Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
Psychology Is the New Firewall: How Human Insight Trumps Every Trick
Pete Gibson, former CIO at companies like Alamo, Wyndham Hotel Group, and Friendly's, shares his journey from liberal arts major to cybersecurity leader and discusses how psychology has become the new firewall in today's threat landscape.
• Started in technology after joining the Navy, eventually managing the Tomahawk cruise missile program
• Maintained impressive staff retention rates (up to 100%) through three company bankruptcies by focusing on treating people fairly
• Advocates transparent risk communication to executives through heat maps and best practice comparisons
• Shares how his team recovered from a ransomware attack without paying ransom due to network segmentation
• Emphasizes building a security culture where everyone contributes rather than relying on a few specialists
• Encourages security training that connects to employees' personal lives to create lasting behavioral change
• Uses rewards like gift cards to celebrate security improvements, not just perfect performance
• Believes in combining the "carrot" approach with occasional "stick" consequences for repeat offenders
• Recommends tailored training approaches for chronic clickers rather than one-size-fits-all policies
• Suggests including security awareness in new employee orientation to establish expectations from day one
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks—zero admin effort required. Ready to see how we can fortify your team against phishing threats? Schedule a quick demo today!
This is the new firewall, where human insight trumps every trick.
Speaker 2: We're not hacking systems, we're hacking behaviors, so you won't click.
Speaker 1: No complicated code, just tried and true brain science at play. Social engineering for good. The best defense is in your mind today.
Phishing for Answers Introduction
Speaker 1: Welcome to Phishing for Answers. The opinions expressed here are solely those of the individuals involved and do not reflect the views of their employers. Get ready, because the next live episode of Phishing for Answers is starting right now with your host, Joshua Crumbaugh, the CEO of PhishFirewall. Psychology is the new firewall, where human insight trumps every trick. We're not hacking systems, we're hacking behavior, so you won't click.
Speaker 2: All right. Hello, welcome to another episode of Phishing for Answers. Today we're here with Pete Gibson. Pete, tell us a little bit about yourself.
Pete Gibson's Career Journey
Speaker 1: Sure, thanks, Josh. Pete Gibson, the CIO at Alamo, National; CIO at Wyndham Hotel Group. Ran an outsourcing company in Shanghai and just got done being CIO at Friendly's and Johnny Rockets.
Speaker 3: And before all that, did major programs in the government. Very cool, that's a lot of retail, I imagine you've seen. I mean, retail just has a whole different set of threats than the traditional business. You know, or I guess you know, you've got things like QR codes.
Speaker 3: You have to train your staff about times where they'll go and put little stickers on top of your own QR codes internally. You've got all of the many social engineering attacks that are gonna hit them, so, yeah, I think this will be very interesting. So how'd you get into technology to begin with?
Speaker 1: Really, it was really unfortunate. I was a liberal arts major in school. Came out and eventually joined the Navy, and in the Navy's infinite wisdom, they said, we're gonna make you an electronic warfare officer. So here's this liberal arts major studying, at that time, the Soviet Navy and networking and how to defeat people in the electromagnetic spectrum. Rose on up through the ranks, did well, and my last position was, I was responsible for the US Navy's Tomahawk cruise missile program, the weapon system side of it. So we developed, and we were the first commercial off the shelf, COTS, GOTS, government off the shelf, weapon system that was certified. So it was an interesting experience, to say the least, and for me it was a great learning experience, because as a naval officer you move every two to three years.
Speaker 1: But when I was in this place as a 35-, 36-year-old lieutenant commander, I had 350 civil servants working for me, and they were some of the brightest in the Navy as far as coding. You know, I learned how to develop defect-free code, because, not that we were a CMM organization, but we were, I believe, high in software quality assurance. I learned that. I learned systems engineering, learned project and program management, and in that I couldn't really do a whole lot as an officer, because these guys were having in spades modeling, simulation, had a 10-person math team and so forth, but I was able to grow the program by internal sales to the Navy. So I was able to get other capabilities, because we were a truly open-architected system from software all the way up to the hardware side of it, and so I could bring our capabilities, and so we did, we sold capabilities and I was able to go grow that program.
Speaker 3: Sounds exciting, yet not, I imagine, a typical course for most liberal arts majors. That seems unique.
Speaker 1: Yeah, but I will also... People, you know, they look at the resume and they go, oh, that's pretty impressive. Oh, in school you were a human relations major. I kind of go, yeah, and I would tell you that was probably an extremely good major to have. Not so much the technical side of human relations but, as I say, folks, could I go in?
Speaker 1: I do turnarounds. I get into some really tough business situations. We've got to turn the company around, and people often ask, well, how do you do it? You know, you do this, you do that.
