Are remote workers more security-savvy than on-premises?

Miami University's (in Oxford, Ohio) Farmer School of Business Information Systems and Security researcher Joseph Nwankpa joins Cyber Work today. Nwankpa recently wrote a report that overturns some huge assumptions: he found that work-from-home employees are, to a large degree, less of a security issue than many on-premises workers. Nwankpa discusses The Peltzman Effect, the persistent struggles to create security awareness that lasts past the initial training sessions and talks about some surprising reasons that the higher education sector has been shown to be less sophisticated in their security awareness than many other industries.

0:00 - Are remote workers more cyber secure?
2:00 - How did Joseph Nwankpa get into cybersecurity?
7:53 - Findings on remote worker security
12:00 - Cybersecurity strategies in different work locations
17:05 - A company's cybersecurity compliance culture
19:07 - Best lessons for best remote work security practices
22:00 - Internalizing securing awareness
26:40 - Higher ed issues with cybersecurity
31:00 - Higher ed and phishing emails
33:00 - Remote work security blind spots
35:50 - Become a security awareness professional
41:54 - Miami University's information systems program
44:00 - Learn more about Nwankpa
45:01 - Outro

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

Chris Sienko: 

Today on Cyber Work I am excited to talk to Miami University in Oxford, Ohio's Farmer School of Business Information Systems and Security researcher, Joseph Nwankpa. Joseph recently wrote a report that overturned some huge assumed thinking. He found that work-from-home employees are, to a large degree, less of a security issue than many on-prem workers. Joseph discusses the Peltzman effect, the persistent struggles to create security awareness that lasts past the initial training sessions, and talks about some surprising reasons that the higher ed sector has been shown to be less sophisticated in their security awareness than many other industries. Hope you'll tune into this one. Especially you security awareness facilitators, you really want to hear this. It's chock full of great advice. And it's all today on Cyber Work. Hi, welcome to this week's episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of infosec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry. My guest today, Dr. Joseph Nwankpa, is the director of cybersecurity initiatives and an associate professor in the Department of Information Systems and Analytics in the Farmer School of Business at Miami University in Oxford, Ohio. He has more than a decade of experience as an information systems professor in higher education. His primary research focuses on enterprise systems, software security and vulnerabilities, remote work strategy, digital business strategy and predictive models. In recent years, Joseph has focused on vulnerability assessment, cybersecurity risks and cybersecurity awareness. 
Joseph has also authored several book chapters and worked as a reviewer for journals such as Information Systems Research, Journal of the Association of Information Systems and Information Systems Journal. A lot of journals that all seem to be very tightly focused, so I'm excited to hear more about those. Joseph, thank you for joining me today and welcome to Cyber Work.

Joseph Nwankpa: 

Thank you for having me, Chris. My pleasure.

Chris Sienko: 

All right. Well, Joseph, I want to help our listeners get to know you a little bit, and I want to start by asking what I ask all our guests, which is when did you first get interested in cybersecurity and tech and what was the initial draw to it?

Joseph Nwankpa: 

Yeah, absolutely. That's a great question, you know, for me, I think that in the early 90s, when I was in high school, I think that's when I started getting a little bit of that pique for cybersecurity, and it came from, believe it or not, from watching spy movies. Yeah, OK, yeah, back in the 90s I used to love a lot of spy movies when I was double or seven they hunt for it, nobody has time and one of the things that fascinated me was always, you know, the clandestine way they used to communicate. That, you know, covert communication was something that piqued my interest. So I finished high school. Actually, my undergraduate was in accounting. So when I graduated, I worked in the financial space, a little bit in a bank, and in my department I was in the trade, and one of the things that I also saw in trade was in terms of being able to remit funds. There was always that privacy concern, that confidentiality. So I started to think about, you know, even though we were leveraging technology to be able to effectively remit funds across the globe, there was always that concern, you know, that cybersecurity concern, that privacy. And so when I left, I was in the financial sector for two years, when I left to get my master's in Finland. I wanted to go into tech and into security, and so when I was with my master's in advanced financial information systems, I started to like encryption a little bit more. So in the labs I used to play a lot with, you know, encryption whether it's desk trade, whether it's encryption yeah, so at that point I knew that one way or the other, that I was definitely going to be in tech, but I felt like I always had a flip for cyber. Just to, you know, make sure that you deal with confidentiality, privacy, that you deal with this. That was so important to me at that time.

