The Last Mile of Security: Security Awareness Training Trends with Heather Stratford Cybertraps Podcast 163

Welcome to the Cyber Traps podcast.

Today we have a very
special episode for you.

I am your host, Jethro Jones.

We will be talking about the
Inch 360 conference that took

place in Spokane, Washington.

This conference is a must attend
event for cybersecurity folks here in

Spokane, Washington, and it was a great
opportunity for me to connect with

cybersecurity folks here in Spokane and
learn about a lot of things that are

going on in the world of cybersecurity.

Right now, this episode is one of
the sessions from the conference.

I hope you enjoy it.

This session is The Last Mile of Security:
Security Awareness Training Trends.

My name's Heather Stratford.

Some of you know me, some of you don't.

Um, I am the founder and CEO of DRIP7.

We are a micro learning platform,
uh, for cyber security education.

And, uh, we are headquartered and
founded in Spokane, Washington.

So I'm going to ask a lot of
questions, and I'm going to

ask you to participate in this.

So this is much more interesting
than, than you just sitting there.

So, why do people think cyber
security is not their problem?

How many of you have felt like this?

That your leadership, your people,
all put their heads in the sand.

By a raise of hands, how
many of you have felt this?

I think it's getting better.

I think there's more in the mainstream
news and general people who are

not in cyber, all of a sudden are
saying, Oh, maybe this is one of

the problems we need to think about.

But this is, I love this picture because
I, I, I talk to people and they're like,

Well, it's not going to happen to me.

And I'm like, Why are you
putting your head in the sand?

Why do you think it's not
going to happen to you?

So, here are some current statistics,
and I didn't put what the statistic

is for, so let's think about this.

This is your mental exercise.

11 seconds.

Think about what is 11 seconds.

1.2%.

What is 1.2%?

3.4 billion daily and 8 trillion per year.

Think about what those might be.

Alright, let's go through them.

Every 11 seconds, there
is a ransomware attack.

Did you realize it was that common?

Every 11 seconds.

So, when your leadership says,
putting their head in the sand,

and says, Oh, it's not going to
happen to us, here's a statistic.

Every 11 seconds.

1.2 percent of all emails
that are sent are malicious.

This number has increased.

It used to be less than 1%.

Now it's 1.2%.

That means if you have a hundred
emails coming into your inbox,

how many of them are malicious?

A little over one.

When you think about
that, you're blocking.

You're blocking a lot of that coming
in, but you're not going to be perfect.

That's the problem.

Cybersecurity is expected to be
100 percent perfect all the time,

and you're not going to be perfect.

So, 3.4 billion phishing emails are sent daily.

And these are the bad phishing ones.

These aren't the white hats.

These aren't the people
saying, hey, learn from this.

These are the bad phishing emails.

3.4 billion.

And over 8 trillion dollars will
be lost to cybercrime this year.

That's the estimate that we will be
topping 8 trillion by the end of the year.

That's a huge amount
and it keeps going up.

So, first of all, you all have a job.

You all have security in your job
because this is a continuing problem

and it's not going to go away.

So, 90 percent of cybercrime
is due to human error.

How many of you, by a raise
of hands, believe this number?

That's pretty overwhelming.

I do have some people that argue with me
and they're like, no, I think it's 95%.

And I'm like, okay, okay,
you, you might be right.

But let's just all agree that
it's a really large number

and it's, it's the main part.

People are the problem.

I keep telling people cyber
security is a people issue.

There's great hardware out there.

There's great firewalls.

I'm not going to name them.

There's great clouds, infrastructures.

I won't name them either,
but there's great hardware.

And yes, we do have to get faster,
but it is a people problem.

So let's look at this family here.

This family includes young people,
it includes middle aged, it includes

older people, this is a family, right?

How is this family going to
learn about cybersecurity?

How do they traditionally learn about it?

Trial and error, I heard over here.

In the past, the first people
to really start educating in

cybersecurity was the military.

If you served in the military,
you were forced to learn it.

You also, then, different types of
businesses, if you worked government

or if you worked financial, they
started to push this education to you.

So, if you were military or work, you
started to get cyber education because of

who you were, what kind of job you had.

Not everybody fits into those.

So now, we have all different
types of, of areas that are

starting to address the issue.

School.

So, if you go to a university or college,
I'm going to pick on Whitworth over there.

Whitworth now is training their
students in cyber education.

They're not the only ones, but they're
realizing, Hey, if we give them

laptops and we give them access to
things, maybe we should actually tell

them what they can do and can't do.

You have work, colleges, you have K-12.

There are two states in the United States
that mandate having K-12 education.

Meaning, down to kindergarten and
first grade, they're starting to

learn about privacy and cyber.

Senior centers, financial institutions.

Now this is a newer one, right?

If your credit card, your, uh,
information is compromised, financial

institutions are starting to say, Hey,
how can I better train our people?

How can I help not make this happen?

And then volunteer organizations.

I know working with DRIP 7, we're
working with some national non profits.

Why?

Because they have all these volunteers
who are touching their systems.

Well, you better tell 'em what
to do and what not to do, right?

So all of a sudden we have more places
because it's a continuing problem.

So 38% increase in 2022, which is the last
year, we have complete information for.

38 percent increase
globally in cyberattacks.

Now, I speak a lot, and I've
pulled this data year after year,

and it's been interesting to see
how it's shifted and changed.

What industry or what sector do
you not see in that top five list?

And this is in order.

Number one is education and research.

In 2022, they were the most hit sector.

Government and Military was second,
Healthcare was third, Communications

was fourth, and the Internet Service
Providers were fifth on the list.

Now who is not up there?

Financial and Banking.

Why?

Much harder target.

That's exactly right.

They've been on the top five list
for years, and they're finally being

pushed off the top five list because
they spend, defend, and train.

So these other sectors, like education,
government, healthcare, communications,

they have to catch up, and they
have to catch up on the people side.

You know, a Fortinet firewall can
only go so far if you hand somebody

your credentials and your password.

So, who at work is targeted?

Sometimes I think we think that
it's just a very small segment.

Oh, it might just be accounting.

Maybe accounting is just targeted.

New hires are targeted because they
don't know the system very well.

They don't know what to
do and what not to do.

Mid level people, they're targeted.

IT staff, who in this room has been
targeted specifically, spear phishing,

by, by, uh, a phishing attack.

It's because you have credentials.

HR staff.

Why would HR staff be spear
phished and specifically targeted?

PII.

Exactly.

They have access and keys
to all kinds of data.

W2s, etc.

Vendors.

Contractors.

And your C suite.

The attack might not be the
same, but they're all targeted.

So, once again, 90 percent of
cybercrime is due to human error.

So what are we going to do to change that?

What are the trends in the industry
that are trying to fix this?

This is a problem that I've
been working on for a long time.

I love this picture.

I looked hard to find a
picture that It's like, yes.

What's changing in the
cyber security industry?

When I talk to people about cyber security
education, some of them say, give me

something better, because my people
say they want to poke their eyes out.

I'm like, really?

People, they have a hate for it.

They're like, oh my gosh,
don't make me do that again.

Some of you are laughing.

So, what's changing that it's not
this person sleeping on the computer?

Here's one of the changes.

A once a year training for
your employees does not work.

Now, intuitively, we know this.

It's still the most common practice.

Hey, I trained.

You know, Riley's sitting right here.

I gave Riley that training on
onboarding three years ago.

Or, I gave Riley that
training last January.

How come he doesn't remember, right?

So, it's human to forget, and it's
called the Ebbinghaus Forgetting

Curve, and that's just, uh, the
person who discovered it, and a lot

of research has been built on it.

But it basically, it says, all of
you sitting in this room who are

listening to me already have tuned out.

Now I'm trying to keep your attention
by moving around and changing my voice,

and I'm really, really trying, but
half of you have already tuned out.

So, this is what it says.

If all of you pay attention for a full
hour, and then you walk out of this

room, you will retain less than 50%,
you will retain about 40 percent of that

content if somebody asks you to tell
you what was said just one hour later.

If you go out a full 30 days, a
full month, and I go over to Riley

and I say, Riley, what did I say?

He's going to remember this
much, about less than 20%.

Now, how do you change that statistic?

And the way you do it is by it's more.

You have to have more interaction.

You have to see it more than once.

I know I can't remember a
phone number if I am told it

once I will never remember it.

I have to say it over and over
and over again in my head.

Our brains are just not hardwired
to hear something once and get it.

So, when it comes to
cybersecurity, it's the same thing.

The goal is not to check a box.

The goal is how do you get
people to do something different

and actually change behavior.

So, first of all, they
have to remember it.

They have to enhance their decision making
and they have to use it in real life.

Only by doing that are they
going to change their behavior.

Makes sense, doesn't it?

But only a small amount of companies
right now are doing it, and

yet they're seeing the results.

They're seeing the behavior change.

So different generations work differently.

How many in this room hit
the baby boomer generation?

Who's gonna raise their hand?

Okay, a couple of you.

How many are Gen Xers?

I'm a Gen X, okay?

How many are Millennials?

Okay, and Gen Z.

Any Gen Z's?

Okay, good.

Each generation is interacting
with our technology differently.

Baby boomers want to sit down, have,
have a lecture, they want to go

through, they want to know their,
what they're supposed to cover.

They want it in a traditional format,
and they're used to it, and they like it.

You get to a millennial and
they're like, ugh, roll their eyes,

like, why do we have to do this?

They do things differently.

There are 71 million millennials in the U.S. workforce.

35 percent of the U.S. workforce are the millennials.

They are the largest sector.

And you've all heard of the great
resignation and trying to hire

people and people just won't stick.

This is one of the reasons.

Because we're not adapting to how
the new generation is doing things.

So, Millennials and Gen Z workers
find micro learning works for

them and that's what they want.

So, how do we take cyber security
education and pull it into

the world of what most of our
employer, employees are made of?

They're younger, they're more techie,
they want it in TikTok format.

Now you're laughing, you're
like, oh my gosh, right?

They want it short.

So, short training sessions are better.

This is what the statistics say.

The statistics say, if you're listening
to something for longer than six

minutes, you're sitting at your computer,
you're watching a video, if it's longer

than six minutes, you start to lose
interest and your attention just drops.

At six to nine minutes, learners
become less engaged, unless

highly, highly motivated.

And then at nine to ten minutes
They start to think about,

when am I getting off of work?

What am I eating for dinner?

Am I going to work out with someone?

Right?

They start going somewhere else.

So if you are not capturing them, you are
not training them in skills development.

So, the new trends, gamification, and
microlearning, because it hits what

the new learners are looking for.

So what does gamification mean?

It's kind of a fancy word.

I have people who I talk to and
they're like, Oh, you made a game?

I'm like, yeah, yeah, not a
first person shooter game.

Like, that is not what I'm talking
about when I say gamification.

What gamification means is avatars,
badges, rewards, leaderboards,

um, things that are going to
engage a learner and reward them.

Now, some of you are rolling
your eyes, I can already see it.

You're like, oh my gosh, I've
got to reward them for doing

what I'm paying them to do.

And the answer is yes, they want a reward.

They want a gold star.

So, you need to put a gold star next
to their name saying, Hey Riley,

thanks for doing your training.

You get a gold star.

And Riley's gonna be like,
oh man, I got a gold star.

I should do my training more often.

Okay, so why gamification is surging?

These are three statistics
that I think stand out.

They're pretty incredible.

90 percent of employees say
gamification makes them more productive at work.

Let's say even half of that's true.

Let's take 50 percent of that, 45%, right?

Maybe some of them are
just buttering up, right?

That's a huge number.

They're like, yeah, that'll
make me more productive.

Okay, 60 percent average engagement
increase with the gamification work

experience and then 72 percent of people
say gamification motivates them to do

their tasks and work harder on the job.

Those are pretty staggering numbers,
so do you train for each job role?

Here's another trend currently in
the cyber security awareness space.

It's not that I, as an administrator,
am going to push out the

same training to all of you.

You all are not the same.

I've got this section over here.

You're IT.

I push training to you and
you're like, That's wrong.

How come this is said that way?

No, I don't agree with this.

You guys are going to argue
with me on every question.

This section in the middle,
you guys are accounting.

You're going to get hit
in a very different way.

And then I have people
over here, you're all new.

And you're like, training?

Why should we do training?

Right?

So, the question is, are you
currently pushing the same training

to every employee in your company?

Or are you staggering it and
making it job role specific?

When you make it specific,
people pay more attention.

Nothing is worse than being
required to take training

that you know is not for you.

Right?

I know people, healthcare system, teachers
who are like, oh my gosh, I had to, I was

required to take three hours of bloodborne
pathogens and I'm an accountant.

And they hate it.

So make sure it lines up.

Train specifically for their roles.

Now, some of you are going to
say, Oh my gosh, that takes work.

And it's like, it doesn't,
because there are solutions out

there that are job role specific.

Here's a question.

Does phishing employees work?

Okay, so I have up here, he said,
if it didn't, we wouldn't do it.

Okay, so how many of you, I'm going
to say yes it works, no it doesn't.

So, first yes, does it work?

Okay, does it not work?

It depends on how it's done.

And here's, here's the
question that I put up here.

For phishing to work, training
needs to be tied directly to it.

So if I push a training out here to
Bill, and I push a phish to him and he

fails it and then three months later
I put him in a group to learn about

phishing, is that going to help him learn?

No.

Because it's not tied to the training.

So, a lot of times fake phishing goes
out and it's like, well we got a metric.

20 of the people failed.

I'm like, okay, well
what'd you do about it?

Did you tell them right there on the spot?

So, thinking about how do you train and
use it as an actual training experience.

So these are three different
types of phishes that go out.

And also, I was just having this
conversation with Mike over there,

where we were talking about it's almost
like companies are afraid to fail.

They're like, oh, I want our
phishing number to come back as zero.

I'm like, well, what good is that?

If you say, this is a phish,
don't click, of course they're

not going to click, right?

If you make it so obvious, I
mean, you're not training them

if you make it too obvious.

You're not training them if you make it so
outside their realm that it's not real.

So training needs to be fluid.

This is another trend within the
cybersecurity awareness space right now.

Fluid.

What does fluid mean?

Fluid means when you see something, let's
say you have an attack coming in, you can

immediately turn around and train on it.

Now it seems pretty simple, right?

Hey, we see something,
let's train on this.

Most companies are not set up to be fluid.

They're set up to say, hey, add that
to our onboarding for next year, right?

And Brant brought this out in
the panel, we have to get faster.

We cannot sit around and wait for
the next reiteration of our training

to catch up to the current attack.

One of the things you can ask
your cyber security awareness
person is, are we fluid?

Can we push out content
when we see things?

Can we be adaptive?

Because it helps.

So what kinds of training
should I train on?

Many people ask me, they're like, okay,
so what, what should be in this list?

Let's go through a couple of things
that should be in your, your training.

This I love, you've probably seen
a different type of chart like

this, where it's for passwords.

When you tell somebody, and I'm
going to pick on Kim over here.

If I tell Kim, hey Kim, you
need to have a secure password.

Kim's looking at me, and maybe she's not
in IT, she goes, What does that mean?

Like, Oh, I'll add a
one to the back of it.

Or, Oh, I'll add an
exclamation point to it.

Right?

Kim doesn't understand
what I'm talking about.

So, if you look at here, number of
characters, if I go down to, let's say,

ten characters, and I go across, and I
include numbers, lowercase letters, and

upper, I'm at one month to crack that.

If I just add two or three more digits
to this, if I go down to 14, and I go

across to upper and lower case letters,
and numbers, I'm at 800,000 years.

Now that's random.

That's saying it's random, and most
of us put, you know, known words in.

But the number is
exponentially harder to crack.

Like, it, it's just,
it goes off the charts.

So, when I talk to people, I'm like, Kim,
hey, you have a ten, ten digit password.

You need to make it fifteen digits.

Kim gets that.

And if you show her why, Kim's like,
oh, well that makes sense, I know why.

So, you need to train, and
you need to help explain why.

Alright, you also can train on things that
are a little more technical, like OWASP.

So many of you know this, but, Mark
created this in 2001, uh, Mark

Curphey, I think that's how you pronounce
it, and OWASP is an international

organization now, and it stands for
Open Web Application Security Project.

Now, why I put this up here is
because if you have technical staff,

you want to be training on this.

From 2017 to 2021, there were changes in
the OWASP top 10 and what they're seeing.

Things were added, like for example, down
here on the bottom, server side request

forgery is one of the new top 10 areas.

Have you trained your
IT staff on that yet?

If you haven't, this is one of those
areas that you can do training with.

Okay, third, ransomware attack.

If you were to pick a random person
in your organization, just a regular

employee, not an IT employee.

And they had a ransomware
screen hit their computer.

Do they know what to do?

Raise your hand if you think your
random employee knows what to do.

They don't.

They're going to freak out.

Many of them are not going to
tell you because they're afraid

they did something wrong.

They're going to reboot.

Thank you, Brandt.

Yes, they're going to lose the
forensic evidence because they don't

know not to turn off their and un,
not reboot their computer, right?

So train them.

So this is one of those areas
you can say, this could happen.

If it did happen, here are
the three things I want

everybody to know what to do.

So, three different areas that
you can train your employees on.

So, you want to nurture
skills development.

You want to make sure you're
covering everything from physical

security, mobile and home computing.

Many people, if you ask a general
employee in your company, do you have

a password on your router at home?

They'd be like, oh.

Routers all have passwords, right?

So, so you have to train them.

Social engineering, phishing,
passwords, privacy, and current trends.

These are some others
over on the other side.

Piggybacking, cloud computing,
uh, data classification.

These are all areas to train on.

So, I want a raise of hand for somebody
to tell me what this number is.

What percentage of cybercrime
is due to human error?

Go ahead in the back.

Ninety percent.

Thank you.

Now why did he remember that?

Why?

Go ahead, Nolan.

Why did he remember it?

It's written on the bottom.

Because he's cheating.

Okay.

He must have really, really good eyes.

Okay.

Why did he remember?

It's been less than an hour.

I said it, so you heard it, said it,
and he saw it multiple times, right?

So when you train, he's
going to remember that.

So in a month, if I ask him,
what did Heather talk about?

He's going to be like, Oh,
I remember 90 percent of
cybercrime is due to human error.

It's the one thing he's going to remember
because it was said multiple times.

That's what microlearning is.

So, train your employees
in cyber security.

If you feel your employees are not
valuable enough to train, you should

rethink having those employees.

Training will reduce cyber risk.

You need to train not just
yearly, but weekly or daily.

Training should adapt to changes.

When you see it, you should be able
to turn around and train on it.

Training should be engaging and short.

Training should be reward
focused and not fear focused.

Thank you.
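A worked estimate of the password chart described in the session (length versus character set versus time to crack), added here as an illustration; it is not the speaker's chart or data. The guess rate of 10^11 guesses per second, the 32-symbol class size, and the 5,000-word dictionary used for the "word plus digits plus symbol" comparison are constructed assumptions.

```python
"""Estimate brute-force cost for passwords by length and character set.

Added illustration of the chart described in the talk (not the talk's own
chart or data). The guess rate is a constructed assumption; real figures
depend on the hash algorithm and the attacker's hardware.
"""
import math

GUESS_RATE = 1e11                    # assumed guesses per second (constructed)
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Sizes of the character classes a user can draw from (symbol count assumed).
CHARSETS = {"lower": 26, "upper": 26, "digits": 10, "symbols": 32}


def keyspace(length, classes):
    """Number of possible uniformly random passwords of `length` over `classes`."""
    alphabet = sum(CHARSETS[c] for c in classes)
    return alphabet ** length


def entropy_bits(length, classes):
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(sum(CHARSETS[c] for c in classes))


def expected_crack_years(space, rate=GUESS_RATE):
    """Average time to hit the password: half the keyspace at `rate` guesses/s."""
    return space / 2 / rate / SECONDS_PER_YEAR


def length_gain(shorter, longer, classes):
    """Factor by which the keyspace grows when length goes from shorter to longer."""
    return keyspace(longer, classes) // keyspace(shorter, classes)


def pattern_keyspace(words=5000, trailing_digits=2, trailing_symbols=1):
    """Keyspace of the 'known word + a digit or two + one symbol' habit the talk
    says most people fall into. The 5,000-word list is an assumption; the point
    is that the chart's numbers only hold for random characters."""
    return words * 10 ** trailing_digits * CHARSETS["symbols"] ** trailing_symbols


def humanize_years(years):
    """Render a duration in years as days, months or years for a slide."""
    if years < 1 / 12:
        return f"{years * SECONDS_PER_YEAR / 86400:.1f} days"
    if years < 1:
        return f"{years * 12:.1f} months"
    return f"{years:,.0f} years"


if __name__ == "__main__":
    mixed = ["lower", "upper", "digits"]      # the talk's 'upper, lower, numbers' row
    for n in (8, 10, 12, 14, 15):
        space = keyspace(n, mixed)
        print(f"{n:2d} chars, {entropy_bits(n, mixed):5.1f} bits: "
              f"{humanize_years(expected_crack_years(space))}")
    print("10 -> 14 chars multiplies the keyspace by",
          f"{length_gain(10, 14, mixed):,}")
    print("word + 2 digits + symbol (10 chars, not random):",
          humanize_years(expected_crack_years(pattern_keyspace())))
```

With the assumed rate a random 10-character mixed password lands at roughly a month and a half and 14 characters at about two million years; the chart's exact figures differ with its own rate assumption, but the 62^4 (about 14.8 million) jump between the two rows is what the speaker means by "exponentially harder".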

Creators and Guests

INCH360 (Guest)
A regional industry group focused on connecting cybersecurity and compliance professionals of all levels. The group will promote education, collaboration, and communication about resources, regional companies, and jobs.