Musings from the Cyber Trench
Fixing Cybersecurity Awareness Training Through Behavior Change | Craig Taylor | EP 108
Vishal Masih and Craig Taylor explore why cybersecurity awareness programs fail despite mandatory compliance requirements.
This episode focuses on phishing threats, behavioral psychology, gamification, and how organizations can build real cyber literacy instead of checkbox training.
Responsible for ICAM, Zero Trust, or identity security in a federal agency, prime, or large regulated enterprise?
If you’re trying to move from strategy to execution, start with Zephon’s Zero Trust Readiness Assessment: zephon.tech/zt
Questions or guest ideas? Email defend@zephon.tech
Here's your host. This one must be everyone.
Vishal Masih: Welcome to another episode of Musings from the Cyber Trench. My guest today is a 30-year veteran of cybersecurity. In 2014, he founded a cybersecurity company called CyberHoot to help SMBs and MSPs learn cyber literacy. During his career, my guest has led cybersecurity organizations in web hosting, finance, and manufacturing. Additionally, he leads a cybersecurity consultancy that has delivered virtual CISO services to more than 50 companies. He is also a Toastmaster and a fundraiser for cancer research, having raised $150,000 riding in the Pan-Mass Challenge over the past 11 years. With that, everybody, please meet my guest today, Craig Taylor. Welcome to Musings from the Cyber Trench.
Craig Taylor: Thanks, Vishal. It's great to be here, and I'm really excited to be here today. I think this is a perfect topic and a perfect area for a conversation that needs to be heard in the world today. So thank you for having me.
Vishal Masih: Absolutely. So let's focus on the topic of the day, which is cybersecurity awareness. I know you have been in this field for a long time. So my first question to you is: if cybersecurity awareness training has been mandatory for years, why are phishing attacks still the number one way attackers are getting in? And is the training actually reaching people, or just ticking a box?
Craig Taylor: That's a great question, Vishal. There are actually two or three different parts to answering that. You're correct that awareness training has been mandatory from a cyber insurance and a best practice perspective. But I don't think everybody has been doing it for years. There are many companies out there, particularly in the SMB world, that aren't doing anything today, which is still surprising to me. That said, when you look at the literature and the studies on phishing attacks (Verizon puts out a data breach report that takes breach data from all over the world and summarizes the trends), it continues to put phishing at the top of the threat vectors companies are facing. And the answer to your question is: if we're training people across the board and we're still seeing phishing attacks succeed, what's the disconnect? Where is the failure happening? I would say there are probably two or three areas. First and foremost, there is no education program in primary school, grade school, high school, or university where you graduate with cyber literacy skills having been taught to you. So any new employees that you bring into a company are on social media saying, "Hey, I'm starting today at this company, I'm so excited," and they are targeted immediately, because the hackers know they haven't been trained on anything yet. When you're fresh out of college, you've got a great big bullseye on you. That's problem number one. But it's a little bit more of an insidious problem than that, Vishal, because problem number two is that the cybersecurity industry as a whole has been focusing on punishing clicks. I call it "sticks for clicks": bigger sticks to wave at your employees to say, stop, or I'm going to beat you some more if you click on more links.
What psychology and educators have known for decades, if not longer, is that to change employee behaviors, to change anyone's behavior, you don't punish the bad behaviors; you reward and encourage and develop the good behaviors. Think about parenting or dog training. Do you train children by punishing them, or do you train them by rewarding the good behaviors and acknowledging and discussing the things they're doing well so that they do more of it? There's a fundamental statement from 75 years ago by B. F. Skinner, the father of operant conditioning in psychology: rewarded behaviors are repeated. He never went on to say punished behaviors are extinguished. That's not possible; it doesn't work that way. That's why there's a whole theory in psychology, and in the penal system with incarcerated adults, where you have crimes and punishments for crimes, there's a recognition that the punishments don't deter the criminal activity. It just takes the offender off the street and puts them in jail, so they can't commit crimes anymore. It's not a deterrent; it doesn't change the behaviors, it just removes them from the public sphere. Dog training: you can train with a shock collar or you can train with treats. And I know so many dog trainers who are enormously successful with treats, because the dog enjoys it, the owner of the dog enjoys it, and they just want to do more and more of it. Shock collars don't work at all. It doesn't prevent the dog from going across the property line when there's a squirrel or a rabbit across the street. It's just a deterrent; it's not really effective. So that's the second big problem, Vishal: the method of training that we're traditionally using in cybersecurity is very focused on punishment theory, which doesn't work.
