So all of a sudden we have more places
because it's a continuing problem.

00:07:29.737 --> 00:07:37.167
So 38% increase in 2022, which is the last
year, we have complete information for.

00:07:38.192 --> 00:07:41.002
38 percent increase
globally in cyberattacks.

00:07:41.952 --> 00:07:47.632
Now, I speak a lot, and I've
pulled this data year after year,

00:07:47.652 --> 00:07:50.552
and it's been interesting to see
how it's shifted and changed.

00:07:51.282 --> 00:07:57.882
What industry or what sector do
you not see in that top five list?

00:07:57.902 --> 00:07:59.112
And this is in order.

00:08:00.162 --> 00:08:02.382
Number one is education and research.

00:08:02.392 --> 00:08:07.562
In 2022, they were the most hit sector.

00:08:07.884 --> 00:08:12.334
Government and Military was second,
Healthcare was third, Communications

00:08:12.334 --> 00:08:16.774
was fourth, and the Internet Service
Providers were fifth on the list.

00:08:17.334 --> 00:08:18.854
Now who is not up there?

00:08:20.434 --> 00:08:22.044
Financial and Banking.

00:08:22.472 --> 00:08:23.162
Why?

00:08:24.261 --> 00:08:25.881
Much harder target.

00:08:26.031 --> 00:08:27.231
That's exactly right.

00:08:27.711 --> 00:08:33.291
They've been on the top five list
for years, and they're finally being

00:08:33.291 --> 00:08:39.901
pushed off the top five list because
they spend, defend, and train.

00:08:41.361 --> 00:08:45.521
So these other sectors, like education,
government, healthcare, communications,

00:08:45.841 --> 00:08:49.261
they have to catch up, and they
have to catch up on the people side.

00:08:49.806 --> 00:08:54.446
You know, a Fortinet firewall can
only go so far if you hand somebody

00:08:54.456 --> 00:08:56.386
your credentials and your password.

00:08:57.147 --> 00:08:59.417
So, who at work is targeted?

00:09:00.412 --> 00:09:05.612
Sometimes I think we think that
it's just a very small segment.

00:09:06.172 --> 00:09:08.582
Oh, it might just be accounting.

00:09:08.592 --> 00:09:10.712
Maybe accounting is just targeted.

00:09:12.062 --> 00:09:16.032
New hires are targeted because they
don't know the system very well.

00:09:16.122 --> 00:09:17.792
They don't know what to
do and what not to do.

00:09:17.972 --> 00:09:20.259
Mid level people, they're targeted.

00:09:20.259 --> 00:09:27.812
IT staff, who in this room has been
targeted specifically, spear phishing,

00:09:28.362 --> 00:09:31.162
by, by, uh, a phishing attack.

00:09:31.791 --> 00:09:33.211
It's because you have credentials.

00:09:33.761 --> 00:09:34.591
HR staff.

00:09:34.611 --> 00:09:38.771
Why would HR staff be spear
phished and specifically targeted?

00:09:39.210 --> 00:09:39.670
PII.

00:09:40.160 --> 00:09:40.880
Exactly.

00:09:41.930 --> 00:09:45.410
They have access and keys
to all kinds of data.

00:09:45.610 --> 00:09:46.820
W2s, etc.

00:09:47.680 --> 00:09:48.480
Vendors.

00:09:48.830 --> 00:09:49.870
Contractors.

00:09:49.930 --> 00:09:50.920
And your C suite.

00:09:51.675 --> 00:09:56.385
The attack might not be the
same, but they're all targeted.

00:09:56.906 --> 00:10:01.756
So, once again, 90 percent of
cybercrime is due to human error.

00:10:02.746 --> 00:10:04.316
So what are we going to do to change that?

00:10:04.326 --> 00:10:07.956
What are the trends in the industry
that are trying to fix this?

00:10:08.796 --> 00:10:12.236
This is a problem that I've
been working on for a long time.

00:10:12.938 --> 00:10:13.958
I love this picture.

00:10:14.138 --> 00:10:17.728
I looked hard to find a
picture that, it's like, yes.

00:10:18.618 --> 00:10:20.998
What's changing in the
cyber security industry?

00:10:21.618 --> 00:10:26.168
When I talk to people about cyber security
education, some of them say, give me

00:10:26.178 --> 00:10:30.578
something better, because my people
say they want to poke their eyes out.

00:10:32.078 --> 00:10:33.228
I'm like, really?