Speaker 1: I said the major thing is leadership, being able to lead people through change.
Leadership in Technology Turnarounds
Speaker 1: You actually get them to do things they wouldn't normally do. And when I speak, I said, you know, systems don't build themselves, systems don't repair themselves. Technology is really a people game, and that has served me really well. So I've done three bankruptcies, taking companies through that. The first one, I had about a 92% retention rate. Second one, I had a 96% retention rate, and the last one, I had a 100% retention rate, taking my team through bankruptcy. And it's about treating people right, fairly, and not coddling, I don't say that, but about treating them right, recognizing they got families, recognizing they have career aspirations and dreams, all those type things, and just treating them right in a good environment where they can excel, and people stick around. I mean, you read it all the time, right? People leave due to bad managers.
Speaker 3: Well, let's be a good manager and stay for good managers too. Yeah, that's right, absolutely. So what are you up to these days?
Speaker 1: I'm consulting. I'm consulting a lot on security, believe it or not. So I go into private equity groups and then I help them with their portfolio companies, either in the portfolio companies, adding value to the technology piece of it, adding value to the company to increase the valuation of it, or to protect their brand from a really, really greatly improving cyber threat.
Speaker 3: Yeah, I mean, as a founder myself, I can only imagine for those founders that don't understand cybersecurity how difficult it must be, because, particularly if you've just gotten venture funding, the last thing on your mind is probably cybersecurity. And it's not a bad thing, it's just you've got a million other things that you have to worry about. And I know about cybersecurity, and the struggle was even real there, you know, personally, but I could see that for somebody that doesn't know anything about cybersecurity, how it would probably largely get ignored often in a typical startup. Am I right?
Navigating a Ransomware Attack
Speaker 1: Oh, yeah, you're absolutely right. So at Friendly's they had not invested in technology since 2003. And they used to call me, like any technology, any technology, because they were basically a bankrupt company and so they didn't have the money to invest. And it's not like it was because they didn't want to, it was because they just didn't have the funds. And so when you got in there and started looking around, you kind of go, oh, this is a risk waiting to happen.
Speaker 1: And so, you know, as a technology leader, you kind of got to politely evangelize the situation that you are in, and so I'd go in and say, yep, we are extremely vulnerable in this area, and so I would evangelize.
Speaker 1: And my peers, the head of operations and HR, the CFO, they always said... they used to call me the Death Star, because I would come in and say how bad it was. And, you know, you don't win those. I'll just be honest with you, going in as bad as it is, there still may not be money for you to win it. But we got hacked in a really tough way, and you're kind of glad that you evangelized along the way, saying we were vulnerable, as compared to, I see a lot of CIOs and CISOs, they kind of mitigate it, they sweep it underneath the rug, and then when it bites, it catches the entire executive team off guard and it's a really bad situation. At least if they know about it, the CEO, CFO and all these folks, they have an understanding, and again they may not be able to solve it, because in those cases they're trying to save the company, but at least when it happens they are prepared for it.
Speaker 3: Well, and I mean, whether you're a CISO or a CIO, you're not in that position for, you know, sweeping things under the rug. I mean, I would imagine, at least personally, everyone I have in a position of leadership, one of the key reasons I have them there is because they'll tell it to me exactly how it is, and that's an important element. I know that, you know, people can be intimidated and sometimes not want to tell you the bad news, but you have to have the bad news along with the good news, so that you can react and make informed decisions.
Speaker 1: Yeah, and you don't have to do it... When you do it, you don't have to do it, oh, Chicken Little, the sky is falling. If I don't have this, we're going to go, whatever. But you just really have got to be able to send a clear and consistent message, not the sky is falling and losing your credibility. And one of the things that I do is I go in there and say, here are best practice standards, and then this is where we stand up next to it, in a heat map. They're smart people. And so you go, oh, there's a lot of red there. You kind of go, yeah, yeah, we got some work to go do, right, but we're good over here. They can get it. I mean, they kind of know, oh, we're vulnerable.
Speaker 1: And I said, as soon as we can get some capital, my first step would be this, and we go to this to help protect us, and in the meantime we're going to do X, Y, Z, so that if it does happen, we can mitigate it, and so forth. And they kind of go, okay, okay. You know, they know that you're trying, but everyone understands the situation. I mean, the other side of operations needs money too. The CFO doesn't have enough funds sometimes. So you still gotta work together as an executive team. But to your point, you're spot on. You gotta get the situation... you kind of politely gotta get your needs on the table.
