Joseph Carson:
Hello, everyone. Welcome back to another episode of the 401 Access Denied podcast. I'm the host of the episode, Joe Carson, Chief Security Scientist and Advisory CISO at Delinea, and it's a pleasure to be here with you today. I'm really excited about today's episode. It's something I've been excited for a long time. I am actually joined with an amazing industry veteran, expert, and awesome person, and also one of the persons who I always enjoy listening to your talks. So James, welcome to the episode. Welcome to the show today. Can you give the audience a bit of introduction, background about yourself? And maybe you can even throw a few dad jokes in if you have some at hand.
James McQuiggan:
Oh, Joe, you're asking for a lot. No, man after my own heart. So hello, everyone, my name is James McQuiggan. I'm a security awareness advocate over at KnowBe4 and a regular contributor to Joe Carson's bank account now that he's said all these wonderful, amazing things about me. I had to look around when he made the intro. But no, I appreciate the warm introduction, Joe. It's always a pleasure to see you out on the speaking circuit, and thrilled that you asked me to be here today to chat with you about human security and security awareness and everything else that we're going to talk about.
Joseph Carson:
Absolutely. I mean, we're in the world today, I think one of the things we've talked about for a long time is that it's no longer just about technology. I always love Mikko's comment when he did a few years ago, he talked about we're no longer protecting and securing computers today, we're protecting the society. I think that represents a shift in where we've really come over the years, where it's no longer just about the technology, it's about how it's all being used together. The human side of things is such an important part of the security strategy for organizations. And really, this is where we start thinking about, is what things can we do to better protect and make their lives safer? And it's not just about being in the office, but it's also when we have people working remotely, working from home, it's about how do we protect them in their daily lives. So what are some of the risks that face the human side of things? What are the challenges that we face when attackers are looking to compromise? What type of techniques do they use, and how can it be damaging for them?
James McQuiggan:
Yeah, so one of the things with KnowBe4 that I've always been very appreciative of and a part of, we're dealing with social engineering, we're dealing with the attacks against the human. The way that we do that is we help people make smarter security decisions every day. And that has been my mantra essentially for the last 13, 15 years and going around and helping folks be aware. I equate it to when you have children and you buy them a bicycle and you teach them how to ride it. You teach them how to ride it, but you also protect them. You give them a helmet, maybe some elbow pads, but educating them so that they understand the rules of the road, they've got to be looking out for certain things, for cars, for people, the way they ride it, and that protective gear as well so in the event they do fall off, they don't get hurt as bad.
And so when we look at the human when it comes to social engineering, because we still see that that is the majority of the attacks that are going on out there where the cyber criminals are successful, getting into organizations, getting into people's home networks, computers, devices, they're doing that through some type of social engineering, getting them to do something that they may not want to do in their own best interest essentially. Phishing is, of course, that big way, whether it's phishing with voicemail or text messaging, looking to gain that initial access into the system. A lot of the time it's going to be emotionally driven, people either in a rush, they are distracted. We're smart, we're educated people, we can walk down the streets of New York and if someone walks up to us and is trying to sell us a Louis Vuitton bag or a Rolex watch, we're going, "Yeah, no, I don't think that's real," and keep walking. But a lot of the time people with email miss that opportunity. They're distracted. Again, they're...
Joseph Carson:
You find that a lot of the times the most common time is the end of the day when you're trying to get away, you're trying to get home, you're trying to do your daily chores, or it's Friday afternoon. They really have optimized when you're most vulnerable. They also know what words to use as well to raise that sense of urgency or fear that comes with those as well.
James McQuiggan:
For years, we've always talked about, "Watch out for bad grammar. Watch out for bad spelling mistakes," because usually it's been written by somebody that doesn't speak English or has English as a first language. And that's in the English-speaking world. But now with generative AI booming in the last year, that takes that off the table. The cyber criminals have leveled up, so to speak, with regards to their attacks. So we as users, we've got to be able to do the same, level up our awareness if we're feeling rushed. Even a colleague of mine was in an Uber going to the airport and got an email that came from Uber. But it wasn't, it was a phishing simulation. For me, it was right before lunchtime. I was waiting on a call, and I got a Zoom email that said someone was connected. I ended up clicking on the link. Again, it was one of our internal phishing assessments.
But again, being distracted, not taking that time to go through, because it only takes the one time. We've heard arguments where people are saying, "Oh, well, then security awareness, it's pointless, it's useless if people are still going to click on the link." Security, and you know and your audience is going to know that security is all about reducing risk, whether cyber, physical, or whatever. We're looking at reducing that opportunity for cyber criminals to get in. If you don't do it, well, then you're looking at one in every three people that are going to click on that link in your organization. You want to be able to bring that down so it's one in every 20, 30, 40, 50, whatever, depending on the size. We want to reduce that risk. If in the event that it does happen, well, then you've got your incident response plans that are going to be able to deal with that. That is with technology.
