72. Why Your Cybersecurity Training is Making You LESS Safe - with Craig Taylor
Justin Shelley (00:00)
Welcome everybody to episode 72 of Unhacked, guys. Week after week we show up. We're here to protect businesses from the game-ending cyber attacks that just seem to be everywhere these days and getting worse. Um, we're going to run around the room and do some quick introductions. I've been going first long enough. I'm going to punt this over to Bryan first, Mario second, I'll go, and then we'll introduce today's guest. Take it away, guys.
Bryan Lachapelle (00:26)
All right.
My name is Bryan Lachapelle with B4 Networks based out of Niagara, Ontario, Canada, and we help business owners reduce the frustrations and headaches that come with dealing with technology.
Justin Shelley (00:37)
All right, all right, Mario.
Mario Zaki (00:40)
I'm Mario Zaki, CEO of Mastek IT, located in New Jersey, right outside of Manhattan. Been in business for 21 years now, specializing in helping small to medium-sized businesses stay safe from the Chinese hackers out there. We specialize in making sure business owners keep the ability to sleep better.
Justin Shelley (01:07)
Right. You got the Chinese, Mario, as always. I've got the Russians. I am Justin Shelley, CEO of Phoenix IT Advisors. And I help companies use technology to build wealth, build their business, grow their top and bottom line, and then protect that from the Russian hackers. I team up with Mario for the Chinese, Bryan comes in for all the rest, but also we're protecting people from government fines and penalties, class action lawsuits, you know, because it's never enough. It's not like we got into business to just run a business. No, no, we're here now. We've got to do all this other BS. All
Mario Zaki (01:10)
Ha ha ha ha!
Craig Taylor (01:10)
Hmm.
Justin Shelley (01:36)
We'll keep it PG-rated today. All right, guys. So let's go ahead and introduce our guest. This is a very interesting and timely topic. I read an article, actually I lie. I just read the headline. And it said something about how cybersecurity awareness training doesn't work at all. In fact, I don't know if it said it was worse, but that's my memory. Again.
Craig Taylor (02:01)
Some
of them say that.
Justin Shelley (02:02)
I
didn't read it. Yeah, maybe, maybe our guest today is gonna see, he can't even wait to get started. I haven't even told him your name yet. Craig Taylor's with us. Craig is the, let's just get some of his background. 30 years of cybersecurity experience. That's impressive, Craig, especially since cybersecurity hasn't even been a problem that long. He has, I'm kidding. Just, all right.
Craig Taylor (02:25)
The Morris worm would argue differently, and Code Red and Blaster, but we'll let that
go.
Justin Shelley (02:30)
Listen, we aren't about truth here. Just kidding. A little, a little bit of professional training, which, I'll be honest, we've talked a lot about how this industry is unregulated and you can call yourself a cybersecurity expert without any credentials whatsoever. But Craig comes today as a Certified Information Systems Security Professional, CISSP. This is a real deal certification. Craig, how long did it take you to get that?
Craig Taylor (02:58)
The exam itself was like four hours of misery, but it took about six to eight weeks of actual practice and studying. And we went through coursework, but you can't even sit for it until you have five years of experience and you have someone that nominates you who has already got it or is in the industry. There's a lot of hoops you have to jump through. I think what's interesting about that is...
Mario Zaki (03:20)
Sounds like a special club, huh?
Craig Taylor (03:22)
I've had it for almost a quarter of a century since 2001, which is making me feel even older than my 30 years, you know.
Justin Shelley (03:29)
Again,
Mario Zaki (03:29)
He
he.
Justin Shelley (03:29)
I don't think cybersecurity was even a problem back then. So you've been certified in this world before it was even a real problem. Listen, I'm kidding, but I will tell you that my entrance into the world of cybersecurity, I got into this as a computer technician. That's what I was, that's what I loved. I got thrust into the world of cybersecurity by accident and it definitely happened after 2001. So that's why I kind of joke about that. Okay, so you've got your certification. You've been doing this for 30 years.
Craig Taylor (03:31)
Hmm
Justin Shelley (03:58)
At some point, I believe about 10, 11 years ago, you decided to co-found a company called CyberHoot. Did I say that right? CyberHoot. And what's your, your seven-word pitch there? Elevator pitch, minus.
Craig Taylor (04:06)
CyberHoot. Yes.
Positive reinforcement to change behaviors in cyber literacy and awareness. That's what we do.
Justin Shelley (04:20)
Okay, beautiful. I didn't count either.
Mario Zaki (04:22)
I didn't count, was that seven?
Craig Taylor (04:24)
close.
It might have been eight.
Bryan Lachapelle (04:26)
Close
enough. Good to go.
Justin Shelley (04:27)
Yeah.
Listen, I read a book one time and it said your, your tagline needed to be seven words or less. So that's why I say that. I don't even know what book it was. Actually, I believe it was like Guerrilla Marketing. Anyways, on track here, you worked for or with organizations like JP Morgan Chase, Vistaprint. I mean, you've, you've been around the block. You've talked to some, worked with some bigger companies. Were you an employee at that time for those companies? Were you a consultant?
