How Do We Influence Secure Behavior?

We all know that our employees need to be more security aware, but what are the methods to get them there? How can we make our employees more security conscious?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark (@dspark), the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest Jack Chapman, VP, Threat Intelligence, Egress.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Egress

Egress helps organizations stop email security risks by addressing both inbound and outbound threats together. We recognize that people get hacked, make mistakes, and break the rules. Egress’s Intelligent Cloud Email Security suite uses patented self-learning technology to detect sophisticated inbound and outbound threats, and protect against data loss. Learn more at egress.com.

Full Transcript

Intro

0:00.000

[David Spark] We all know that our employees need to be more security aware, but what are the methods to get them there? How can we make our employees more security conscious?

[Voiceover] You’re listening to Defense in Depth.

[David Spark] Welcome to Defense in Depth. My name is David Spark, I am the producer of the CISO Series. We’re available at CISOseries.com. And joining me for this very episode, you’ve known him, you’ve loved him, I’m going to assume you’ve loved him. We all love him here at the CISO Series. It’s Steve Zalewski.

Steve, say hello to the nice audience.

[Steve Zalewski] Hello, audience.

[David Spark] Our sponsor for today’s episode, very excited to have them onboard, a brand-new sponsor with the CISO Series. It is Egress – stop more advanced phishing attacks. Do that with Egress. We’re going to talk more about that, and really, making people more secure-conscious with Egress today.

But first, Steve, let’s talk about the topic. You asked the security community – what does it take to get security to stick with your coworkers? There’s so many security training programs out there and regulations that require some sort of security training. While mandatory security training is a requirement, those once-a-year efforts don’t seem to have much of an impact.

Everyone seems to agree that micro just-in-time training is key. Plus, you need to make it personal and have leadership show the right way. Employees have to be trained on all types of behavior. I’m just going to ask, I mean, we train people on lots of different things. Why does security remain so darn difficult?

[Steve Zalewski] You know, when I posted this, even in the last month or so, I’ve come to a different perspective, which is why it’s so difficult is because we have to do it for five different types of audiences that are all over the spectrum of how they see security as either necessary for the job or a burden on the job.

[David Spark] Well, helping us in this very discussion on how to talk to all these different audiences and why it’s so darn difficult specifically for security is our sponsor guest. He is the VP of threat intelligence over at Egress, our wonderful sponsor of this episode. It is Jack Chapman. Jack, thank you so much for joining us today.

[Jack Chapman] Thanks for having me here today. It’s a really exciting topic for us to really dig into.

What’s the optimal approach?

2:32.810

[David Spark] Mike Wilkes who advises over at Wallarm said, “Every organization has culture bearers who influence the rest of the organization. You need to have a security mindset practiced by the senior leadership all the way through the organization. It should also be treated as a ‘whole of person’ issue so that you are improving the skepticism and ability to detect malicious communications and links when they are at home or on vacation or visiting family and not just when they are behind the company laptop.” And Mike Van Orden of Emanate Security said, “People aren’t influenced by being told what to do.

They’re more likely to copy or compete with good behaviors they see in others.” So it’s really like lead by example, Steve, yes?

[Steve Zalewski] So, I’m going to start with this is 20-year-old thinking and it doesn’t work. And so regurgitating 20-year-old thinking is obviously, while it’s an interesting topic, I think the challenge we have is 20 years ago when cybersecurity was relatively new, and we had an audience that was just coming into its being, we did all this stuff.

Now, if you think about it, we’ve got five generations of people that are…been introduced to cybersecurity, some in their late 40s, others as early as they were born with this, right? The ones that are in there, you know, 15-, 18-year-olds. Very different.

[David Spark] Do you feel that training the cyber, or I’m going to say digital natives, not cyber, but digital natives, the people who grew up with technology, is easier or harder than those who did not?

[Steve Zalewski] It’s different.

[David Spark] In what way?

[Steve Zalewski] In it’s what we started with, which was this idea of contextual micro training, right? That is how you approach the newer generations that want it fast, fast, fast, and so they’re trying to think about how to address that. Whereas other generations, that is not how they want to be introduced or to be able to be reinforced for behavior.

