Phishing For Answers

Social Engineering for Good: How Psychology Beats Technology

Joshua Crumbaugh & Tate Jaro Season 1 Episode 47


Psychology has become the new firewall in our digital world. When sophisticated security systems block 99.9% of attacks, hackers focus on the fraction that reaches humans – making your brain the ultimate cybersecurity tool.

Cybersecurity expert Tate Jaro shares his journey from Army infantry officer to Secret Service special agent investigating major financial crimes like the JP Morgan intrusion case, which compromised over 100 million records. Through these experiences, he developed a critical insight: while technical defenses are essential, human behavior ultimately determines whether an organization stays secure.

The conversation reveals how traditional security awareness approaches often fail because they focus on compliance rather than behavior change. Most people want to be secure but struggle with complexity, lack of immediate consequences, and competing priorities. The solution? Treating security awareness like marketing – focusing on influencing behaviors and capturing attention through psychology rather than technical jargon.

"We're not hacking systems, we're hacking behaviors," explains Jaro, highlighting how simple changes like enabling captions on training videos can improve effectiveness by 35%. Controversial practices like "gotcha" phishing simulations that trick employees often backfire by creating distrust and fear rather than building security confidence.

Building a security-minded culture requires creating social proof – demonstrating that security awareness is valued and expected within an organization. When employees who report potential threats are celebrated, vigilance becomes part of the organizational identity. Equally important is destigmatizing security mistakes by discussing incidents openly, removing the shame that prevents people from reporting problems.

Want to strengthen your personal digital defenses? Check out onlinesafety.substack.com for weekly, actionable privacy and security tips from a true expert. Remember that small improvements in your security habits create ripple effects across both your personal and professional digital life.

Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.

PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!

Speaker 1

Psychology is the new firewall, where human insight trumps every trick. We're not hacking systems, we're hacking behaviors. So you won't click, no complicated code, just tried and true brain science at play. Social engineering for good. The best defense is in your mind today.

Episode Introduction

Speaker 2

Welcome to Phishing for Answers. The opinions expressed here are solely those of the individuals involved and do not reflect the views of their employers. Get ready, because the next live episode of Phishing for Answers is starting right now with your host, Joshua Crumbaugh, the CEO of Phish Firewall.

Speaker 3

All right. Hello, welcome to another episode of Phishing for Answers. Today I've got Tate Jaro with us. He is a cybersecurity extraordinaire. Been at this for quite a while. Tate, why don't you introduce yourself? Tell us a little bit about yourself and how did you get into cybersecurity?

Speaker 4

Yeah, my pleasure. First off, thanks for having me, Josh. Yeah, it's my pleasure. Well, you know, I built myself as an expert in cybersecurity, privacy and identity, and right now I view myself as a product executive helping companies build products to solve those problems, both for consumers but also the enterprise. So both a B2B and a B2C context. But I got into this basically by accident. My career started. Everyone gets into cybersecurity, that's a fair point. But yeah, for me. I mean, I was in the Army, I was an infantry officer, I did five years and then I left the Army and I went into the government and I was a special agent in the Secret Service. And when you start, you go out into a field office, and I started in the New York field office. I'm from New York State, so I wanted to be there. But when you're in the field as an agent in the Secret Service, you split your time between protection and criminal investigation, because the Secret Service has jurisdiction over financial crimes. Secret Service has jurisdiction over financial crimes, yeah, and so this was back in the early 2010s and I got pulled into the Electronic Crimes Task Force, not because I knew anything about cybercrime, but because I was young, I was motivated.

Speaker 4

And I had a computer science minor. So they were like, oh, that's good enough, come do computer crimes. And then, through that experience, I did investigations when bad actors breached companies. I was a case agent on the JP Morgan intrusion case back in 2014, which at the time was the biggest hack in United States history. It was over 100 million records. I investigated the guys who created Liberty Reserve, which was a centralized digital currency that predates Bitcoin. All the bad actors used Liberty Reserve to do transactions. We shut it down. Then they all migrated to Bitcoin, where it's decentralized. A government entity can't shut it down.

Speaker 4

So anyway, through that experience, I got into cybersecurity and then, along the way, I got an MBA and decided I was going to go into the private sector, and so I transitioned, went over to Google, was doing behind the scenes cybersecurity things at Google, and I had this insight that Google does a great job of behind the scenes protection with all the algorithms and all the machine learning.

Speaker 4

But even if they block 99.9 percent of spam, there's still that 0.01 percent that gets through to a human, and human behavior dictates whether someone's going to fall for that, like how well the person is protected, how well they know what to do, and so I had this insight that Google really needs to, like, we're missing focusing on the human.