Chris Sienko: 

So I want to go back to some of your. You know the many things that you've written. You know as a reviewer for journals like Information Systems Research and, you know, information Systems Journal. Can you put a big frame around what you do as regards information systems? What is that as a sort of a larger concept? What is the scope that information systems covers in terms of?

Joseph Nwankpa: 

Yeah. So, for example, you know that's a great question and there's always that question that always comes up, you know, computer science and information systems, right, right, right. Me, as an information systems faculty member, I mean in the business school, I think when we think about information systems, we think about three key pillars: the people, technology and the process. Right, you know, when you go to computer science they tend to talk a little bit of the technical aspect of things, but at the end of the day, you want to be able to look at that intersection between people, process and technology, and that's what frames, you know, my thinking even in cybersecurity research. You know, what are the things that you can deal with technical controls? What are the issues that you have to deal with process controls? What are the things that it comes down to people, that you have to come up with policies and say, you know what, don't do this, because there's no technical component to be able to mitigate that. You really have to. Well, you know, you shouldn't share your password. That's pretty much what it comes down to. So, sure.

Chris Sienko: 

Oh yeah, oh yeah, always important, as long as we get that one, that covers 75 percent of all ills there. So, speaking to your role at, you know, Miami University Business School, and the fact that you're an actively researching professor on staff, like, what kind of security problems do you and your colleagues generally take on? Are there particular big topics right now around higher ed level research and cybersecurity?

Joseph Nwankpa: 

Yeah, thank you, Chris, for that question. Like here in Miami, I can only speak for the business school and some of my colleagues here at the Farmer School of Business. Yeah, so one of the things that we're trying to look at now, as I already said, tends to mirror the challenges that we see in the industry. So, for instance, now there's a lot of active research going on with respect to, you know, how do we leverage AI? How do we leverage AI to solve the cybersecurity challenges we've had in the past? And I'll give you an example. So, for instance, we think about things like, you know, data breach incidents. If you think about it as a basic data breach, it takes almost 300 days to discover and report a breach. So the question is, you know, with this age of AI, with the new technology that we have with machine learning, is there a way that we can narrow that time a little bit? It doesn't have to take nine months if we have all this stuff. Can we narrow that down in terms of being able to identify a breach a little bit earlier? So we are looking at how AI can leverage that. So we're looking at things like, you know, patterns. Can we use AI to be able to create better predictive models in terms of vulnerability assessment, in terms of vulnerabilities that may be exploited? So these are other areas that we're also looking at with respect to research right now, and also we're looking at zero trust. A little bit on zero trust, you know, zero trust came with a lot of promises, so we're trying to really look at, you know, is that paradigm shift, you know, paying dividends in terms of, you know, the cybersecurity threats and challenges that zero trust was supposed to mitigate? Are we seeing those types of things? Are we seeing how people responded to that?

Chris Sienko: 

Yeah, no, that's great. Because, yeah, I mean, you're right. There was that wave of a year or two ago where every guest I had come in here saying zero trust is the answer. Zero trust is the answer. This is going to change everything. And you know it's hard to invite the same people back and say, so, how do you know? So I'm glad that you're there checking this out for us. So, yeah, now I want to talk to you about some of your research today here. So, as I mentioned in the intro at the start, you recently co-wrote a report through Miami University about some surprising findings regarding the relative level of safety for employees who work on premises, at their company's offices, versus those who work remotely from home or in variable locations. So, without giving away too much of the report, your findings inverted a lot of what people previously thought about which work methods are safer on the whole. So can you tell us more about that?

Joseph Nwankpa: 