Craig Taylor (04:52)
I was a full-time employee at CSE, Vistaprint and JP Morgan Chase. And the origin story that has two sides to that coin was I was fired at one of those in 2014. Turns out I was competing for the one job there was with a local handpicked vCISO. I was hired by the corporation and for 18 months we were trying to help this organization within the bank, we'll say.
Justin Shelley (05:12)
Okay.
Craig Taylor (05:21)
And ultimately I lost and was terminated. I said, hmm, what am I going to do with my life? This is an opportunity. Once I got over the real painfulness of being fired, that's not, I don't wish that on anybody, but it was the best thing that ever happened to me in my entire life because I finally took the reins of what I was doing and said, I'm going to build something better than what's out there. And that was the origin of CyberHoot. The beginning was in tragedy, so to speak, but it was actually a blessing.
Justin Shelley (05:48)
Right.
Bryan Lachapelle (05:50)
Usually is, isn't it?
Craig Taylor (05:51)
Mm-hmm, it really can
Justin Shelley (05:52)
Yeah.
Craig Taylor (05:53)
be.
Justin Shelley (05:54)
I was fired from my last job in 1997 and, say similar, you know, I had to go home to my wife, my brand new baby. My father was actually staying the night that night for some reason. I don't remember why. And let them know that, hey, we just bought that car. You know, I'm not sure how we're going to make the payment. Yeah, it was rough. That was a, that was a bad time. But that was the beginning of my entrepreneurial
Craig Taylor (05:58)
Yeah, very.
my-
Justin Shelley (06:21)
experience. Well, that's a longer story, but anyway, so yeah, I can relate. Not a good day, not a good time. I believe you do more than just CyberHoot, right? Don't you also have a firm that does, and I'll say vC, but chief information security officer, right? You're kind of an outsourced or a fractional CISO.
Craig Taylor (06:39)
Yeah,
yeah, we do. I had this really just fortunate brainstorm idea about seven or eight years ago to found a peer group of virtual CISOs. And just because CyberHoot was talking to so many MSPs and so many security professionals who could use our platform to train and govern and test and all the good things that you need to do a cybersecurity program, I was exposed to these people and we were all lone wolves. We were all trying to do it by ourselves. And I'm like, my God.
What if I could share what I know with those folks and if they could share what they know with me? I said, let's start a group of five people. I started it; it is 25 people now. We meet tomorrow, in fact, and we're going to be going over another presentation I just delivered today on phishing in the age of AI, and AI has been crossed out and it now says in the age of agentic AI because of the Anthropic report from the 13th of November that everyone's got particles about.
Justin Shelley (07:33)
Right.
Everybody excited about that one.
Craig Taylor (07:37)
So I have a presentation
about that we're gonna review. It's a huge deal in the cybersecurity world because AI was always like, do this one thing and make sure you don't F it up, right? And then do this next thing and don't F it up. But Anthropic had the hackers jailbreak it and they said, do these 20 things in a row and check your answers against this special page of what we're looking for.
And they got it to do it. And so they attacked dozens of companies out there in the world. Anthropic got word of it either... I think Anthropic got word of it from the companies being attacked saying, what the F are you doing to me? Here's this amazing thing, launching 28,000 attacks in an hour and getting into my network and sending phishing and all this good stuff. So it was really a watershed moment in the world of AI and, and, agentic agents and attacks. Very interesting stuff.
Justin Shelley (08:12)
Yeah.
It's interesting stuff. I got Robert Herjavec, he did a little video on it. Yeah. Listen, it's crazy times. I don't know how many times we've said this is the wild, wild west, and in the world of technology it's like every, every few weeks we reboot that and we've got a new version of the wild, wild west. And when we're trying to catch up, it's really, it's really a terrible way to live, but here we are. I know, I know it's terrible, but we love it, I guess.
Mario Zaki (08:33)
Yeah, I saw that.
Craig Taylor (08:33)
Hmm. Yeah.
Mr. Shark.
Mm-hmm.
Bryan Lachapelle (08:51)
There is no catching up. It's a cat and mouse game.
Mario Zaki (08:51)
All
They are taking
over the world.
Justin Shelley (09:00)
I know who's "they". Anyways. So Craig, real quick, you, another point that I wanted to make is that you work with MSPs or you guide MSPs on the so-called cybersecurity best practices. Again, I want a very concise explanation of what that is.
Craig Taylor (09:11)
Mm-hmm.
So, you know, anybody can put up their... No, it's a different thing. So our virtual CISO offering, because we have exposure to so many virtual CISOs, some run their own businesses and their own practices, some are independent consultants. We 1099 a bunch of them to us, to ourselves, and we have a process, a tried and true methodology and a set of deliverables and a tool, the CyberHoot platform, that helps deliver...
Justin Shelley (09:20)
Is that the same thing? Is that your peer group or is that different? Okay.