And it's now coming to light in the last five years, with multiple studies proving that the negative approach doesn't change behaviors. In fact, some studies say it actually leads to more clicks, not fewer, on phishing emails. So those are the big two. The third is that phishing is getting better all the time, right? AI, artificial intelligence, is enabling more and more hackers to get involved in phishing attacks who might not have been able to in the past, and to make better phishing attacks. You feed it a social media profile and you say, write me three or four attack emails to target this person, and you get them, right? Now you have to jailbreak the AI, but we know that's possible. The guardrails are just not sufficient today to protect AI from being co-opted in those ways. There are all sorts of attacks there. I've even heard of FraudGPT, and there's another one whose name I forget, but hackers are turning AI models into jailbroken models that they can use for attacking. So when you combine all of this, there's a clear and present danger for everyone in this world running a business or working at a business: very sophisticated, very prevalent, very common everyday phishing attacks that are more damaging when a mistake is made. The outcome of a phishing attack used to be encryption of your files, and that was it. About ten years ago, five years ago, they started to exfiltrate the data so they could release it online as a secondary extortion attempt, right? If you could get your files back from a backup after ransomware from a phishing attack, then they could also threaten the company with divulging its student records, health records, financial records, law firm records, or accounting records to the public, embarrassing the firm and losing goodwill and clients in the process. So that's double extortion.
About three years ago, four or two years ago, I heard of triple extortion, where if you're in a regulated industry, the hackers might report you to the regulators: they didn't report this to you, did they? They had 30 days, 20 days, 10 days, 45 days to report a breach, and they haven't, have they? So you should go look at them, because here's the evidence that we're in their network. And so the company gets fined by the regulatory authorities, and that's happening today. And there's yet a fourth way, which I won't talk about publicly, but after our call I will tell you about it. It is just too diabolical, and I don't want to put more ideas out in the marketplace, but there are quadruple extortion methods now, too. So at the end of the day, all of those things tie back to this cryptocurrency payment system that is less traceable than money or financial transactions, so it's just turned the world into a very dangerous place.
Vishal Masih: Those are a lot of factors, right? So walk me through how you would do positive reinforcement for, say, someone who clicks on a phishing email.
Craig Taylor: Yeah, so this is great. If we can all agree (and maybe there are some people who still feel like sticks for clicks are a good thing; if you go research the University of Zurich study, the Black Hat presentation from 2025, you'll see that they couldn't find a meaningful difference for people who were trained on a negative or punishment basis), then flip the script to positive reinforcement, and let's talk a bit about that for a moment. What does that mean? Well, rewarded behaviors are repeated. We know that. Psychology and educators know that in the classroom and in behavior change studies: people who are rewarded and engaged with gamification, certificates of completion, leaderboards, avatars that grow in ferocity over time; all of those things cause engagement in your end users and a healthy degree of competition with one another to advance your avatar. No different from playing an online video game where you grow your character over time. The best training products on the market today, in my opinion, use a gamification approach that creates engagement and rewards completing your assignments with certificates of completion. Most degree programs in the world have an ongoing continuing education component. At my company, CyberHoot, every time you complete an assignment, you get a 15-minute credit on a certificate towards your annual allotment of hours. In our default program, you get six hours a year towards what is often 10, 15, or 20 hours. That's an enormous benefit for people who are overwhelmed with work and too many things to do and not enough time to do them. We hand you six hours of it, and it's a twofer, because you get to be compliant and you get to learn cybersecurity that helps you personally and professionally. It's not just about work, folks. If you're listening to this and wondering, why would I want to do this?
You have a family to protect, you have personal finances to protect, you have a personal email inbox to protect. And if you do the positive reinforcement, you get people to buy into the idea of, hey, I can learn this. It's not rocket science. Once you see it and you start to piece it together with the reinforcement approach, people can actually learn this thing. I like to say, Vishal, that at my company, CyberHoot, we teach people how to fish, feeding them for a lifetime. What you see with the industry as a whole punishing people is that maybe they feed you a fish today and you're not hungry today, or you don't click today, but tomorrow you need to be fed again and again, and it's a never-ending battle. So I think positive reinforcement is the proven approach from a science perspective and from an affect perspective: how people feel learning cyber literacy skills without the fear of shame and punishment and embarrassment. They get involved, they start to care again instead of being apathetic, which is a huge problem.
Vishal Masih: So what kind of rewards have you seen that motivate the most?
Craig Taylor: So you can oversize your rewards, and it's counterproductive. Let me tell you a story that was told to me in psychology. A young man graduated high school, and he was a struggling student, but his parents were so proud of him that they bought him a car, a really fancy car, and they said, you get this car for graduating high school. We promised it to you in 10th grade, 11th grade, in junior and senior year, and you did it. You finally got it. Here's your car. What happens in that scenario for that young man is that he views the accomplishment as the reward he received. In other words, he did the schooling and passed the grades only for the receipt of the car, not because he was a student at heart who enjoyed learning the material and internalized the knowledge. What that psychology background says is that if you give too big a reward, it detracts from internalization, from what we call the internal locus of control. The individual did not motivate himself from inside; it was a motivation from outside, this huge benefit of a car. Now, teachers and educators know this as well, and coaches. I was a Level 4 hockey coach under USA Hockey certification. Little rewards that acknowledge the action and encourage you to try again if you fall down doing a crossover, or if you fail a test and get a little encouragement, like, Johnny, you can do this. Let's sit down: where did you have your problems? Okay, I think you're just mistaken here. Let's try this problem another way. There you go. You did it, Johnny. That's a great job. You passed this test. We'll redo the test. You give little rewards that don't undermine the locus of control. Where the control lives is so important in any educational or behavior change scenario.