00:10:34.118 --> 00:10:36.458
People, they have a hate for it.

00:10:36.478 --> 00:10:39.098
They're like, oh my gosh,
don't make me do that again.

00:10:39.938 --> 00:10:41.048
Some of you are laughing.

00:10:41.218 --> 00:10:46.388
So, what's changing that it's not
this person sleeping on the computer?

00:10:46.977 --> 00:10:48.407
Here's one of the changes.

00:10:49.047 --> 00:10:55.807
A once a year training for
your employees does not work.

00:10:57.057 --> 00:10:59.217
Now, intuitively, we know this.

00:10:59.967 --> 00:11:02.767
It's still the most common practice.

00:11:02.887 --> 00:11:04.047
Hey, I trained.

00:11:04.607 --> 00:11:06.907
You know, Riley's sitting right here.

00:11:07.107 --> 00:11:10.177
I gave Riley that training on
onboarding three years ago.

00:11:10.507 --> 00:11:15.897
Or, I gave Riley that
training last January.

00:11:15.897 --> 00:11:17.887
How come he doesn't remember, right?

00:11:18.163 --> 00:11:23.873
So, it's human to forget, and it's
called the Ebbinghaus Forgetting

00:11:23.873 --> 00:11:28.273
Curve, and that's just, uh, the
person who discovered it, and a lot

00:11:28.273 --> 00:11:29.763
of research has been built on it.

00:11:29.763 --> 00:11:33.083
But it basically, it says, all of
you sitting in this room who are

00:11:33.083 --> 00:11:35.573
listening to me already have tuned out.

00:11:36.173 --> 00:11:41.263
Now I'm trying to keep your attention
by moving around and changing my voice,

00:11:41.263 --> 00:11:45.393
and I'm really, really trying, but
half of you have already tuned out.

00:11:46.118 --> 00:11:47.778
So, this is what it says.

00:11:47.908 --> 00:11:52.108
If all of you pay attention for a full
hour, and then you walk out of this

00:11:52.108 --> 00:11:57.598
room, you will retain less than 50%,
you will retain about 40 percent of that

00:11:57.598 --> 00:12:02.558
content if somebody asks you to tell
you what was said just one hour later.

00:12:03.908 --> 00:12:10.898
If you go out a full 30 days, a
full month, and I go over to Riley

00:12:10.898 --> 00:12:12.318
and I say, Riley, what did I say?

00:12:13.608 --> 00:12:16.748
He's going to remember this
much, about less than 20%.

00:12:17.478 --> 00:12:20.358
Now, how do you change that statistic?

00:12:20.698 --> 00:12:23.971
And the way you do it is by it's more.

00:12:24.001 --> 00:12:26.361
You have to have more interaction.

00:12:26.441 --> 00:12:28.311
You have to see it more than once.

00:12:29.081 --> 00:12:32.621
I know I can't remember a
phone number if I am told it

00:12:32.641 --> 00:12:35.121
once, I will never remember it.

00:12:35.531 --> 00:12:38.151
I have to say it over and over
and over again in my head.

00:12:38.806 --> 00:12:42.756
Our brains are just not hardwired
to hear something once and get it.

00:12:43.676 --> 00:12:47.316
So, when it comes to
cybersecurity, it's the same thing.

00:12:47.956 --> 00:12:50.416
The goal is not to check a box.

00:12:50.446 --> 00:12:53.246
The goal is how do you get
people to do something different

00:12:53.506 --> 00:12:55.396
and actually change behavior.

00:12:55.756 --> 00:12:58.096
So, first of all, they
have to remember it.

00:12:59.011 --> 00:13:04.421
They have to enhance their decision making
and they have to use it in real life.

00:13:05.001 --> 00:13:08.751
Only by doing that are they
going to change their behavior.

00:13:09.371 --> 00:13:10.651
Makes sense, doesn't it?

00:13:11.153 --> 00:13:15.935
But only a small amount of companies
right now are doing it, and

00:13:15.935 --> 00:13:17.765
yet they're seeing the results.

00:13:17.805 --> 00:13:19.795
They're seeing the behavior change.

00:13:21.714 --> 00:13:25.334
So different generations work differently.

00:13:25.761 --> 00:13:28.911
How many in this room hit
the baby boomer generation?

00:13:29.337 --> 00:13:30.897
Who's gonna raise their hand?

00:13:30.897 --> 00:13:31.947
Okay, a couple of you.

