[Bee Cyber Fit theme]
Wendy Battles: Welcome to the Bee Cyber Fit podcast, where we're simplifying cybersecurity for everyone, where we cut through confusing cyberspeak and make cybersecurity simple and easy to digest. I'm one of your hosts, Wendy Battles.
James Tucciarone: And I'm James Tucciarone. Together, we're part of Yale University's information security, policy and awareness team. Our department works behind the scenes to support Yale's mission of teaching, learning and scholarly research.
Wendy Battles: Ready to get cyber fit with us?
Hey everyone. Welcome to another episode of the Bee Cyber Fit podcast. We're excited you're here and hope you are ready to get cyber fit with us. If you're a new listener, welcome aboard. This is the place to come for information and inspiration to stay safe online and outsmart cybercriminals. This podcast is one of the many tools in our toolkit that we use at Yale University to help our faculty staff and students build their cyber muscles. James, before we launch into all things cybersecurity awareness, I have to ask you, how was your Thanksgiving, and what was your favorite dish this year?
James Tucciarone: Wendy, my Thanksgiving was actually pretty great. I got to relax a little bit, spend some time with friends and family, and I did get to bake a little bit. To be honest, I wound up with a 40-pound pumpkin this year, so I was knee-deep in pumpkin puree and trying a ton of new recipes.
Wendy Battles: 40 pounds, James? How did you manage to get a 40-pound pumpkin?
James Tucciarone: I have no idea. It was an impulse buy, and then I didn't want to waste it.
Wendy Battles: Wow.
James Tucciarone: So I said, “You know what? I'm going to try to find something to do with this.” But I learned some new recipes, found some new foods that I liked and it all turned out okay. But how about you? How was your Thanksgiving?
Wendy Battles: Mine was really nice. We went to my husband's nephew's house. That was great because I used to do all this cooking, huge amounts of cooking and inviting all these people over. This year, I didn't cook anything. Prepared a couple of side dishes, but so simple. So simple. It was really nice to not be on so much in the kitchen and have this huge responsibility to cook all this food, which, by the way, I want to tell you, I always hate that people eat it up so quickly. Like, I spend days, James, days making this food, and it seems like it's gobbled up in short order. [laughs]
James Tucciarone: I mean, that's not necessarily a bad thing, but--
Wendy Battles: Not at all. I guess it says it's pretty good, right?
James Tucciarone: Definitely. And I agree with you though. Simple is the way to go.
Wendy Battles: Yeah, absolutely. Absolutely. I know on our work front, it has been a very busy year for us with our cybersecurity awareness program. We've done so much and engaged our Yale community in new ways. So I want to ask you, what has been a highlight for you in the things we've done in 2023?
James Tucciarone: Well, I really enjoyed our recent Would You Rather workshops. They were part of our Click with Caution - Recognized, Relaxed, Rethink campaign, which we discussed in our last episode and also wrapped up in November. The workshops were presented in a new format. The format was designed to encourage participation and really got us all thinking about some of the best- and worst-case reactions regarding how we might respond to common social engineering tactics. They really stood out for me because those in our community who joined us were really engaged. We all shared our thoughts and how we might react. Our attendees even shared some of their own experiences, which really, really enriched the conversation.
Wendy Battles: Yeah, it was pretty awesome. I was really struck by the level of engagement that you were referring to. People seem so jazzed about this and the opportunity to talk about these things. So I thought that was really cool.
James Tucciarone: I agree. And it's always so much more powerful when we hear the stories from those who are joining us. What about you, Wendy? What was your favorite thing?
Wendy Battles: I'd have to say that I've been excited about the increase in engagement overall this year from the Yale community. I saw lots of new names I didn't know, and faces in some of our virtual programs, people engaging in our online awareness activities. I thought it was cool too that we did a self-paced Kahoot. And if you're not familiar with Kahoot, it is easy to play a trivia game and you can play it with live with people or a self-paced version, which we tried for the first time. And I was really interested that so many people participated. We were keeping an eye on the competition because at the end of the day, we had five people that ended up at the top of the leaderboard. But I know a few people who were telling me they kept looking at it to see, “Am I still on it? Am I still on it?” So I think that things like that, James, where it's fun but also engaging, are really important components of an awareness program when we want people to make small changes, right, small changes to be more cybersafe. So that for me, was a highlight.