And so I think that’s why no one size fits all, and in some cases it’s actually directly contrary, depending upon the populations you’re trying to address.

[David Spark] So, Jack, you were nodding your head here. What are your thoughts, and do you agree this is 20-year-old thinking, the way Steve was responding?

[Jack Chapman] I think so. I think just differentiate. Culture and organization from a cyber point of view is key and having hand raises and that, [Inaudible 00:05:24] coming forward. But this idea of having sort of culture bearers throughout doesn’t particularly work and especially upon different generations of how do we get engagement from them throughout organizations.

It’s really key to make it contextual. For those who are digital native, if you like, they’ve got the different [Inaudible 00:05:44] people they have on. This is all they’ve known. So, they believe that they’re not likely to fall for attacks, “Why am I getting this training? I grew up with this stuff.

I’m not going to fall for the latest phishing attack,” and so on. I think that’s a very different element to train in versus someone who’s like, “Oh, what is the latest attacks? Okay, I need to not give out my password, I need to check the links before I click.” So how can one size fit all, really?

[David Spark] No, and that’s a good point. And that’s how just modern education in general operates, teach to the person’s skill level. Not everybody is at the same skill level, and we’ve known that for quite some time. So, I mean, are we in agreement that micro training is the way to go? And by the way, I don’t even know, do these regulations allow for micro training?

Because it seems like you’re required X period of time of security awareness training. Steve, do you know?

[Steve Zalewski] So, many of the regulations require annual training, and we accomplish the annual training, the problem is it’s not effective. And so a lot of what we’re trying to do is to make the training effective to stop the attack, not to just meet the regulatory compliance. And that’s now the contextualization, the micro training.

The question is instead of once a year boring you, how do we put the right context at the right time in front of you as close to either after you made the mistake and clicked or before you’re about to make the mistake and click in order to just remind you, to reinforce the likelihood that you may be under attack rather than reinforce what good practice looks like?

Because nobody argues about good practice. The challenge is people make mistakes so how do we bring that up.

What are the best practices?

7:37.689

[David Spark] Brett Deroche of Lockstep Technology Group said, “Educate them on keeping themselves safe at home with things like bank account security and other general security tips to keep their personal accounts safe. It shows that you genuinely care about their security safety, and the teachings of their personal cybersecurity then bleed over to their professional world.” Jeffrey Wheatman of Black Kite said, “You have to show them what’s in it for them.

If it’s about you or the company, they don’t care. As an example, show them how, if they don’t protect their personal email, they will be scammed and lose their money.” And lastly, Merry Marwig of DataGrail said, “I would also give employee identity theft protection as a corporate benefit to every employee so they can get flagged when their creds are sold on the dark deep web.

It makes them as individuals more secure and the company more secure by association.” All right. This is something we’ve heard a lot, of train their personal security before their corporate security. Is that a critical step that must be taken, Jack?

[Jack Chapman] I think it’s all interlinked, especially if you look sort of left of the sort of phishing attacks we often see. It’s reconnaissance stage. How do I find out information about Jack or David in order to launch these attacks? And quite often a lot of that information comes from people’s personal accounts.

But I think the first steps really to look at the best practice in this space is to fall back on first principles. What can we do for people, technology, and policy? And [Inaudible 00:09:14] for an attack that does bridge across those is our solution has to bridge across those as well. How can technology and policy reinforce training and work with people on this rather than looking at them as sort of a disparate element?

[David Spark] Steve, is it critical to train at the beginning? I mean, Jack says it has to go in parallel here. Should I first explain, “Let me give you a password manager. This is how you write good passwords. This is how you do MFA for your own bank,” and all that stuff first?

[Steve Zalewski] So, on one hand, it’s a muscle memory thing, right? Which is we want to do this because every time we go through it, it’s muscle memory to remind you. I think where best practices are coming in is we’ve got to get better at making it relevant to your job role or your job title or your function.

And again, if you start with the personal side, and we did this at Levi’s, for those folks that aren’t technologists that are just doing their job, they’re designing jeans or sneakers, then the personal side actually makes it more real for them, and it’s a two for one because if they’re doing it for their home, then they’re doing it for the business.