00:13:32.607 --> 00:13:34.267
How many are Gen Xers?

00:13:34.497 --> 00:13:36.307
I'm a Gen X, okay?

00:13:36.577 --> 00:13:37.927
How many are Millennials?

00:13:38.997 --> 00:13:41.377
Okay, and Gen Z.

00:13:41.437 --> 00:13:42.567
Any Gen Z's?

00:13:42.567 --> 00:13:43.687
Okay, good.

00:13:44.268 --> 00:13:49.688
Each generation is interacting
with our technology differently.

00:13:50.233 --> 00:13:56.163
Baby boomers want to sit down, have,
have a lecture, they want to go

00:13:56.163 --> 00:13:59.213
through, they want to know their,
what they're supposed to cover.

00:13:59.813 --> 00:14:03.733
They want it in a traditional format,
and they're used to it, and they like it.

00:14:04.813 --> 00:14:07.973
You get to a millennial and
they're like, ugh, roll their eyes,

00:14:08.003 --> 00:14:09.383
like, why do we have to do this?

00:14:10.353 --> 00:14:12.103
They do things differently.

00:14:12.619 --> 00:14:18.829
There are 71 million millennials in the U.S. workforce.

00:14:19.159 --> 00:14:22.169
35 percent of the U.S. workforce are the millennials.

00:14:22.189 --> 00:14:23.999
They are the largest sector.

00:14:25.064 --> 00:14:29.354
And you've all heard of the great
resignation and trying to hire

00:14:29.354 --> 00:14:31.464
people and people just won't stick.

00:14:32.114 --> 00:14:33.664
This is one of the reasons.

00:14:34.404 --> 00:14:38.784
Because we're not adapting to how
the new generation is doing things.

00:14:39.414 --> 00:14:44.324
So, Millennials and Gen Z workers
find micro learning works for

00:14:44.324 --> 00:14:46.414
them and that's what they want.

00:14:47.379 --> 00:14:52.489
So, how do we take cyber security
education and pull it into

00:14:52.489 --> 00:14:57.499
the world of what most of our
employer, employees are made of?

00:14:57.819 --> 00:15:03.009
They're younger, they're more techie,
they want it in TikTok format.

00:15:03.294 --> 00:15:06.194
Now you're laughing, you're
like, oh my gosh, right?

00:15:06.694 --> 00:15:08.314
They want it short.

00:15:09.564 --> 00:15:11.884
So, short training sessions are better.

00:15:12.254 --> 00:15:13.964
This is what the statistics say.

00:15:14.014 --> 00:15:18.774
The statistics say, if you're listening
to something for longer than six

00:15:19.134 --> 00:15:23.584
minutes, you're sitting at your computer,
you're watching a video, if it's longer

00:15:23.584 --> 00:15:29.154
than six minutes, you start to lose
interest and your attention just drops.

00:15:29.864 --> 00:15:33.364
At six to nine minutes, learners
become less engaged, unless

00:15:33.364 --> 00:15:35.434
highly, highly motivated.

00:15:36.094 --> 00:15:40.144
And then at nine to ten minutes
They start to think about,

00:15:40.494 --> 00:15:42.304
when am I getting off of work?

00:15:42.754 --> 00:15:44.334
What am I eating for dinner?

00:15:44.874 --> 00:15:46.604
Am I going to work out with someone?

00:15:47.004 --> 00:15:47.414
Right?

00:15:47.654 --> 00:15:49.654
They start going somewhere else.

00:15:50.494 --> 00:15:56.684
So if you are not capturing them, you are
not training them in skills development.

00:15:57.844 --> 00:16:04.344
So, the new trends, gamification, and
microlearning, because it hits what

00:16:04.354 --> 00:16:06.224
the new learners are looking for.

00:16:07.409 --> 00:16:09.009
So what does gamification mean?

00:16:09.339 --> 00:16:10.389
It's kind of a fancy word.

00:16:10.689 --> 00:16:14.339
I have people who I talk to and
they're like, Oh, you made a game?

00:16:14.959 --> 00:16:18.449
I'm like, yeah, yeah, not a
first person shooter game.

00:16:18.499 --> 00:16:22.309
Like, that is not what I'm talking
about when I say gamification.

00:16:22.959 --> 00:16:30.189
What gamification means is avatars,
badges, rewards, leaderboards,

00:16:30.249 --> 00:16:35.239
um, things that are going to
engage a learner and reward them.