Speaker 4

So within Google at the time, they had an internal incubator called Area 120, where anybody in the company could apply to be a founder to solve a problem and start a company to do that. So I applied on the hypothesis, or the investment thesis, that we need to build a tool to help people protect themselves, and so I got funded, built the company, got reacquired back into Google One, and that kind of got me on this product focus: how do we build things to help individuals' journey? And along the way, I've advised lots of different startups in this space that do various flavors. I've worked for a privacy and security-focused cell phone provider company, an identity verification company, and then the only other thing I'll say is I am really proud of a Substack that I publish, which is onlinesafety.substack.com, and every week I just post really actionable things that anybody could do to improve their privacy and security. So, for example, this week I published a guide on how to lock down your Google account.

Speaker 3

Yeah, I checked it out, to maximize it, quite extensive. Uh, I was impressed. I was actually asking him about his, uh, his research, uh, how he was doing it.

Speaker 4

So, yeah, continue. And so, like, uh, if people are interested in getting safer, I really, you know, check out that Substack. That's like, I'm really proud of it, uh. But, but yeah, other than that, I'm here to talk, uh, about the human element in cybersecurity and how we can protect people.

Speaker 3

So you brought it up. You said it doesn't matter if we stop, you know, 99 or 99.9%, uh, some element's going to get through. And I would say, even if you stop 99.99 or 99.999, there is always that element that will get through. Because when we're talking about email, we're talking about billions of phish a day, and when we use billions, things get through. And so I think that we do have to train our users and prepare them and help them not click. So I've got all my theories on this, but I'm curious what your theories are. But I like to call this social engineering for good. So how do we get our users to be more secure, even if they don't want to be?

Speaker 4

Yeah, I mean, I think that is the core challenge, because, if you ask people, everybody wants to be safe, right? Like, conceptually, people are like, yeah, of course I want to be safe, like, I want to do all the things to protect myself.

Speaker 3

It's more about laziness than it is about lack of wanting to be secure. That laziness and ignorance, because often people don't realize that the threat is as real as it is or that they will get targeted themselves. They picture it as this abstract thing that can never happen to them.

Speaker 4

Yeah, I think that's right. I mean, I think there's a lot of different psychological factors that play into why people don't do simple protective measures, and you pointed out a couple of them. I think some other things that are interesting are the complexity, right. It's hard for people to understand the cause and effect, or, I should say, people will see an effect but they don't necessarily understand the cause. So I hear all the time people are like, my account got hacked. Well, your account could be hacked because you clicked on a phishing email. It could be hacked because you downloaded malware on your computer by accident.

Speaker 3

It could be hacked because your password's "password".

Journey into Cybersecurity

Speaker 4

Right, exactly, and so I think it's hard for people, by the way, rightfully so, right. This is a complex space, it is, yeah, and so it can be hard for people to understand the link between their behavior or lack of behavior and the risk that it poses to the outcome they want to avoid. And when you get into this over, and I think that can overwhelm people and make it really hard. Well, I think...

Speaker 3

Hollywood makes it worse. Look at every time you see cybersecurity in the movies. It's this genius hacker doing something cool, but they make it out to be something that the average person just isn't going to understand, when the reality is that I don't need you to know anything about ones and zeros. I don't need you to know anything about writing code. I don't even need you to know anything about how to configure your computer, although that helps a little bit, like privacy settings. But what I do need you to understand is how authority and urgency and things like that are going to be used against you, how the more time you put into something, the more likely you are to ignore red flags, that will be used against you. So I think things like that are the core things that we've got to train our people on. But I think that's a big question as well, is I think too often we don't plan our messaging ahead of time, and what happens is we, may, you know, we, and even if we do, maybe we over plan it, then, and it's either we just go with the sort of generic boilerplate, this is what everyone's done, you know, for years, this is so we're going to do the same, or the opposite, and we over plan and we just go through way too much. But to me, I think we've got to treat it like marketing, and I went to school for marketing, and one of the things that stood out to me is that the goal is the same between marketing and cybersecurity, and I don't hear enough people talking about how we need more marketing there. But what do marketers want? They want you, or they want to be able to influence people's behavior, get them to do things that they might not have done otherwise and get them to pay attention to messaging that they're generally trying to ignore. Well, that sounds exactly like security awareness training to me, and so I drew those parallels, partially because my background was as an ethical hacker, and so I broke into all of these big corporations and I found out really early that I was great at social engineering, really good at it. The first ever engagement that I had that was a physical, where I got to just try and break in, it was a bank, got into the bank vault, and, and it just sort of kept on going on like those, that, and, and. So when I set out to do this, I was like, well, how do we use social engineering as a form for good? And I don't think it's social engineering. It's a lot of fields that we've studied for a long time: psychology of how people learn and why they make decisions, behavioral science, you know, there's all kinds of different principles there that are taught in marketing, by the way, and, of course, just some simple marketing and advertising principles, and I think that's how we make it more compelling.

