50. Security Is a Team Sport: Turning Employees from Liabilities to Cyber Defenders

Justin:

Welcome, everybody, to episode 50 of Unhacked. Guys, the team is back together. OG style. Just the three of us. I love it.

Justin:

No guest today. We actually had one. She no-showed. We're scrambling, but honestly, I think sometimes we do better when it's just the three of us. So we're gonna test that theory today.

Justin:

Here's the truth. Most, if not all, breaches could have been prevented. Right? And we are here to coach, to educate, to train business owners on how to prevent. Because guys, once you get hit, you can't get unhacked.

Justin:

Alright? I named the whole thing after it because it's all bullshit. You can't do it. You can't get unhacked once you get hit. So let's do a couple intros.

Justin:

Bryan, it's been a hot minute since you've been with us. So absolutely thrilled to have you back. Tell everybody who you are, what you do, and who you do it for because we've all forgotten.

Bryan:

Yeah. I think I've even forgotten myself. Okay. My name is Bryan Lachapelle with B4 Networks based out of beautiful Niagara Region, Ontario, Canada, and we support other businesses in their journey on cybersecurity as well as technology. And just the way I like to say it is I make the headaches go away when it comes to dealing with technology.

Justin:

Perfect. Mario, same question.

Mario:

Mario Zake, CEO of Mastech IT located in New Jersey right outside of Manhattan. Been in business for twenty years and helping, you know, small to medium sized businesses stay protected on the web and specializing in having CEOs sleep better at night.

Bryan:

Alright. I like that.

Justin:

I am Justin Shelley, CEO of Phoenix IT Advisors and today I am wearing the shirt that I wear in all my profile pictures across all social media. Random fun fact, if you look me up on LinkedIn, Facebook, anywhere, this is the shirt I'm wearing and this shirt mostly sits in the closet because I'm self conscious about it. And for that reason, I call it out and put a spotlight on it. Guys, I work with businesses in Texas, Nevada and Utah. And what I do is I keep you protected, safe from the Russian hackers.

Justin:

Yes, Mario, they're mostly in Russia. Then the government, because they're gonna come and sue you if the Russian hackers don't get you. And then finally to clean up anything that's left, we've got the attorneys that are gonna come in and file these class action lawsuits. So that is my specialty, that is what I eat, breathe and sleep and that is the shit that keeps me up at night, is making sure that none of that happens to my clients. Guys.

Mario:

Justin, it seems like this episode, episode 50, is somewhat of a little jinx. This is, you know, every time we try to record episode 50, there's an issue.

Justin:

I know. I know. Why don't you tell us more about that, Mario? Let's talk about it. Our no show, I guess, we'll call that failure number two. What was failure

Mario:

number one? Failure number one is, you know, somebody that we got on here, we started recording and going through everything. And about what? Forty five seconds into it, you know, during intros, we're like, woah. What the hell?

Mario:

What the hell did we sign up for? This guy is just like a lunatic. He started screaming and getting in the middle of the, like, in the face of the camera and then, like, you know, we're all on this platform, but me and Justin, technically, like, we looked at each other. We're like

Justin:

Oh, what the fuck?

Mario:

The fuck did you just put us into?

Bryan:

I'm glad I wasn't there for that. Yeah.

Mario:

Afterwards, camera goes out. We're like, are we stop recording? And he's like, listen, let me sell you my service. And we're like, okay. Yeah.

Justin:

I don't

Mario:

think so.

Justin:

He had no interest in the podcast. He was just there to talk about himself, to sell his stuff to us, not even to our audience. It was crazy.

Mario:

And the whole thing, Justin booked them because, you know, he this person was supposed to be in charge of, like, IT for, like, large companies. And Justin asked them a simple question, like, would you see this when you're trying to work? He's like, honestly, he's like, no. I don't I don't really see it too often. And that's it.

Mario:

The conversation ended there. Like, where are we supposed to take it from here?

Justin:

Yeah. It was crazy. It was crazy. So we're it's recorded. It's in the archives, and I'm gonna pull clips out from time to time, but never will I publish that as an actual episode.

Justin:

We're just gonna use it to say, here's what not to do.

Bryan:

Shadow 50.

Justin:

Yes. B side or whatever. Yeah. So today is the real episode 50. And I love that it's the three of us back together again.

Justin:

Sans guests, sans problems that they bring, and just breaking down the real, the raw, the dirty of cybersecurity. Guys, for quite a while I've talked about the human element of cybersecurity. We did about a year where every single month we held a seminar in the Dallas area talking about this. It was even titled that, the human element of cybersecurity. You know, and I always say 97% of breaches could have been prevented.