So if you give little rewards, they're meant to encourage engagement and participation rather than apathy, disengagement, or not caring at all. And so the rewards have to be small, not huge. In the best programs I've seen, you can do things like, at an all-hands meeting in your company, hand out five $20 gift cards for lunch to the top five cyber literate employees, or the ones that are most compliant. And if everyone's compliant, even better: just do a random drawing and say, here you go, folks, we just like to recognize the great performance everyone is putting in, because we're all in this together. Years ago (and this is a message that everyone needs to convey to their employees and clients), we looked at Mr. or Mrs. IT Director as responsible for everyone's cybersecurity. It's their job to protect us, not mine. What we all know today is that everybody plays a role, because you can click on a link, you can download a file, you can do something that could lead to a really horrible outcome for your company. So get everyone involved and build this culture of cybersecurity through little rewards. The gift card is one idea; another is just public recognition. Hey, at our biweekly all-hands meeting, I'm going to call attention to one person who has done a good job, who has reported three phishing emails that turned out to be real phishing attacks in the last two weeks, and share them with everybody. Now, John, what did you see in this email? Susan, what did you see in this email that tipped you off? Use it as a sort of secret training approach: recognize the person and learn what they looked at to see that it was a fake email. So small rewards get you the most mileage, rather than enormous rewards.
Vishal Masih: How would you handle users who don't care to even complete the training? Have you seen that?
Craig Taylor: Well, I have seen it. If you think about dog training and a shock collar, sometimes the dog stops paying attention and doesn't want to participate. They cower in a corner because they've been punished too many times. It's a terrible situation, and it's hard to overcome. I talked to one individual, a gentleman with a PhD, who said, you know what, Craig, I've failed a phishing test three or four times in my career. I stopped caring about learning how to spot phishing. I just forward everything to IT. I can't be caught out again. I don't think the training ever taught me what I needed to know. I've given up being responsible for this. I'm forwarding every single email I get that is at all questionable to my IT team. That's apathetic. And there's this old saying that it's very easy to lose trust by making a mistake, and it takes a very long time to earn that trust back. The same is true for people who give up caring about cybersecurity. It takes a lot of time and effort to bring them back to caring. All you can do is sit with them and explain that it's not rocket science, it's actually quite a bit of common sense with a few nuggets of knowledge; sit them down one-on-one, work through any of the assignments they're doing or not doing, and try to get them to a point where they can see it. For example, in our case at CyberHoot, we send out a HootPhish exercise. It's a realistic phishing simulation in a browser window, on a website. We're not sending an email to your inbox to trick you. You actually do this exercise, and it's a wizard-driven approach, and it starts with the sender. Does this sender look safe or suspicious? And we might have one-letter differences in that domain name. That is what hackers are doing. That is the realism of this approach.
If you sit with a person and you explain, here's all you need to know: hackers typically can't email you from the domain they're impersonating. That's outside of business email compromise, which is a rarity; well, it's not unheard of, it happens a fair amount. But outside of that, there's usually a domain name switch that happens. They'll turn an M in Amazon, Microsoft, Marriott into an R and an N. It looks very similar. When people see it, the light goes on, and they're like, how come nobody ever taught me that? Well, because we were sending you fake emails, and we couldn't send a typosquatted domain name in an attack phish, because it would be banned by the vendor, who gets hold of one spam report and sends you a cease and desist letter. We've had that happen to us, because we still do attack phishes. Sometimes our clients... we had one the other day: a bank in the United States sent us a letter. I don't have it at my desk; it's downstairs. But: stop impersonating us. Well, the client set up the fake phishing test email from the bank, sent it out, one of their employees reported it, and we have a problem. So we have to take it down and stop using it. But what that is indicative of is that the tests we've been doing with the punishment approach have been inadequate, dumbing the end users down to spotting a very obviously wrong domain name. In our HootPhish exercise, it's exactly what a hacker will do. They'll change one letter and hope you don't pay close enough attention. So you sit down with that individual and you show them these nuances, and again, it's not rocket science. It's pretty intuitive once you see it and you understand it. Then it becomes a 10-second exercise in subsequent assignments, because once you know the rubric, you can go click, click, click, click, click, click, done. And you get the certificate. You have passed the test. Your avatar grows in responsibility and in its defensiveness. We put armor on it.
We give it a sword and a shield and all these things that grow over time. You sit on a leaderboard in your organization. You can climb up a few levels of the leaderboard if you do your assignments on time and you get perfect scores. All of that is designed to make it a game and fun, so you forget that you're actually learning cyber literacy by doing these things, right? It's one of the reasons I love hockey, Vishal. I don't like to exercise. I don't like to go for runs or work out at the gym. But if I go play hockey (I'm Canadian by birth), I don't think of it as exercise. It is, but the fun of it far outweighs and outshines the effort of exercising. So it's not a workout to me. It's time with my friends, it's a lot of physical activity, a really good sweat, but it's buried underneath the fun and excitement of a game.