Speaker 3

And in marketing, we may have all these things we want to say, but then we're like, well, we've got to boil that down. And you continue to boil it down and you continue to refine it and make it better and shorter and more effective. And I'll give you an example. Everyone has been saying security is everyone's responsibility forever, right? So the other day I had a guest on the show from a big enterprise. They have done this, and she says, well, our big thing this year is we're changing it from security is everyone's responsibility to security is your responsibility. I'm like, oh my gosh, that's brilliant, I'm stealing that, I'm taking it. But that's the type of thing that I think is critical when we're trying to get, you know, impact and change behavior.

Speaker 4

Yeah, I mean, I think I agree with all of that, and I think the marketing angle or the marketing comment is very insightful, because, you know, when I think about when is it not? When is security awareness education not effective? It's when it's compliance based, when it's a check the box, when it's... Well, cybersecurity in general is not effective when it's compliance based.

Speaker 4

Right, yes, exactly right, yeah, totally, totally fair. So I think it's, I think, like, I think that's an interesting way to think about it, right, like, because really what you're selling is you're selling people on changing their mindset. And I think, like, for me, you know, if, if I could say there's one thing that would protect organizations or people could do, it would be the index of suspicion, right? You just, if we just get everyone's index of suspicion, like, a little bit broader, and, well, I don't even think we need to make it higher.

Speaker 3

They just have to pay attention to it. Have you ever been involved in an incident where people didn't say, oh, I knew better, and they start talking about all the red flags they ignored, every single time? Or at least that's been my experience. You've been involved in more, because you were an investigator.

Speaker 4

I mean, that's a hundred percent, especially for, yeah, especially for social engineering attacks, and earlier on you were talking about, you know, position, right, and, you know, every, every company, from the smallest company to the biggest company. As soon as an employee gets hired at LinkedIn, sorry, as soon as an employee is hired and they put it on LinkedIn, they start getting, generally, dismissing messages from their CEO saying they need XYZ, taking advantage of the fact it's a new employee, it's someone with authority, and these text messages come within hours of updating their LinkedIn.

Speaker 3

Often it's incredible how quick it is, and it's from a local number most of the time too, so that it's not just some random phone number. No, it's a local number, like, it makes sense.

Speaker 4

Well, I mean, I've seen cases of spoofing the phone number, right, so it appears as if it's coming from the actual CEO's number. But the other aspect, right, is this multimodal approach, where maybe it comes in on a text and then they switch over to email, or maybe it comes in on email and it switches over to text or WhatsApp or different. And that makes it really hard for defenders, because when you start switching modalities, generally speaking, you lose insight. If I have an email program that's looking for stuff and you go to text message, my email program isn't covering the text message.

Speaker 3

I personally built an email security tool and I can tell you, the second you switch modalities, it's gone. We're not going to be able to track it when it moves into your WhatsApp, and I don't think anyone can track it when it moves into your private WhatsApp or, uh, or Signal.

Speaker 4

Not gonna make any jokes, but this speaks to the importance of the human making the right decision, because that's the commonality, is the brain, that's, yeah, interacting. And so I think, like, um, and so yeah, like, getting people aware and how, like, again, I call it index of suspicion, I think is absolutely critical. And the other thing that I think is so interesting is people know that, like, scams exist, but they often don't know these specific things that happen, right. So, like, they're like, oh yeah, I know a scam exists, but I had no idea that, like, it was a thing for people to fake being a CEO and text me for gift cards, or, like, I didn't know it was a thing that, like, gift cards are, like, really scammy, or I didn't know.

Speaker 3

They'd offer me a fake job and tell me I had to pay, uh, you know, a background check fee. Oh my gosh.

Speaker 4

I just had a great example, one of my former colleagues. She wrote me on LinkedIn and she said, hey, my son is asking me if this job is legitimate. And the job was basically you had to pay this guy $3,000 for a training course and then you'd be, like, ready to go in the job. I'm like, if you're paying to take a job, it's a bad sign. But what's interesting if it's legitimate?

Speaker 3

I, that's shady, exactly.

Speaker 4

But what's really interesting is, and I, and I think, by the way, the FTC Sentinel report has the data to back this up, people have these misconceptions. They're like, oh, I'm young, I'm not going to fall for it.

Speaker 3

And in fact it's the opposite.

Speaker 4

It's actually the most vulnerable.

Speaker 3

It's the oldest and the youngest in every organization that click on the most phish, get the most malware, you know, infections. Even if it's just a little adware stuff, that's just a little cleanup, it's still a nuisance that you have to deal with, and it's primarily those age groups that do it, and I think we've clearly done ourselves a disservice as a society, because why on earth are we, as a society, as parents, as school systems, letting them go all the way through and have no clue about phishing, no clue about the dangers online?