Justin:

You can almost use, I think ninety five. So very close to that when they talk about the percentage of breaches that are caused by us, caused by humans. It's almost all of them. In fact, I did an episode before the three of us got together. This is going way back with a former employee of mine.

Justin:

And I posed that question. I'm like, hey, I always say 97% of breaches. Damn it. I'm messing that up. I always say, you know, that whatever percent is human caused.

Justin:

And he looked me straight in the eyes like, no, I don't think so. I think it's 100%. Like whatever percent we assigned to it, really we could go back and find a human screw up in that chain and that breach somewhere every single time. What are your thoughts on that?

Mario:

Absolutely.

Bryan:

I would confirm because even if nobody screwed up, there's still a human element to it because there's a hacker at the other end that's a human. So no matter which way you look at it, it's caused by a human.

Justin:

Well, alright, alright, alright. That's that's a good point. That's a good point.

Mario:

Well, I mean, you know, like, I don't know what the exact percentage is. It's just like the number one source of breaches are, you know, coming in through a phishing email. You know? So obviously, there are people there, you know, it's a numbers game. If they send out the same email to, you know, a thousand or 10,000 people, even if they get one person, which, you know, to them that's a very successful number.

Mario:

If they get one out of 10,000 people to click on an email, you know, guess what? They're gonna click on something and something bad is gonna happen. I mean, yesterday, I'll give you an example. And part of it is sometimes it's the curiosity to see what this really is. I know yesterday, I got an email.

Mario:

Somebody sent me a DocuSign, and I knew it was bullshit. I knew it wasn't anything that, you know, I was expecting from somebody that I knew. But part of me kinda just, like, you know. I didn't click it, by the way. Just, you know, I didn't click it. But part of me is like, I wanna see what these guys are doing.

Mario:

Like, what are they trying to get me to do? You know, I know it's bullshit, but it's the curiosity in in that in me that wants to click on it.

Bryan:

Yeah.

Mario:

But, you know, we'll never know.

Bryan:

I did a webinar seminar, actually live in person, for the construction association in my area. And my theme of the entire night or the day, the session, was who is responsible for cybersecurity at your organization? And so I challenge all our listeners to ask themselves that question right now before we get started in the subject for today. Who is responsible for cybersecurity at your organization? You know, who ultimately bears that responsibility?

Bryan:

And just leave it at that, think of that question and then we'll dive into the rest of the topic that we have today. And then at the end, I'll come back and ask that same question.

Mario:

Sure, we have a topic that forgot.

Justin:

And what was the answer? Well

Mario:

Should be everybody.

Justin:

No, but what was it Keep it up.

Bryan:

Oh, so when I asked the audience, they were like, oh, well like this person that we always responsible for cybersecurity or our IT company is responsible for cybersecurity. And Mario just gave it up. But ultimately security is a team sport. It's not just an IT thing. It's not just a, oh, this person's in charge of IT for their organization.

Bryan:

It is everybody's responsibility from the top ranks all the way down to the bottom ranks. Everybody is responsible for IT but it starts at the top. You have to have a culture

Justin:

of security. Absolutely. So then we have to get into the nitty gritty though of what we're talking about because we've got who's responsible or whose job is it, which I think is what you're asking and then you've got who's accountable or who's the throat that's gonna get choked when something goes sideways. And oftentimes that mean that is spoiler alert, that's the guy at the top, that's the CEO, the guy, the gal, the whatever. And oftentimes they're the ones that we have the hardest time getting to adopt the training and to work with culture, which is kind of what we're gonna talk about today.

Justin:

Going back a little bit to the fact that the problem is humans. So here's, you asked that question to your audience, Bryan. When I did my tour on the human element, my introductory question was, what is the number one problem in cybersecurity? Where is the, you know, what's the biggest threat? Right. The biggest weakness? However you wanna frame that.

Justin:

And almost nobody would get the answer, which is us. We are the problem. Right?

Bryan:

Right. Inaction is the problem. Not thinking it's a problem is a problem. Believing that we're too small, so it doesn't apply to us. Nobody would want my information anyway.

Bryan:

Those are all

Justin:

God, that's the best one. Always the best one. Have either of you guys read Mark Goodman's book, Future Crimes? Oh, I love it.

Bryan:

That was a good book.

Justin:

Okay. So I have a stack of those books with the page folded down and highlighted. And the quote that I always read from that is, if you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. It is not a technology problem.

Bryan:

It is not.

Justin:

And honestly, we can make it really hard to hack technology. We can harden firewalls, servers, endpoints, we can set up SIEMs and all this stuff we can do to protect the technology. But that human brain, oh my God, is that easy to hack. All you've got to do is just pick the right emotion and you can get anything you want.