Yes, thank you, Chris. And so in that research, you know, one of the things that we found, it was, we got into that research with certain expectations and it turned out to be, you know, the reverse, like you say. So, you know, when you think about the remote work environment, people always felt like remote work came with inherent cybersecurity challenges. You know, when I look at expanded attack surface, you know, loss of visibility with respect to the people working remotely, and anytime you have a distributed work environment, it creates a lot of, you lose, for instance, you know, the infrastructure. You don't own it. So there's a lot of issues. But one of the things that, you know, nobody thought about was that, you know, when people work remotely, our study found that they really kind of had this, you know, a much higher cybersecurity awareness. It is like I tend to look at it this way, that when you work remotely, you feel like I don't want to be the one that poisons the challenge, right? So all of a sudden you feel like you have to be a little bit more cautious. So when we looked at the two groups, the group that worked on premises and the group that worked remotely, it's almost like the group that worked within the boundaries of a corporate environment developed the type of complacency, you know, they felt like, you know what, the company has countermeasures, when within the organizational boundaries they're going to take care of things. So they didn't have that higher level of cybersecurity awareness and also they weren't always willing to take precautionary measures, even when they found something. And that's something that we found with people working remotely, and part of it stems from the fact that remote workers also, over time, they feel like, you know, they don't really have an IT staff readily available. 
They start to do a little bit of things on their own, and I think that's really kind of elevated that level of, you know, level of cybersecurity awareness that we didn't see within office premises. And you know, when we got that result, we started looking at it and it felt like, wow, when you take a step back and look at that, you say, like, you know what, maybe this is a little bit intuitive. You know, Chris, think about it this way. You know, when you're in a corporate environment, right, you don't worry about who walks into the building, you don't care. You know, you feel like security would take care of that. You know, you might see, but you don't really pay attention. But when you're at your home, all of a sudden you have this heightened state of alertness, where you're, you know, who is this person, who is this person in our neighborhood. So that's what we saw in that result. That was really interesting.

Chris Sienko: 

Yeah, yeah, no, and I want to, at the risk of cribbing your report from you here, but your report references something called the Peltzman effect, which is used in findings about automobiles, and it basically stated that as cars added more safety features like seat belts and airbags and, you know, body structures that crumple on impact in a safer way, that it paradoxically seemed to engender more unsafe driving, which sort of erased some of the improvements that the innovations could have made. And so when you applied, as you said here, the Peltzman effect to on-premises workers, you know, you have this notion that if you have your IT person just down the hall, then, you know, what's the harm? If I click this thing and it goes wrong, I can just, you know, scamper over there and they'll shut me down. Whereas, conversely, workers who work remotely from laptops, as you said, or other portable devices, are more cognizant of the potential risks and are engaging in less risky behaviors. You don't know necessarily how to initiate something with your IT person if you're at home, and, you know, certainly not in a quick way like that. So I want to talk about security awareness in a moment, but I want to start first, if possible, with the tech side of things. So a recurring cadence from past guests is that, from a security standpoint, security engineers and architects, you know, previously in the sort of pre-COVID times, were tasked with protecting a single company, often a single location, and there's the sort of metaphor of security being like a drawbridge and a moat around a castle. It makes threats hard to get in. But by comparison they talked about remote workers as trying to fortify not a single castle but a series of small encampments all over the countryside, a breach of any of which could have a snowball effect. So, can you talk about, on the tech side, security strategies for both on-prem work and work from home? 
Is there any great deal of difference in the approach between defending the two?

Joseph Nwankpa: 

I think absolutely, absolutely. You know, when you think about it, when you're dealing with people that work, you know, face-to-face or on the premises, that's a different bargain than when people are working remotely. When people work remotely, I think that the threat level is a little bit different and that should also require a different strategy. So, for example, you know, think about it, when people work remotely, you're dealing with all this. You know, increased attack surface. You're dealing with compliance issues. You're dealing with loss of visibility from a standpoint of what are the people doing. You know, the endpoint data leaks. You know, the data integrity issues. These are all issues that you're gonna have to grapple with. Now, when you work face-to-face, in a premises environment, you have a lot of things that you can control, because those people are there, you can put in place certain control mechanisms. So the difference in strategy really comes down to now, when people work remotely, to some degree, you really have to, really, you know, they become your line of defense, right. You are almost like, the employees have to do things on your behalf. So you become a little bit susceptible to the degree to which, you know, that security awareness or precaution-taking behavior is really amplified. And I think that's what speaks to our research, that, you know, when people work remotely, you expect them to have a strong, if they do have a stronger cybersecurity awareness, that puts you in a better position to be able to manage those threats. So, but that doesn't eliminate the fact that people who work remotely are still going to be exposed to multiple layers of threat. That's true. But our study is saying that, hey, but wait a minute, there's a way for you to manage this threat. 
And, Chris, one point that I forgot to mention is that in our research, one of the things that we also saw was that when you have an organization that has a culture of compliance, it increased their ability to take precautions. So not only that remotely, yes, but there was a moderating factor there. If that organization had a culture of compliance, if they built a culture of cybersecurity compliance, policy compliance, that even made it much better for them in terms of being able to manage those people. So that's definitely one of the things that we found in that study.