[David Spark] And this is the whole idea of you got to speak to different audiences – those who do know and those who don’t. Set the education levels differently, yes? And I’m going to go to Jack on this one.

[Jack Chapman] Yes, absolutely. There’s no point on sort of helping our users in different organizations to go on a journey, that cyber maturing, unless you start at their level. I think the other key part of the conversation however is not just what level are users at, but what threats and risks are they facing on a sort of day-to-day basis, and sort of educate at that level as well.

[David Spark] Right. So, for example, the people who are in accounting or finance who are dealing with money, they need a certain level of education versus the people that are making jeans. Right, Steve?

[Steve Zalewski] And there’s another, and I want to say facet to this, that I’ve seen relatively recently that’s got me excited about best practices which was base it on aptitude and puzzles. Don’t base it on rote behavior and use case of your role so that you can address all of the different types of learning styles and engagement when you kind of are puzzle-based aptitude.

And so therefore if you’re in finance, it doesn’t mean, “Okay, here’s the threat against somebody trying to change the routing numbers of a bank,” but it’s more like, “How would you see this behavior introduced as a form of unique use case, maybe customize and use your own company’s names, so that what you get in that puzzle mentality is a much more dynamic kind of real experience for that individual to address their learning style, their age group, their job functions, and the specifics of the company.

So, it feels like they’re now in the envelope, you’re in that VR envelope of, “Okay, this is actually what it’s like for me,” to make that experience much more real for them.

Sponsor – Egress

12:41.292

[David Spark] Before I go on any further, I do want to talk about our sponsor Egress who’s so much helping us out for this episode and many others. As you know if you listen to our programming, I talk to a lot of CISOs, and I’ve yet to meet one who feels fully at ease with their email security. Nobody does.

So, at Egress, they believe the only way to stop email security risks is to address both inbound and outbound threats together and put people at the front and center of the solution. That’s why we’re having this discussion today. So, as advanced and persistent cybersecurity threats continue to evolve, Egress recognizes that people get hacked, they make mistakes, and break the rules.

Egress’s Intelligent Cloud Email Security Suite uses patented self-learning technology to detect sophisticated inbound and outbound threats and protect against data loss.

In particular, inbound email threats have evolved. Oh, yes. We’ve all seen this, as we know this whole cat-and-mouse game that keeps going on. Account compromise and advanced phishing techniques mean that increased number of attacks get through signature-based detection. You can’t rely on that alone.

So, Egress takes a zero-trust approach to inbound threat detection, inspecting every email into your organization using AI models and natural language processing to detect anomalies to protect your organization from the attacks that matter most, including business email compromise, supply chain compromise, invoice and payment fraud, and ransomware.

So, go to their website, go to egress.com to learn more about Egress’ Intelligent Cloud Email Security Suite and start detecting email threats your existing solution is missing today.

What are the elements that make a great solution?

14:27.798

[David Spark] Stephen Bainbridge of your company, Jack, Egress Solutions Technologies said, “Traditional security training alone won’t stick as general content doesn’t meaningfully engage people to effectively lower risk over time.” And Eliot Baker said, “We’ve seen that it comes down to sustained motivated engagement.

The science of behavior change brings behavioral conditioning back to practice relevant reward and friction. Prompt people into engaging with training via a super-simple hassle-free action that focuses on the behavior you’re trying to change, and remember, punishment doesn’t work!”

And lastly, Andrew Wilder of Washington University in St. Louis, my alma mater I should note, said, “Remember Clippy from Microsoft Word of yore? A Clippy-like popup that says, ‘Hey, are you sure you want to enter your corporate credentials on this suspicious site?’” I’ll add, “Do you also want to write a letter?” “Take this training now to learn how to spot things like this in the future.” Just-in-time training, it just makes sense, doesn’t it, Jack?

Because when you have that required one hour, two hour, God knows how long it is, nobody’s looking forward to it, nobody’s excited about it. I remember just asking an audience, and I asked, “How many people have done security awareness training?” and the loudest groan I’ve ever heard in a room was [Laughter] made.