The Human Element in Security

Speaker 4

Because last I checked, you've got four-year-olds on Roblox and there are scams on Roblox, so it's something that affects people at a very, very young age. Yeah, I mean, I think, uh, I mean, that's absolutely correct, and, and, and this, you know, there was this theory that, like, oh, maybe digital native kids growing up will be protected because they're just numb to it. Yeah, I think, and I think that's, yeah, that's not correct, right, like, yeah, um, and in fact I think it can be worse, because people, I think, like, the worst mentality is to think that you can't, you can't be scammed, or to think that, like, you know too much. And I mean, uh, you saw it, uh, I'm sure, the founder of Have I Been Pwned got pitched for, uh, his Mailchimp, uh, mailing list. And, you know, this guy, his career has been about... I got that pitch, by the way. Okay, okay, yeah, I was like...

Speaker 1

This is odd, why am I getting this?

Speaker 3

I didn't click on it, but yeah.

Speaker 4

And it speaks to, like, it happens. It speaks to, you can't ever be done, right?

Speaker 3

Well, I don't think "you can't ever be got" is a thing, and I feel like a lot of big egos in cybersecurity, and more particularly the social engineering side of this field, have, you know, have, from penetration testing or social engineering, was a time that I got caught, and, and so we had, it's this major multinational law firm.

Speaker 3

I believe we were doing the assessment for DHS, and anyway, so we were working with them, and, and three of my coworkers had struck out on the physical. They couldn't get in. This law firm had really good cybersecurity and physical security, and, and so, anyway, I, we had gotten domain admin within minutes of starting the assessment, and it was because I had called up and just said, hey, I called the help desk and I said, hey, I'm this junior partner. I gave him the name, gave them this story about why I was trying to run this application on my computer and just said, hey, it keeps getting blocked by BitNut. We had done our research on this law firm and knew they had it.

Speaker 3

And so this guy says, yeah, just use my password, and he gives me his username and his password, and he's a domain admin. By the way, that was one of the easiest, quickest ways we had ever gotten it, because we were only calling to just learn a little bit. Never expected to get that from a phone call. But so now we have domain admin, and so we always like to demonstrate impact. That's the number one reason we're there, because it really helps to spread word, spread awareness and a lot of other stuff within the organization.

Speaker 3

So I say, hey, guys, just find the gatekeeper, put it on the calendar, and I'll go stop by Kinko's and print out a business card. So I walk in, I say, hey, I'm, I normally went with Jason. I say I'm Jason, and I give it to her. She says, yes, we've been expecting you. Here's a visitor ID, here's a badge card to get in and out of the office, and here's a physical key to the server room. And so, sure enough, I'm getting right in, get in there, log in and start going at it and doing some work.

Speaker 3

And at that point somebody walks in and they say, who are you and why are you on my network? Well, I say I'm on your network because of latency. Corporate sent me. I would always go with latency because it's just something. If you talk about milliseconds, people's eyes glaze over and they just let you do whatever you want. And so I try that and he leaves and I'm like, oh, OK, cool, it worked. No, it didn't work, because five minutes later these really, really big dudes come, and, and they, none of them now at this point look like they're from the IT team anymore, and they say, sir, would you come with us? So I walk out into the hallway with them after I packed up my laptop.

Speaker 3

The whole time saying, hey, this is a misunderstanding, you know, you're going to force me to work late, my anniversary, I'm going to have to work late, just already making excuses. But when I get into the hallway I see that word has spread, they caught somebody in their data center and, and he's being escorted out, because the hallways are just, I mean, lined with people. I mean, it's packed shoulder to shoulder, both sides of the hall, and so I'm feeling immediately like a little bit of a spectacle as I walk out, and I'm like, okay, I can use this.

Speaker 3

And this is how I discovered what I like to call the denial of thinking attack. I just made a scene, and I made a scene until I was out of there, and because of it they never thought to detain me. They, uh, they never thought to follow me, and I was able to get out of there free and clear, without ever having to produce my letter of authorization or, as we like to call it, the get out of jail free card. So I don't think it's so simple, because emotions are the core of social engineering, and, if done right, the victim, even if they're aware of it, still should fall for it. Hate to say it, I, I, I'm not saying that you don't get better with awareness, but nothing's perfect and there's a lot of different flavors of these games.

Speaker 4

Yeah, I mean, that's a great story. Um, I mean, you're right. Like, the best scams tug at the emotions, because when you start getting into that part of the brain, that people's, you know, the logic gets worse. Right, and I think the most, the example that I hear the most are, and the most devastating, are these family emergency attacks where, um, people call up and they say, hey, I've kidnapped, or, I mean, that's the most extreme version, but, you know, I've kidnapped your daughter, your son, and now, with generative AI, it's pretty trivial to put together a clip of someone's voice that's very believable, or a picture.