Bryan:

Yep. I always like to use the analogy that I can have a building and I can secure that building with a guard at the front. I could put bars all over the windows. I could put locks on every single door. But if you've got that numpty who goes and puts a brick in the back door and props it open because he wants to carry some big box outside and he doesn't wanna have to, you know, use a key to get back in, that criminal is just gonna sneak right on in there and there's nothing anybody can do about it.

Bryan:

Right. All those security protections are gone because of one person who circumvented it all by giving up information and or access without realizing what they were doing.

Mario:

Yeah. And I don't know about you guys, but sometimes I'll get, you know, a call right on my cell phone, you know, from another business owner, you know, a customer. And they don't wanna go through the proper channels. You know, they don't wanna go through like the technicians or opening up a ticket, like, Mario, I clicked on something and I don't know what this is and stuff like that.

Mario:

And they, a, they feel like, you know, all the stuff that we go through in training and stuff like that does not apply to them. And just an example, they don't even wanna go through the proper channels to get a result, you know. So it just shows that, like, some of these people feel like it does not apply to them. And those are a lot of times, you know, the cause, you know, like, and we talked about it in a previous episode a long time ago, you know, where before we started to do the whole managed services, when I was just a one-man break-fix shop. I did have one breach and it was like when ransomware was first starting and it started on the owner's computer.

Mario:

You know? Like, he was the one that clicked on something because he just felt like he should click on it, and the whole network came down because of him.

Justin:

Yeah. It's crazy stuff. I've been debating whether I should tell a similar story. We might get bogged down in stories, but you know what? Stories are fun.

Justin:

So let's do

Mario:

it. Fuck it.

Bryan:

Yeah. Fuck it. I had

Justin:

a client and the guy was just an unpleasant human. And he had my cell phone and he wanted to be able to get support, you know, like basically 20 He called me up, I think it was nine, maybe 10:00 at night, just screaming at me. He's like, I pay you to protect my computer. Now I've got a virus. This was back in the days of viruses.

Justin:

What are we talking ten, fifteen years ago? Because it's not really the way we at least talk about it anymore. Anyways, he had gotten himself a virus and I'm like, all right, Bob, let's take a look. I'm gonna remote on your computer while he's screaming at me. And on his screen, it's just like tabs and tabs of porn.

Bryan:

I thought that's where I was going.

Justin:

Gay porn no less. Whatever. No judgment there, no judgment. I'm just saying. Do you guys remember back in the days of dialers?

Justin:

So what they would do is you'd look at something and they're like, hey, click here for the next better stuff. And it would disconnect your modem and dial a new one. That was like a 900 number. Do you guys ever have to deal with that?

Mario:

One tell me up.

Justin:

Phone bills get hundreds, thousands of dollars, just nuts. And that's what this guy had going on. I'm like, Bob, listen, I don't care what you do, but just understand that it only takes one click and it undoes everything that we're working on. It's like a perfect illustration of what we're talking about right now. If you want to do that, fine, go get a computer that's just for that stuff, that doesn't have your bank account information on it for fuck's sake.

Justin:

Right? That doesn't have all your company's IP, that doesn't have QuickBooks on it. Everything in his business was on this computer that he was just blasting out there to the whole world anyways. So if you think technology is the problem, you don't understand the problem.

Bryan:

Or if I guess if

Justin:

you think technology can solve your problems. We really have to dive into this human element of cybersecurity. And I talk about culture, we can label this however we want. But let's get into that. Why is it that, one of the phrases that got kicked around while we were planning this is that people actually are more important than firewalls. Right?

Bryan:

Mhmm.

Justin:

Guys, give me some thoughts on that one.

Bryan:

I can dive in here. From my understanding and, you know, statistics, about 89.2% of all statistics are made up on the spot. Including this one? Yes. According to the statistics I've read, about ninety five percent of breaches involve human error.

Bryan:

And we talked a little bit about that, from clicking bad links and reusing passwords. And again, people are the ones that are opening up the doors to the cyber criminals. If you purposely download something onto your computer thinking it's a really cool game that you really wanted to play but you didn't wanna pay for, you've just downloaded a virus. Anything that you put on your computer that you don't pay for, you are the product. You and your computer.

Bryan:

And so the human element is where a lot of these breaches happen and they're using social engineering to trick people into doing things they're not supposed to or shouldn't. So I will Well,

Justin:

let me

Bryan:

floor to Mario.

Justin:

Go ahead, Mario. Then I wanna deep dive on the social engineering part for a second. Go ahead, Mario.

Mario:

Yeah. So most firewalls, when we configure them, we're configuring them so the bad guys can't come in, you know. But going from inside out is much easier, you know. And we have now content filtering and all this stuff, because people just click on shit they shouldn't be clicking, you know. So it's not gonna be 100% because it still has to go and analyze the site or analyze, you know, it has to have been previously reported and stuff like that.