Vishal Masih: That really helps. So the question I had in mind was: you talk about fear, like if they are scared, they don't trust themselves or they don't trust the actual training. But what about scenarios where people just don't care? Let me change the way I'm asking the question. Would you put a deadline on someone to finish their training?
Craig Taylor: Yes, I absolutely would. Here's the flip side of all of this. Is there a place for consequences in cyber literacy education? 100%. Absolutely. The cost of damages from a mistake is so great, you have to hold people accountable. And you can put it to your employees this way: I could treat you like a dog, put a shock collar on you, and beat you when you make mistakes, or I can make it fun and entertaining, and you could still learn how to protect the company. I've chosen the positive, responsible way that makes it fun and enjoyable and gamified. I've done everything I can to bring you to this table of cyber literacy education. You have to do the work. And if you don't, there's no raise for you if you're not compliant. There are potential consequences with HR if you continue to be non-compliant. The consequences to our company of a mistake are enormous. And listen, if you're 100% compliant and you make a mistake, there are no consequences for you. You get a get-out-of-jail-free card, because you did your assignments, you engaged, you did your best. What I used to tell my kids on the ice was this: if you're not falling down trying things that are hard, then you're not trying hard enough. I don't want you to practice what you're good at. I want you to practice what you're not good at, so you get better. That's the approach with employees. Have consequences, have deadlines, have conversations with them, but tell them that basically we're giving you the most enjoyable path to knowledge you can have, with a positive reinforcement work environment. If you don't take it, doing it this way, God help you, the next job you get is going to be doing it the old way, and you're not going to enjoy that at all. But it is very dangerous to make mistakes. So please do your part, and there are consequences if you don't.
Vishal Masih: Fun, but if you don't even try it, there will be consequences.
Craig Taylor: Right. And the opposite is also true. If you're compliant and you make a mistake, the consequences should be greatly reduced, because you did everything you could. Look, people will always have accidents. That's why we have insurance: car insurance, life insurance, cyber insurance. No one is perfect. We don't expect perfection; no one is expected to be perfect here in our company, and you can extrapolate that to all your companies. But the reality is, if you fail and you were never compliant to begin with, man, you are being irresponsible, and we're going to have to treat you as an irresponsible employee.
Vishal Masih: When it comes to cybersecurity training, how do you see it being handled or performed differently from an SMB point of view versus, say, a large enterprise?
Craig Taylor: Oh, great question. So I was involved in a big debate on Reddit the other day, and we were both right. The gentleman I was talking to was correct, and so was I, but we didn't know we were talking about different populations of users. His or her argument was that the biggest source of breaches today is a lack of privileged account management and asset management. And he or she wasn't wrong, because they were talking about enterprises. The biggest problem enterprises have today is all the tech debt of accumulated hardware, software, unpatched systems, forgotten systems, asset management, and then privileged account management as people move between roles and jobs, with all the different privileges they have, and managing that. That is how Verizon and Mandiant in their reports say large enterprises are more often breached: through a lack of asset management and privileged account management. I was arguing, on the other hand, that hackers follow the path of least resistance. Let's put it that way. I think of a river flowing, and there are rocks in the river; hackers just go around the rocks and come back and keep going, right? They want the easiest way to hack a company. And if you look at SMBs up to mid-market, it's phishing attacks, it's social engineering attacks, it's password hygiene attacks, right? And then mid-market, 500 to 5,000 employees, they're in the middle. They have asset issues and privileged account management issues and patching issues. They also have social engineering issues on the other side. So they straddle both sides and have arguably a bigger target on their backs, because they have more money and they're less hard to breach than the enterprises, and they're more profitable to breach than the SMBs. Does that mean hackers don't target SMBs?
Heck no, they target SMBs because it's fish in a barrel. There are some that are not doing any training, right? So, pretty much depending on what target audience you're trying to protect, you need to focus on different areas. And by the way, let's put it clearly: all three require awareness training and positive reinforcement and gamification to keep people engaged and participating and learning and moving forward, especially when they hire brand new graduates out of universities who have had no training. So everyone needs to do the awareness part, everyone needs to do the phishing part, but you also have to add on those other layers.
Vishal Masih: So on the enterprise side of things, you focus more on privileged access management and access management. The SMB side is more social engineering and phishing. I agree, yes. So for a CISO or a CEO, what is one thing they could change tomorrow to make security awareness training actually stick?