Speaker 3

Hear the new OpenAI voices came out? Oh yeah, it's incredible. Like, they can get mad, flirt. The flirting is weird and a little bit creepy, but, like, it's. They can whisper, they can yell, they can sound like they're in duress, and that's the part that's a little bit scary when you think of what can happen with deepfakes. So let's talk about that. AI changes awareness and what our users need to be aware of. What are you focusing on as it comes to AI?

Speaker 4

Yeah, well, I mean, I think what we know is that AI is expanding capabilities and making it cheaper to do pretty sophisticated attacks. But what I worry about is you don't need sophisticated AI and these sophisticated scams where you're generating somebody's daughter. For the vast majority of attacks, you don't need to do that.

Speaker 3

People falling for gift cards? Yes, exactly.

Speaker 4

Exactly, and so I think that, I think there's a danger in getting too focused on generative AI and shifting everything to that, because it makes people think that, oh, these other ones aren't a problem anymore, and that's just not true. Oh yeah, absolutely. And so I know, in terms of, like, what, what am I doing about it?

Speaker 3

There are more, better and better technologies, defensive technologies, that can be employed, which we don't need to get into, but companies that are trying to figure out, how do you detect an AI video in real time? How do you detect, like, what are the different signals that you can look at? I think it's going to be effective, because most of the people that come on this show don't think that they'll work and they're highly skeptical, and I fall on that side too. I know they may work now and they may be able to do an amazing demo, but AI is skyrocketing, and what we can detect now and what we'll be able to detect in a month are two very different things.

Marketing Approach to Security Training

Speaker 4

I mean, it's a classic, I mean, it's a continued cat and mouse game, right? It's going to be a continual evolution. I'm a little bit less pessimistic, I think, but maybe I'll answer it this way. I think the answer is you have to have holistic protection, right, you have to rely very much...

Speaker 3

You can't have one control that, right, the one thing that we're depending on, and, honestly, you never get to your last line of defense. Reevaluate your defenses, because that came way too close.

Speaker 4

Right, and I think that's where, exactly, if people, if you're like, oh, we have the best anti-generative AI detector, we're going to put that in my call center and I'm not going to have to train my agents to detect weird things because we have this tool, like, you're going to lose, right? I...

Speaker 3

actually think we saw that play out with the voice recognition. Oh, we won't have to train them. Oh, that failed miserably. The voice recognition didn't work, it wasn't half set up at the time. And what, you know, where did a massive amount of fraud come from? Those, you know, call centers, those telecommunications groups. And because the problem with call centers is, is there is no, well, there is no, well, there is now, but there wasn't any authentication at all just a few years ago.

Speaker 4

Well, I think call center authentication is a really interesting and evolving, you know, sub-problem that...

Speaker 3

I just see it as the same type of thing, you know.

Speaker 4

Yeah, I mean. Well, what I was going to say is that, at the end of the day, everybody has to have a fallback, right. Like, oh, this technology is not working. I need you to, like, I need you to go to the fallback. And so companies need to serve customers and they have to have these fallbacks, because most companies are not going to be like, oh, you failed this challenge, like, you're out forever. And bad actors exploit those fallbacks. And those fallbacks are often very simplistic, you know, and subject to social engineering, like the example you gave, um, with the IT support desk, and so, like, yeah, they might have some really fancy tool, but, like, oh, it's not working. I'm on a train. Like, I'm in another country, you can't hear me?

Speaker 4

Whatever. Oh, okay, well, let's do this other thing, right? Um, and so I think, like, again, this goes back to the human element. You're not gonna, I don't ever believe the human element is going to be cut out of these, of these problems or these solutions, because the technology is only going to go so far, and the human element, honestly, should be your greatest defense anyway, or your greatest asset, in my opinion.

Speaker 4

Well, I think that's right, and I think that's particularly correct for learning about what kind of attacks are happening in your organization. People who are aware notice stuff, and if you don't have a culture of reporting and sharing, then, like, all that stuff just gets hidden, and then, like, security people have no insight into what's happening, and so I think, like, that's the other part.

Speaker 4

You want people to be talking about this stuff and have channels to report. Like, I saw something weird, like, don't make fun of me that I report it, like, I should be complimented, I'm reporting weird things, and then those weird things in aggregate across an organization tell stories about attack vectors and risk that defenders can then react against, and so I think we've got to praise people when they report.