Mario:

But still, you know, no matter what it is in protection, you know, like just like Bryan said earlier, you know, your house, your building, you know, your car. You know, obviously, you're on the inside, you should be able to get out, and going out, you know, you have to be directed into a safe area, you know, because the world in general, there's a lot of unsafe things out there. So if you're leaving the inside of your protection and going out, that's where the vulnerability is gonna come in.

Bryan:

Yeah. I've actually seen situations where the individual is giving up information on purpose, i.e. uploading files or sending information, and that would be the equivalent of opening up a window and just tossing all the jewelry outside. Right? You know, you can't protect against that.

Bryan:

You can't put bars on the windows. You can't put security protections preventing somebody who's already in throwing good things out.

Justin:

Yeah, I mean I'm just gonna keep going. You guys have already said it, I'm gonna say it again a little bit, maybe in a little bit different way. You're talking about putting bars on the windows and locks on the doors and you can put cameras in and you can put great big magnetic locks, have to buzz somebody in, but breaking that technology can become almost impossible. The problem is getting somebody inside to push that button to release the lock is super easy. Mhmm.

Justin:

Right? And by design, for safety reasons, you have to be able to get out, you know, we can use that analogy. Here's what hackers prey on. The human brain is wired for two very specific things that get exploited. One is the desire to help.

Justin:

You know, I'm trying to think of a good example. I don't wanna say damsel in distress because that becomes sexist and whatever. But we can't help our need to help people. Somebody on the side of the road with a broken down tire and, you know, somebody on the side of the street with hungry kids and a sign, like, it just tweaks our brain to see somebody needing help and to choose not to provide help for them. Right?

Justin:

So hackers love to exploit that. Yes, they do.

Mario:

The Saudi prince that needs help, that sends you an email and

Justin:

Correct. False, Mario. That's not what I'm talking about at all. So our desire to help, and then the other one is our need to avoid conflict. As humans, we are wired to avoid conflict.

Justin:

So you either get some version of, oh, please help me. I'm desperate. I've got to get this done right now. Or you get some version of, you will help me out right now. I'm gonna have you fired.

Justin:

I know your boss. I've got a cell phone number right now. I'm texting him. You better get you know, like that. Right?

Justin:

So some version of this is, now I don't have any firsthand information, but I keep hearing it over and over. So I'm gonna call it reliable. The MGM Grand breach was some version of this type of social engineering that ended up costing, I don't remember how many hundreds of millions of dollars. So just very, very, very expensive because somebody was able to hack the human brain.

Justin:

So why is it the firewalls are important? However, people are more important. It's because we are so easy to hack. Right. We are designed to be hacked. Where firewalls are designed not to be, we are designed to be hacked.

Bryan:

And the part there is, you know, making sure people are trained in what to do and what not to do. The most memorable example of social engineering that I've seen is a young lady was sitting with a reporter and they were sitting at a table together and she said, I can get into your phone and get access to the entire contents of your account without you being involved whatsoever, and he said, There's no way. And she said, All I need to know is your phone number and who your provider is. So he gave her the phone number and who the provider was. She then hopped on a call with a customer service person at that cellular operator and within three minutes had access to the entire account by pretending she was his wife, putting a baby crying in the background to simulate stress.

Bryan:

And she was pretending she was anxious and needed help and that her husband's gonna get mad at her if she doesn't get this thing done. And before anybody knew, she was put on the account because she wasn't already on the account, had removed him from the account and had changed the password. And essentially from there, she could go anywhere and gain access to the account because she could go in person, show her ID, get the SIM chip, put it in a new phone, and basically take over the whole account if she really wanted to. And he couldn't remove her because now he was removed from the account. Yeah.

Bryan:

So it is And all that within five minutes.

Justin:

The absolute classic damsel in distress I was trying not to talk about. But it is true. Like, you almost can't protect the brain against this. It's so hard. Yeah.

Justin:

And I love that video. I've seen that video. I used to use that in my presentation that I would do. Yeah.

Mario:

I mean, we see it all the time, like in our office. Like, we'll get somebody, you know, like a manager or somebody's calling and he's kinda being, you know, a little obnoxious to the technicians, like, I need this today. I need, like, you know, what the hell is taking you guys so long? You know, I need this today. And then, you know, sometimes being under that kind of distress, they make mistakes, you know, like they do stuff that, you know, we reset a password and we normally would reset it, you know, obviously we have other steps like we have to verify the person and all that stuff.