Craig Taylor (09:46)
governance policies to employees, to all employees to sign off on with legally binding signatures. Hey, here's our password policy. When you sign up for that SaaS platform, follow these rules and set up the MFA and put it in your password manager and make sure it's 15 characters in length or longer. All that stuff is governance policies for discretionary controls tied to the mandatory controls of the MSP. And you've got a good program, right? And so we've tagged a bunch of folks that can be 1099 to us to help us have bench strength
and bring that to the MSP for a specific client that wants to get CMMC certified or has HIPAA compliance or PCI compliance or just wants to have a sleep-at-night comfort. I heard Zach, Mario say that, or it was Bryan. One of the two of you said we help companies sleep at night, right? That's what the virtual CISO does because guess what? You can't find a CISO at an MSP or even at a business that they support in the mid-market and smaller for less than
Bryan Lachapelle (10:29)
Mario.
Craig Taylor (10:42)
a couple hundred thousand with any level of experience, right? But you can get my team and our group of redundant, backed-up people to be your CISO virtually or fractionally for eight, 10, 12 hours a month at 36, 46, $50,000 a year. And you can get the benefit of 12 people and 20 people talking about it once a month. And if I have a problem, you have a problem, I can bring it to 25 people and say, what's the best answer for...
a vendor in this space or for a solution or a process or a document or procedure, or how do I harden, you know, how do I stop session token theft in my M365 environment? All those things we can get answers to pretty quickly from the collective of our peer group or the actual vCISOs on our accounts.
Justin Shelley (11:32)
And I'm not going to lie, Craig, as a business owner who knows nothing about cybersecurity and technology, I have no idea what you just said, but we're going to break that down soon, soon enough. This was just your friendly reminder. We're talking to business owners, not technology guys.
Craig Taylor (11:40)
Okay. Okay.
That's right.
There you go. Good. Good point noted.
Justin Shelley (11:51)
Um, Craig, now, now that we're done with most of that, the, the final thing I want to kind of point out is, with all that, that sounds like plenty to me. It sounds like you've got enough going on. Um, but on top of that, you're a Toastmaster, a Rotarian, you've raised $130,000 for cancer research. I mean, like, Jesus Christ, when do you sleep? Um, but don't answer that. I don't want to know. I'm already feeling bad enough about myself because I have not yet raised... I'm only at 122,000. And I lie. Um, guys.
Bryan Lachapelle (12:09)
Yeah
Mario Zaki (12:09)
That's awesome.
Craig Taylor (12:14)
You
Justin Shelley (12:19)
Let's go ahead and get serious. Let's talk about, and again, I, I, I'm kind of jabbing, but I also am serious. We are talking to people that don't really know our world. And so I want to be very careful to, to bring these stories down to, or these lessons down to the level of, the average business owner. And that in itself is enough, you know, like we have as business owners, we are responsible for so much and we have to know so many different
things. We want to keep today's lessons in the, the world of simplicity and actionable items. So one of the things that is a frustration to me as an MSP, as a self-proclaimed cybersecurity expert, is I really go out and I have to know everything about a lot of companies. I have to know, you know, I have to vet vendors. I have to go out and look because I don't do all this myself. I can't. Um, but I do deploy a set of tools
to protect my clients. And I have to know a lot about those cool tools and those vendors and, you know, the, how they build their stuff and how secure they keep it. I have bounced all over the place in the world of security awareness training, and I'm not sure I've ever been happy, and Mario, I believe you've got a similar situation. I'm going to go ahead and punt this to you for a second. Talk about your current reality of security awareness tools.
Mario Zaki (13:47)
So I don't want to name the vendor on the recording, but we've bounced through a couple of different guys and we went recently with what we thought is the company that's kind of very well known in the industry. And I put one of my guys in charge and I'm like, all right, you're going to do the campaigns, you're going to set it up for every
customer where they get it once a month or once a week or, you know, and stuff like that. Some, some customers just want a training like once a year, you know, so we do it. And when I got the invite for this call with Craig, I was very excited because this vendor that I currently use, they require a one-year term, a commitment, which, you know, normally it's not a big deal.
But I was very excited because I spoke to my, one of my technicians and I'm like, what do you think of this platform? He's like, to be honest, it leaves a lot to be desired. It's not really that great, you know. Most people are not opening up, like, you know, the, the training and stuff like that. Nobody wants to really do it. So I was very excited today to meet Craig because my renewal is actually coming up, I think, on the first of December.
And I kept pushing it back. I'm like, you know what? Let me wait. I'm not renewing yet. I'm not signing. I'm not signing until I have this call. Unfortunately, this call was supposed to be last week and we ended up, our schedules conflicted. So we had to move it back and I had to try to buy some more time. So I'm very eager to hear about your platform, CyberHoot, and what really makes your platform a lot different than the dozens out there.
Craig Taylor (15:24)
you
Mario Zaki (15:41)
and what makes users really kind of excited to want to actually do the training.
Craig Taylor (15:42)
Mm-hmm.
Right? Well, I can answer that. I don't know if it's my turn to go. I think we can talk very high level if you want, Justin, because business owner concerns.