This is the way to do it, isn’t it?

[Jack Chapman] I think it’s the natural outcome of sort of this journey we’ve been on of, really, how can we use technology to work with people at their level in that moment of, “We’ve detected a threat, let’s stop that. And this is why it’s a threat. Here’s the information about it.” Not in technical language that only one in a thousand people understand, but in the everyday person’s language.

[David Spark] Well, I’m going to pause you right there. That’s a good point of explaining why you’re doing this behavior. Why am I reporting this phishing email or why am I being aware of not doing this? Because this can happen or this kind of attack goes on. It’s not a “do what I say,” just period.

Because people don’t change behavior because of that. Jack?

[Jack Chapman] Absolutely. And I think the only way to get meaningful change in behavior is to bring people with us on this journey. And that’s the why. That is why that’s so important. And especially where criminals are using behavioral psychology to target people, to trick them into this. We have to use the same to bring them out of that mindset, and especially to make the most out of training opportunity, to use it on real threats that people receive.

That’s almost an asset to us on the side of security, taking things that criminals did try to target organizations with and turning it about to enable that in-depth training that’s meaningful. If I asked yourself, David, of this is an attack that was personally targeted against you, you’re suddenly awake as an individual user.

And that’s where combining these things, again, I think we can unlock a lot more value in security as a whole.

[David Spark] I was just thinking of an analogy of this is that the way the attackers are going after us, it’s kind of like an endless game of Simon Says, right, Steve? I mean, the whole point of Simon Says is to trick you to do the thing that you shouldn’t be doing. And what the attackers are doing…

And it’s persistent like, “I’m going to keep doing it until I get it,” kind of a thing. And that is essentially what’s happening with the attackers. And if the audience realizes they are being sort of often toyed with and to be alert, like you would be in a game of Simon Says, you’ll be better to protect.

Is this an appropriate analogy, Steve?

[Steve Zalewski] I think it’s an awesome analogy because that I also think it realizes we can never win in that game.

[David Spark] Right. Because the whole point of Simon Says is everyone gets out eventually.

[Steve Zalewski] Right. To a certain extent if we play by those rules they win, bad guys win because they’re the one calling out the rules and we’re all going to eventually fail. So, if we stay with that game and that analogy, I have two choices. Either acknowledge we’re always going to fail, kind of where we are today, or I have to take that and decide I’m going to change the game.

I have to change the rules. And what I would argue if we use Simon Says, that we have to stop thinking about ourselves and how we win the game. What we have to actually do is use more of a shared responsibility where our job is to not let anybody lose and to remind each other before, “Hey. Don’t do it because it’s bad.” Okay?

And that the game is not about yourself but it’s about making sure that everybody stays in the game, so therefore there can be no loser because it’s a shared responsibility where we all win or we all lose.

[David Spark] What if you were playing Simon Says and others could speak up and say, “Don’t do it! He didn’t say Simon Says!” And then that is the shared responsibility. That’s the why you report the phishing attacks, you let other people see how someone… Or like, “Hey, I just got attacked. Someone just tried to send me this phishing email.

Be aware of it as well.” And that would be changing the rules of the game.

[Steve Zalewski] That’s changing the rules of the game, where what you realize is you’re not trying to protect yourself, you’re going to click. What you’re hoping for is somebody else that didn’t click will allow me as the CISO to understand that campaign’s coming through and either rip it out before you get it or be able to realize you’ve clicked sooner to be able to remediate, and I think then we have a chance.

[David Spark] Jack, I’ll let you have the closing comment on this micro training and sort of changing the rules of the game.

[Jack Chapman] I love that analogy because it’s so true. And I think it’s all about how we can enable and empower users at their level sort of to get the most out of that human element while still having multiple safety nets underneath for that security in depth. And I think that really is where that people element, the technology element, and even the policy element all have a role to play in that depth to change the rules as you said, Steve.

[David Spark] Yeah. Because if you think about it, the rule of Simon Says is one person playing against individuals. But it is a group, and what if the group played against the individual? Which we don’t do when we play that game and we could change the rules and get them back.

Why are they behaving this way?