Chris Sienko: 

Okay, could you untangle the concept of culture of compliance? Because I guess I'm trying to get my head around, what companies do not have a culture of compliance? Like, what does a culture of non-compliance look like? Is it just that it's kind of flying by the seat of their pants or something like that? Like, what sort of sets apart a company with a culture of compliance? Is it that they're going above and beyond compliance for security?

Joseph Nwankpa: 

That's a great question, Chris, and in research, one of the things that we've found over the years is that there are certain industries, for instance, that tend to have a higher level of compliance, and compliance, in this case, being able to meet those policy compliance, regulatory compliance with respect to policies, policy frameworks on how to navigate your day-to-day job activities. So, for instance, when you think about the financial sector, they tend to be up there in terms of compliance. When you think about, for example, the educational sector, when you think about, for instance, hospitality, they tend to be at a very low level. So we tend to see that, and that just comes from, maybe comes from how fine-tuned the policies are. Chris, you and I know very well that sometimes a lot of companies do have policies, but sometimes, when you look at those policies, they tend to be a little bit ambiguous. It seems to, well, be careful why you do this. It becomes very difficult to enforce, and those are the areas that we see that, well, it appears that this industry doesn't have a very strong compliance culture. They don't have a strong culture. So that's what we mean by that, that you have to be very specific. You have to have a policy that is really very specific, that should not be vague, not ambiguous, that everybody thinks is okay, who cares? It's just what it is.

Chris Sienko: 

Yeah, yeah, and I suppose that's something that, not just if you're trying to get a job in this place, obviously as a security person you wanna know whether you're coming into a place that has that commitment to compliance-level security. But I imagine even if you're just working in any other part of the company, you would wanna know whether or not you're, so talk about, if you're not a security person trying to come to a company, how do you sort of research whether or not your company sort of has this high level of security compliance culture to it?

Joseph Nwankpa: 

Yeah, I think when you think about having this, it requires, you know, something that develops over time. Right, you see, it sometimes is driven by the industry, it's driven by the regulatory requirement, it's driven by a lot of compliance issues that you tend to have. So, for example, when you think about the hospitals, there are certain areas where they have certain laws, certain regulatory oversight that really forces you to be able to comply with certain types of standards. And I think that's the posture that you're coming into. When you're coming, what are the things, what are the do's and the don'ts, what are the things that they say, no, no, how do you? What are the key standards? And I think those standards are enforced by trainings, by policy formulations that are very, very specific. In the road against that one shouldn't do it's okay, like, well, you shouldn't take certain resources, certain information home and take it onto devices that are not the company's. So these are little things that I think that's how that culture is developed, and when people fall in, they realize that that's an elevated culture, because we've seen people move from organization to organization, industry to industry, and they really say that, oh wow, when I moved to this industry, things were a little bit different. So it comes over time, definitely.

Chris Sienko: 

Well, that's great. That moves into one of my next questions real quickly. I wanna talk about security awareness among your workforce as well. So, going back to the Peltzman effect, it seems, as you said, that remote workers are more aware of threats due to their relative isolation and the feeling of not being able to pop around to the IT person if something looks fishy, and on-prem workers assume everything will be fine if they, say, Simon will cast a game on a second screen while they work, maybe click on that pop-up for the free ramble drawing that just appeared. But in your findings, what were some of the best lessons, whether these are compliance related or just corporate culture related, that you saw being taught in terms of making sure that your remote workforce is using and internalizing security awareness best practices in their work? Do you have some examples of companies where there was an especially high level of security awareness and a low level of sort of breaches, and what was sort of the thing that tied those together?

Joseph Nwankpa: 

Yeah. So, like I was saying, Adia, one of the things that we saw that kind of tried to tie them together was just having that culture, having that security posture already that allowed them to be able to comply to a certain state of things. When we looked at this, these particular employees that were working remotely, one of the things that really came up, when you look at people that came from companies that had a very established culture of, while we're working remotely, here's what we're supposed to do, as opposed to companies that moved into a remote work environment because of COVID, and some of this was a little bit vague. So we saw that those things did manifest a little bit with respect to those companies and in terms of how they were able to deal with that. And also when we think about this complacency, one of the things that also has to be careful, and we saw that, is that sometimes, too, we weren't sure how long this heightened state of awareness for remote workers will last, because, at the end of the day, complacency can also set in, like in terms of when we think about moral hazard. Right, well, we do have multifactor authentication. We do have access control. I'm using a VPN. To what degree does this start to kind of make you a little bit more complacent as well, as time goes on? So that's follow-up work we're trying to do, to see how does that heightened state of cybersecurity awareness and precaution-taking behavior, is this something that peters out over time?