Justin Shelley (15:53)
Yeah. Let, let's keep it high level and talk about.
So, yeah, let me, and I did that to you, Mario, on purpose. Cause I want to introduce this as kind of the situation that we have to, to deal with.
So right now I want to talk about what is cybersecurity awareness training? What should we be looking for? And, really like what's in the news about this, because there's recent studies saying that it's all for nothing. So let's, let's start with that.
Craig Taylor (16:19)
Mm-hmm. Mm-hmm.
Mario Zaki (16:26)
So if I could add one thing to kind of clear up, usually when we sit with prospects, we tell them, every MSP has what they call a security stack, first, second, third, so on. For us, and probably the majority of MSPs, their first line of defense is the employee. If we can educate that employee to know what to look out for, what to click on, what not to click on,
Craig Taylor (16:26)
Okay.
Mario Zaki (16:54)
and what to do if they get something that they are unsure about, by doing that, they will resolve probably 90% of the issues that come about. So the first line of defense is the employee and the knowledge and education that you provide to the employee. So that being, you know, is cybersecurity awareness training and phishing simulation tests.
So you actually wanna test them on some of the stuff that they were trained on. If you get an email from American Express saying your account is overdue, click here, and you don't use American Express, that's probably a phishing email.
Craig Taylor (17:25)
Mm-hmm.
Mario Zaki (17:36)
Does that cover it, Justin?
Craig Taylor (17:37)
May I
jump in and just sort of take you through it? You're... All right.
Mario Zaki (17:41)
No, no, we're not talking to you today. It's just us.
Justin Shelley (17:45)
I just had myself muted
too, as I tried to tell you. Yeah, jump in, Craig. Anyways, go ahead.
Craig Taylor (17:49)
Mario, so you're
not wrong. So as a business owner out there, you hear this and you get MSPs that are doing your IT services and they have their stack and they have their solutions, right? But let's take a step back and take a 50,000-foot view of what's wrong in the industry, because Justin labeled it perfectly. There are three studies that have come out in the last five years that say traditional
attack phishing, I call it attack phishing because it's sending messages to inboxes to see if users click. And when they click, they fail. And when they fail, they get assigned remedial training. And this is a very punishment-oriented, shame-based approach to changing behaviors. And it doesn't work. And the empirical research studies have found multiple holes in the way it's orchestrated today. As a business owner,
you need to hear this one message. Psychology and education have proven people change behaviors when you reward them, when you positively reinforce the good behaviors you want to see more of, not when you shame and punish. Those are punishments. Think about incarcerated adults. When you have all these laws to punish
people who make mistakes and commit a crime. There's studies that say that doesn't act as a deterrent. People are still gonna do their crimes. They're just hoping not to get caught. What psychology for 75 years has said, B.F. Skinner, the grandfather of operant conditioning, he said rewarded behaviors are repeated. And cybersecurity for 25 years, as long as I've been in here, has been trying to clamp down and punish and reduce
the clicks in phishing emails, because the Verizon Data Breach Report, all the studies and science say the number one way companies are breached is phishing emails, followed by password hygiene errors, where people are reusing passwords all the time, followed, and this is growing because of AI, by vulnerabilities in tools that haven't been patched. So unpatched systems that are open to the internet, or if a phishing email gets someone in, then they
have a field day looking at all the unpatched systems inside your network. Everything from copiers to forgotten PCs to whatever. So the message for a business owner today is that the industry as a whole has had it wrong punishing bad behaviors, because that never changes the behaviors in the long run. No different than training a dog with a shock collar works or scolding a child having a temper tantrum works.
You wanna find the good behaviors and reward with treats, with food for the dog. You wanna find and talk to the child about other behavior strategies and reward those when they show them because that encourages them to repeat those behaviors. And gradually over time, the temper tantrums go away, the good behaviors come. This is common knowledge in psychology and education. When is the last time? Sure.
Justin Shelley (21:00)
I can back it up with a story. Let me, let me interject here because
one of the products that I have used slash demoed does have a score. You, you get your, your own little personal score. There's a company score and the wonderful young lady who edits all of these podcasts, so she gets to hear this. When I rolled this out initially, I dunno, I did some things and my score was, we'll call it 600, now seven, whatever it was.
And she caught wind of that. I couldn't even get her to work anymore. Cause all she did is go through and do the things that it took to get her score higher than mine.
Craig Taylor (21:37)
Gamification! Perfect!
Bryan Lachapelle (21:37)
Hahaha
Justin Shelley (21:39)
That's it. That's it. And previous
to this, I had, I had some technicians who got similarly competitive, and everybody wants to beat the boss, for what it's worth. They all wanted to beat me. And so that puts some pressure on me. I had to keep my score up to keep them keeping their score up.
Craig Taylor (21:50)
Mm-hmm.
You're 100 % right. It's why we added gamification like that to our platform, CyberHoot, where you can see your own rank in the company against all the other people. You don't know who's above you and below you. It's an anonymous ranking, but you see, oh, you're 10th in the list, right? And you can actually add a feature where you can actually add the people in a friends list. So you could say, I want to compete with the boss. I want to compete with my team. Everybody add each other in. Now you see how you rank in your own team.