Speaker 3: Oh, absolutely. And I think there's a lot that can be done without huge investments from a cybersecurity perspective. One of the things that I'm always harping on is just hardening your systems, hardening your people. Those are two things that can be done very easily that really mitigate a lot of threats. I mean, I hear people worried about, you know, talking about the zero-day threats, but they're not hardening their systems, which would prevent most zero-day threats from even being successful. And so I think it starts with just really good hygiene, and that hygiene is not just when it comes to our systems, it has to continue over into our people.
Speaker 1: That's correct. And, you know, simple things like, what is your network infrastructure? How well segmented are you, that everything goes through the firewall? So how well segmented? What's your subnetting philosophy and so forth? And so my experience is, they are not segmented.
Speaker 3: I've been a pen tester.
Speaker 1: No one's segmented, that's right. And to your point, you're spot on, it's really easy to go do. One of the ones that I like is real simple, is just training, because I don't care how good you are, the threat is so sophisticated that if you're not training you're probably going to have issues, because it's going to be well beyond what your team can go do. And so I'm pretty open about it. We got hacked at Friendly's, and how did they get in? I'll tell you. They sent into the accounts payable mailbox an email, and they made it look like it was an invoice for services or something. And of course they zipped the invoice up, so that when it came through the email inspection, which was kind of old, it couldn't unzip it and take a look at it, and in the body of the message they put a username and password. So what does the accounts payable clerk do? Well, it does what an accounts payable clerk should do: open it up, see what it is, try to get it into the system to get it processed. Boom, and of course it came in, and then the package got in.
Speaker 1: Of course the package didn't spawn until 30 days later, and of course it's 10 o'clock on a Friday night when people aren't around, and so forth. But because of the network segmenting, they only got 12 servers, and because at that time IT was doing well and we did have some capital, I was halfway through an H... I'm not going to be, I don't want to be agnostic here, but we had newer servers in place that would snap every five minutes, and so we could take a look at when the package came in, and you could examine the package, and we had half our infrastructure back up and online within minutes. The other one was still the old stuff and we had to do tape restore. The good news is we were able to work our way out of it. We did not pay ransom. I did not pay Bitcoin or any other things.
Speaker 1: It was back to your point: with what we had, we could use it, and we were somewhat prepared. It took us some work, I'll be honest with you. There are some dark moments when you go through it, but it takes strong leadership, it takes understanding what's going on and so forth to get the organization out of it. It was hilarious.
Speaker 1: We got some ransomware in, CFO goes, oh, and you have to go to them and say, you still got a business. They are not even close to the revenue stream. They just got some reporting servers. And if you're not doing this, everyone said, oh, ransomware is bad, and it is bad. But conversely, though, you got to be prepared for it, and then you have got to be able to handle the challenge of the situation.
Speaker 1: If you can't, you're going to get all types of help, and they're going to come back there: what is this? What about that? What are you doing with this? What are you doing about that, and so forth. You need to be able to run the situation. You're going to have all types of lawyers. They're helping you. You're going to have your lawyers. You're going to have your cyber security lawyers, because they don't want to pay you. Actually, they want money for cyber security insurance, but when it comes time to paying out, they want to make sure they will have their cyber guys in there. They brought in some good guys, and that was actually good, and then you got to get the PII guys.
Speaker 1: You know how much, you know, the personal stuff going out. Yeah, and so I had a team every afternoon, my four o'clock call, with about six or seven lawyers from different organizations. This is what we're doing. This is where we're at. They said, do you want to negotiate with these guys? And I said, what happens when you negotiate? You normally end up paying. Well, we ain't going to go do that, guys, because we ain't going to pay.
Communicating Risk Effectively
Speaker 1: You know, and you just got to be able to work your way out of it.
Speaker 3: But the threat is really daunting too, and knowing what you're going to do if that happens, knowing where your sensitive information is, to your point, you know, you have to know where those things are. And I think there's a lot of times where we don't have a good enough handle on where our sensitive information is, maybe the structured but not the unstructured data, and that's what can lead to, you know, more impactful incidents. I mean, we've all seen them. We've seen them play out in the news, in fact, where they're the front page news for a week or two while they play out and the different parties involved figure out what they're going to do. I'm a big fan of not paying them. I wish that everybody would take that stance.
Speaker 3: But also I've personally had clients that have had to pay, and the reality is that there are times when I guess they may need to. But the problem is, when we pay them, of course, we are funding the enemy to attack us. You are funding the enemy.
Speaker 1: And on the other side of it is, yeah, you got pressures, though, to get your business back up and online, and so you are spot on. You have got to be prepared the best you can. Now, you can go do tabletops and all these other things. That's good to go do, but until it comes, you don't exactly know. But all that stuff, you kind of get your house in order to some degree to go do it. Yeah, so I do. I'm a firm believer in that.