Mario:

But, you know, we usually will reset it and set it where they have to change the password after the first login. And if they forget that, that's a problem, you know. You know, you could easily have somebody make a mistake when when they're like that.

Bryan:

So with that said, how do we, you know, what steps could we use? What do we train our people on, on how to prevent these types of things? What are all the different things that we could train on in awareness training?

Mario:

Mario? I would say, you know, obviously you have to have guidelines and procedures and stuff like that and tell them, like, no matter what, you have to stick to the rules. Stick to, you know, the guidelines that we have put into place. You know, if you're following these, you should be 97% protected. Alright?

Mario:

Goddamn it, Justin. Don't you know we're recording?

Justin:

I told you that they pushed an update on my phone and I cannot figure out how to mute this goddamn thing. I shit you not. I'm pissed. You keep talking. I am literally trying to figure out how to mute my phone.

Mario:

I'm gonna You have an Android.

Justin:

Yeah. I know it. Oh, there it is. I found it.

Bryan:

So what I would say is a couple of things. One is I would concentrate heavily on There's the obvious things, you know, password stuff, making sure you have good passwords, how to spot an email, things like that. Those are all the obvious things, the things that we've been trained on the whole time. I would say the majority of our training should be focused on how to spot social engineering and what are the red flags. Specifically, I don't know if you've ever seen physical security being breached, but, you know, if you put on a vest, you can pretty much get in anywhere.

Bryan:

You know what? Those reflective vests, those orange ones?

Justin:

And a name tag. Just get a name badge.

Bryan:

And a name badge, and you can walk into pretty much anywhere. So just training your staff to be hyper vigilant. If they see somebody that they don't recognize, stop them because it could potentially be somebody who's not supposed to be there, right? If somebody's calling in with, Hey, I'm really stressed. I need to get this, this, this.

Bryan:

No, I will not break their company policies. You know, it sucks. I hate, you know, I really hate to see you needing something, but I can't help you right now because you haven't authenticated yourself, right? So just training on those social engineering red flags and how to spot suspicious people is where I would concentrate my efforts on. And then and then testing them on it.

Bryan:

Right? Purposely going out of my way to try to get somebody to breach the security and then figure out who, and if anybody does fail, then do remedial training on them. So in our industry, we do phishing simulations, but we could also do physical breach simulations by, you know, having somebody walk in with a clipboard, a vest, and a name tag and see if they can get through. Right?

Justin:

Yeah.

Mario:

See something, say something, right?

Justin:

Well, right. So reporting is another part that needs to be part of this program, creating a system and a culture that rewards people for reporting things that they see. There is a lot of shame in the world of cybersecurity, where, like, don't ask stupid questions. You know, there's no stupid question, but yeah, we say it one way and then we treat it another way. There's always shame around stupid questions that get asked, right? That has to be removed.

Justin:

There has to be a reward for reporting, whether it's useful or not. We've got to reward people for bringing that information, putting a spotlight on things that they see. Because if you're just relying on your IT company, guess what guys, we're not there when things happen. You've got to get your people. Everybody has to have their eyes on this stuff.

Bryan:

Yeah. There's also go ahead.

Mario:

Sorry, go ahead, Bryan.

Bryan:

I was just gonna say there's something to be said too about creating an environment or a culture where people feel comfortable bringing things forward. People feel comfortable saying, Hey, I screwed up and I clicked this link, right? Now, with that said, if they're ignoring the training and they're not taking the training that's being provided, I would treat that the same way that I would treat somebody not following health and safety regulations because they're putting everybody in jeopardy. But if they're following all of the procedure or they're doing all of the training and they messed up and they clicked the link they weren't supposed to, that should be a no shame, no blame type of environment, right? Don't blame them, don't shame them, don't make them feel like they did something wrong because then they're gonna hide it next time, right?

Bryan:

A good story is, you know, one of my kids, you know, at one point, once upon a time, you know, I gave them trouble for taking a sandwich when they weren't supposed to. And then one day I walked into the kitchen and my son was acting all suspicious. I was like, I wonder what's going on here. So I didn't say anything, but then he left. And a week later I find, like, a sandwich in a drawer somewhere all molding up because he had hid it.

Bryan:

Like, right? That's the kind of thing you shame them and you blame them, they're gonna hide it in the future. That's human nature. And so just creating that environment of no blame is very important.

Mario:

Yeah. And then to add on to what both of you said, like sometimes we feel like these people are just working against us. You know, like, even, you know, something as simple as, like, recovering a backup or trying to fix something or whatever. Part of us wants to say, well, what the hell did you do? You know? But we have to ask them, like, in a nice way.

Mario:

Okay. Was there something that you clicked on, maybe accidental or whatever? And they always say no, no, no. And then when we show them like, oh, you didn't click on this? Oh, well, you know, besides that one.