And then we had to add a feature that says turn it off because the boss doesn't like being last, you know? So.
Justin Shelley (22:28)
Wait, I want to, I want to dig into this one, Craig, because that's act... That was actually
a gripe I had with this, is that the names were randomized. So you didn't know who you were competing against. What? Why? Why can't we just say, hey, I'm better than you.
Mario Zaki (22:40)
Yeah.
Craig Taylor (22:42)
Well, you can, and it's possible in the friends list when you actually permit other people to add you when you set yourself up in CyberHoot. You can add all these friends and you can have everybody in there, or you can just have your anonymous leaderboard and see that you're at eighth on the list of all these hundred employees. Both are really helpful because sometimes you get a C-suite that are lackadaisical and at the bottom of the list and you need it to stay anonymous, right? It's encouraging the lower up.
Justin Shelley (23:10)
This is to protect the innocent.
Craig Taylor (23:10)
lower folks to get up.
Right, well, not really, but it is true. It's the nature of the game, right? Some will want to turn it on. I think ultimately transparency is best. And I would recommend, if you're a business owner, get your act together and get higher up the list because you're targeted and you're the least likely. So back it up a moment. Fake email phish testing still doesn't work. We know why. It actually leads to more clicks, not less clicks, according to a study from the University of Zurich.
Bryan Lachapelle (23:15)
Uh-huh.
Craig Taylor (23:42)
When you send those fake email messages from the vendor you use, Mario, you cannot have realism in the sender domain. What I mean by that is the email comes in for a Microsoft password reset from account resets or us, and you're training your end users to look for obviously wrong domain names. But how do hackers hack us?
The sophisticated hackers have typosquatted domain names. They have one letter off. They'll look at your domain and they'll say, okay, Mario's company's name is, what's your company name? Mastek. I'm gonna register Mastex with an S on the end, and I'm gonna phish your users. And I promise you, I'm gonna get people to click because they've never been trained on that level of deviousness.
Mario Zaki (24:06)
They compromised somebody else.
Mastek.
Craig Taylor (24:31)
But that's exactly what AI and hackers are doing today. They're registering a domain name. They can't keep it for long. One spam report and it's taken down in a week or two, but the damage is done. So the training by traditional vendors that not only punishes is also bad education because it dumbs down the end users to look for the wrong things. You need to have, out of the email client, in the browser, simulations where you can put in a Microsoft.com domain with an R
and an N for the M in Microsoft, because that's what hackers will do, or they'll do it in Amazon, right? And these little tricks that they play are so foreign to most users that they click blindly because they want to do their job. They want to get a good, they want to be responsible, and then they're tricked. So studies have proven that doesn't work. So what do you do? That actually leads to disengaged, apathetic employees who don't want to do it. And it leads to
loss of value to you and your MSP, right? You don't wanna be the enemy of the people by sending these mean, shameful things that they click on and then they get mad at you. They don't take personal responsibility because they think the test is unfair. Why are you measuring what I've never been taught by sending these things? I'm going down a list of things that are problematic, but at the end of the day, if you're listening to this, there are better alternatives out there. There are multiple vendors starting to use gamification, positive reinforcement,
reward systems, right? And then whatever you choose, you can build those kinds of rewards and positive reinforcement and public recognition into your processes that say, hey, if an employee reports a phish and they were correct, call it out on the next all-hands call, let their manager know this employee's doing the right thing. Make it positive. Bingo. Make it fun.
Justin Shelley (26:17)
Yes. Give him a cup of coffee. Give him a gift card. Like, do something real with this,
right? Yeah. Yeah. Bryan, you've been awful quiet here. What, uh, what do you got to say about this stuff?
Craig Taylor (26:25)
Cybersecurity's dry.
Bryan Lachapelle (26:29)
I've just been enjoying the back and forth. It's very rare that I don't have anything to add, but it seems like you guys are covering all the bases. I guess my go-to statement has always been, I can put bars on the windows and security guards at all the doors, but if somebody opens up a back door and props it open with
Mario Zaki (26:31)
Mm-mm.
Justin Shelley (26:31)
Okay,
okay.
That's why I was worried about you.
Bryan Lachapelle (26:56)
a brick, it's very difficult to protect against things like that. So that's effectively when somebody's clicking on a link, it's essentially that. Like, they're just letting them in the back door. Doesn't matter how many security systems I put in place, if somebody on the inside is letting them in. And so, yeah, cybersecurity is, as Mario has said, the users are the last line of defense or the first line of defense, depending on how you look at it. It all comes back to that. And I've known for years about positive reinforcement
Craig Taylor (27:20)
Yeah, true.
Bryan Lachapelle (27:26)
with kids and training pets and things like that. But you're right, most cybersecurity frameworks are all built around, you click the link, remedial training, punish, punish. And I've always been, I even talked to my brother, I won't mention where he works, but his company will fire people if they click on a link inadvertently. And I was thinking, like, now people will hide.