Joseph Carson:
You should have additional security controls behind the scenes that really mitigate the impact of clicking on something.
James McQuiggan:
Exactly.
Joseph Carson:
You reminded me, it's one of the things I remember recently when I was in Singapore International Cyber Week. There was the head of the National Cybersecurity Center here in Estonia was also speaking there. For years, Estonia has pretty much been isolated or protected because of the language. The language in Estonia is very complicated. It's a difficult language. There's no gender. There's no future tense. It's so complicated. It's very difficult language. It's been somewhat protected because of that for many years because it's hard to get proper language translations done in order that would actually take advantage. So people were easily detectable at those really bad created phishing attempts, especially when it was using the Estonian language.
It was really interesting to hear him speaking recently because he was referring to is that that is now no longer the case. Because it used to be where the good phishing campaigns were attackers who had paid proper language translations to do it for them. So when they actually had paid for language, not using machine-generated because they were horrible, but paying people to do the proper grammar translations, those are the ones that were actually the better types of phishing campaigns. But now with generative AI, the translation is actually almost perfect and sometimes even better than most people's grammar.
James McQuiggan:
Wow. You're right. Exactly.
Joseph Carson:
And that's where you get into is that now Estonia doesn't have that protection any more because of the language. And now generative AI is really meant that phishing campaigns can be much more accurate, much more difficult to detect the difference between those mistakes that you would've detected before are now being basically masked and removed from the new campaigns. And to your point, one of the things we discussed recently as well is they're also being where they're not being opportunistic in the first attempt. What they have is they created a campaign that's multiple communications that builds your trust, that makes it look like an authentic service. Ultimately, it's the third email or the fourth email that gets you to click on something or to enter something in. So it is becoming a lot more sophisticated, and generative AI has changed, I would say, the social engineering and phishing and pretexting to being a lot more, let's say, more accessible to more criminals. Because the criminals before, those who were more sophisticated and more advanced, that's what they were doing anyway, but it's not giving those who may not have the skills or resources to having access to this type of technology.
James McQuiggan:
I know we think of the script kiddie, that entry level cyber criminal hacker we call it. For years people were like, "Oh, now it's going to make it easier." Well, we've already seen that it's easier out there because you've got phishing as a service, ransomware as a service. Essentially, cyber crime as a service where you can go out and pay a little Bitcoin and essentially get access. You show up with your list of people you want to attack, and they've got the platform and the infrastructure to be able to send all that off. So it's making it easier already for them. They're leveling up a lot. I know that within the defending space, looking at being able to level up as well using AI within the SOCs, and so forth, but needing to level that up, getting our users educated, getting the process, using the technology to be able to identify those emails that are coming in that are malicious and protect against it.
Joseph Carson:
Absolutely. It is a cyber weapons race for both attackers and defenders. We're trying to make sure that the gap is not widening. To your point, the entry level is lowering every single time, but we have to make sure that we're upping our game when it comes to the defensive side and strengthen that where possible.
James McQuiggan:
Depending on the size of your organization, you've got all those people, those users that have an email address. And for me, the way I look at it is anybody with an email address in the organization has that proverbial front door key, that electronic front door key to let people in. A lot of the time if they click on that link or open that attachment, they're not going to know they've let somebody in. And so it's crucial to make sure folks are aware of that as part of that training. It's not just, "Here, we want you to take this training so we can check the box and be compliant with whatever security regulation." No, we're looking at defending the organization and protecting it. A lot of people go, "Well, that's what IT is for. That's what cybersecurity is for."
And you're right, it is. They're there to help protect the organization, but while you have a key to the front door, you have a responsibility as well to be able to protect your inbox. That's why we're educating you on these. If you've got campaigns and organizations where you are doing those assessments, you want to make sure there are rewards there for it, whether you're doing a top ten phishing spotter or something like that. Being able to help the human aspect with rewarding them goes a lot further than blaming them because they click on a link and you call them the weakest link, which is the biggest pet peeve for me.
Joseph Carson:
Yeah, that's almost became such an evil thing in the industry these days. Which is correct, I think we have to realize over the years is that most employees, their intention is good, as wellbeing is to do their job, to get their tasks done. And they rely a lot, they assume that security is working for them in the background. They assume that the IT and the security team has their back, and then they find out that something got through, it's in their front, and it looks legitimate and they do something and all of a sudden it brings the business down.
It's really important to your point, this one is the education side and also making sure that... I remember years ago one thing I was asked, I was standing in an audience... Well, I was actually presenting to the audience, it wasn't in the audience. The audience was teachers, parents, and law enforcement. That time the discussion was around cyber-bullying and mental health issues. There was one person who asked me if there's one thing that I could ever say to the entire audience that would make a difference, what would that be? I was put on the stand, I'm like, "Okay, you've got the lights and you've got parents and teachers and law enforcement. What one thing would satisfy all of them? What would make it the most impact?" I was thinking about it, and I thought about, "Make sure that you're never afraid to ask for help. Make sure you're never afraid to ask for advice. If you see something, speak up something."