Speaker 3: So it starts with a really good incident response plan, which everybody should have, and you should have exercised it and you should have done tabletops, so that the first time you're trying out your incident response plan, hopefully, is not when you're having an incident, or, God forbid, you don't even have an incident response plan and you're having an incident, because I've been brought in after the fact on a few of those as well. And the problem is that they have no internal expertise, so they're 100% reliant on people that are getting paid a lot of money to help them out.
Speaker 1: And they don't know your infrastructure and they don't know where it's stored and they don't understand your vulnerabilities. Because once it's there, you know it's there. Then you try to find the package, but then you really try to do the damage assessment, and that's where it starts getting sketchy, because how much information did they get out? How much? Whatever. A lot of speculation, customer notification, that takes you down a whole litany of things, and sometimes you got to be realistic about what it is. So for us, I had an accounting team that loved to keep their spreadsheets for years and years and years.
Speaker 1: And every time I would say, well, you know, we're going to have an electronic document retention policy. Oh, no, can't go do that, we need it all. And I kind of go, oh, I don't know. So they had years. I mean, they had probably 14, 15 years of files on it, and my biggest vulnerability was that, because the systems weren't really tightly integrated.
Speaker 1: Coming out of HRIS, going into payroll, which wasn't integrated together, you would do a spreadsheet, and the key indicator field on that spreadsheet was, of course, your social security number. That being said, though, before I got there, they were passing the spreadsheet unencrypted. It would never be coded, it would never be enough. My biggest vulnerability, on the other side, that we need to protect, that's people, because this day and age, yeah, they want ransom to unlock your server, they want ransom for your data, but now they're also ransoming executive information: how much was he making? And things of that nature, and you don't want all that stuff to get out.
Speaker 1: But on the other side of it, so we had company financials, and all the lawyers were saying, well, what are you going to do about company financials? Aren't you worried about that getting out? You know, I kind of... you got to be rational about this. You kind of got to say, no. And they go, why? I said, everyone in the world knows we're basically a bankrupt company. Friendly's is one of those brands that everyone loves. Everyone has great memories, everyone just loves the brand, but everyone knows it's on hard times, and so if it was to get out that, hey, we have no money, it's kind of like, so, yeah, tell me something you don't know. So you do your risk analysis of what information did they get in that organization. My finances weren't too important. Personal information was extremely important.
Building a Security-Focused Culture
Speaker 3: Yeah, and they'll come back in 40 days or less sometimes. I mean, you don't have long, even if you do pay them, before they're right back at their same game. And I mean, I think that's another part that people don't get. I mean, you better be very quick to move and react and fix things, or you're going to have one after another. My parents, every time I talk to them, it seems like they're telling me that their local hospital was ransomed again, and I know there's been at least four different times it's been ransomed now, and I mean, being a cybersecurity expert, I know exactly what's happened.
Speaker 3: They're not learning their lesson each time and reacting strongly enough.
Speaker 1So I guess and 10 years ago it was ransom and issues and so forth. But now there are companies because they did not prepare and you talked about startups in the beginning that cannot recover and they're out of business.
Speaker 3Oh, yeah, and a startup. I mean they've got limited runway. I mean, a lot of startups are only running on a couple, a few months of capital right at certain times, and so if you were to take that that startup that's already running running very thin and has very little room for error, they could be under just like that. I think a lot of them probably don't have that cyber liability insurance either, because funds are tight. Where are you going to spend it? Are you going to spend it on insurance or on customer acquisition or building your dang?
Speaker 1product. You're there, you don't have enough money. Fair, are you going to spend it? Are you going to spend it on insurance or on customer acquisition and or building your down product? You know, you're there, you don't have enough money. And so it's tough decision for the, for the leaders. But if they haven't at least given it five, ten minutes thought and they say, hopefully more than that, vulnerabilities of what they, what they can go, do you know? So let's just say they got a you know uh, office 365 and a couple of servers. If you're not using it to the full capability that you, that you're paying for, well, then that's kind of shame on you, right, if? And then, like I say these guys, the threat is smart, but if you're using it to the best of your ability, it's fine.
Speaker 1It's like a lot of times in cyber security, it's not what you know that you have trouble with, it's what you don't know, what you have trouble with. So I went into one organization and of course we always said well, how good is uh, how good is your antivirus? Oh, it's good. So what's the percentage? I've checked in this week. What percentage is this? What percentage over two weeks old? Uh, let me go pull the report out of it. So they pull the report and get it again. All right, they're over two weeks old. Lock them out of the network, pass the ticket to the help desk, get them getting to come in right, but then you. Then you ask the question and you go all right, what's the last time that we get this? The difference between what we have in iVirus and the assets we have in Active Directory, that's right, everyone always go.