Craig Taylor (27:31)
Yeah.
No!
Bryan Lachapelle (27:55)
If they clicked on the link, they're going to be like, I got to hide this. I don't want anybody to know I did this, right? Because they're afraid of getting fired. The correct approach is to not punish somebody if they've clicked a link and work with them to make sure that it's resolved, but also to help them understand why it's important to pay more attention, and positive reinforcement is the way to go. So yeah, no, I've been enjoying the back and forth.
Craig Taylor (27:59)
Yeah, it's exactly the wrong approach. Completely wrong.
Yeah. Yeah. I don't blame.
I don't blame those companies for wanting to fire because somebody clicked. It's so dangerous to click and people want to stop the clicks. And it's all from a position of protection and nobility. I want to help our company survive and I want to do better, but it's an ill-informed approach, right? It's like getting the bigger shock collar each year,
putting it on your dog and saying, okay, this year we're gonna learn how to sit and stay and stay in my yard. And when you go near the edge, I'm gonna zap you harder. It doesn't work. The dog shuts down or gets aggressive with you, right? And employees are the same way. Just use a little modicum of a multidisciplinary approach. Help cybersecurity reorient to positive behavior benefits and rewarding those. And guess what? Your dog will come every time you call him and he'll say, am I getting a treat today?
Bryan Lachapelle (28:42)
Yeah.
Craig Taylor (29:07)
maybe not this time, but next time I will. Intermittent reward schedules are even more powerful. Think slot machines, right? It works. You just need to know why.
Mario Zaki (29:14)
So, Craig.
Bryan Lachapelle (29:15)
Now,
yeah, I would say the only caveat to all that is if somebody is literally not engaging in the entire process, even with positive reinforcement, even with all the training, and they just don't participate at all, then in my opinion, you have to treat them like it would be no different than somebody who's not participating in safety training, right? If they're ignoring all the safety rules and they're not participating in any of the safety training or safety, and they're just ignoring safety altogether, yeah, in those cases, yes, you probably should
Craig Taylor (29:35)
Right.
Bryan Lachapelle (29:44)
part ways, but that is more the exception rather than the rule.
Craig Taylor (29:45)
100 % agree.
Mario Zaki (29:48)
or put a shock collar on them.
Craig Taylor (29:48)
But if you, well, you could, right? But here's the thing. If you have provided positive reinforcement, rewards, and good, quick HIIT training, right? What is that? High intensity interval training? No, it's one little training a month on videos, one little training a month on phishing simulations, and rinse and repeat, muscle memory, not once a year. I heard someone say that. That is the worst thing you could ever do.
Bryan Lachapelle (29:50)
No!
Justin Shelley (29:52)
You
Craig Taylor (30:14)
Try to go to the gym once a year and get in shape with a six-hour workout. You'll hurt yourself at best. You'll break something at worst, right? But is there a place, let me add, Mario, I'm not sure. I know you like what you like. So here's the thing. Is there a place for AttackPhish, for the traditional gotcha phishing? I would argue yes, there is. For the simple reason that Bryan just put out, right?
Justin Shelley (30:20)
I feel attacked right now.
Mario Zaki (30:25)
I think he's talking about me here.
Craig Taylor (30:43)
If people are doing their training, think of it like a classroom environment teaching genetics for the course for the year. One of the biggest pet peeves I have is an MSP that starts their engagement with a major phishing attack campaign to get really good scores on how many people fail, right? That's like saying to the biology class, okay, everybody, first day, we're gonna teach you about biology this semester, but put your books away, put your pens away.
Take your pencil out, we're having the final exam today. Because I wanna measure just how stupid you are today. And then at the final exam, I'll measure you again and we'll show, like, improvement this big, right? That's not a good approach, folks. What you wanna do is teach the material throughout the semester and six, nine, 12 months later, have your final exam of a phishing test of the attack nature, of the gotcha email kind. But you've taught them all along the way with muscle memory, 10, 12 of these.
HootPhishes is what we call it. It's an interactive thing. You pick and choose safe and unsafe indicators. We teach you the rubric. It's okay to measure down the road. And yeah, there will be someone that joins the organization a month before and only has one iteration of the positive reinforcement phishing. If they fail, give them a call. Say, hey, you know what? You didn't get a lot of training. You failed this test, but that's okay because you're brand new here. Here's what you did wrong. What we do in our HootPhish example,
when you fail that AttackPhish, we immediately flip it to a positive HootPhish interactivity. So if you get a Microsoft attack email, you click on it, you make a mistake, you get the HootPhish equivalent, which is, hey, here's the sending domain. Is this safe or unsafe? And here's what you missed. The M in Microsoft was, you know, an R and an N. And that's what you got to watch out for. And then in the subject line, it's kind of hard, but there was a spelling mistake you might've caught.