James McQuiggan:
Say something.
Joseph Carson:
Because it reminded me of a... It was a phishing campaign, the penetration test I did not long before that, one that basically the employees, they talked so much to each other because of that communication they had, they were able to detect suspicious activity really fast because they communicated. They were not afraid to ask for advice or to ask for help. And I think sometimes that makes a big difference.
I think you mentioned something important, is make sure that they're equipped and they know who to communicate to, that they see something suspicious, that they're not afraid, they're not victimized, they're supported and can be rewarded in different ways. So making sure that they... That changes the culture within the organization as well to being something that people feel that they're all working together and you're not basically isolated. It's teamwork in many cases, and that's one of the most important things here.
In a lot of phishing campaigns, some can go really well and some can go bad. What's your recommendation in regards to what is the best practices or good tips and what things should organizations avoid when they're starting to think about doing a phishing campaign in their organization?
James McQuiggan:
A lot of it comes down to knowing your audience and knowing who your users are for your culture. You're going to go through, you're going to send phishing assessments out. They're going to be upset, because if they end up clicking on the link and they fall victim to it... I have this whole thing on four stages of phishing grief where the user's going to go through and be shocked that, "Oh my gosh, what happened?" And then denial of, "Oh, I didn't submit anything. I closed it down. It's not bad." And then they get angry because now they've been reported, they've now been told they got to do training. They're angry at the IT guy for taking away from their productivity. They're angry at themselves for falling victim to it. And then eventually you get into that acceptance phase where it's like, "Okay, fine, you got me and I'll do the training and I'll move on."
A lot of the time there's that misconception of folks thinking that it is a got-you moment. "Hey, we're trying to trick you. We want you to fall victim to it." It's an educational opportunity where we'd rather have you fall victim to our phishing assessment than a real one with the bad guy. We're looking to educate you. There's a point where a lot of people think that, "Oh, great, I'm going to click on the link, I'm going to get fired." And that comes from an organization's policy. What does your policy say? Yes, people make mistakes, it's a given, we're human, but how long does it take where they click a link, they get educated, they do it again, they have a chat, they do it again, and if it's habitual and continual, then there has to be the discussion of, "Okay, we need you to value the security of the company." And if they can't do that, then there's a separation. A lot of the time people think... There's been the misconception of, "Oh, they do it once and I fire them." It's like, no, you want to have a plan.
Joseph Carson:
It's an educational opportunity. It's an educational opportunity to highlight-
James McQuiggan:
Extremely educational.
Joseph Carson:
... and to show the areas that they potentially use to spot and be able to indicate. One thing I remember using in one of the phishing campaigns in the past was to make sure that the employee understands is that this is something that just doesn't help them in the workplace but can also they can take home with them to protect them in their personal lives and really expand it. Maybe they can go back and educate their family, their kids, their parents, and so forth. So sometimes it's important step is that we are here to educate you because cyber attacks don't just target the organization you work in, but it also targets you at home. They take opportunistic, and that could be, if you don't learn from this, what happens is what if it's your personal computer? What if it's your bank account? What if it's your identity outside of the organization? So obviously there's an opportunity that it's about protecting society, but it's through the business as a means of achieving that.
James McQuiggan:
Yeah. I did a presentation the other day and somebody was asking, "Well, this is great... " because of all the training information they had at this conference. They said, "This is great, but how do people that don't work are in those environments to get that training, how do we educate them?" Again, and going to your point, a lot of that is you need to be able to spread the word, you have to be ambassadors of it. This is to become the norms within society. Be aware of phishing links. I mean, my father-in-law will call up and talk to his daughter, my wife, and say, "Hey, I got this strange email today where it wanted me to do this survey to win some AirPods." He goes, "But I didn't do it because you guys have told me, 'If it's too good to be true, don't be following it.' And to question things if you're not expecting it or it seems strange or unusual going through and looking at that, but having to educate that."
But that's one person through what I do, through my wife, but there's thousands of other people that don't have that opportunity. And so it needs to be something where, yeah, we are learning it at work and it should be something we need to be sharing because everybody's got a smartphone... or pretty well almost everybody's got smartphone, got email, surfing the internet, buying things, streaming, list goes on and on and on. But it's like we've gotten the bike, we're riding it, but we haven't learned how to ride on the road. If something happens then we get hit by something on the road. So it's a matter of being able to spread that along and especially depending on the people who you're talking to, because a lot of the time we're trying to grow that security culture, that norm. Not only is it checking links, but making sure password managers or strong passwords, using MFA wherever possible. Having that mindset of protecting our accounts, protecting our data overall is what we're looking to do, but a lot of folks just don't have that understanding, that awareness of it. So it's a matter of getting them educated and then spreading the word through friends, through family, down to your kids so that they're aware.