Mario:

Yeah. Yeah. We did do that. You know?

Bryan:

Did you put in your password? No. No. But, yeah, I put in my password.

Mario:

You know? Because sometimes, you know, it's critical to really address something in a very, you know, timely manner. And, you know, time is of the essence and it's like, well, don't make it more difficult than it needs to be, you know. Sometimes they'll call us just bitching. Like, yeah, I didn't click on anything and, you know, they start getting all angry or whatever.

Mario:

Then the second or you tell well, did you reboot your computer? Yes. I rebooted it. I okay. Because the computer says here it hasn't rebooted in, like, thirteen days.

Bryan:

That's one.

Mario:

It's you know, it's stuff like that. It just drives you crazy. You're like, this could have easily been avoided such a long time ago.

Justin:

Alright. So I've got a story. I'm gonna have to bring this up here. So you've got the shame. We have to, and I'm not sure, Mario, if your points illustrated that, you might have undone some of it because you just said behind the scenes we're shaming them.

Bryan:

I I don't. Mario does. Come to before next, we'll help you. No shame,

Mario:

no blame. I do. I do. I

Justin:

don't think there's any industry where behind the scenes there isn't some, shall we say, banter that goes on. I used to always have to point out to my technicians like, listen, if they knew everything about IT we wouldn't have a job. It is true, but what we need to do, I firmly believe this, is we have to find a way to reward. Like way before we're talking about, did you click on a link? Did you do something bad?

Justin:

We have to be very, very proactive. We have to be on offense, not on defense, where we're training, but we're doing it in a way that people actually want to participate. So with that, I'm gonna give you two examples. Number one, if we go back years and years, I put a platform in place that does have a score, a security score for each employee. And internally, I just saw my technicians start bragging about their score.

Justin:

And they loved it if they could get their score higher than mine. They always wanted to compare it to Justin, to the boss, you know, we're smarter than the boss, which I absolutely loved. Now, we actually went away from that platform for a while, tried some others and recently came back to it. And so I introduced it again to my team and you guys got to meet Leanna last week, right? So a little bit of background about Leanna.

Justin:

I'm gonna use her name, I'm gonna call her out because I love this story so much. She is not a technical person, like her background is not in technology. Her previous job had nothing to do with technology other than using a computer in an office environment. So she comes in and she's helping me with marketing and some other administrative tasks. And at one point I said something to her about, I send you emails, you don't even look at them, you don't open my emails, you gotta read my emails.

Justin:

Then we put this stuff in place. Right? Phishing simulation and all this. And she goes in and she sees her score's down. And I've never seen somebody so hell bent on getting a score back up.

Justin:

She's digging in and she finds out, oh, she clicked on an email, and she's like, it's your fault, because you made me, you shamed me for not reading my emails, and I started just clicking on everything. And then she went to, she spent, I think, two full days. Now this is not a success story on productivity within the company. But I tell you what, two days of doing all the micro trainings, the full training, going back in and looking at all of the emails. And she now knows more about cybersecurity than I do. I swear to God, I could ask her anything.

Justin:

She knows all the terms, and I did even quiz her. I'm like, all right, let's see what you really know. And I started throwing some things at her and she's just like, bam, bam, bam. I swear to God, she could get on here and do this podcast better than me at this point because of that stupid score. And it's not because she caused a breach, but it is because she failed a phishing simulation test that dropped her score down, and she will not lose.

Justin:

You talk about a competitive spirit. This girl's got a competitive spirit. This is what I wish I could create in every organization. This mindset, this atmosphere where it's not shame based, it's a, I don't know, gamifying. Handing out trophies, like your score, and it's not even like I have to say it.

Justin:

She's running around showing her score to everybody. So if we could do nothing else, like this is always a question. If we could do one thing to get the best bang for the buck, it would be this in my opinion. It would be solid cybersecurity awareness training programs. And that's a compliment.

Justin:

We're talking about what's involved in that, and it can be complicated. Just make sure it's there. But on top of that, you have to have the atmosphere that supports that. If you just throw training out, as I said on a podcast a while back, right? I was like, if you just send a link and say, take the training, that's spam.

Justin:

That's not cybersecurity awareness training. That's sending out an email and trying to get people to click on it. It's spam. It's counterproductive. We have to get this culture piece in place.

Bryan:

Yep. I like the gamifying idea. So the score really helps with that, because then you're right, like my team, they're notorious for trying to beat each other. I'm thinking of even implementing, and we've done this in the past for clients, a little bit of competition, you know, the person with the highest score, everybody who's taken the training gets entered in for, you know, a draw, or everybody who's got a score above this and has taken the training gets entered into a draw for, you know, some sort of gift certificate or some sort of prize. All of a sudden people are, like, fighting each other to take the training.