Speaker 3Oh, I'm guessing there was a giant gap in coverage, of course there is. I mean, that's one of those metrics you have to watch, because I mean, when it comes to my EDR, I care more about coverage than I do any other metric I want to know how many systems are missing, and why is it missing from them?
Speaker 3Because often then you're going to find out well, it's missing from this one because we're still running Windows 98. Well wait, why are we running Windows 98? And that's where that rabbit hole because we're still running Windows 98. Well wait, why are we running Windows 98? That's correct.
Speaker 1And that's where that rabbit hole. Yeah, why are we running it? Get it. There's a capital project because it's a server or something that you strategically need. You get it rewritten. Yep, I get it. It's a vulnerability.
Speaker 2It may not be the top order.
Speaker 1I mean, part of the CISO's job is, you know a lot of CISOs they kind of go in, they forget the certain thing and the CISO will say, well, we can't go through that security issue. Oh, I can't go through that security issue, oh, I can't go through that security issue. And then you kind of got to look at them. You kind of sound like a hopefully I'm not offending anybody here you kind of sound like a lawyer and I said what do you mean? That says you know, if we used to laugh all the time in restaurants and in car rental, you know if lawyers, if you were a lawyer in a car rental company, you wouldn't.
Speaker 1You wouldn't have a car rental company because you got other people come on, they're running your vehicle, they're going to crack them up, it's going to be risk, and so fire, so forth. In restaurants, hot food could burn people, food allergy issues and things of that nature. People aren't vetted and so forth. You wouldn't have a dang gone business. And so CISOs, they've got a big area, they've got to have the right tools to go do it.
Speaker 3They may not have all the tools, but they have got to be able to measure and quantify risk, I think, and communicate risk. I think that's one of the biggest things that a CISO has to do is let the board know, okay, hey, this is. Or the rest of the executive team hey, here is our risk, here's what we need to be concerned about, so that the rest of the team can make informed decisions about those things. And when you're just saying, no, we can't do that, you know, in your example here, the problem is is you're not helping the business's core mission, you're just getting in the way. And honestly, I think that it's our job to communicate risk, more so than anything else. And from that communication, of course, management happens naturally, but I think it all starts with communicating risk. Before we even start trying to worry about mitigating that risk, let's start by communicating it, and you may be surprised at what options for mitigating the risk you learn about that you weren't even thinking about. Okay.
Speaker 1Okay.
Speaker 3Yep. So let's talk about training people. So that's one of those things that everyone, I think, wants to have better success at,
AI and Voice Simulation Threats
Speaker 3and so one of the things I like to just dig into is what are some best practices that you've learned over the years to help make your training more effective?
Speaker 1So the training that I like is organization training. I mean there's training on the internal team and security. It's got to be along with product development implementation and I'm a firm believer, and they are in the process and all the training of the new tools and stuff like that.
Speaker 2But the best training I have is the organization training.
Speaker 1It is weekly, weekly email is going out, security bulletins, the bulletin boards. There is also, um, uh, the bulletin board. There's also the, you know the penetrating email type thing. You always subscribe to those and so forth and of course we're not really part of training but pen testing and all those type things and the.
Speaker 1And then the other thing is you, in that you this is where your team, you got to build the culture in your team that you will get a person that goes oh, I think I got a suspicious email. And then your team kind of says to you well, you know, mary lou has a suspicious email almost every day and it turns out to be a, you know, a false positive, and you kind of go, yeah, and that's when you know you have a culture problem, because you in the IT world need to know that that person took time. That person doesn't understand everything, but they let you know and so your culture has. We're going to down to mary lou real quickly every day and, yep, set your watch 805 every morning you're going to run down there, but we're going to go down there and then you're going to say you're fine, it's good and oh, by the way, thank you, yes, and then you have got to champion this in a greater sense of our.
Speaker 1You know we had this many security incidents, vulnerabilities, whatever how you report it out this week. This is how many were false, positive, negative all due to training Every one of you department heads in your staff meetings five minutes talking about cybersecurity. Just don't do it from. You know you can use my bulletins that we put out. Just don't do it from the organization point of view, but do it for their personal, for at home and so forth. That we start making this top of mind. Okay, and you're not going to win. I don't want you to understand that You're not going to have zero vulnerabilities, but you might be able to not get a 10% improvement and 12% improvement by this culture and by people saying security is important to us. Next time there are organizations, threat assessments for legal and for your board and so forth. Cyber's on that. It's kind of a little bit painful, but it's kind of good too.
Speaker 3A couple of things there.
Speaker 3Number one I think pen testing should be a part of training, where you're getting that purple teaming happening for your red teamers I'm sorry for your blue teamers so that they better understand how the attacks are going to come in, what to look for things like that, how the attacks are going to come in, what to look for things like that, but also within your staff.