Because even my two daughters out there in the world, whenever they text me and go, "Hey, what's the Netflix password or the password for Disney Plus?" "It's in the password manager." And they're like, "Oh, right, okay," and then off they go and they check it. But again, and I've asked them, I said, "Do a lot of your friends do this, use password managers or MFA?" And they're like, "I think so." And then they come back and go, "Not really."
Joseph Carson:
They're not using it, and they're using something simple. I think we're in the same situations, but even my kids as well is that I've got them hammered into password managers and the sharing and creating complex passwords and using multifactor authentication, they've got it driven into them. I get shocked when I hear that the things their friends are doing. I'm just like, "Okay, are you educating them?"
I think one of the things you mentioned really important is ambassadors. I used to call it cyber mentors, ambassadors, lots of different names for it. I think that's really vital for organizations to establish within the organization and even within peer organizations, across, is to really establish this cyber ambassador program as much as possible. One thing I remember when I was doing one of these programs many years ago, I was asked about who's the best people in the organization to become these cyber ambassadors? Sometimes it's the techies, the geeks within the community and the organization. But I actually find it was victims-
James McQuiggan:
Oh, okay.
Joseph Carson:
... previous victims because they know what it means to be a victim.
James McQuiggan:
For me, it was always the admins. The admins in the departments because they're always there, everybody comes to them with issues or questions, they're well-respected.
Joseph Carson:
The gossipers, the go-to that have the knowledge about everything that's happening within the department. Absolutely.
James McQuiggan:
But the victims certainly brings a unique perspective because, yeah, they've gone through that phishing grief or they've gone through that grief of an attack and they can share that experience. And when you share stories with people, that's how it sticks. That's-
Joseph Carson:
It becomes more impactful.
James McQuiggan:
It becomes more impactful.
Joseph Carson:
It really raises-
James McQuiggan:
The emotions-
Joseph Carson:
And also gets to the point where when people are telling this is what happened, it's like when you have a real-life scenario and they can tell you basically the challenges I went through, it really makes a difference when they have those examples. I always find it was one of the things that really raised the importance of people listen more and really took action.
James McQuiggan:
And stories have that emotional aspect to drive it home, and they remember that. They remember the stories over the facts.
Joseph Carson:
So we're going through phishing, I think, absolutely, social engineering, big topic, phishing, all of those things. For an organization, I think this ties a little bit into the ambassador side of things and the mentor side, what's some of the best practices for an organization who really wants to establish a cyber awareness program across the organization? I'm not a big fan of ones who just do it for the checkbox approach, to meet the compliance once a year. I'm not a big fan of that. I think sometimes it is just you're in that moment in time and that's what your goal is, but the rest of the year you're not paying attention. It's sometimes a bit like we have cybersecurity awareness month, and it's one month, but you should be cyber aware all the time.
James McQuiggan:
Exactly.
Joseph Carson:
What's some of the best practices for organizations who's gone down and thinking about an awareness program for the organization, what would you recommend that the things that they should prioritize and do?
James McQuiggan:
Yeah, certainly when it comes to your security awareness program, having a program that you're just not repeating every year, you're not having the same training every year, you want to be refreshing it. You want to be doing training throughout the year, do it frequently. One of my favorite analogies is the fact that you can't go to the gym one day out of the year and expect to have that muscular tone packed body, right? No-
Joseph Carson:
Six pack.
James McQuiggan:
Six pack, yeah.
Joseph Carson:
Beach body ready to go.
James McQuiggan:
But you've got to go to the gym like three times a week or four times depending on how fit you want to get. Because it's repetitive, you've got to go through... You can't learn how to play the violin in one lesson. It takes years because you've got to go through and repeat it. With security awareness, we want to be repeating it. We don't expect to make everybody cybersecurity experts, but by doing smaller training throughout the year, that's going to help keep it front of mind because of the fact that everybody has an email address. Yes, this is a reason why we need to keep it front of the security front of mind with you.
Joseph Carson:
Sometimes bite-sized and iterative.
James McQuiggan:
Little 10-minute videos.
Joseph Carson:
Little bits people consume.
James McQuiggan:
And doing that. So the frequency is one part. The other thing when it comes to security awareness that I always like to say is team up with your communications and marketing team, your PR team if you've got them, because their job is all about getting a message out, getting a word out, whether it's the product of the company or a service.
Well, you've got a service, you've got a product that you want to get out to your users in your organizations. Work with them, they're the experts on that. They can help you develop those campaigns of when are you sending out newsletters, when are you sending out emails...
Joseph Carson:
What language you use in the communication.