Chris Sienko: 

Yeah.

Joseph Nwankpa: 

When they start to kind of familiarize themselves a little bit. So that is something that we are looking at at the moment.

Chris Sienko: 

So the tech level might well be recreating the Peltzman effect, in the sense of people are feeling well, I've got a VPN, I've installed all the things that my IT guy told me to install on my laptop, so you know, we're probably fine kind of thing, correct?

Joseph Nwankpa: 

So that is the challenge, and so, but at the end of the day, one of the things that we try to, an argument we make in our paper, is that this allows companies to have these intervention mechanisms, knowing fully, how do we intervene, knowing that this is what is happening? And so the question now becomes, how do you continue to make sure that that cybersecurity awareness is not diminished to the level where they conduct these precautionary behaviors when something happens?

Chris Sienko: 

Yeah, do you have any sort of thoughts on internalizing security awareness best practices, especially for places where you've already seen that it's bad? Like, and also, I mean, with these kinds of overarching cultures, especially when it's a culture of, like, it's, you know, it's not put down in, set in stone, so it can be hard when you suddenly set in stone, like, you're not allowed to do this anymore. You're not allowed to do this anymore. Have you found any sort of patterns in terms of what worked well in terms of getting people, you know, security awareness and buying into it without feeling like they're, you know, getting all their freedoms taken away or whatever?

Joseph Nwankpa: 

Well, Chris, you know, at the end of it that's the Holy Grail, right? That's what everybody's trying to do, everybody's racing to accomplish, you know, to find out. I'll give you an example, for instance, in higher education, for example, we tend to really lag behind in terms of cybersecurity awareness. And how do we know that? So we do a little bit of a simulation of, you know, phishing behavior and we tend to have higher than normal click rates within the universities. And there's a lot of arguments for why that happens. Maybe they just don't have enough funding in terms of tech, they're just a large, you know, volume of size of people, the students, the faculty and all that. But the question is, how do we try to, you know, increase that cybersecurity awareness? And one of the ways we've tried to do that, you know, obviously most companies try to enhance their cybersecurity awareness through trainings. So the question is that, but what we've seen in the past in terms of prior research is that trainings seem to be something that, yeah, you know, it gives everybody that heightened state of alertness for just a brief period and then everybody goes back to where they were originally. So the question now becomes, you know, how do you incorporate that training in such a way to have a long-term goal, and did you really see out how to do that? Because part of the challenge is that most people are also under pressure to deliver in their respective job roles. Right, you know, cybersecurity is necessary, but it's not sufficient. That's not their primary task. At the end of the day, if I'm in sales, I will still be judged based on my sales output, right, and not the fact that, you know, well, I was able to meet all the cybersecurity policies now. So this is the dilemma that we face in trying to tailor and structure training programs that will be able to force employees to have that heightened state of alertness, have that enhanced cybersecurity awareness. 
So the question is, that question is something that continues to be ongoing, being able to tailor this training, and it's always going to be different across industry, across even employees, if you are at the managerial level, at the lower level. So, just, it has a lot of complexities and I think that's why it continues to be a challenge.

Chris Sienko: 

I mentioned that also, the fact that, as you said, you get one training once a year and then forget about it, and then your knowledge, I guess it's like if you were, like, trying to learn a language and you tried to learn, you know, Spanish in a weekend and then you didn't speak it for six months, then, yeah, you're going to forget it after a while. But I mean, have you seen any other sort of recurring patterns of things that seem to be going in the right direction in that regard, in terms of retention?

Joseph Nwankpa: 

Absolutely so. One of the things that we've seen is that it's not so much training. Training might not be what will help you get to where you're going, but what we are beginning to see is that when you look at it in terms of risk, when you now bring people in and say, well, this is an inherent risk of doing business, here are the usual challenges that we're going to have, here are the potential drawbacks. These are the problems that we're going to encounter in the event that this happens. That tends to have a much more profound effect, as opposed to saying training. The training appears to be like, you know, I checked the box, yeah, I've gone through the training, okay, what else, let's move on. But being able to have that sensitization, not so much about training, but being able to give them the knowledge and skills to say, hey, here's what happens in defender distance. If we have this type of threat, if we have a data breach, this can lead to these consequences. It gets people's attention. So, and I think a lot of companies that are able to use that as a way to intervene and as a way to increase that are being a little bit more successful, as opposed to people that are really limited to training alone.