21:14.148

[David Spark] Yashvier K., CSO over at Sendbird, said, “People in the company need to trust you and not see you as someone who’s set out to make their life miserable.” Oh, good point. And John C. Underwood over at Big 5 Sporting Goods said, “I have found that most people want to do the right thing and want to do their job well.

If we want to make security stick, we must architect or implement solutions that are as invisible as possible to the employee.” So, we talk about the need to motivate, to get behavioral change. The thing is your employees are on your side but if you make it not a good experience, they’re not going to be on your side.

Jack, you’re nodding your head.

[Jack Chapman] Absolutely. One of those elements, if we’re honest with ourselves, a lot of security can add friction to our employees’ lives. And quite often it’s needed but it’s conveying why is the security needed, to actually make their lives safer and better, both personally but as an organization.

And I think one of the key parts is where I disagree with a couple of these comments actually is making security invisible. Security should be invisible in the background, but when it’s needed it should be very visible and articulate. Going back to that why again of working with the user on this. Because if you hide all of the threats away from the user completely, it’s like wrapping them in bubble wrap where they’re safe, they’re safe, and then suddenly they’re incredibly vulnerable.

They’re not aware of the everyday threats they could be facing. So I think there’s a fine line to tread there.

[David Spark] Steve, I mean, how do you make it like – because you want to ride that line of they want to do this, they keep wanting to be a part of this – how do you sort of ride that wave, I guess?

[Steve Zalewski] So, I’m going to argue 20 years ago, we had to get people to believe that security was everybody’s responsibility. I would argue at this point that’s been done, 99% of the people are going to go, “I get it. I understand. I’ve seen all the bad things. I know somebody. I’ve seen my company get hit.

I’ve been impacted.” I think that’s what we’re talking about. It’s not that they’re behaving this way, it’s that the bad guys have gotten so good that we cannot know bad from good anymore. And so it’s taken out of our hands to be able to prevent, and now what we have to do is contain. We have to get better at understanding that people are going to fall for it.

We have to do the best we can but we have to be much better at being resilient to it and being able to recover and move forward.

[David Spark] The thing is that even though you are a teacher, both you Jack and Steve would be teaching this kind of stuff, you are just as susceptible, right? I mean, there’s no one that’s impenetrable to these kinds of attacks, and I think that kind of needs to be made clear. Right, Jack?

[Jack Chapman] Absolutely. The awkward question I like to ask the colleagues at conferences is, “Put your hand up if you think you’d be resistant or invulnerable to these types of attacks.” Everyone nervously looks around, where we half-think we are but in reality, we’re not. We’re human beings at heart.

At the end of the day, it’s social engineering. All of these sort of attacks boil down to the Simon Says. Can you trick someone when they’re having a bad day with the right context? And the answer’s always going to be yes. And it’s how many layers, both on the preventative side, that proactive approach, and then on the other side, that mitigation after the fact we can have in place.

So no one’s invulnerable here.

[David Spark] I was just at the Verizon store dealing with changing my billing situation, and the guy started giving me more access without verifying me than he should have. And he says, “Oh, well, you just came off as so believable,” and I go, “That’s why you shouldn’t. That’s exactly the reason you need to still verify me.

That is the technique that is used.” He was using the reason why he was giving me access, and I’m like, “No. That’s the reason you shouldn’t. You should verify with me.” Steve, you’re nodding your head.

[Steve Zalewski] Yeah. Customer service and people want to trust. Understand we’re trying to change an inherent behavior – people wanting to trust each other, support each other. And so here he is doing the right thing and then do you call him out because he’s trying to get his customer service scores up high?

And you’re basically saying, “You’re doing the bad thing, you’re putting your company at risk.” It’s an impossible situation. You basically put him in a situation where there’s no right answer, okay? And that’s why when I get back to the resilience, and I’ll quickly say this.

I was in the situation where I had auditors in and we had phishing, we were doing an audit, let’s just say against SOC 2 Type 2, for example. We had all of our social engineering attack [Inaudible 00:26:23] equipment, we had all of our evidence. I’m literally in my office and the guys are in here, we’re reviewing that and I’m telling them, “Look.