James McQuiggan:
What language, what culture. Right, exactly, what culture are you going to have? Are you a global organization versus just being a one domestic organization? But then have different trainings go out, different newsletters, videos. Stagger that, and then also have it specific to the different people in your organization. Your executives, their time is valuable, so you've got to limit that. You've got your practitioners, whether it's HR or your finance folks, they're going to be subjected more to those business email compromise, the vendor invoice, those kinds of things. But then overall for the users, you want to be going through not only with the training but then doing those phishing assessments as well, going through and making sure folks are being able to spot not only the phishing email but then reporting it as well.
Because that's the other key element a lot of people sometimes miss, is the fact that yeah, you're putting it out there, but they need a way to be able to report it back in, whether it's real or not, because that's a stat of showing the positive. That's showing people reporting it. They're doing the action. When you have that, what we call our phish prone percentage, it's your percentage of clickers, that can have that negative impact because then people are like, "Oh, I was part of that phish prone percentage," and then they feel down. But if they feel that they're one of the users that report more, then they're like, "Hey, I know I'm doing my job. I'm doing good. I'm protecting the organization." That carrot versus the stick goes a long way as well. So folks feel a lot more pride in their organization, and that helps drive the culture, helps drive those norms which are contributing to the behaviors overall to getting a stronger security culture.
Because people have developed bad habits, I hate to say, with regards to email and internet and not being as secure minded as they could be. And so having to change those habits, that's what takes time and that's what takes the frequency to be able to go through and do that continuously so that you build up that culture, build up those norms. So folks are like, "Oh no, you got to change your password, you used a weak one. Oh hey, you should use the password manager that we have in the organization." They're like, "Oh, okay, all right."
Joseph Carson:
Automate it and move it in the background-
James McQuiggan:
And then hopefully that-
Joseph Carson:
Let's stick with the pain of passwords.
James McQuiggan:
Sticking with the pains of passwords. Hopefully then that carries home. It's like, "Oh, I get a password manager here at work and I can use it at home. Okay, well I like using it here."
Joseph Carson:
It's such an important thing. I always say that expanding your security solutions to people's personal lives goes a long way. I always remember, somebody mentioned to me, a really wise person quite a few years... even similar to going back to what Mikko statement that I mentioned about we're securing society these days, not just computers, it was also about we're only secure as a social sphere around us. The more we push that social sphere outwards, the more secure society becomes.
James McQuiggan:
Society becomes, yeah.
Joseph Carson:
That means that security doesn't just start in the office or with your employees, it starts with their family and the people around them. The more you can push security into those environments, the bigger impact you can have.
That's what we're also saying even in supply chain, many organizations are going, "Well, if you want to be a supplier, we are going to expand our security solutions into your environment as well," so that they can make sure that they're getting that supply chain and social sphere again. Because they know the more they push the boundaries outwards, the more difficult it is for attackers to be successful.
James McQuiggan:
Exactly.
Joseph Carson:
You reminded me-
James McQuiggan:
You're only as strong as your weakest vendor security program.
Joseph Carson:
Exactly. You reminded me an interesting one. When I did phishing campaigns many years ago, one of the things I always wanted to know as well was not just focusing on the people who clicked, because I understand, because that was the initial intent, is to do it such a way that you're playing on time, fear of doing something wrong, the urgency, sensitivity and all of that stuff. There's techniques and really well-constructed methods to get it and looking very authentic as well. I always wanted to also ask the people who got it but didn't click on it because I was always curious, "Did you see it? What did you identify? You maybe didn't report it." So also going through that, I think it's really important to also get those who did see it, didn't report it, and understand the reasons and intentions behind that as well, because that can also be a powerful measurement into understanding about what was the thing that you did that made them not interested.
James McQuiggan:
Sometimes it could be a matter of they forget. I know for me, when I'm on my phone and I get an email that comes in and it looks a little suspicious or something about it, I'm a little hesitant about trying to preview the link on my phone because you got to hold it down to pop it open.
Joseph Carson:
Yeah, it's more tricky to, let's say, look for the indicators of compromise in mobile devices than it is on traditional laptops and desktops.
James McQuiggan:
And so my rule to myself is, "All right, if there's something weird, I'm going to look on it on my desktop computer through a browser and I can hover over and I can check it." And other times emails come in and it just gets weighed down and then it goes on the next page and then you forget about it. I know for me, sometimes if it doesn't get reported, it's because it's out of sight, out of mind.
Joseph Carson:
You get so many emails, you're so popular that it's hard to keep up. So I think popular people who get so many emails, it's hard to keep track of them.
James McQuiggan:
Or it's all the vendor emails from the conferences.
Joseph Carson:
Possibly. That reminded me as well, one of the things getting into... I remember talking about the cyber awareness training side and going through into that whole social sphere side. One thing that was really interesting is many years ago I remember doing this... I was there to do a risk assessment and do a strategy for improving it. Every different team that come in, they had their part to do. I was looking at patch management and looking at the inventory of those and how much systems had been up-to-date patched. Others was looking at software programs and password management stuff. There was lots of people working in different areas. And ultimately we realized that we need to do security awareness training program with certain high risk users, was ultimately one of the goals.