I really think this conversation is so apropos of what we're going to be talking about today. We're being joined by our boss, Jess, and a huge cybersecurity awareness advocate, and we're going to be doing a fun year in review with her asking her some questions about the awareness program, what she thought about 2023, and some of her thoughts about 2024. But first, let's find out about our Buzzword of the Day. Domain spoofing, is sometimes called URL spoofing.
James Tucciarone: Have you ever encountered a URL that's close to that of a well-known website but slightly off? Maybe you've seen something similar with an email or perhaps, you've clicked a link that looked accurate but brought you somewhere unexpected. These are all potential examples of domain spoofing. Stay tuned to find out more about what that is, why it's so important to stay vigilant and how to avoid falling into one of these traps.
Wendy Battles: James, I'm so excited about today. It's taken until Season 3, which is so hard to believe for us to invite our boss, Jess Flower, into the Bee Cyber Fit guest chair.
James Tucciarone: It was definitely overdue, way back in our first official episode we mentioned Jess would join us from time to time and we finally get to deliver on that promise. I know we're going to have a great conversation. As an introduction for our listeners, Jess is the Associate Director of Policy and Awareness in the Information Security Office. She leads our team in overseeing Yale's information security policies and our awareness program, including our community outreach, our communications, events and this very podcast. Jess, thank you so much for joining us today and welcome officially to the Bee Cyber Fit podcast.
Jess Flower: I am so excited to be here. I think this is awesome. I love this podcast. I cannot believe we are on Season 3, and it just is my favorite part of the Bee Cyber Fit series and one of my favorite parts of the awareness program, which, as you know, is so near and dear to my heart. We launched it in 2021. It's come a long way, and I am just so excited to talk about what we've done this year and what's coming up in the years ahead.
Wendy Battles: Yeah. And you probably can imagine we have a lot of questions for you. Now that we've got you in the chair, we have to really dig deep. [laughs]
Jess Flower: Oh, no. The pressure's on.
[laughter]
Wendy Battles: But just like Jeremy, no pressure, no pressure. It's just all fun and inspiration for our listeners. And since it's about year-end, we thought it would be fun to take a look back at what's happened in 2023, and also look forward to what's just around the corner in 2024.
James Tucciarone: So Jess, tell us, what have you found most impactful in terms of our awareness program?
Jess Flower: James, I know it has taken a while to get me in the Bee Cyber Fit guest chair. But I think it all happens for a reason, because 2023 is really the year that I'm most excited to talk about. We launched our awareness program in 2021. When we did that, we did a lot of general cybersecurity awareness. We have the four evergreen topics that we talked a lot about and we explained how that applied to our users, both at home and at Yale. But in 2023, we made this leap about communicating real risks at Yale. And that was based on feedback we got from the community. They wanted to know what's going on here. What do I need to know in my everyday work to make sure that I'm working in a cybersafe way?
So we took that back to the Information Security Office and we said, “Okay, what are the top risks that people really need to know about here at Yale?” And that's how, for 2023, our Report an Incident campaign and our Social Engineering campaign were born. I really think that we are just starting to dip our toes into seeing what's going on at Yale, simplifying those concepts and giving our community simple actions they can take to combat those ever-- not ever-present, but top risks facing the university.
Wendy Battles: You know Jess, one of the things I think that's interesting in what you just said and comes up for me is how curious the Yale community is. I feel like they're really hungry for information about what they can do and to better understand what's going on, because sometimes it feels like those things are a mystery. It all happens behind some big curtain. I'm gaining just the insight from seeing all of the people that came and many new people coming to programs or participating in different ways that there is this curiosity about how things work and what can I do. So this idea of simplifying things, I think, is such a great direction for us.
Jess Flower: Yeah. I couldn't agree more. And not only are they curious, but they really are engaged. When we have these awareness events, we see people asking questions or jumping into the chat and saying, “Oh, my gosh, I didn't think of that, and how that applies to me?” So whether you're somebody that comes to our events all the time or you're on the cusp, “Should I go? Should I not go? How do I know if this applies to me?” Definitely come. You're always going to learn something new. Here I go with my shameless plugs. But more importantly, I think people are going to ask questions that are also on your mind, and you're going to see how level-set the community is in wanting to learn more and wanting to do the right thing. So we're very lucky here at Yale from that front.