Craig Taylor: I think we've covered that one for quite a bit of this call. Positive reinforcement really is what makes people's behavior change. Think of a slot machine. The slot machine is the most powerful and addictive tool that humans have ever created. Pull the lever, pull the lever, pull the lever, and eventually you're going to get a reward, right? It's called an intermittent reinforcement schedule. I trained rats to press a lever in college in my psychology degree to get a pellet of food, and you start with one for one. Press the lever, get a pellet; press the lever, get a pellet. But you quickly move on from one for one, meaning a fixed schedule. An intermediate step is press it five times, get a pellet, and they know they have to press it five times. If they're getting hungry, they go one, two, three, four, five, and they grab it without even stopping. They just know it's coming. Then the most powerful reinforcement for behavior is the intermittent one. You can press it five times, ten times; you don't know. It could be on the first press or the tenth press that you're going to get a reward. That's what a slot machine is, and that's why people get addicted to them so badly. But it changes their behavior, because they're searching for that serotonin fix of a win, right? Just like scrolling on our phones is little tiny dopamine hits all the time. It's really addictive because it's a reward mechanism. Our brains and our bodies were designed to reward that attention to something, and it gives us a chemical benefit. So that's what would make the biggest change in security awareness and have it actually stick: keep small rewards in the program, public recognition, a free pizza lunch.
In our company at CyberHoot, we have the ability to create tenants, and we have a lot of school districts that use our platform, and they have multiple schools in the platform as individual tenants, and they compete with one another to get the highest scores across the school district, and then they get a free lunch once a quarter or once every six months, and they get bragging rights, right? The middle school was the winner of this quarter's cyber literacy, cyber smarts, and we thank them for all pulling the line. Because schools, let's face it, have been targeted a lot by ransomware. They carry cyber insurance, they have mature processes around handling ransomware events, they call certain law firms to help protect them under disclosure laws, they've got it all dialed in on how to handle these breaches. But why have so much time and energy spent on recovering from a breach? It's not a bad idea, but you should maybe put a little more effort into not being breached to begin with, right? That would be amazing.
Vishal Masih: Let's change gears a bit. How does CyberHoot do it? Do you have video trainings? Is it a portal, or is it in person?
Craig Taylor: Yeah, so CyberHoot was designed first and foremost to remove all of the different points of friction in delivering awareness training to your employees. What's that friction? Well, from the end user's perspective, it's having to remember where to log in to get your training. We send assignments via email to your inbox. We remind you when you forget; we keep reminding you until you do it. And if you didn't do last month's, when you do this month's, we'll tell you at the end of your training this month. It could be a video assignment, three micro-trainings. By the way, Vishal, we don't do 45-minute trainings; we don't even do 10-minute trainings. We only do three-minute trainings at most, often two minutes and that sort of thing. But we remind you: when you finish your video this month, we pop up a screen that says, hey, wait a minute, Vishal, you didn't do last month's. Here it is. Click now and just get it out of the way. So we give you every opportunity to be compliant. Then when you finish, we give you your certificate of completion. We tell you your avatar has grown from level one to two to three to four to five to six. And by the way, those avatars are all high-resolution images of owls with armor, and it's kind of a cool little side note. We didn't think people would care, Vishal, but we get support tickets almost every month saying, how come my colleague is ahead of me when we've done the same score, the same exact assignments? And we go and we look and we say, well, Susan or John, you did your assignments late. Just like in school, you get fewer marks when you turn in your assignment late. And oh, by the way, you got 90%, but your colleague got 100%. So that's why they're a little bit ahead of you. But you're doing great; keep it up, and maybe you'll grow beyond them in the future. We have a leaderboard now, an anonymous leaderboard.
So Vishal can look at his rank within a company of 50 people, 70 people, and you're at spot number seven. Excellent. You're seven points off the lead, or seven spots off the lead. But this is how you get unintended consequences in life, Vishal. I'm always thinking in my head, what's the unintended consequence of this? Managers who typically ignore training because they're too busy see their leaderboard status at 38 out of 40, and they suddenly start doing their training, because they can't be a leader in the company and be dead last on the leaderboard, right? What if somebody finds out? So it has this magical ability to boost everybody's engagement, having that leaderboard in there. It's a magical thing. So those are all different things we're doing at CyberHoot to reward, but not with so big a reward that we take the focus away from inside the individual: learning these skills, being a lifelong learner, a cyber literate person. I'm learning this because I think it's important. A reward so big that it just becomes "I'm only doing it because they give me free lunch every Tuesday"? That's not going to work. They're not going to pay attention; they're not going to really understand the concepts we're teaching.
SPEAKER_02So, how long does a typical program last? Is it continuous or is it annual?