So we went through and we had a plan, it was a six-month project. They put all the things around it, all the resources, and they went through and started doing this awareness training. And it was a disaster. Employees hated it. You're taking them away from their job, they're not able to do tasks. They were unhappy. They weren't listening. We had all of these very well-legally-drafted policies and messages, how important it was, and it was just disaster. It was huge friction between the employees and the security team, and it was just basically turning into just mayhem and chaos.
I remember one of the days we were sitting and we were just going, "We are failing. What are we going to do?" It was an interesting time because at the same day it was actually bring your child to work day. So it was like a parent bring your kid to the office. And we're sitting there and we're all out of ideas, and somebody came up with the idea, says, "Why don't we ask the kids? Maybe they have a better idea than we do." It was interesting because what happened was we went and got permission can we go and present to the kids. It was a bit of an awkward moment because when you go and present to these all different ages of kids. You have really young kids and older kids. We went in and we presented our awareness program, and they were just looking at us in shock. It was complete disaster and we were looking for ideas how can we make this better. One of the kids raised their hand and said, "All this text doesn't make sense to us, it's already complicated." The words are way beyond their understanding. They said, "Why do you do it in comics, like graphics and images?" We thought, "That's an interesting idea."
So we're like, "Okay, this is something we haven't tried and something is interesting." So we ended up creating a series of little comic stories that highlighted the different risks and issues with some of the techniques, phishing, plug-in USB sticks, entering credentials, and changing passwords. But we create all these little storyboards and ended up we realized that actually this is fantastic because we don't have to go through all the translations in all the different countries that this organization operates in, 115,000 employees across many countries. You're going, "This storyboard actually was much cheaper than our original plan that we were going forward." And then it was interesting. So we're actually impressed. We're going, "This is amazing. Let's keep this going. Let's find out more ideas. These kids are actually educating us way beyond we ever thought it was even possible."
And then we were going, "Our way of communicating... " We sent this through email, we had an internet webpage and all of this stuff, and they were just like, "Huh." And another kid raised their hand and said, "Why don't you put it on the back of the bathroom doors because everybody needs to go to the bathroom at least once a day. We know we do." And that was another moment of realization was like, "Huh, that's quite interesting."
James McQuiggan:
You have a captive audience in the bathroom.
Joseph Carson:
So those kids were well-treated at the end of the day with plenty of candy.
James McQuiggan:
That's awesome.
Joseph Carson:
But it was realization that we had the program, we put in comic stories, we had those on the back of the bathroom doors. We changed them every couple of months. We also put them in the canteens because they also said, "We need to eat." But it was amazing how you can erupt traditional thing that you used to and really open your eyes to other possibilities. And that was a moment of realization that diversity was so incredibly important.
James McQuiggan:
And kids see the world a little simpler.
Joseph Carson:
Yes, they do.
James McQuiggan:
With any type of project, when you can simplify the process and explain it to a child or explain it to somebody, senior citizen, somebody that's not in the tech world and they can understand it and get takeaways, then your message is communicated effectively.
Joseph Carson:
Yeah, actually the whole session, it's like just a half a day just sitting and just really opened our minds. For me, it was always one of those enlightening moments I always say in my career. It changed me as a person as well, just listening to the feedback. It made that program successful even to the point where that was actually the cyber mentor program also was part of that initiative. And also expanding security to that whole thing with the kids also made them realize that security starts at home and expanding security solutions to their families. So they even paid for things like antivirus software, password managers for them to use at home. I thought that was an impressive way and a really, let's say, modern way of thinking of things.
James McQuiggan:
Right. That's awesome.
Joseph Carson:
So quick, one of the big things in the news recently is around liability. It's been happening over the years, we saw it with the Uber incident and we've seen it with a few cases, and most recently, of course, now with the SEC charging CISO from SolarWinds all about transparency. This all happening, is it something that we start to have to realize it's not just about the employees who you're becoming victims of incidents, but also now as a result of incidents, now the executive team and the leadership of organizations are also. What's your thoughts around the whole liability from CISOs and leaders in organizations, especially when it comes to security these days?
James McQuiggan:
Yeah, it's really interesting, and I've had many of these types of conversations over the years. One of the statements that I always heard regarding somebody that would communicate between the C-suite and the business was the fact that the board of directors, your C-suite team, they have a larger risk appetite than we're willing to take on ourselves. And that's why they're in that role. However, I think because we've had so many data breaches, it's so nowadays, it's like, "Oh, another company got breached. Okay, all right. There goes all my data and information in the wild," that now the government has realized, "Okay, too many of these organizations have been hit." I think it's because with SolarWinds and the supply chain and the downstream and all that-
Joseph Carson:
The impact and the government is also significantly impacted as part of that as well.