Speaker 3One of the things that stood out to me in my career was this time that I had tailgated in four consecutive years in a row off the same person and how it never made its way to the individual who was actually in the report letting this happen.
Speaker 3: Because if even once he had been made aware of his mistake, it wouldn't have happened three more times, right? So I do think that there's also takeaways of, hey, we did a penetration test, you don't point at anyone, but maybe you tell the story about what happened, because when you can use real events that happened at your organization, it really does help to make it more real, and to that point about connecting it to their personal life. I think when we give people homework and we send them home and we tell them, hey, go teach your kids about this threat, and maybe we even take and look up something, you know, threats that are targeting kids on Roblox or something, and give them something specifically they can take home to their elderly parents or to their children. But what happens is when they go home and they're teaching their family about it, they become the expert at home, and it really does shift their mentality coming back into work, and so I think that's one of the best things we can possibly do.
Speaker 1: A couple of years ago, when two-factor authentication was rolling out, you tell you got to do it. And most people, at first, are going to be imposed upon by the extra stuff, and you kind of go, okay, that technology has improved. But then you kind of say, you know, if you do online banking at home, turn on two-factor authentication and protect your assets. They kind of go, oh, I didn't look at it that way. Do you have any investment accounts? Turn it on there. Yeah, that's right, and it's a pain.
Speaker 1: I get it, and the technology is getting a whole lot better now with the authenticator apps and so forth. But you know, when you start saying, yep, go do it here and it's good, but oh, by the way, do it at home, then they go, ooh, yeah, and then it becomes a way of life for them, and they're not going to be happy, but it should be a little bit more tolerable because it is the way of life, and to your point, I think it's a great point to just start teaching the kids now, two-factor authentication.
Speaker 3: Yes, one of our most vulnerable, like, elements entering the workforce is the youngest people. It shouldn't be that way, and I think that we can start fixing that right now and make our future selves' lives a little bit easier, just simply by telling people to go home and take that knowledge home to their kids, because they will, in a few years, be entering your workforce and working for you, and hopefully it has an impact on them while they're young and they get that ingrained sort of gut reaction, if you will, the same as looking both ways before you cross the street. In fact, on that point, I have this theory of rebound phishing, and it's not really just phishing, it's any social engineering attacks in general and even some just human error, common human error stuff like using bad passwords, for example. But I have this theory, and it's so, uh, sorry, give me one second to gather my words here.
Speaker 3: Okay, so if I'm going to go get a vaccination, what they do is they give me a weakened, uh, I guess a weakened version of that virus. They inject it into my body and it teaches my body, in a way that's safe, how to fight against that virus and protect myself against it. So I believe that's what we're doing with phishing simulations, and really any simulation that we would run. This could even be tabletops, because what happens is that when that user learns through the simulation that urgency and authority and other things like this are going to be used against them, and when they learn that tactic really well, um, they become much, much less likely to fall for it, and, in fact, their gut, uh, will trigger on it and say, hey, this is a threat, and people will often even move on.
Speaker 1: Yeah, I had a couple extra minutes one time, and so, yeah, and again, you know, you hit it right. And also I would include in there your processes and procedures. So a lot of times we look at cybersecurity as just the computing systems and so forth, but I'll also say it's in your process, procedure. So how do you pay someone? You know, is there the approval process and so forth?
Speaker 1: And so our, uh, a CFO spoke at a conference, and so I downloaded that video of him speaking at the conference and then I ran it through an AI generator, voice generator, and I said, hey, Mary, this is Todd. Now we just got an invoice. There's an invoice coming in for XYZ. We need to pay that real quickly, and so forth. And then I didn't send it to her phone, I did send it to his phone. And you start looking at it real quickly and you kind of go, oh, that's the new threat. And so now you start looking at the deepfakes, you start looking at AI, you start looking at these things, and again I honestly say it's an unfair fight. You got one guy, two guys. Well then, your cyber team is, and they're working really hard and they got hundreds of systems they need to lock down. You got the one guy on the other side. It's like one vulnerability to get inside, i.e., the accounts.
Speaker 3: Yeah, and it's not one guy on the other side, it's millions of guys on the other side constantly attacking you. It really isn't a fair fight, but I think that is the reason that we have to get really good at the basics, and that is empowering our people, hardening our systems, hardening our networks, understanding what the attacks are going to look like and what our vulnerabilities to them are.