00:16:36.279 --> 00:16:39.349
Now, some of you are rolling
your eyes, I can already see it.

00:16:39.359 --> 00:16:41.879
You're like, oh my gosh, I've
got to reward them for doing

00:16:41.879 --> 00:16:43.459
what I'm paying them to do.

00:16:44.229 --> 00:16:46.849
And the answer is yes, they want a reward.

00:16:46.899 --> 00:16:48.209
They want a gold star.

00:16:48.459 --> 00:16:53.079
So, you need to put a gold star next
to their name saying, Hey Riley,

00:16:53.549 --> 00:16:55.349
thanks for doing your training.

00:16:55.889 --> 00:16:57.149
You get a gold star.

00:16:57.519 --> 00:17:00.649
And Riley's gonna be like,
oh man, I got a gold star.

00:17:00.899 --> 00:17:02.449
I should do my training more often.

00:17:02.912 --> 00:17:05.742
Okay, so why gamification is surging?

00:17:06.832 --> 00:17:10.192
These are three statistics
that I think stand out.

00:17:10.242 --> 00:17:11.912
They're pretty incredible.

00:17:12.462 --> 00:17:19.562
90 percent of employees say
gamification makes them more productive at work.

00:17:20.872 --> 00:17:22.702
Let's say even half of that's true.

00:17:22.712 --> 00:17:25.822
Let's take 50 percent of that, 45%, right?

00:17:25.822 --> 00:17:28.062
Maybe some of them are
just buttering up, right?

00:17:29.482 --> 00:17:30.742
That's a huge number.

00:17:31.167 --> 00:17:33.357
They're like, yeah, that'll
make me more productive.

00:17:33.397 --> 00:17:38.907
Okay, 60 percent average engagement
increase with the gamification work

00:17:38.907 --> 00:17:46.027
experience and then 72 percent of people
say gamification motivates them to do

00:17:46.027 --> 00:17:48.967
their tasks and work harder on the job.

00:17:50.647 --> 00:17:57.847
Those are pretty staggering numbers.
So, do you train for each job role?

00:17:58.512 --> 00:18:02.932
Here's another trend currently in
the cyber security awareness space.

00:18:03.702 --> 00:18:08.732
It's not that I, as an administrator,
am going to push out the

00:18:08.742 --> 00:18:11.682
same training to all of you.

00:18:12.492 --> 00:18:14.552
You all are not the same.

00:18:15.382 --> 00:18:17.272
I've got this section over here.

00:18:17.572 --> 00:18:17.862
You're IT.

00:18:17.863 --> 00:18:22.182
I push training to you and
you're like, That's wrong.

00:18:22.192 --> 00:18:23.612
How come this is said that way?

00:18:23.652 --> 00:18:25.042
No, I don't agree with this.

00:18:25.312 --> 00:18:27.602
You guys are going to argue
with me on every question.

00:18:28.707 --> 00:18:32.339
This section in the middle,
you guys are accounting.

00:18:32.769 --> 00:18:35.199
You're going to get hit
in a very different way.

00:18:35.659 --> 00:18:39.394
And then I have people
over here, you're all new.

00:18:39.774 --> 00:18:41.244
And you're like, training?

00:18:41.254 --> 00:18:42.534
Why should we do training?

00:18:42.574 --> 00:18:42.954
Right?

00:18:43.254 --> 00:18:48.294
So, the question is, are you
currently pushing the same training

00:18:48.294 --> 00:18:50.474
to every employee in your company?

00:18:50.794 --> 00:18:56.384
Or are you staggering it and
making it job role specific?

00:18:56.735 --> 00:19:00.355
When you make it specific,
people pay more attention.

00:19:00.595 --> 00:19:04.735
Nothing is worse than being
required to take training

00:19:04.965 --> 00:19:06.935
that you know is not for you.

00:19:08.065 --> 00:19:08.535
Right?

00:19:09.335 --> 00:19:16.225
I know people, healthcare system, teachers
who are like, oh my gosh, I had to, I was

00:19:16.225 --> 00:19:22.775
required to take three hours of bloodborne
pathogens and I'm an accountant.

00:19:23.925 --> 00:19:24.785
And they hate it.

00:19:25.315 --> 00:19:27.605
So make sure it lines up.

00:19:27.955 --> 00:19:31.420
Train specifically for their roles.

00:19:31.490 --> 00:19:34.280
Now, some of you are going to
say, Oh my gosh, that takes work.