Speaker 3

I don't care if it's a false positive. One of my pet peeves is when, you know, people or SOC analysts get annoyed with the, you know, user-reported spam, and, you know, can't they tell the difference between a phish and spam? I've heard comments like that a lot of times throughout my career, and, you know, I'm, the only thing I care about there is that the user reported. Now, are there ways to go back and tell them to, you know, or, I guess, give them feedback to improve their reporting? Yes, but you have to be very careful, because it all starts with you're a rock star, you reported it, and if it doesn't start there, then you're, you're, you know, sort of pressing the down button on the elevator.

Speaker 4

Well, that's, by the way, that's why, um, you know what I call it? Gotcha phishing emails, you know, I hate it.

Speaker 3

I don't think we should do those at all. Yeah, no, I mean, I think...

Speaker 4

I think it's the opposite effect, because then people distrust, and they feel like, oh, I'm under attack, I'm doing the wrong thing, what? And so, yeah, I'm totally against it.

Speaker 3

So let's talk about phishing methodologies, because, to me, I look at how we've done this as an industry, and, you know, all of a sudden, uh, years back or a decade ago, vendors first, and then insurance companies, and then advisors, you know: hey, you need to run phishing simulations. And, by the way, I completely agree with that suggestion. I just want to give that disclaimer before we go forward, but it came with no other suggestion. None of the frameworks addressed how to go about doing this.

Speaker 3

There weren't really any best practices that people could go out and read, and so it's been done very ad hoc. And I really do think that a lot of these features baked into these tools lead to a very punitive type of culture, and it's often, you know, seen as a game of, well, what can I get the most people to click on? And I do not think that it's about tricking people. I think it's about catching people doing things right and praising them, and, for those few people that you're not praising, using that as a learning experience for them to go through a hands-on learning exercise. And in a hands-on learning exercise there's no tricking.

Speaker 4

Yeah, the tricking is, yeah, it's very problematic. I mean, when I was in the government... because, by the way, in my opinion, a lot of this is because of the compliance, right? It's like, oh, I'm required to do this test to comply with XYZ, so I'm going to run this test, and I did it, I'm done, and they're not thinking about, like... and this is to your point. You're like, compliance, if that's how you're running cybersecurity, you're not going to be doing a good job. And I agree, because if you're only focused on compliance, you're missing the point, which is you're trying to reduce risk, and just running a couple of emails, phishing simulations, for compliance's sake, you might be increasing your risk. And so, yeah, when I was in the government, we had... I remember it specifically because everyone was outraged. It was like a payroll thing, and they sent it from the payroll department, and basically, if you took reasonable precautions, you would click on this link.

Speaker 4

And then it turned out it was a phishing thing. I'm like, if you send a phishing email that looks so real, with all the indicators that you teach people to check, and it's still a gotcha, you've now taught people that all of the indicators to look for are not valid, and therefore you shouldn't click on anything in any email anyway, and now you've disrupted your operation unnecessarily.

Speaker 3

Well, not only that, but you've potentially caused long-term damage to your operation, because people are afraid to click on things. Exactly.

Speaker 3

Back to marketing. When we would... you know, one of the things we learned, or I learned, in marketing, when I would set up marketing campaigns, was that you start with defining your goals. What are the goals that we want to accomplish? And why that is applicable here is because the goal should not be to trick the employee. The goal should be to provide that learning exercise, and it's a different set of methodologies that you're going to employ, and I'll give you an example.

Speaker 3

I don't want people to be scared of their inbox. I want them to know how to use it securely. I want to teach them, you know, the best practices. You know, the simple things, like pay attention to the sender, trust your gut, be wary of anything that causes emotions, and, you know, a few other little things like that that I want them to learn. But I think, if we define what we want to accomplish with that, we have much less of a likelihood of having an incident like that, where so many people are upset. And, by the way, I've sent hundreds of millions of phish in my career now, and I have made that mistake firsthand and had people get upset. Not where it was, you know, literally no indicators, there's always been some indicator, but where it was so timely and on topic that, you know, we got it. We had a phish in a pen test once go viral, actually, but that was a penetration test. That's a little bit different goals. That is what we wanted. Well, not really, because we had to shut down our C2 too.

Speaker 3

But I mean, knowing what you want to accomplish, and then defining what, you know, what message you want to convey, I think is a really, really important element. And, you know, you were talking about AI and how we don't want to just, you know, move to AI so they don't think any of the other stuff is important anymore. And I was thinking, you know, when we really boil it down to the core messaging, what do we want to accomplish with training this user? It's really simple things that apply on AI just the same as they apply everywhere else: trust your instinct, be careful where you upload company data, you know, like, it's basic things. Be aware of your privacy settings. There's basic things that we want people to learn.