Chris Sienko: 

Now, out of curiosity, you mentioned a little bit that, you know, obviously higher ed is sort of a target area that you're looking at. Have you seen any particular patterns or insights around security awareness in the higher ed space? Are there particular blind spots that are specific to higher ed that you don't see in other areas? Because I know I've heard that as well, that higher ed has maybe a lower rate or, you know, higher rate of, you know, security issues and so forth than maybe some other industries. But, like, where do you see the blind spots in higher ed in terms of security awareness and security posture?

Joseph Nwankpa: 

I think that's a great question. So definitely, when we think about, like, so we use the classical case of phishing, right, and, like I mentioned, when you think about phishing and think about click rates, when you, anytime you run simulations, there's a lot of studies that have demonstrated that when we run simulations across industries, the higher ed, you know, they tend to come out at the lowest level, you know, they have the highest click rates. And the question is why, and I think part of that has to, even when you eliminate tech-savvy sectors, you know, when you equate them with construction, when you equate them with, they still come out at a very, you know, lower, at the bottom of the table. And I think part of that challenge has to come from the fact that it's almost like higher ed seems to be, like, almost like a distributed work environment where everybody is their own, you know, specific boss, they come in and do their research, so they don't tend to see the big picture of how, you know, this can pose a very significant threat, and I think that's part of the challenge. So, because one of the secrets, this is, you might trust you to notice that we've had simulations that we've run on the universities, and the same set of people, you know, they click the simulated phishing attacks and they click it all the time. And then you go back to them and say, oh well, you have to go through some training. And then you run it months later and you still get the same click rate and you're like, what is going on? And I think it has to do with that level of awareness that in our country, in the US, there has to be an effort to get people to really buy into cyber. 
They buy into the threat, understand that this is an inherent risk in your daily lives, and unless that happens, I think that these measures, when it is training, when it's forced, take on a more cosmetic nature, because they don't really, and I think that's why the, you know, people that work remotely, what are the reasons why they were successful at increasing their cybersecurity awareness? Because they consciously wanted to do this. Therefore, no, I don't want to be the reason why something bad happens to the company. I'm going to pay a little bit of attention, and I think that's what we need, even in higher ed. So, for example, if you go to finance, for example, you know that, okay, well, folks come in. They understand the ramifications. They know that this is a very sensitive area, so they almost come in with that level of awareness as well, and that's one of the reasons why they're a little bit more cautious. But in other areas, where the implication, what if a university has a data breach? Okay, well, it's not something that is going to be the case of that, well, you know, what's that, that can happen. So it creates that sense of complacency and that is part of the reason why we are still grappling with some of these cybersecurity awareness issues within the higher ed industry.

Chris Sienko: 

Yeah, that's interesting. One thing that sort of sprang to mind with regards to the cautiousness that a remote worker has, and I never really thought of this before, but the idea that you say I don't want to be the one, you know, the breach happens to. But I think there's also maybe a little carried implication that if I'm the one that gets breached and it happens when I was working remote, we might lose remote work from home entirely. Like there's that double feeling: if we have this thing, this thing that we like is precariously in our hands and we could very well all get pulled back to the office if we don't do it. So that's really an interesting thing. Now I wanted to poke at something, and maybe this is sort of not a correct assumption, but like with regards to higher ed and the high rate of phishing. You know, one of the things I say about phishing attacks is that, you know, especially in a lot of cases they are written in a deliberately clunky way with the idea that they're not aiming at people who have like a higher than average sense of English language. They're looking for people who they think are more likely to sort of be credulous or take them. But you know, in higher ed, it seems like you would see even more. You know, especially if you're like in the sort of like humanities, like you would notice, like, the awkward wording of a phishing email and stuff and I don't know, I don't know they're necessarily getting like a more refined version of phishing. Is there any, is there any aspect to that in terms of, you know, the parsing of a phishing email at a higher ed level?

Joseph Nwankpa:

Well, I think at the end of the day, you know, the challenge has always been, I think when, you know, phishing attacks have always been successful has to do with the fact that, you know, the recipient of the information has really this wide range of emails. I pretty see, you know, as a professor, I get emails all the time from students. You know, so many students that I'm dealing with. At some point there's a fatigue that sets in. Yeah, that's true, you know, you can take that issue and all this stuff. If you're going to get 200 emails a day, then at some point that really, you know, pit us out things and then you're not really paying specific attention. And I don't think that's necessarily the case for other sectors where you're dealing with a very specific customer. You're dealing with both, you know, and have this, you know, one-to-many relationship with our students, and that can be a challenge.