00:19:35.220 --> 00:19:37.660
And it's like, it doesn't,
because there are solutions out

00:19:37.660 --> 00:19:39.150
there that are job role specific.

00:19:39.690 --> 00:19:40.530
Here's a question.

00:19:40.690 --> 00:19:44.220
Does phishing employees work?

00:19:44.926 --> 00:19:49.596
Okay, so I have up here, he said,
if it didn't, we wouldn't do it.

00:19:51.256 --> 00:19:56.346
Okay, so how many of you, I'm going
to say yes it works, no it doesn't.

00:19:56.346 --> 00:19:58.936
So, first yes, does it work?

00:19:59.307 --> 00:20:01.817
Okay, does it not work?

00:20:02.235 --> 00:20:03.535
It depends on how it's done.

00:20:03.575 --> 00:20:05.555
And here's, here's the
question that I put up here.

00:20:06.225 --> 00:20:11.845
For phishing to work, training
needs to be tied directly to it.

00:20:12.515 --> 00:20:18.798
So if I push a training out here to
Bill, and I push a phish to him and he

00:20:18.798 --> 00:20:23.268
fails it, and then three months later
I put him in a group to learn about

00:20:23.268 --> 00:20:25.838
phishing, is that going to help him learn?

00:20:26.408 --> 00:20:26.758
No.

00:20:27.208 --> 00:20:29.318
Because it's not tied to the training.

00:20:30.058 --> 00:20:36.018
So, a lot of times fake phishing goes
out and it's like, well we got a metric.

00:20:36.293 --> 00:20:37.933
20 of the people failed.

00:20:38.063 --> 00:20:39.973
I'm like, okay, well
what'd you do about it?

00:20:40.153 --> 00:20:41.903
Did you tell them right there on the spot?

00:20:42.433 --> 00:20:48.633
So, thinking about how do you train and
use it as an actual training experience.

00:20:49.593 --> 00:20:54.153
So these are three different
types of phishes that go out.

00:20:55.013 --> 00:20:59.473
And also, I was just having this
conversation with Mike over there,

00:20:59.654 --> 00:21:03.801
where we were talking about it's almost
like companies are afraid to fail.

00:21:03.841 --> 00:21:07.211
They're like, oh, I want our
phishing number to come back as zero.

00:21:07.701 --> 00:21:09.401
I'm like, well, what good is that?

00:21:10.191 --> 00:21:14.081
If you say, this is a phish,
don't click, of course they're

00:21:14.081 --> 00:21:15.011
not going to click, right?

00:21:15.011 --> 00:21:17.801
If you make it so obvious, I
mean, you're not training them

00:21:17.821 --> 00:21:18.871
if you make it too obvious.

00:21:18.871 --> 00:21:23.561
You're not training them if you make it so
outside their realm that it's not real.

00:21:24.659 --> 00:21:26.659
So training needs to be fluid.

00:21:26.669 --> 00:21:31.389
This is another trend within the
cybersecurity awareness space right now.

00:21:31.849 --> 00:21:32.659
Fluid.

00:21:32.689 --> 00:21:33.949
What does fluid mean?

00:21:34.699 --> 00:21:41.589
Fluid means when you see something, let's
say you have an attack coming in, you can

00:21:41.589 --> 00:21:43.869
immediately turn around and train on it.

00:21:44.249 --> 00:21:45.999
Now it seems pretty simple, right?

00:21:46.179 --> 00:21:48.169
Hey, we see something,
let's train on this.

00:21:48.839 --> 00:21:51.619
Most companies are not set up to be fluid.

00:21:52.034 --> 00:21:57.969
They're set up to say, hey, add that
to our onboarding for next year, right?

00:21:58.532 --> 00:22:03.342
And Brant brought this out in
the panel, we have to get faster.

00:22:03.782 --> 00:22:09.812
We cannot sit around and wait for
the next reiteration of our training

00:22:10.412 --> 00:22:13.332
to catch up to the current attack.

00:22:14.158 --> 00:22:20.643
One of the things you can ask
your cyber security awareness
person is, are we fluid?

00:22:20.823 --> 00:22:23.653
Can we push out content
when we see things?

00:22:23.653 --> 00:22:25.363
Can we be adaptive?

00:22:26.043 --> 00:22:28.463
Because it helps.

00:22:30.863 --> 00:22:33.213
So what kinds of training
should I train on?