In the subject, the greeting, your name wasn't there, it was a generic greeting. And we walk you through a positive experience so that you pass the exact same AttackPhish as an interactive phishing simulation. You get a better boost to your compliance score. You have a positive passing score, passing a test thing. You also get a certificate of completion, 15 minutes of CEC, continuing education credits. So there's a lot of little tiny rewards and benefits turned from a negative into a positive,
but you've given people a fighting chance by educating them along the way. So I think AttackPhish is not gonna go away, because it is a measurement of did they learn and pay attention throughout the semester, or the trainings throughout the year, and do they pass the test? Now, if someone's not doing their trainings and they fail the test, they gotta go see Bryan, 'cause he's gonna fire them.
Justin Shelley (33:26)
I've heard, or put a shock collar. Somebody mentioned a shock collar. Good. Good Lord, guys. We're here to.
Craig Taylor (33:29)
Mm-hmm.
Bryan Lachapelle (33:31)
Do they make those for
employees? I don't know.
Craig Taylor (33:34)
Mm-mm.
Justin Shelley (33:34)
Uh, I have a couple anyways. Um, guys, so listen, when we got started, I know we've got to keep today relatively short. Uh, I had some notes of things that we've got to cover, these things, these things, and we've already got them all. So I don't even have to introduce new topics. But what I am going to do, since we are kind of running short on time here, is I want to just kind of go around the room and, uh, Craig, I'm going to save you for last. Mario first, Bryan next, and let's just do key takeaways. Or if there's anything that you feel we missed
that people absolutely need to know, this is your moment to shine. And we've each got like, we're going to call it one minute. And I got the timer clicking. Mario, go. What do you got?
Mario Zaki (34:13)
Well, I can no longer use shock collars on any of my guys, so that's not gonna work anymore. But it is definitely good to kind of have a different approach, because the existing traditional approach of, hey, you just fucked up, take this, you know, 15-minute lesson, now you're gonna be backed up for 15 minutes and then you still have to get all your work done. That method does not work. We've seen,
Justin Shelley (34:17)
Damn it.
Mario Zaki (34:42)
you know, not only in studies, but just ourselves. We can tell when we log into any of our, into the platform, we see this person hasn't done anything, this person hasn't done it. You know, most of the time they're just clicking through if they do do it. The gamification is definitely going to step up things, because even with us, you know, I'm competitive and I want to, you know, show everybody that I still got it. So that is definitely something that
Craig Taylor (35:09)
You
Mario Zaki (35:12)
is going to add a different twist of office environment and competition to making cybersecurity fun again. You guys aren't enjoying it.
Craig Taylor (35:22)
Right. Was it ever? I'm not sure it ever was.
Bryan Lachapelle (35:22)
Again, wait, what?
Justin Shelley (35:25)
Wait, Maca?
What's the acronym for that, Maca?
Craig Taylor (35:30)
You
Justin Shelley (35:31)
Brian,
your turn.
Bryan Lachapelle (35:34)
Listen, I'm going to keep it really short today. And my key takeaway is, you know how they always say, use the carrot, not the stick. Carrots just aren't delicious enough for most people. So I think we need to use the cake, the cake and not the stick, the cupcakes specifically, because everybody loves cupcakes. So let's use the cupcake to get people's attention and not the stick. It sounds like, from my perspective, when we are looking at doing that, a reward,
Justin Shelley (35:46)
Agreed. Yes.
Bryan Lachapelle (36:03)
which is great if it's built into the tool, but you can also reward people and be like, hey, everybody who's done, and this is what we're doing sort of internally a little bit, is everybody who has completed all their cybersecurity training gets entered into a draw to win a $50 gift certificate, right? And so a reward like that is a lot more effective than, I'm gonna fire you if you click on the wrong link, which puts everybody at risk or everybody on edge. So that's it, that was my key takeaway.
Craig Taylor (36:18)
Mm-hmm. Perfect.
Mm-hmm.
Justin Shelley (36:32)
All right. I love it, Craig. Well, okay. But I've got to say though, I'm pretty sure that's referring to horses and horses love carrots.
Bryan Lachapelle (36:32)
Cupcake, not stick.
I know, but we're talking about humans here, and humans like cupcakes. Or beef jerky. Beef jerky. Yeah.
Craig Taylor (36:42)
Mm-hmm. I do. I like cupcakes.
Justin Shelley (36:43)
True, Definitely cupcakes. All right, Craig, go
ahead. Tell us your final takeaways and tell us a little bit more about CyberHoot and, you know, what you do there, who your target audience is and how you can help people.
Craig Taylor (36:56)
Sure. Benjamin Franklin said it best: an ounce of prevention is worth a pound of cure. But how do you get people to do the preventive steps? As business owners, we have to encourage participation through rewards, through positive reinforcement, by publicly calling out when people do the right thing rather than shaming them when they do the wrong thing. So that is a game changer for anyone that adopts that approach. And there are tools that do that better or worse, and find one that works for you,
that rewards the good behaviors, and then add to it, like Bryan's idea. That's my takeaway for today, because the days of Nigerian prince phishing schemes are gone. The agentic AI is testing, and if you don't click on it, it looks at your social media and sends an even better phish, and it keeps going until it finds one you click on. So we have to get proactive and we have to get real about this first line of defense. I think it's the first line and the last line, it's both,
end users in the chair. So educate them. You'll be happy you did. Cyberhoot.com is where you can go and book a demo. There's a discount code for any listeners to this. If you use Unhacked as a registration link, you'll get 20% off for the first year. We give extra discounts to nonprofits, charities, and educators and government organizations. Even at the MSP level, if you have clients, you can register
Mario Zaki (38:17)
that.