Speaker 3: I mean, it's not just about the perimeter, it's also about, well, assuming compromise once they are in. Never want that to happen, but let's assume it does happen, and now look at different ways that the attackers are going to be able to move around our network or escalate their privileges, and so you have to look at that from all of those different perspectives to really understand what is, you know, what is my risk here, and, you know, how do I protect myself against it. So we are actually running a little bit low on time here, but before we wrap up, I do want to ask you about your take on the age-old argument of carrot versus stick.
Carrot vs. Stick in Security Training
Speaker 3: So what is your thought? If you could really only pick one, what would it be and why? Oh, maybe pick one.
Speaker 1: You kind of heard me earlier, so I guess I would lean more into the carrot world, i.e., the training and rewarding people and trying to build a culture, which I kind of consider... If you can build a culture of the carrot, it's a force multiplier for you. I.e., everyone in the organization gets 1% towards cybersecurity, is much better than you having three people in your cybersecurity or whatever it might be, and so I'm more of that. But I'm firmly also convinced that you need to have, I'm going to break your question here, but you need to have a little bit of a carrot too, or a little bit of a stick too.
Speaker 1: So one time I had a person go to Mexico, and so what does he do? He puts his laptop in the luggage. Okay, he comes back and he said, oh, lost, it got stolen, and so forth. We can't, don't ever do that again, don't ever do it again. And so, you know, it's bad. Now we lock it down, all the, just the issues we get, it got to do to remediate a little bit there. And so then he does it again, and he puts the dang-on laptop in there a second time. Yeah, you know, there, I hate to say that word, there are stupid questions and there are... So he did it again, and so at that point I said, I warned you, I said don't do it. You put vulnerability here, let's go to HR. You need to be gone. Okay, I think I just lost your, your voice there. Oh, I accidentally clicked.
Speaker 3: Uh, I, while I was talking, I used my hands and I got my keypad right here. But I do agree with you that there are times when you do have to utilize or resort to the stick. I also think that it's often used far too much and we resort to it too quickly. And the example I'll give is a three strikes and you're out policy. So you click on your first phish, you get remedial training. You click on your second one, you get double the remedial training. You click on your third, you get fired.
Speaker 2: But what's your...
Speaker 3: ...thought of a policy like that?
Speaker 1: I think they're coming, I think it is, but you've got to have the safeguards and the tools that the individual kind of understood that, yeah, I shouldn't have clicked it. I would also start looking at other organization type of approaches, like make sure you, you know, zero tolerance, and you say, like, now we're not going to let emails go into your inbox, everything goes into junk, and you got to whitelist it. So if you're having it whitelisted at that point and then you do it, and then you do it three, you know, several times, whatever, yet you need to go home. So there's an organization element of this associated with it to help protect the entire base. You know, and I'll go back to the accounts payable clerk. Right, clearly a phishing issue. Did she do anything wrong?
Speaker 3: No, she did her job in that case, and I think that's part of the reason we have to understand where we have vulnerabilities in processes so we can put, uh, controls around that or mitigating controls around that. That's correct, yeah, and those type things.
Speaker 1: And then how are we sweeping, uh, how are we checking for it? So, um, and you know, again, we had vulnerabilities too, uh, because we didn't have a lot of capital for the security tools and so forth. So, you know, the carrot and the stick is that tough one, you know. And I would tell you, you're gonna run into some users, I hate to use the term, but you just, like, how the hell did you even come to work today?
Speaker 3: You know, and you just... I will say I got an opportunity to speak to one of my chronic clickers not too long ago, and, uh, and you know, she right away says, well, Laura hates me. That's our cyber coach, and I say, well, why?
Speaker 3: And anyway, she proceeds to be like, well, I'm trying so hard, but I keep accidentally clicking on stuff, and I knew who she was because of how much she had clicked on, but I will say that it was mitigated, not as quickly as most of the other users, it took a lot longer for her, but it was eventually mitigated. And what it taught me was that some of the people that click on everything, just, it's their process, it's their way of doing things, and they just need a little bit more time and the ability to fail on a few more of those simulations. So my opinion is yes, there are times when you do have to do things to a phish, we're going to hit them or target them with a higher frequency of them, to give them the ability to fail a bunch of times, but also give us the ability to, you know, mitigate that risk in a timely manner.
Speaker 3: So I think there's ways we can handle that as well, where, you know, it doesn't have to be just... You know, if we're doing the same thing for everyone, it's hard to do when it's all this, when it's one size fits all. But if we're making it a little bit more unique to the individual, then I feel like we could just adjust it. Or even just if we have a high, medium and low risk group, or a chronic clickers group, whatever it is, you know, there's ways that we can do more there, I think, but then also reward the behavior, and that's behavior, clicking behavior.