00:22:34.008 --> 00:22:38.528
Many people ask me, they're like, okay,
so what, what should be in this list?

00:22:38.948 --> 00:22:42.468
Let's go through a couple of things
that should be in your, your training.

00:22:43.028 --> 00:22:48.928
This I love, you've probably seen
a different type of chart like

00:22:48.928 --> 00:22:52.068
this, where it's for passwords.

00:22:52.928 --> 00:22:57.038
When you tell somebody, and I'm
going to pick on Kim over here.

00:22:57.358 --> 00:23:01.698
If I tell Kim, hey Kim, you
need to have a secure password.

00:23:03.303 --> 00:23:07.843
Kim's looking at me, and maybe she's not
in IT, she goes, What does that mean?

00:23:08.273 --> 00:23:10.943
Like, Oh, I'll add a
one to the back of it.

00:23:11.263 --> 00:23:13.893
Or, Oh, I'll add an
exclamation point to it.

00:23:13.953 --> 00:23:14.313
Right?

00:23:14.673 --> 00:23:17.373
Kim doesn't understand
what I'm talking about.

00:23:17.723 --> 00:23:22.723
So, if you look at here, number of
characters, if I go down to, let's say,

00:23:23.433 --> 00:23:29.613
ten characters, and I go across, and I
include numbers, lowercase letters, and

00:23:29.633 --> 00:23:33.303
upper, I'm at one month to crack that.

00:23:34.483 --> 00:23:41.463
If I just add two or three more digits
to this, if I go down to 14, and I go

00:23:41.463 --> 00:23:49.133
across to upper and lower case letters,
and numbers, I'm at 800,000 years.

00:23:49.433 --> 00:23:50.603
Now that's random.

00:23:50.733 --> 00:23:54.453
That's saying it's random, and most
of us put, you know, known words in.

00:23:54.675 --> 00:24:00.240
But the number is
exponentially harder to crack.

00:24:00.800 --> 00:24:04.240
Like, it, it's just,
it goes off the charts.

00:24:04.910 --> 00:24:10.770
So, when I talk to people, I'm like, Kim,
hey, you have a ten, ten digit password.

00:24:11.560 --> 00:24:13.540
You need to make it fifteen digits.

00:24:14.600 --> 00:24:15.560
Kim gets that.

00:24:15.990 --> 00:24:20.880
And if you show her why, Kim's like,
oh, well that makes sense, I know why.

00:24:21.410 --> 00:24:25.660
So, you need to train, and
you need to help explain why.

00:24:27.075 --> 00:24:31.825
Alright, you also can train on things that
are a little more technical, like OWASP.

00:24:32.225 --> 00:24:40.168
So many of you know this, but Mark
created this in 2001, uh, Mark

00:24:40.443 --> 00:24:46.053
Curphey, I think that's how you pronounce
it, and OWASP is an international

00:24:46.053 --> 00:24:52.573
organization now, and it stands for
Open Web Application Security Project.

00:24:52.793 --> 00:24:57.803
Now, why I put this up here is
because if you have technical staff,

00:24:58.003 --> 00:24:59.873
you want to be training on this.

00:25:00.433 --> 00:25:07.273
From 2017 to 2021, there were changes in
the OWASP top 10 and what they're seeing.

00:25:07.543 --> 00:25:12.323
Things were added, like for example, down
here on the bottom, server side request

00:25:12.323 --> 00:25:15.663
forgery is one of the new top 10 areas.

00:25:16.293 --> 00:25:18.533
Have you trained your
IT staff on that yet?

00:25:19.703 --> 00:25:24.373
If you haven't, this is one of those
areas that you can do training with.

00:25:25.253 --> 00:25:28.183
Okay, third, ransomware attack.

00:25:28.770 --> 00:25:34.510
If you were to pick a random person
in your organization, just a regular

00:25:34.510 --> 00:25:36.690
employee, not an IT employee.

00:25:37.750 --> 00:25:42.930
And they had a ransomware
screen hit their computer.

00:25:43.300 --> 00:25:45.520
Do they know what to do?

00:25:47.220 --> 00:25:51.140
Raise your hand if you think your
random employee knows what to do.

00:25:51.644 --> 00:25:52.584
They don't.

00:25:53.514 --> 00:25:55.494
They're going to freak out.

00:25:56.304 --> 00:25:59.474
Many of them are not going to
tell you because they're afraid

00:25:59.474 --> 00:26:00.854
they did something wrong.