James McQuiggan:
So with that, it's like, "Okay, organizations need to start taking a little more responsibility." It would drive me nuts because you'd get the letter that would say, "We take security seriously." My response was, you're missing a word, we don't take security seriously enough. And so now it's putting the feet to the fire of the organization's directors themselves, whether it's the board of directors, the owners of the company, whatever it is, but putting their feet to the fire going, "Okay, yeah, you took a hit because you got hit with ransomware, you paid the ransom, you had to spend $15 million to recover, but you made 125 million last year. For you that was like, 'Okay-
Joseph Carson:
It was a blip.
James McQuiggan:
"You took a hit on the stock and you kept on going. It didn't put you out of business, where you've got smaller businesses, some of them, they get hit and down the road they end up having to close the doors." Getting breached when we've got all that PII out there, finally it's like, okay, this is unacceptable. We have to start protecting it more. And so by putting in the regulations with SEC, because that impacts stock price, okay, now you have to do a filing, the 8-K filing and then the 10-K for the annual event regarding any type of cybersecurity incident. And you've got to do that within 72 hours. I remember people freaking out going, "Oh my God, 72 hours, it's not enough time." Where in the rest of the world they got less. So you've got three days. And of course it's down to the wording and what you declare as an incident when you do that. And so now it becomes you've got an event, okay, well we can carry the word event for a particular time till we declare it an incident, then we have 72 hours. So they get their ducks in a row.
It's regulation and loopholes, and we've seen it go on for years, at least I know I have with other compliance regulations. But for me now it's looking at, okay, now, yeah, your risk appetite might be a lot bigger than what we're comfortable with, but now it becomes the fact that if we have an incident, you can't sweep this under the rug. If there's material ability impacted by this where it impacts our PI information or our customers or organizations or could impact stock price, now we're going to be held accountable for it. And so I think this is waking up a lot of board of directors, a lot of organizations where they don't understand it and they would just be like, "Cybersecurity, that's an IT thing or an information office thing." And so they wouldn't take it seriously. And now it's something where we need to have more technology-minded people on those board of directors not only from a risk standpoint, a governance standpoint, but also from a technology in getting them to understand that down the road.
Joseph Carson:
I think it comes on to as well as, we as an industry have been pushing the CISO to be on the board to get that visibility. It also realizes and it highlights to me that are most CISOs ready to be on the board from an experience and knowledge perspective, because ultimately it's very different. To your point, it's shifting the risk, and we are not always willing to accept risk. It also gets into that CISOs who are on the board who sign findings and papers that they want to make sure that as they're signing it that they're able to back it up. And also then the question is that, from a security perspective, because a lot of times the CISO's put under a lot of pressure in order to make sure they're able... Sometimes their hands are tied in regards to make actions and make changes, to the point where, does anything the CISO signs, does it have to be backed up by other board members so the CISO isn't the only one being held responsible?
James McQuiggan:
Right, we don't want them to be the scapegoat.
Joseph Carson:
Correct. The CISO tends to be as a result of this being the one that's liable and the rest of the board not. This is where it gets into that whole association side. So for me, it is something that I think we've been pushing our way down, but we have to make sure that we're also backing it up with the right training and expertise and that CISOs are getting the right knowledge and support when they're getting those... Because I think a lot of CISOs, it's first time board, let's say-
James McQuiggan:
There almost needs to be a training course for them to what it's to be like on a board. I know they're out there and they can go and find other things, but yeah, rather than make your... I think I heard the title of a presentation recently in a conference was the chief information security officers, the chief information scapegoat officer. But it shouldn't just be them. If they're not doing their job and they're not pushing to get more the technology training and processes in place and the people, then yes, then that's a failure on their part. But if they're pushing it through and they're not getting the budgets because the board recognizes the risks aren't that great for it, then it becomes a whole board.
But even with that, and let's say they get the budgets, there can still be that breach, you can still have a data breach that can occur. But if you've got the processes in place in being able to mitigate the risk overall-
Joseph Carson:
Correct.
James McQuiggan:
... then it may not be as bad. But it's like I said with the security awareness training, yeah, you're still going to have people that are going to click on links, it's now if you've got the technology and you've got the processes and the people that can handle that in place, and that goes a long way in mitigating and reducing that attack surface that they gained access into and limit what they can get to.
Joseph Carson:
I completely agree with that statement. It's absolutely really about making sure that you're being honest with yourself when it comes to your security capabilities. It's hopefully what you're getting to, is that I understand the risk in my environment and I'm accepting them as they are and I'm presenting to the board and they're accepting them and we have shared responsibility when it comes to it.
James McQuiggan:
Exactly.
Joseph Carson:
And then you're not falsifying your capabilities to your customers. I think we've a lot to go when it comes to making sure that the CISOs out there are ready and have the knowledge to make sure that they understand what can come as accountability.
James McQuiggan:
Exactly.
Joseph Carson:
I attended a great session recently, and there was a couple of CISOs who was on that CISO summit that I attended, and they were talking about even liability insurance the companies taking out, just in those cases that it's now becoming a top discussion.