Wendy Battles: Yeah, so we can really all learn together. It's a safe environment to learn. You can't really make mistakes when just finding out more information that can empower you, your team, your colleagues to be cybersafe.
Jess Flower: But coming in at a close second is how we've really thought about the human emotion element to cybersecurity awareness and how people feel can be a real tell into, “Hey, something's not right.” And that's really the first pause that people need to take in making sure they don't fall victim to different cybersecurity attacks.
Wendy Battles: Jess, it's really interesting that you're talking about this idea of emotion because, as you know, we've just wrapped up our Click with Caution - Recognize, Relax, Rethink campaign, and we spent a lot of time talking about human emotion in that campaign. So I'm curious to know why you think human emotion is so important when it comes to cybersecurity.
Jess Flower: The human emotion is so important because it's the single evergreen piece. The tactics of cybercriminals is always going to change, as we as cybersecurity professionals or even end users learn and adopt new technologies to stay safe. Those hackers or those cybercriminals are also learning those technologies and figuring out how to break them. So the technology piece is not always evergreen, but that gut feeling you have, your intuition, that never goes away. And sure, it's not always foolproof, but it's better to be safe than sorry. We say that a lot.
But the Recognize, Relax, Rethink campaign really gave three easy repeatable and dare I say, easy to remember steps, so that when you get that feeling in your gut, it's like, “Okay, something's not right. It reminds you something's not right. It's not that I need to react to what we've talked about, the FUDGE model. I don't need to react to this urgent message. It's making me feel afraid or nervous. I'm having anxiety about it.” That should be your first sign. In my opinion, it's the sign that's always there. It's ever present. So we used to talk about look for typos, or look to see if the email address isn't what you're expecting it to be, or is this usually somebody you get an email from or not? Those pieces aren't foolproof, but that, “Hmm, this doesn't seem right,” that piece, that emotion, that's never going to go away. So I think trusting your intuition can really help you get in front of falling victim to a cybersecurity attack.
Wendy Battles: I think you're right about that. I think sometimes we question that gut feeling. Well, is that really, right? I'm not sure. I bet we all have experiences in the past where we didn't trust our gut feeling and then regretted it. So I think that you're right when we can lean into that feeling and we sense something's a little awry, it might mean something. And what it means, who knows? We have to explore that. But at least using that as a jump off point, I think, can make a big difference.
Jess Flower: Yeah. I'm not sure if any of our listeners attended our Would You Rather workshop that you and James put on a few times this year, but that's really the key question. Would you rather trust your gut and be wrong and maybe take, I don't know, 5,10 minutes to make sure something is either right or not right, or do you want to take the hours, days, weeks, months it could take to recover from falling victim to one of these cybersecurity attacks? And that also gets me thinking about our earlier campaign this year, Report an Incident which wasn't so obvious that we were talking about the human emotion, but we were really trying to get to that piece.
A lot of times, people don't report an incident because they're afraid they did something wrong, or they hesitate because they're not sure, or they're embarrassed that they possibly received or even clicked on this phishing message. It's those pieces, that hesitation, that embarrassment, that worry, that fear, that ignore those that that's not important. Telling us that something may be wrong, telling the Information Security office, “Hey, this doesn't feel right.” So again, just trusting that gut over the potential embarrassment or fear, that's the most important thing. So I think I guess one of the key takeaways from 2023 is just trusting your gut in an effort to be cyber fit or cybersafe.
James Tucciarone: I think that's really some great advice. I'm so glad that you mentioned this, because I'm sure that not all of our listeners are aware that our emotions are such a powerful indicator of a cyberattack and how much these social engineering attacks have evolved that the triggers or the red flags that we might see have evolved as well.
So now, that we've talked a little bit about 2023 and some of the things that we did, let's pivot to 2024, which, unbelievably, is right around the corner. But I love this time of year because I always get excited about the possibilities a new year brings, especially in terms of our awareness program and engaging with our community. Jess, what are you most looking forward to in 2024?
Jess Flower: There's a lot I'm looking forward to, James. I'll just start by piggybacking on what I said before. 2023, we jumped into communicating real risks at Yale. I'm really looking forward to continuing down that path and finding even more ways to simplify the risks that we're seeing here in the information security office and how to help the community, not just understand them but take simple steps and have a toolkit in their back pocket to defend against those risks in their everyday work, and finding more ways to embed cybersecurity into the culture of the organization. So at a high level, that's what I'm most excited for.