SPEAKER_01Awareness training is like physical fitness, Vishal. If you try to go once a year to the gym on January 3rd and do a six-hour workout, the best thing that could happen is you get really sore muscles and you never want to go to the gym again. The worst thing is you hurt yourself because you pull a muscle, because you just worked out for far too long. If you try to do awareness training, and this is one of my big pet peeves, in a one-hour-a-year sit-down with everybody, it's useless. I mean, for 20 minutes after it, they'll be talking about who was snickering and not paying attention in the training, not about the training. And then it's lost. You need to do periodic training. And what we found as a really, really good periodicity or frequency is a once-a-month video of two to three minutes and a once-a-month HootPhish exercise, because phishing is so prevalent, to just practice that muscle memory. So when you go to your inbox and you see an email and go, huh, this doesn't look quite right, you go immediately to the sender, aha, delete, or forward to IT and delete, because you've confirmed it's a phishing attack. So that is the frequency that really works well, but you can't stop because, like physical fitness, you become out of shape if you don't keep going to the gym. And it doesn't take a lot of time. This is something we've learned in physical fitness too. You can do high-intensity interval training, H-I-I-T, for three to five minutes, three or four times a week, and you can stay in shape. Oh my God, for 20 minutes a week, I can stay in really good physical shape. Or stretching, that's why yoga is amazing, because you do these little yoga stretches and you're all limber, and, you know, it's a wonderful thing, but it doesn't take hours and hours and hours. So I think that is the best frequency for anyone listening to this. You have to do it every month, once or twice a month, in different modalities, right?
We have videos, you read the questions after the video, you get an explanation of the context of the questions in an email that gets sent to you afterwards from CyberHoot. We're trying to give you as many modalities, visual, audio, reading, writing, to teach you these skill sets so that it sinks in and you can digest it, but always in little micro-trainings that don't take too long, so you don't feel like it's just a burden.
SPEAKER_02I'm curious, how do you handle deepfakes?
SPEAKER_01Well, it's a knowledge thing, right? Look, deepfakes are not something many people have experienced yet, but they are coming. If you watch videos on YouTube or Facebook Reels or any video program, Vine and all those different ones, TikTok, I think the number is 40% of them are AI-generated. So it's not real life that happened in front of your very own eyes. Sometimes it's obvious because there are, like, whales floating above the ocean and swimming around, but other times it's very subtle, right? The reality is, our reality as humans is going to begin to blur more and more between real life and what can be created with AI. Deepfakes are one of those areas where a little bit of knowledge goes a very long way. What is the ultimate purpose of a deepfake? It's some form of financial gain. It could be through notoriety on your YouTube channel, because more people watch your YouTube, so you get to charge more for advertisers and you make more money. It's money-driven there. If you're trying to extort people, right, there's a new brand of deepfake hacking where people will get video or voice capture of a CEO or a CFO in a company, and they'll put it into an AI tool that can mirror that voice and create an identical-sounding CEO or CFO who calls the other party up and says, I need a wire transfer for that purchase. Remember, we were talking about purchasing this company? Well, it's going through, and I need the wire to go here now. Do it immediately. And the simple fix for that, and everyone listening to this should take a moment in your next team meeting, your next leadership meeting: establish a safe word for financial transactions and a secondary method of a forced phone call back. So when your CFO calls you up and says, I need to wire money, you say, sure, what's our safe word for financial transactions? Don't share it with anybody, don't even tell the person on the phone if they plead and beg for it.
Don't do that. Just say, Well, I'm gonna have to call you back, because you don't know the safe word. And they'll do everything in their power to not let you hang up. But you know it's a fake at that point, right? And this is also true for families. Don't miss out on creating one with your spouse or your significant other, because someone's good. This happened to my stepmom and my nephew. She got a call from her nephew saying he had had a car accident and he needed $10,000 to get out of jail. And could she bring it to him? Could she wire it to him? Not bring it, but wire. So she asked my brother to go to the bank with her, and she wouldn't say why. And he was very suspicious of her. And finally she said, Because your son has had a car, blah blah blah. She explained what was going on. He's like, Well, let's just hold on a moment. And he called his son, her grandson, and he picks up, he says, Hi Dad, how you doing? Having a great day here, how are you? And her face drops. She's like, What do you mean? I thought you were in jail. No, no, Gram. I'm just, dah, blah, blah, blah. You know, what he's doing. It's happening, and this was a year ago. This is happening more and more. So you have to have a safe word with your family members too. You know, make sure it's not something that comes out in everyday conversation. And then call that out when someone has an accident or emergency. Do this with your, you know, romance scams too, right? Oh my goodness, there's that as well. There are all sorts of different scams. We cover that, by the way, Vishal, in all of our videos. We produce 12 new two-to-three-minute videos a year at CyberHoot. And we had one last year on -ishing attacks, so phishing, smishing, quishing, and vishing. That's voice, QR code, SMS text, and email. Then we had another one on financial scams, like overpayment scams.
You sell something on Facebook Marketplace, someone sends you $300 when you only wanted $100, and then they immediately send you a note: Oh, can you wire back or give me back $200, because I overpaid by accident? No, they didn't. They used a fraudulent card. You're not going to get paid the $300, so don't send anything back. You know, romance scams, charity scams. You know, if there's a tragedy in some area of the world, suddenly websites pop up all over the place: Donate to the cause, you know, be a good human being. And if you don't check that charity out, it could be a scam. They're just pocketing the money. So we cover all these kinds of personal and professional problems, threats that we all face, in our annual videos, all automatic, 12 new videos a year. You never watch the same video twice, but we cover the emerging threats, all kinds of things we could talk about.