Mario:

Actually, yeah, we should probably try to do something with our clients, try to get them to do this, because the whole point of, you know, phishing training and stuff like that is kinda learning from your mistakes. And, you know, Steve, you know, that works with me, you know, a couple months ago, actually maybe a year now, he had something that came in, you know, as a training or a phishing test, and it came in from Capital One. And he saw it, and it's like, all your accounts are overdue. So he forwarded it to his wife. And, you know, his wife is sitting there trying to log into it, clicking on the link, whatever. And meanwhile, my phone is going off. And me and him are on our way to a meeting.

Mario:

And my phone goes off, and I'm looking at him like, hey, did you just fail a phishing training? Like, what the hell are you doing? And he's like, no, I didn't click on anything. And then later we found out it was his wife.

Mario:

And from then on, he stopped forwarding stuff to his wife. He stopped clicking on stuff. He's been pretty good and he learned from his mistakes. But it's good that he learned from a controlled environment, not a hacker.

Bryan:

Yeah. The irony there is that his wife received the email from a trusted source, him. Yeah. And so she's probably not even, no red flags are up, because she's like, well, my husband sent me this, so it must be legit. And he's sitting there fiercely trying to log in.

Bryan:

Whoops. Yeah.

Justin:

Alright, guys, let's go ahead and move to wrap this up. Any final thoughts, or was there anything that we missed? We're gonna do key takeaways here in a second, but is there anything that we missed as far as, we'll call this the human element of cybersecurity? We are the weakest link, like, absolutely truth. What else did we miss that we need to talk about?

Bryan:

It's making it simple, fast, nothing long and complex. You know, if you tell somebody to take a one hour long training session on cybersecurity, they're probably gonna wanna, you know, lose their mind and, you know, jump over a bridge. But if you do, you know, five minutes.

Bryan:

Here and there, five minutes a week, I think that's a lot easier to handle. Or maybe just during a huddle, right, just like very quick and simple things. Like, if you do a company huddle in the morning, just talking about it for, like, one minute will have a bigger impact than, you know, a one hour training session. Just constantly reinforcing things on a weekly basis.

Bryan:

Keeps it top of mind, keeps the awareness on an ongoing basis versus, like, a once a year training. So maybe that would be my biggest.

Mario:

Span. You know, like, the world that we live in, the attention span of people, you know, you can't have them for more than five minutes. That's why, like, TikTok and all this, the reels and stuff like that, is so popular now, because people like to just click on and then you keep going and keep going and keep going. But when you try to have them sit there for a half hour or thirty minutes, they're not gonna remember any of it past maybe the opening, you know, seat. That's it.

Mario:

You know?

Justin:

Yeah. And I've already said that, but I just think rewarding good behavior is really where all this needs to start. However you choose to do it, you know, have the plan in place, have the program, and get with your IT consultant. Go Google it. It doesn't matter.

Justin:

Put a security awareness training plan in place, and then build that culture. Reward people for taking the training, for having a score, for saying, hey, boss, look what I saw on the news yesterday. Does this impact us? Mhmm. And Bryan, you mentioned a daily huddle.

Justin:

I've said before, if you have a weekly meeting, make it an agenda item on your meeting. And just find a way. Everybody has to do this their own way, because it's your culture, but you have to find a way to get everybody involved. There's just no other answer to it, in my opinion.

Mario:

Now, this doesn't say that that's the only thing you guys need to do, you know. Like, you know, one out of every five people will still click a link. It's just the stat that's been there for years. They're still gonna click on it, and you still need to have stuff, you know, it's all about layers, you know. Yeah. Protection in case they do click on it.

Bryan:

And, you know, it is one of the layers. Right.

Mario:

That's the first layer. Like, when we go over our security stack, the first layer of defense, the one that can help you avoid the most, you know, problems, is education, training for your employees.

Justin:

And I'll be honest, I guess, I kinda think of this as the icing on top of the cake. Right? You have to have that foundation in place or none of it matters. I don't usually start with a client and say, here's the most important thing you need to do. Let's do this first.

Justin:

Although I have done that, depending on the scenario; sometimes it is. But generally speaking, we're gonna go in first. We're gonna protect the endpoints. We're gonna check the firewall. We're gonna, you know, put a good solid antivirus in place.

Justin:

But then if you don't, if you stop there, there's almost no point in having done the basics. Right?

Bryan:

This is just where we have

Justin:

to really put our biggest effort moving forward, ongoing. Alright, guys. I think we've kinda nailed it. If you just had, I like to just say, if somebody listened, one of your clients or prospects, if they were to listen to this and only this of today's episode, what would you want them to know? And I'll let you guys decide who goes first.