Diving a little more into the details, I know some risks that we talked about this year are going to continue and roll into 2024. Like, our social engineering campaign, we're going to see a lot of awareness and some change around that. We're going to see more about this, how does cybersecurity fit into your role? So I think we're going to be looking at how to target communications and make them more applicable to people based on the work that they do, which I think is exciting. There's always that how does it apply to me question lingering in everyone's mind. So I think really honing in on that for some target audiences is something that I'm looking forward to.
And then diving down just a little deeper into the weeds, I'm really excited for our New Year, New You campaign this year. We're changing it up. We're not just saying, “Hey, come to our events.” But we're doing a 21-day challenge to get the new year off on the right foot to help people stick to their resolutions, where each day is a simple step that they can take. I'm sure we're going to have some great cybersecurity exclusive swag for everyone if they complete the challenges. So again, I think we're just always looking for ways to keep things fresh and exciting and do different things. I'm looking forward to all the new ideas we come up with going into 2024.
Wendy Battles: Well, I love the idea of the New Year New You challenge too, because I can't tell you how many habits I've tried to make that don't always stick. I don't really stick to it, but then there are other things that I do. And so getting into the habit, this cyber habit, through the 21-day challenge, increasing people's awareness, I think it's just going to be really fun. I don't know about you two, but I think we're coming up with some really creative and fun things for the community to do.
Jess Flower: I agree. Since we're just talking about a year-end review and looking forward to resolutions in the new year with the New Year New You campaign, I think it's important to just say that building your cyber muscles, being cyber fit is baby step after baby step after baby step. I know, Wendy, you said, “Sometimes I stick to my habits, sometimes I don't.” Same. But the habits that I don't stick to are because I make unrealistic goals. I'm like, “Okay, I'm not a morning person. So starting tomorrow, I'm going to wake up at 05:00 AM and I'm going to do 17 things before I start my day.” No, you're not.
I think sometimes cybersecurity can be overwhelming and it feels like that like, “Oh, my gosh, I have to inventory all my accounts, change all my passwords, do all this.” Yes, you do, but one step at a time. I think you, both James and Wendy, do such a great job in breaking that down for people. I think the New Year New You 21-day challenge for anybody, somebody that's participated in our program before or hasn't really simplifies it in a new way for people to start building their cyber muscles. So I'm really looking forward to it.
Wendy Battles: You had me at that. You can't do 17 things before 05:00 AM, [laughs] because so many of us are overly ambitious.
Jess Flower: Yeah. It sets us up for failure.
Wendy Battles: Right. It sets us up for failure, and we want everyone to succeed. So I love the little baby step idea, little bits here and there as we build our muscles.
Jess Flower: Absolutely. It's what it's all about.
Wendy Battles: Okay. So I want to put both of you on the spot. I know you don't know any of these questions in advance, but we did a year end review. We're talking about 2024. Jess, you talked a little bit about what you're looking forward to. But I'm going to ask both of you. If you had to think of one out of the box idea that would be totally different that we could bring to our community, not saying that it's going to happen right now, but if we can wave our magic cyber wand and anything could be possible to help our community grow with their cyber muscles, what's one thing that you would suggest or what's one thing you would want to do?
Jess Flower: If I could wave my magic cyber wand, which for everyone listening, absolutely does not exist, but if I had it, if only I had it, I would find different ways to say some of the same messages that we're saying in our communications. So I know that we have our newsletter and our monthly tip, and we try to pop in other newsletters like Business Update and IT Update. But if we could find a way to go on video and make little clips that people could watch, I think that would be another step in just standing out and finding new ways to tell people our messaging, which I think can be really effective. We're also buried in email all the time. If there was a quick video I could watch, it may be easier for me to digest than just reading another email. So I love our emails, I love our monthly tip, I love our newsletter. I'd like to enhance those moving forward with new ways to spread those messages.
Wendy Battles: I love that idea. I love that idea. And I love the idea of the video, adding video in. That's brilliant. James, what about you?
James Tucciarone: Yeah, I definitely agree. I think finding these new ways, these new channels or taking a multimedia approach is so powerful. One of the things that I think we've talked about before, Wendy, is this idea of cybersecurity escape rooms. That's something that I would love to potentially see us investigate and see how, if at all, that could fit into our program. I think it's just another exciting, new, fresh way for people to engage with us and for us to give people other options on how they might want to learn a little bit more about cybersecurity.