Chris Sienko: 

Yeah, and I guess I didn't talk about that too, that you're probably, you might, you know, have to be still answering emails at 10 o'clock at night and you're already naturally fatigued at the end of your day and stuff. So that's a really good consideration. So we've talked a lot about 2020, obviously was the year that, you know, the great, you know, remote work phenomenon. A lot of places transitioned very quickly into this whole new paradigm. You know, might have taken weeks, months, even a few days, and suddenly you had to completely change your security posture and the way you did business. Like I'm guessing by now that most places have figured out the remote strategies. But are there any persistent blind spots from the sort of security, engineering, architecture side that have popped up in this first wave of everybody homeworking that you see, that are still sort of persistent, or has that all sort of course-corrected itself in three years?

Joseph Nwankpa:

You know, Chris, that's a great question, but to tackle the question, I would say this, that, you know, there are certain risks that are not going away. Anytime you're working remotely, it doesn't matter whether prior to COVID or post COVID, those risks are going to be there. You know. The reality of working remotely is that when you do work remotely, you know, there's always going to be a challenge with data, you know, in transit and that are at rest. These are going to be potential issues. Well, you can mitigate them with VPN. But again, you know, just because you use VPN doesn't necessarily switch the pay. That doesn't mean that, you know, you are not immune to these challenges. You know, a VPN, not the penicillin. You know, a VPN encryption. At the end of the day, how strong is that encryption? You know, how strong are the key sizes? These are all issues. And then what about the endpoint itself? What about the device? You know, you know, is the device patched to the level that, you know, it doesn't do? So these are all. Those challenges are not going away and, at the end of the day, you still have to grapple with some of those blind spots in a distributed work environment, and think about it: when you work within the premises of a company, there are certain safeguards that they can put in place. You know, they have the firewalls, they have the network segmentation. They can say, you know what, let's kind of start to hedge the risk a little bit with segmentation. Those things are not going to exist in a remote work environment. You're most susceptible to the person, to how the cybersecurity hygiene that they have, and that is going to be the challenge, and people always think about it like, you know, what good is access control? What good is encryption if somebody's credential is compromised?

Chris Sienko: 

Right.

Joseph Nwankpa:

Okay.

Chris Sienko: 

Yeah, go ahead, I'm sorry.

Joseph Nwankpa:

Yeah, so that's, those challenges are always going to be there, and I think that in a remote work environment, your best bet is, that's why it's so critical that you want to make sure that that end user, that employee, understands the vulnerabilities that are going to be there when you work remotely.

Chris Sienko: 

Yeah, okay, so we're starting to wrap up a little bit, but I want to ask you a little bit about this sort of learning, study, career side of this. This is the Cyber Work podcast, after all. So for listeners who are interested in becoming security awareness professionals, whether they're teaching security awareness or creating security awareness materials or, you know, getting, you know, people to think seriously about cybersecurity awareness, do you have any tips or recommendations for any types of learning or experiences or certifications or skill sets that they should be trying to get? Like, what are some of the things that you've seen among security awareness educators that make them especially good?

Joseph Nwankpa:

Yeah, thank you. That's a great question, and I think this comes back to what I said earlier on, that sometimes we tend to put so much emphasis on the technical side of things and, you know, sometimes we tend to forget that we're dealing with people, right. At the end of the day, when we think about, you know, cybersecurity breaches, cybersecurity threats, we still see that 80% of those really have to do with human elements. So I think it's really, when you're looking at cybersecurity awareness, and I think that's what we're doing right now, let's start to look at the human being and look at ways. You know, from a psychological point of view, from their behavior, how can we induce this type of behavior? What are the mechanisms? What are they? You know, what aspects can we tweak a little bit? You know, what intervention schemes can we put in place to get that? It's not always going to be the technical solution, and I think this is part of the challenge that we face in the cyber ecosystem today, because when we think about phishing, phishing has been there for decades. Why is it that we haven't tackled the problem? Because it's a human problem, it's not a technical problem. You're not going to fix it with writing some bunch of code, no, and so this is where you have to start looking at the idea, being able to align that technical component, process component and the people, and I think that's what makes you a good, you know, cybersecurity awareness researcher, you know, if you want to make a beauty career, that's what you have to look at. What is it about people? How can we look at people as a human being and say what is it that we can tweak a little bit? How can we intervene in a favorable, positive way that will help make cybersecurity risk something that people will have at their fingertips?