I got a question from one of the things I've got as well, is what do you see some of the future trends? Where do you see the future of this area going when it comes to the human security? I love the whole CISO secured by design and shifting left and all of those things, and we got a lot of initiatives, but what can we do to really accelerate this? Is there initiatives that you're seeing? Is there anything that KnowBe4 is doing around this as well? What's your thoughts around the future trend?
James McQuiggan:
Yeah, I mean, from the security awareness standpoint, we're always having more content and having that available, so different aspects. We know AI is playing a huge role with organizations having training surrounding that. But then also from phishing assessments, we're utilizing AI in new capabilities. But also in how you deal with those phishing attacks. And so we have a product called PhishER, PhishER Plus that handles the triaging of that, being able to remove it from everybody's mailbox, flip it around and send it back out with your own links to assess folks because it's a real live phishing email.
So yeah, we have our product platform that we've got is the industry leading with regards to sending out the phishing emails, dealing with phishing emails, the training of it overall, the security coach, having those little bite-sized training programs. If you're plugging in a flash drive and your policy doesn't allow it, those kinds of things, get a little quick three-minute video to help the person understand the risks and what they need to do moving forward.
So yeah, overall here at KnowBe4 continuing to focus on the human, getting the security culture raised up within organizations, keeping security top of mind, doing it so that we're looking to change behaviors, but overall we want to reduce risk within organizations, so reduce that attack surface where we hear so often that they got in through social engineering. If we can get it so that folks are like, "Yeah, no, I know that's not real," and not believe everything that comes in on your phone, have that little healthy level of skepticism with regards to your phone, your email, voicemails, and so forth.
Joseph Carson:
Fantastic. It's ultimately making the world a safer place for us to live in. I mean, that's ultimately the goal. Is there any resources or any places that you would like to point people to that can help them?
James McQuiggan:
Sure.
Joseph Carson:
I know Perry has numerous great books. I've got quite a few of them on my shelf as well. And Stu is also a great advocate also. He's always sending out his-
James McQuiggan:
The Cyber Heist News. Yeah, we have the blog site, blog.knowbe4.com. We have multiple stories coming out every day. The Cyber Heist newsletter that comes out from that, that's now on LinkedIn. They were real excited, they got-
Joseph Carson:
Fantastic.
James McQuiggan:
... the LinkedIn newsletters out there every week. But going back to what we talked about earlier with regards to getting the word out to people, KnowBe4 does have a home course. You go to knowbe4.com/homecourse, and it's a home security awareness training program that people can take. Now, it is password protected and the password for it is homecourse, all lowercase. Don't come at me because of the password we use, but that's just to prevent it from being scraped, I believe. And so you've got to have some sort of human interaction. But yeah, you can go out, and that's got training for people and families to be aware of with regards to security awareness. Share it with your grandparents. It's a series of videos so they can go through and watch that. Again, get that awareness to hopefully make them think a little more when it comes to those emails and not believing everything coming into their inbox is true.
Also from a security professional perspective, I produce the Security Masterminds podcast, so we have our own podcast out there. Every month we interview a new security mastermind that's out there. We're wrapping up on season two, and I'm already lining up guests for season three, which looks real exciting. Looking forward to that. So definitely check out the KnowBe4 website and for all of the products and services, the blogs, the information, and the home course.
Joseph Carson:
Fantastic. I'll definitely make sure as we go through all of this gets added to the show notes as well so it's easier accessible for everyone on the show. James, it's been awesome. I always enjoy having you on and always enjoy speaking with you and listening to your talks. It's always great to catch up and chat with you. Let's make sure it doesn't go too long for the next chat. Any final words of wisdom that you would like to share with the audience before we close up today's episode?
James McQuiggan:
Yeah, just stay safe out there. Have that healthy level of skepticism. We need to have that. We can't just believe everything that we see. Yeah, now that we got the holiday season coming up, we're going to see a lot of scams of shipping deliveries.
Joseph Carson:
Absolutely.
James McQuiggan:
Don't freak out if it's delayed.
Joseph Carson:
Christmas presents and holiday seasons.
James McQuiggan:
Christmas presents, yep. So we got to elevate up just a little bit. If all else fails, ask somebody.
Joseph Carson:
Don't be afraid to ask for help.
James McQuiggan:
Don't be afraid to ask.
Joseph Carson:
That's the key part.
James McQuiggan:
It's a good message to have.
Joseph Carson:
James, it's been awesome having you on. Many thanks for joining me for today's episode. For everyone, again, tune in every two weeks for the 401 Access Denied podcast, here to bring you educational knowledge, news, trends, things that really help make the world a little safer place. And James, you've definitely brought it to the show today, it's some great knowledge and contribution. Thank you very much. So everyone, stay safe, and take care.
James McQuiggan:
See you.