The Power of Social Proof

Speaker 3

So I just think there's so much that we can learn from other industries, and it's not just marketing. Behavioral science. There's so much about how we learn and how we process information and how we can make that more effective. Like, you can make training videos 35% more effective just by turning on the captions. So all of our trainings force the captions. Why? So they read it and hear it at the same time. It's called dual code. Little things like that make a big difference at the end of the day.

Speaker 4

That's really interesting. I didn't realize there's data on that. That's pretty cool. I love captions. I always use them myself, so I'm an anecdotal affirmation for that. Yeah, you know, the basics. I wholeheartedly agree. If everyone did the basics... actually, if, like, just most people did the basics, it levels up everybody, because then most people are going to be protected.

Speaker 3

And they talk to each other, to what you were talking about, you get that cultural shift. It's almost that... well, you know, when COVID came out, you heard a lot of people talking about herd immunity, but I truly believe that's a real thing in cybersecurity too, that when you can get 90% of the people caring about cybersecurity, the rest follow along, because they're the oddball if they don't care.

Speaker 4

Yeah, and it's probably not 90%, it's probably, you know, I'm sure it's a lower number when you get that community, but somewhere in there. Yeah, but yeah, the concept I agree with, and I think, um, I think that, like, people, the social affirmation, right, is like really important. Like, oh, this is expected, like this is what, in my community, in my organization, in my family, in my company, in whatever department, this is what's expected. That is so critical to build.

Speaker 3

And it becomes a sense of pride. Oh man, we win all kinds of contracts just because of our security, like. And when that's what the end user and employee is saying, that's when you really know you've made it from a cultural perspective.

Speaker 4

Yeah, and I think there's some really cool gamification tactics that can be done. I once was advising this company, and they basically had a scoreboard for training, where it's like people who score the best and do it quickly, in terms of, you know, it's due on Friday, you get it done by Tuesday, and then have a leaderboard, and, you know... and so, like, you don't need technology to build leaderboards like that. Like, if you have Slack, you can have a Slack channel and then recognize people, you know. So there's all these techniques where it's like, how do you just build this social proof that having this right mindset, pointing things out, talking about it, that's healthy, that's good, and, like, it's expected that you do that. I think that's really important. And again, the human element, and you said social proof.

Speaker 3

One thing I think is critical is making sure that you're constantly building out that social proof. So when you have somebody report a threat, something that they saw internally, share it with the entire organization. Because when they know that it's not just some anonymous threat targeting other organizations, but it is a very specific threat targeting our organization, and it hit Joe in accounting last week, it changes people's perspective entirely. It's a real threat all of a sudden, instead of a fake threat. I mean, that's the best way to put it. It's perceived as a fake threat until it's real.

Speaker 4

Well, and, by the way, that kind of information sharing is... I mean, if people don't know the threats and the risks that are happening to their company, they can't... they're not thinking about them. And therefore, they don't have the right index of suspicion. So it's so funny, because there's, like, the NCFTA, there's organizations where information sharing about indicators of compromise and bad actor tactics is done between companies to make it harder to, you know... sharing that information is so valuable, but then within their own company, they don't share.

Speaker 3

We don't share anything. Yeah, I know, it's like, oh, we live on that threat intelligence data. I mean, so I was just going through and, uh, checking our MITRE ATT&CK framework coverage. What is that? Threat intelligence data that I can use. And so, I mean, again, we live on that data, so why wouldn't the rest of the staff be just, or find it just, as helpful? So I agree, and, by the way, when we praise Joe from accounting to the whole company, he gets a really big ego boost and becomes a little bit of a cybersecurity expert himself. Not that he's really an expert, but you're positioning that, and it switches the mindset.

Speaker 4

Yeah, you know, and, by the way, I think it's also really important to share the failures, and that, I think, is actually the thing that does get put under the rug, that people are afraid to... Like, when I was at Google, this is amazing, I had this person who reached out to me on a personal level. They're like, I almost fell for this. I just stopped. But it was the classic: my VP needs $5,000 of gift cards as gifts for some event, he wants me to use my corporate card to do it because his is not working. And they fell for it, and then they were able to cancel everything in time, but that never got reported.

Speaker 3

That's basically a successful campaign run against this, and people are embarrassed to talk about it, and so you have to figure out a way, like when somebody does something, you've got to destigmatize it. Yeah, 100%. I had a student reach out to me that they had, uh, fallen for the, uh, the job application or the job background check fee, uh, whatever it was, and it was a substantial amount of money. Well, the reason she reached out was she was saying we've got to demystify this. As I started talking to my peer group, almost every one of them had fallen for the same scam, same person, same email address.