We have multiple successful attacks a day, can’t stop it. So what do I do?” It turns out I had just fallen for an attack and put my credentials up on the net and didn’t realize it.

While I’m having this conversation with the auditors, one of my guys is knocking on my office going, “Steve, I got to see you, I got to see you,” and of course I said, “Hey, my guys come first. What’s up?” They go, “You have to change your password. You just fell for an attack.” I’m like, “Really?” I said, “Okay.” I walked back in, I told the auditors, “I just want you to know I just fell for an attack 10 minutes ago while I’m working with you guys.

I got to set my password.” Because it’s inevitable that everybody clicks, and so I want to demonstrate just how good we are at being able to identify the attack and then recover from it rather than believing we’re just going to prevent it. So you have to be vulnerable and demonstrate that it is inevitable, and so what are we doing to get better at resiliency, and I think we have a better chance.

[David Spark] Good point.

Closing

27:27.732

[David Spark] Well, that comes to the end of our show right now, and the portion of the show where I ask you which quote was your favorite and why. And Jack, I’m going to start with you, which quote did you like the most and why?

[Jack Chapman] I’ve got to shout out Yashvier K. from Sendbird with the, “People in the company need to trust you and not see you as someone who set out to make their life miserable.” Because I think this is a great epitome for cybersecurity and part of our mission to work with people. And just [Laughter] the thought that there’s someone there going, “Please don’t make my life miserable,” it cracked me up indeed.

[David Spark] Yeah. Well, a lot of security people have this sort of Rodney Dangerfield, “I don’t get any respect,” attitude and they want to be seen as someone who’s coming there to help, not to make their life miserable. Good point, and I like that quote too. Steve, your favorite?

[Steve Zalewski] I’m going to go with John C. Underwood for Big 5, “People want to do the right thing and do their job well.” That’s what we talked about. If we want to make security stick we must architect or implement solutions that are as invisible as possible to the employee. And so what we want to be able to do is not constantly be in their face, but now put a safety net under them so that the security training is just a small component and they’re understanding that we have a shared responsibility.

It’s actually the fact that everybody else has my back, not just me.

[David Spark] Good point. Well, that is now officially the end of the show, but I will let you, Jack, have the final word here. I want to thank your company, Egress – stop more advanced phishing attacks. We’ve been talking about security awareness. Well, having Egress, obviously, as a part of this whole equation, will make you more secure, and essentially the idea of having a safety net of some sort.

So check them out at egress.com. Steve, any last thoughts on our topic today?

[Steve Zalewski] I want to thank JC, and why is this was a topic that’s been talked about a lot. But for Defense in Depth today, I think we’ve actually been able to address some of the forward-looking thinking that we have to put into the process, and I feel like we’ve actually been able to offer some additional views of where we see the capabilities.

Not just the technology but the people and the process. We’ve got to change the game.

[David Spark] All right. Good point. Jack, your closing thoughts, and by the way, does Egress have any specific offer for our audience?

[Jack Chapman] It’s been fantastic to be here today and really talk about what is at the heart of a lot of the challenges we face as an industry, really, of how do we make things work for our people and put them at the heart of everything we do. Do definitely [Inaudible 00:30:17] this is an ongoing problem to come and check us out at egress.com and really see how we combine that technology detection with that real-time teachable moment to help people.

[David Spark] All right. So, please check them out at egress.com. Thank you very much, Jack. Thank you very much, Steve. Thank you very much, Egress as well. And I want to thank our audience, as I always do, for your great contributions. And again, if you see awesome discussions online, we can often turn those into an entire segment of this show, so please let me know.

Just send me a direct mail of just that, or if you see somebody else just tag me in it, that’s totally fine as well. We greatly appreciate your contributions and for listening to Defense in Depth.

[Voiceover] We’ve reached the end of Defense in Depth. Make sure to subscribe so you don’t miss yet another hot topic in cybersecurity. This show thrives on your contributions. Please write a review, leave a comment on LinkedIn or on our site CISOseries.com where you’ll also see plenty of ways to participate, including recording a question or a comment for the show.

If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to Defense in Depth.

David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.