Wendy Battles: I am all in James on escape rooms. I think that's a great idea for us to explore. And knowing how curious our community is as we've been talking about in our conversation today, I think that's something that they would love, I think it's something that would be new and different, I think it would be a new way to engage our Yale community and continue to help them build their muscles. So I'm all in on both your ideas, yes to video, yes to new multichannel communication vehicles, and yes to escape rooms.
James Tucciarone: No promises though.
Wendy Battles: I know. We're in our wishful thinking mode, but that's okay. A broken dream, right?
Jess Flower: Yeah, it is the season we're planning. So I would encourage anyone listening, you can also email information.security@yale.edu with your ideas for the awareness program or even more topics you want to hear about on the podcast.
Wendy Battles: Absolutely. Jess, we cannot thank you enough for gracing us with your presence, for sharing your insights, for finally making it to the Bee Cyber Fit guest chair.
Jess Flower: This is my first podcast, and I forget that people cannot see that I'm laughing at you. But yes, I am so grateful to be here. This has been a ton of fun. I love the podcast, and I definitely look forward to sitting in this chair again. So thank you for having me.
James Tucciarone: Here's the buzz on domain spoofing. Before we dive in, let's talk about what a domain or domain name is. A domain name is the primary part of a website URL. For instance, cybersecurity.yale.edu. It's also what we call the portion of an email address that comes after the at symbol, like, @yale.edu. Now domain spoofing sometimes also called URL spoofing is when cybercriminals try to fool us by using a fake website or email address domain. These fake domains are designed to closely resemble the legitimate one it's impersonating. For example, the L in yale.edu or @yale.edu might be replaced with a capital I. If we're not closely examining the domain, we might be tricked into thinking it's the real thing.
Cybercriminals use domain spoofing for a variety of goals, including collecting our sensitive information, installing malware on our devices, or stealing our money. And that's why it's so critical that we use caution when we're clicking on links, especially links that aren't from a trusted source. As with many other tactics used by cybercriminals, we can protect ourselves from domain spoofing by staying vigilant and clicking with caution. As always, be wary of unsolicited links and attachments or those from an unknown sender. Whenever possible, use multifactor authentication for accounts that contain sensitive information. Trust your gut, if something doesn't seem right. It's always better to be safe, not sorry. And don't forget to keep listening to the Bee Cyber Fit podcast, where we simplify cybersecurity and help you to be aware, to be prepared, and to be cyber fit.
Wendy Battles: Ooh, this was a good episode, James. I really enjoyed the opportunity to look back and also begin to look forward to 2024. Of course, as you know, this would not be a Bee Cyber Fit episode without some calls to action for our Yale community, and we have three of them. First, we've just released our winter newsletter, and we'd love for you to read the latest cybersecurity awareness news at Yale. We've linked to it in the show notes. It's full of all kinds of helpful information. You know what else? We want to hear from you. We invite you to take our community survey, weigh in on all thing’s cybersecurity at Yale, what's working, what do you want to know more about, what can we do better, all of those things are included in this survey. And your opinions matter, and they will help shape our future programming.
And finally, we're all about building healthy cyber habits that support cybersafe behaviors. Ready for a little fun and a roadmap to greater cyber fitness? Our Bee Cyber Fit 21-day challenge kicks off in 2024. Get the scoop and sign up now to join us and build your cyber muscles with us. It's going to be so much fun. There are going to be some cool people that complete all 21 days who are going to be entered to win some very cool cybersecurity awareness swag. So I have a hunch, James. We're going to have a fun little competition going on. I know we're going to get some diehards that are totally into building those habits and they're going to stick it out and continue to build their muscles. So I'm excited about that.
James Tucciarone: Me too, Wendy. I cannot wait for 2024. We've got so many cool things on the horizon. And with that, that's our show. So until next time, as always, I'm here with Wendy Battles, and I'm James Tucciarone. We'd like to thank everyone who helps make this podcast possible. We'd also like to thank Yale University, where this podcast is produced and recorded.
Wendy Battles: Thank you, everyone. We love that you are listening. We are excited to see you in 2024. And remember, it only takes simple steps to Bee Cyber Fit.
[Transcript provided by SpeechDocs Podcast Transcription]
[Transcript provided by SpeechDocs Podcast Transcription]