Craig Taylor (38:20)
their nonprofit status and we'll apply a coupon code for them, because we like to help the world out. We're trying to educate a billion people. BHAG, that's our BHAG goal. And I think we'll get there. But what else can I share? Nothing. That's really it. I think the message has been made loud and clear here. And have a look at us, because we give a free trial, a 30-day trial. To Mario's point, we only have month-to-month contracts. We don't lock you in for a year.
We're self-funded. We don't have venture capital that has invested $6 billion in the big company in this space that they have to make their money back. So they force you into a one-year commitment, two years, three years for the best price. We're month-to-month. And we're happy to work with you. And MSPs get the fun of multi-tenancy and automation. Everything we deliver also is 100% automated. You don't have to pick and choose the trainings and the videos and the AttackPhish.
We just randomly assign it based on category tags. So it's very, very easy to support. And it does the number one thing MSPs need. It builds value with every employee, because they enjoy 90% thumbs up on our videos, 70% on our HootPhish simulations, a positive feedback loop. You can choose, I didn't like that, or I liked it. Those are the numbers on average, over all time. So you can't lose.
Justin Shelley (39:43)
Do you, do you work through MSPs as well? I'm glad to hear you do. Actually, listen, we target this. We hope that business owners are listening. I have enough feedback to know that several MSP owners actually are at least making it part of the audience. So, good to know. And I suppose that code you offered is good for MSPs as well. Anybody. Okay. Unhacked, guys. Go ahead and throw that code in there.
Craig Taylor (40:05)
Anybody. Yes, everybody and anybody.
Justin Shelley (40:12)
And my key takeaway today, I just have to reiterate the culture. That's been something that has been important to me for a long time. It came from an article I read way back when, by a city government that had some nefarious activity going on inside. The IT guys raised a flag and said, hey, here's a problem. They were told to sit down and shut up. They didn't; they became whistleblowers. They got fired. They sued. The lawsuit settled at like a million each, I don't know. It was just a mess. And I'm like, holy hell, all they did was try to do their job.
You know, like you talk about a toxic culture. All we've got to do is, when somebody brings a security issue to us, tell them thank you. I mean, even if you don't do anything behind the scenes, at least reward it. Here's a cup of coffee on me. You know, it cost me five bucks. Well, coffee now is like 20 bucks, but anyways. So I'm a big fan of the culture. I'm a big fan of reward, whether it's a cupcake, a carrot for the horses, or my favorite would be a cup of coffee or maybe a bottle of bourbon.
Bryan Lachapelle (40:42)
Mm-hmm.
Craig Taylor (40:42)
Yeah.
Mario Zaki (40:54)
you
Justin Shelley (41:11)
Find a way to shout out the ones that are helping the business out and driving it forward. So that's what I've got, guys. That is it for this week's episode of Unhacked. Next week, we're going to talk with a guy whose name I have yet to perfect. I believe it is Fais Gowri, and he'll correct me next week if that's too far off. We're going to be talking about securing AI. We've talked about this before, but he's got something that, I know we haven't discussed here.
And I just think it's cool, because he's a lead senior software engineer at Microsoft. And that's what he specializes in, is AI-driven security. So really excited to have Fize, and I hope I'm saying your name right. I'm sure he's listening right now in preparation for our next recording. Guys, if you want more, go to unhackmybusiness.com. You'll get today's show notes, the guest links. It's also on your phone. If you're listening to this on your phone and you go to the details, you're going to see the links.
And I always, CyberHoot. I keep saying there's some other businesses that have hoot in their name and I keep confusing them. So cyberhoot.com will be linked in there. Mario's website, Bryan's website, my website, unhackmybusiness.com will all be linked in there. Just hit that link and go get some more information. Guys, we're going to say our final goodbyes. We're going to start with you, Bryan. Tell everybody goodbye, and we're going to see everybody next week.
Bryan Lachapelle (42:36)
I'm just going to keep it short and sweet today, everyone. Have a great weekend.
Justin Shelley (42:40)
Fair enough. Mario.
Mario Zaki (42:43)
Train your employees so you can sleep better at
Justin Shelley (42:46)
All right, Craig, final goodbye.
Bryan Lachapelle (42:47)
like it.
Craig Taylor (42:48)
Thanks for having me, I really enjoyed this. All of you are all on the same page and I applaud you, well done.
Justin Shelley (42:53)
Appreciate it. Thank you for being here, Craig. Yep. Thank you all. Appreciate it, guys. I'm Justin. Remember to listen in, take action, and keep your businesses unhacked. See you next week.
Mario Zaki (42:54)
Thank you for being with us, Craig.