00:26:02.469 --> 00:26:03.689
They're going to reboot.

00:26:03.719 --> 00:26:04.589
Thank you, Brandt.

00:26:05.089 --> 00:26:09.089
Yes, they're going to lose the
forensic evidence because they don't

00:26:09.099 --> 00:26:13.329
know not to turn off and not
reboot their computer, right?

00:26:13.619 --> 00:26:15.849
So train them.

00:26:15.999 --> 00:26:19.669
So this is one of those areas
you can say, this could happen.

00:26:20.159 --> 00:26:23.789
If it did happen, here are
the three things I want

00:26:23.809 --> 00:26:25.509
everybody to know what to do.

00:26:26.894 --> 00:26:31.964
So, three different areas that
you can train your employees on.

00:26:32.264 --> 00:26:36.184
So, you want to nurture
skills development.

00:26:36.434 --> 00:26:40.694
You want to make sure you're
covering everything from physical

00:26:40.694 --> 00:26:43.644
security, mobile and home computing.

00:26:44.294 --> 00:26:49.564
Many people, if you ask a general
employee in your company, do you have

00:26:49.564 --> 00:26:53.044
a password on your router at home?

00:26:53.284 --> 00:26:54.504
They'd be like, oh.

00:26:55.109 --> 00:26:57.569
Routers all have passwords, right?

00:26:57.789 --> 00:27:00.299
So, so you have to train them.

00:27:00.679 --> 00:27:04.689
Social engineering, phishing,
passwords, privacy, and current trends.

00:27:04.959 --> 00:27:07.239
These are some others
over on the other side.

00:27:07.339 --> 00:27:11.299
Piggybacking, cloud computing,
uh, data classification.

00:27:11.339 --> 00:27:12.979
These are all areas to train on.

00:27:13.829 --> 00:27:20.209
So, I want a raise of hand for somebody
to tell me what this number is.

00:27:20.249 --> 00:27:23.609
What percentage of cybercrime
is due to human error?

00:27:24.644 --> 00:27:25.714
Go ahead in the back.

00:27:26.404 --> 00:27:27.874
Ninety percent.

00:27:27.904 --> 00:27:28.524
Thank you.

00:27:28.744 --> 00:27:30.554
Now why did he remember that?

00:27:32.024 --> 00:27:32.664
Why?

00:27:32.944 --> 00:27:34.014
Go ahead, Nolan.

00:27:34.014 --> 00:27:35.164
Why did he remember it?

00:27:36.194 --> 00:27:37.564
It's written on the bottom.

00:27:37.594 --> 00:27:38.434
Because he's cheating.

00:27:38.474 --> 00:27:38.934
Okay.

00:27:40.044 --> 00:27:41.994
He must have really, really good eyes.

00:27:42.524 --> 00:27:42.894
Okay.

00:27:42.974 --> 00:27:44.774
Why did he remember?

00:27:45.447 --> 00:27:46.727
It's been less than an hour.

00:27:47.100 --> 00:27:53.520
I said it, so you heard it, said it,
and he saw it multiple times, right?

00:27:53.630 --> 00:27:56.470
So when you train, he's
going to remember that.

00:27:56.480 --> 00:27:59.730
So in a month, if I ask him,
what did Heather talk about?

00:28:00.090 --> 00:28:03.060
He's going to be like, Oh,
I remember 90 percent of

00:28:03.315 --> 00:28:04.855
cybercrime is due to human error.

00:28:05.215 --> 00:28:09.785
It's the one thing he's going to remember
because it was said multiple times.

00:28:10.245 --> 00:28:13.225
That's what microlearning is.

00:28:14.045 --> 00:28:17.245
So, train your employees
in cyber security.

00:28:18.055 --> 00:28:24.365
If you feel your employees are not
valuable enough to train, you should

00:28:24.365 --> 00:28:27.135
rethink having those employees.

00:28:28.595 --> 00:28:30.535
Training will reduce cyber risk.

00:28:31.605 --> 00:28:37.025
You need to train not just
yearly, but weekly or daily.

00:28:37.705 --> 00:28:39.725
Training should adapt to changes.

00:28:39.755 --> 00:28:43.525
When you see it, you should be able
to turn around and train on it.

00:28:44.085 --> 00:28:45.995
Training should be engaging and short.

00:28:46.305 --> 00:28:52.635
Training should be reward
focused and not fear focused.

00:28:53.345 --> 00:28:53.855
Thank you.