Destigmatizing Security Failures

Speaker 3

If any of us had even said anything, we all could have avoided it, and I agree, we've got to take that stigma out of it. Honestly, I fell for a scam before I was ever even in cybersecurity, and that led me to learn about cybersecurity and really develop a passion here. So, you know, it's going to happen. Just the other day I made a comment to my team. I'm like, you know, the only way I would ever ask anyone for gift cards, like, jokingly, is like if it was a conference. And within just a few weeks we start seeing the texts hitting my people, saying, hey, I'm at a conference, need some gift cards.

Speaker 3

I'm like, okay, so they finally figured out that if they just tie gift cards to a conference they'll get better results. And now no one fell for it, but it's just... it's crazy to me that we still have people that aren't even aware of the basic gift card scam. And if they're not aware of that, how do we protect them against so much else? So I think it starts with, we've got to also demystify, to take down those, you know, those barriers where people think it's too complex. It's not. Let's make it simple, make it easy to understand, and be the friendly department.

Speaker 4

Yeah, I mean, I agree. I think simplifying this complex space is so critical, because, I mean, you don't have to be a doctor to understand that, you know, smoking has negative health consequences, right? Like, what the actual health consequences are is extremely complicated, and how that all works, but, like, you could just make a clear rule or have a clear understanding. So I think, like, we need to do that too in cybersecurity. You have to demystify and simplify complex concepts, complex cause-and-effect relationships, so they're consumable and able to be understood. And again, like, this is why, like, you know, I really like the consumer space, because I like figuring out how can we just help normal people get better and understand, like, a little bit more.

Speaker 3

And, oh, I was just... One of the problems is that we take our worst communicators and put them in charge of our biggest communications problem. As a rule. I'm not saying that's every company; I've actually run into a lot of enterprises that do have somebody dedicated to learning management and even security awareness specifically, but there's a lot of others that don't have that deep expertise. And nothing against technology people, but a lot of us tend to have poor social skills. We love our technology, we're a little bit antisocial, and I'm saying "us" because, I mean, that describes me a little bit, I guess, too. But at that exact same time, that also makes us not the best person to create the security awareness.

Speaker 4

Well, I also think you also have the, um... the other dynamic at play is, I mean, you alluded to it, where, like, the analyst in the SOC is like, I can't believe they did XYZ, or, you know, the tech person's like, restart your computer, like, I can't believe you don't know that. And I think, like, that arrogance, I mean, you have to fight against that, because it is easy to be like, oh, I understand this so perfectly, oh, it's so clear, like gift cards, it's so obvious. But again, exactly, exactly. And I think, and you're right, like, I think there's something about being humble and thinking about having that empathy. I think that's really critical, and we didn't really talk about it. There's a big problem industry-wide on the consumer side around victim blaming.

Speaker 3

Not just on the consumer side, in the enterprise too. I mean, I see victim blaming where all of a sudden this victim of a horrible crime is a bad guy. You know, essentially I agree, we've got to have a lot more empathy as a society and as an industry, but certainly not getting into social issues. Sticking to cybersecurity within our industry, I do think we do lack that level of empathy.

Speaker 4

You're spot on. Yeah, I mean, yeah, and I think that's actually really critical, because it's such a complex area. I mean, if I think about enterprise, I mean, the worst job in the industry, the best thing ever, and then you're responsible for everything, but you also might not have the authority. But the reason I was bringing this up is that it's easy to assume, like, oh, the CISO should know everything.

Speaker 3

And it goes both ways, right? Like, no one can know everything in a company. I mean, I'm the CEO of a company.

Speaker 1

I know almost everything, but there's a lot of stuff that doesn't boil its way up to me.

Speaker 3

I don't care where, or what end of the totem pole, you're at.

Speaker 4

You're not going to catch everything, period. Yes, and yes, and there's expertise that you lack, and so I agree. Anyway, empathy is, I think, a good soft skill for cybersecurity. Empathy and just learning, learning knowledge.

Speaker 3

But with that, we are out of time today. Any last bits of wisdom before we wrap up the show today?

Speaker 4

I think I'll just say that, you know, helping every person get a little bit more private and secure in their personal life also translates to their work life and all aspects of digital life. So I think I urge everybody: take some steps to get a little bit more private, a little bit more secure, and if you do that in one place, it's going to have dividends elsewhere as well. So that's my final advice.

Speaker 3

Yeah, go through your security settings. That little profile or, I guess, gear in the top right-hand side, or profile picture in the top right-hand side. Most often that's where you'll find your settings and your privacy. So go in, take a look at them, and make your own decision. Because when you look at all of these AI models, just about all of them by default use all of your data for training. So if you don't want an AI to know about your favorite everything, over to some weird questions you might have, it's good to go through those privacy settings for sure.

Speaker 4

Yeah, oh yeah.

Speaker 1

All right.

Speaker 3

Well, this has been a fabulous episode. Thank you for joining us. For those of you joining remotely, we will see you again next week. Thank you.