Justin:

Mario?

Mario:

Uh-oh. Okay. We will shame you if you don't do it. No. It's like I said, it's the first layer of your defense to make sure that you provide your employees with the proper tools to succeed.

Mario:

Educate them so that they can be safe and keep you safe.

Justin:

Perfect. Bryan?

Bryan:

My short version of what the most important things to pull out of today's episode are is similar. People matter more than firewalls. Training is important, making sure people are aware of what's out there. We can't protect against what we don't know. And just making sure that we make it a culture of learning, where we're not shaming and we're not blaming if people do something wrong. With the caveat that if they're repeatedly doing it and not taking the training, then they're a liability, and that's a different

Bryan:

story altogether. But if they're taking the training and they made a mistake, no shame, no blame, you know, that way they're not using that as a reason to not come forward next time. Use mistakes as teaching opportunities so you can up your game. I'm a very big believer in getting 1% better every day.

Bryan:

And becoming your own greatest full time. So that would be my shortened summary of today.

Mario:

I missed that, Bryan. I missed it. The 1% better.

Bryan:

1% my friend, 1%.

Justin:

I mean really if it's gonna get better doesn't it eventually have to become 2% better every day?

Bryan:

No. Because 1% compounds against tomorrow's and the one after and by the end of the year it's 238 times or something. I don't know. I'm bad at math.

Mario:

Damn. How many days do you guys have up there in Canada?

Justin:

I'm rolling my eyes so hard. You didn't even catch my stupid joke, Bryan. One percent better. If you're going to improve 1% better, you have to do it by 2% better. And never mind.

Justin:

We're gonna I'm gonna go back and edit this part out.

Bryan:

Oh, I see what you're saying. Yeah.

Justin:

Alright, guys. My key takeaway, the one thing I want people to understand about security awareness training, if we're going to just already assume we know it's important, then what I'm gonna say is that the reason it gets missed is because of overwhelm. And you know this, the story that I told earlier about Liana, where I watched her set aside, and she's very meticulous about getting her work done every day. Then I watched her for two days do nothing but cybersecurity awareness training to get her score up to the point where I did. I never said anything, but I'm thinking in my mind, I'm like, yeah, but did you get your other work done?

Justin:

And I never said that, because I swear to God, if an employee is gonna sit for two days and deep dive on this for a score, I don't care what it is. The reality is she's not gonna get hacked. She's not going to be the weakest link in my company right now, because she can answer this shit better than me, almost. I will say almost; she does like to win, so I'm going to give her that one. That is the culture we need.

Justin:

That is what we need to have within our companies. That type of almost OCD around cybersecurity, because otherwise we will never win this war. With that, guys, let's go ahead and wrap for this week. Unhacked.live.

Justin:

Go to our website and you can get all the show notes. You can get the complete transcripts, complete recordings. You can follow us. Well, social media links. We have all these published on YouTube.

Justin:

We put clips out on Facebook, out on LinkedIn, all over the place. So, and actually, I haven't done it yet, but spoiler alert, I'm going to start building out a resources section on the website where we can have downloadables, you know, checklists, frameworks, just actionable, useful resources that you can use to just get started. Start that journey. Yes, Bryan, get better every single day, and we'll even give you the roadmap for how to do that. Go to unhacked.live and also schedule a free assessment with any of us.

Justin:

We've all got that offer on the table. Guys, thank you for being here. Mario, Bryan, thanks for being here. Say goodbye, and then we're gonna sign off. Bye, guys.

Justin:

Take care. See you next week.

Creators and Guests

Bryan Lachapelle
Host
Hi, I'm Bryan, and I'm the President of B4 Networks. I have been working with technology since early childhood, and routinely took apart computers as early as age 13. I received my education in Computer Engineering Technology from Niagara College. Starting B4 Networks was always a dream for me, and this dream came true in 2004. I originally started B4 Networks to service the residential market but found that my true passion was in the commercial and industrial sectors, where I could truly utilize my experience as a Network Administrator for a large Toronto based marine shipping company. My passion today is to ensure that each and every client receives top of the line services. My first love is for my wonderful family. I also enjoy the outdoors, camping, and helping others. I'm an active Canadian Forces Officer working with the 613 Fonthill Army Cadets as a member of their training staff.

Mario Zaki
Host
During my career, I have advised clients on effective, and cost-effective, approaches to developing infrastructure that fosters productivity and profitability. My work has provided me with a broad-based knowledge of business from the inside, with an expertise in areas that go beyond IT alone, ranging from strategic planning to cloud computing to workflow automation solutions.