Speaker 1: Say, hey, you failed this one, you failed three months in a row. Hey, you passed one. You know, we reward the guys that are always the best, but we say, how about the guys that greatly improved? Because that could be Mary Lou that, to your point, is always clicking on stuff. She didn't click on it. Hey, Mary Lou, this is great. Now, I used to, like, give out, um, 25 Starbucks gift cards, whatever, to staff that does great things. Just a nice way of personalizing, and you kind of like fishing tournaments.
Speaker 1: Uh, yeah, there you go. Thank you very, thank you very much. I mean, I know it's not a lot, but here's a little gift certificate for you. I know you're trying and I appreciate it, and, more importantly, the organization appreciates it, and it goes back to, what is that culture of doing that in the organization? Yeah, you got to work on the remediation side of it too, but if you can lay out the program where people are improving, if you can lay out the program, we sent a hundred emails and we had, you know, 20 that took it, and the next time you only have 15, you gotta champion that. You gotta champion always. Look at it. Oh, by the way, it goes to junk. Don't look at the from, look at the information as, do you recognize that, the address on it and so forth. And then, you know, slowly but surely. Then also you got to get into HR new employee orientation. This is important to us. This is why it's important to us, as well as all the other stuff.
Speaker 1: Cybersecurity, what do you do? Help desk, and I love my help desk. I could never be on the help desk because, you know, 50% of the issues are user error, but people call it. Hey, this is Mary Lou, I think I got a bad email. Hey, we'll be right down there. Thanks, Mary Lou.
Speaker 1: And yeah, 8:05, right on time, and, um, but you just go, and it's not a silver bullet, but you, I always have my, you know, as you manage it, and cybersecurity is a tough one to manage, but I kind of build, always build out my KPIs, and how do we do this month and so forth? Are we progressing in the right direction and those type of things, and that needs to be won. But you just don't champion that you're 100% safe, because you're not. You champion that we are improving along the journey. Mary Lou, you are an important part of it. You do a great job for us, and your accounts payable, whatever, and you're doing a great job of trying not to open every dang-gone email you see. You know, not everything is that special on sale this week.
Speaker 3: And when you give Mary Lou that gift certificate,
Rewarding Security Improvements
Speaker 3: I think that's an area where we almost need to be like these social media influencers, make sure everyone in the company knows about it, because I want them working for that gift certificate next month that we give to them. And not only that, it makes Mary Lou feel good to be praised as the cyber hero this month, right? It does.
Speaker 1: It does make you feel good to be praised, and you can't always do it, but it's the old adage, praise in public, condone in private. And you just got to live that as the leader to go do it. I mean, half the job of a technology leader isn't inside the organization, it's actually outside the organization, espousing the importance of it, and a lot of times it's... I went into, like, going to a lot of organizations, and the IT guys kind of sit in the back corner. They are the prickly guys. They are the guys that always say, oh, can't go do it, don't got the resources, don't got the money, don't got whatever. Then I go in there and I kind of say, yep, true, true, true, but it's our job to figure it out, and when we do, it becomes a lot of fun because you're the ones that will save this company. And that's actually what happened again. The last one was, we started laying in a few systems, and they were the prickly group. They went into a meeting one time and said, yeah, we don't have that, but this is what we can go do, and the chief operating officer almost fell off his chair. He said, I've never heard that from this group before, and so, and then a year later we had laid in some systems that were generating revenue for the company, and it turned out to be 20% of the revenue. You know, it's just enough to take us from not being profitable to being profitable in this, and the chief operating officer and the CEO leaning across the table and says, you know, while we're, why we are, why we're positive, I kind of go, no, because, you know, I'm heads down running and thinking, you know, poop all over the place, and the reason we're profitable is because of IT. And so it's your same thing about security, also goes for the IT team. If they start saying, we're not losers, we're not the ones always getting blamed, but we now have a winning philosophy, it becomes a little bit easier and they want to engage more in their job and in their position.
Speaker 1: And you go down, the person that goes down to see Mary Lou at 8:05 every day, and say, yeah, I know it's a pain, but we really do a good job of handling her. You know, we had some tough customers, and I got a little Irish in me, and I don't say, you know, I don't have a lot of tolerance for that stuff, but I got a guy over there, my project manager, you know. Guy's name was Joseph. He could just take some of the toughest customers and talk to them and get them going and get them going in the right direction. So every time a tough customer comes down, you, you know, you don't play to your weakness, you play to your strength. Hey, Joseph, I need you on this one, buddy, you're good. He goes, okay. Same thing with security. You're good at handling Mary Lou, and you've done a good job of helping to change the culture in the organization. So just minor points, but let's go.
Speaker 3: Awesome, well, hey, Pete, thank you for joining me today. We're at time, but it's been a pleasure, and for everyone joining remotely, we will see you again Friday. Thank you. Okay, thanks.