SPEAKER_02But I thought you also focus on the personal side of things besides just work, because, you know, you're an employee for eight or nine or ten hours of the day, and the other 14, you're a person, right?
SPEAKER_01You could be attacked, and if your identity is stolen or you have a financial crime, you're not gonna be a very good employee. And what's more important, though, is it builds engagement, because I'm learning things that don't just protect my company, they're protecting my family, and that buys engagement. I shouldn't say buys, it encourages engagement, because the employee says, I'm not just doing this for the company that doesn't pay me enough, that works me too hard, all those things that go through people's heads. I'm doing this because I'm gonna protect myself and my family and learn these really important skills that no one else has ever taught me. And most of all, it's fun to do it, so I don't mind it.
SPEAKER_02So this has been a very interesting conversation. Now I would like to shift, and it's time that my audience and I get to know you a bit better. So, where did you grow up? In Canada?
SPEAKER_01I grew up in Canada in St. Catharines, Ontario. It's actually a much smaller town than that, but that's the only place anyone will ever find on a map. And I spent the first half of my life in Canada, going to the University of Guelph. I have a degree in psychology, but I quickly learned that with my degree, in order to get a job in psychology, you need a PhD. And I was tired of school. It was a lot of effort for good grades for me, right? I got good grades, they were A's and B pluses, but it took so much effort. I was always jealous because for my brother it was a lot easier. He barely worked hard at his school and he got A pluses all the time. He was super smart. He turned into the clinical psychologist, right? So I spent the first 25 years, 27 years in Canada, 26 actually, and then moved to the States when my now ex-wife got a job at the Mayo Clinic. I was able to move in that direction. We had to take that opportunity; it was an amazing opportunity. And we moved to the U.S. 27 years ago and had two kids, and they put down roots in the U.S. And so now I am always tied and locked in, as a U.S. citizen, I am a U.S. citizen now, to the United States and supporting it and helping companies succeed here.
SPEAKER_02So I guess you played a lot of ice hockey.
SPEAKER_01Yes. Yeah, I did, and I still do. I could have played this morning, but I didn't. I skipped today. I played yesterday, I'll play Friday and Saturday. So I play three or four times a week. I like to mountain bike. I like to do fundraising for cancer research. There's a really good fundraising activity here in the Northeast, particularly in Massachusetts, called the Pan-Mass Challenge. And my son and I get to do this together. Over the first weekend in August, every year, we jump on a bike. Well, we prep for it for many months, riding many, many miles on our road bikes. But in that first weekend in August, we get on our bikes and we ride 192 miles in two days. That's all it takes. The first day is 109 or 110 miles, and it takes about seven or eight hours. There are a lot of riders on the road, like 6,000 of us, 7,000 of us. So it's not something where it's a race to the finish line. We are socializing while we ride and talking and really trying to just make it through the 110 miles. That's a long way. Your tush gets a little sore by the end of that. Getting on the bike on Sunday, oh my goodness, it is so painful. But we do that because, number one, I'm healthy enough to do it. But I think my son and I, we've raised over $150,000 for Dana-Farber, and they have created novel cancer treatments, and they've created ways to reduce the negative side effects of cancer treatments over the last 25 years. The Pan-Mass Challenge has raised over a billion dollars since 1980, when it started. And not all of that money, I think there were multiple charities in the beginning, but most of it has gone to the Dana-Farber Cancer Institute. And they've come up with groundbreaking treatments for everything from some of the more stubborn cancers to the less well-known or less common cancers. You know, it's really a tragedy when a young kid gets an unusual cancer and there are not a lot of options for treatment.
And those are the things that some of the funds we raise help to develop new treatments for, those kinds of situations. So it's really, you know, you try to give back to the community a little bit. I think that's what life's all about.
SPEAKER_02Why that particular charity, do you think?
SPEAKER_01I have to blame one person. One of my best friends was doing it for three years on his own. He joined the Boston Bruins Foundation team. That's the former Boston Bruins hockey players, you know, from the NHL. They had a team and they were always looking for additional helpers to jump on the team and raise funds. And once every October, we give a check to the Pan-Mass Challenge, which then turns it over to Dana-Farber, somewhere around 250,000, 300,000 each year. But they do that through 30 or 40 riders. And Sean, my buddy Sean, was on that team, and he looked at me one day and he says, Hey, why don't you do this with me? You like to ride. I like mountain bikes, actually, I much prefer mountain biking to road biking. And I said, Well, I don't know the first thing about fundraising. But then I found a way to raise the money. I run a hockey tournament for 150 hockey players one day, usually in May. And oh my gosh, everyone is so generous during that tournament. They're buying tickets and they're paying an entrance fee, and we raise $20,000 every year, just about. And the rest is history. That's why: it was my friend Sean who got me involved to begin with. Then his son joined him, and my son joined me. And what a wonderful family event. And we have multiple teammates who have their father, daughter, father, son riding on that Boston Bruins Foundation team.
SPEAKER_02That's very nice. Yeah, I think it's nice to also build that bond with your son, too.
SPEAKER_01It is, yeah. It's important. I think my dad was my hockey coach growing up, and I was my son's hockey coach when he was growing up, and my daughters' as well. And it's important to give back to the community, because maybe some people listening to this say, well, I don't have time to donate to the community. I'm a Rotarian as well. Christmas tree sales just last month. What you get back far outweighs and outshines what you put in. In other words, the 192 miles was really not that hard physically. At the end of the day, I mean, I'm in pretty good shape and so is my son, and we can do it without too, too much struggle. But the amount of goodwill and companionship and friendships we build out of this, it just far outweighs what we've put into it. It's like what goes around comes back around tenfold. So I guess you could say I'm a little selfish doing these community service things, because I get so much more out of it than I put in. I don't know. Is that fair?
SPEAKER_02That is a good way of being selfish. Yeah. Yeah. Okay. Tell us how people can reach you. Please share your information.
SPEAKER_01Yeah, so first and foremost, you can go to cyberhoot.com and you can learn about our platform there and our product. We can also do a demo with you. If you send an email to sales@cyberhoot.com, we will be able to reach out to you and give you pricing or even just book a demo for you. Our website gives you a little bit of that information as well. I'm on that email, so if you want to reach out to me, you can still send it to sales@cyberhoot.com. We do have a special gift for you today, Vishal. Anyone that signs up and mentions your, you know, Cyber in the Trenches podcast, we will give a 20% discount on all fees for one year off of whatever the published pricing is. And we have special discounts for nonprofits, governments, educators, and charity organizations, in addition to what I'm talking about now. So we really try to practice what we preach. We want to make the world a better place, leave it better than when we got here. We want to do that through cyber education of very simple things that most people are never taught well and are often taught with punishment. We're doing it positively. Our new slogan is laugh, learn, and hoot up. You know, that's what we like to say. Hoot up, yes, because of CyberHoot. Yep.
SPEAKER_02I think the background that you have, coming from psychology, has played a big role in the way you are tackling this problem.
SPEAKER_01I think it has, because, you know, psychology has studied how humans think and what motivates them, how behavior changes, what creates the most behavior change versus the least behavior change. And when you study it from a multidisciplinary approach, and I mean cybersecurity, from a multidisciplinary approach, you can look at it from psychology, you can look at it from educators, right? Think of the best teacher that you've ever had teaching you a class or a subject. Was there ever a punishment involved in her classroom or his classroom? It was always empowering and lifting you up and saying you can do it and you can learn this, and you're doing a fantastic job. There was so much positivity and positive reinforcement. That's what teaches people things, and it's quite common sense. Why cybersecurity is focused on sticks for clicks, I cannot fathom, other than, you know, the people running the show, Kevin Mitnick, KnowBe4, and all these different companies, they were brought up on a punishment basis first. And I don't think they did it intentionally. Everyone wants this noble cause of not letting people click on links that can cause damage, but they've missed out on the psychology of how to make that happen. That's where we really want to refocus the industry: on positive reinforcement.
SPEAKER_02Well, Craig, before we end, I have one question for you. Which is your favorite ice hockey team?
SPEAKER_01My favorite ice hockey team? Well, because I'm on the Boston Bruins Foundation team, I do have to say the Boston Bruins. I did grow up as a Leafs fan in Toronto, just across the lake. But when I lived in Minnesota, I followed the Wild. And when I lived in Delaware, it was the Philadelphia Flyers. I'll tell you a little secret about me. I've played against three alumni teams: the Toronto Maple Leafs alumni, the Boston Bruins, and the Philadelphia Flyers alumni. I got to go on the ice with Dave Schultz, and he got me by the face mask at center ice and shook me around and said, Hey punk, settle down. You're not going to embarrass us, and you're going to cause somebody to get hurt. So just calm down. And I was all excited, because Dave Schultz, one of the biggest tough guys of the 70s and 80s, had given me a face wash. That's a very hockey term; for anyone listening to this, you'll know what I mean. But, yeah, so hockey and these different sports are kind of my passion in life. So it's the Boston Bruins.
SPEAKER_02Awesome. So if the Boston Bruins are playing the Toronto Maple Leafs, you will support the Bruins? Yes.
SPEAKER_01And I do that also because of my brothers who are in Canada. One is a diehard Toronto Maple Leafs fan, the other two live in Ottawa, all of them live in Ottawa, so the other two are Ottawa Senators fans.
SPEAKER_02Awesome. Okay, well, this brings us to the end of the episode. Craig, thank you again. It was a real pleasure speaking with you today.
SPEAKER_01Vishal, the pleasure was all mine. You are an excellent interviewer, and your insights are superb. Thank you for having me on your show. Absolutely.
SPEAKER_00Thank you.