Chris Sienko: 

Yeah, I think that's interesting. And another thing that we talk about here all the time is that people are intimidated by getting into cyber security if they don't feel they have a baseline tech experience. And it sounds like, especially with security awareness researchers or educated professionals, that you know we're always interested in people switching to cyber security later in their career, and it seems like maybe someone who has a background in counseling or psychology or psychiatry or would make a really good example. Is that something that you've seen as well?

Joseph Nwankpa:

Absolutely, absolutely, Chris, and I would throw this in here. Like, think about things like insider threats, and that's a potential threat that happens within an organization. How are you going to be able to look at a profile and say, well, based on this, this is a potential candidate, that's something maybe we need to watch closely. These are critical questions that come not so much from the technical aspect of things, but from the psychological aspect of this, from the behavioral aspect of this. That will play a leading role in that as well.

Chris Sienko: 

Yeah, that's great. I hope we get to see a lot more people sort of moving into this space from areas that work with sort of human empathy and sort of human understanding and so forth. So as we wrap up today, Ken, I'd like to ask this of my guests Can you tell our listeners the best piece of career advice you ever received?

Joseph Nwankpa:

Yeah, that's a great question. I would say that for me, I think, is I always think about it in terms of innovation, in terms of being dynamic. I really think that one of the things that cybersecurity brings for me personally is that ability to always evolve. You know, looking for something new. If you're an individual, you really value the search for knowledge, you really value innovation, you want new things, and I think that this is the space for you, because it gives you that ability to always be on top of things. Things are moving at a very rapid pace, things are radically changing, and so that eliminates that, because here, when you think about us in academics, sometimes we tend to wallow in silence. After a while, you know, this is your expertise, you know everything about this and that. But for, you know, technology as a whole, and cyber in particular, it really allows you to be able to evolve, and that ability to evolve and solve problems as they come, it's such a great, you know, characteristic and such a great element of cyber that I feel that if you do something that will always keep you on your toes, and that's, you know, it just gets me very excited every time. So if you have the passion, if you have the excitement, if you love new things, if you love innovation, if you like a dynamic, changing, fluid environment, I would say definitely cyber is for you.

Chris Sienko: 

That's interesting. Yeah, a couple of weeks ago I talked to another guest, Sean Falconer, and I asked him the same question, and he specifically called out an old professor of his, and the professor said one of the things I don't like about people with doctorates is that they think they know something. And the idea that, and it's exactly what you said there, once you feel like you've had a degree conferred upon you, that you're done learning, oh, you're, you know, or you know you might have to maintain it a little bit or what have you, but, you know, it's like, you know, I won a marathon once and now I don't have to exercise anymore, or something. Yeah, yeah. So that's really interesting. Okay, so that's the second one now that I've gotten, which, yeah, I think that, I think there's something really important about that, like learning never ends, and love of learning is, you just can't let it go away. Okay, yeah. So before we go, Joseph, if you'd like to tell us anything about your department at Miami University and other research or exciting projects you're working on, feel free to do so here.

Joseph Nwankpa:

Oh sure. So my department at the Farmer School of Business is Information Systems and Analytics, and we have a very unique undergraduate cybersecurity program, and so that's a cyber management program, and so we have this unique blend of an undergraduate program in cyber. It's not so much about the technical aspect but it's more like in risk management, being able to understand your cybersecurity risk. So we train business students that have a strong understanding of cybersecurity from the point of risk assessment, from the standpoint of coming up with, you know, policies that will mitigate risk, being able to have that ability to assess. So most of our students tend to be consultants. They go into consulting within the cybersecurity space, within the cybersecurity ecosystem. So, for instance, when you're looking at things like mergers and acquisitions, supply chain, being able to look at a supply chain environment and identify risk from multiple parties, multiple vendors, before you get into those types of arrangements. So these are the things that our students really do, and we think that that's a very niche-based program for undergraduate students. So if anybody's interested in that type of program, look up Miami University's Information Systems and Analytics Department. And we do also a lot of research, like I mentioned, in AI, and especially behavioral research, trying to understand how we can continue to use people as a means of mitigating cybersecurity threats within the industry. So that's the areas of research that we do, and we definitely have, in the past, partnered with professionals. So, and we do welcome that partnership, and we continue to look at how we can partner with professionals that you talk to all the time, Grace, so that we can understand the risk out there and be able to conduct meaningful research.

Chris Sienko: 

Love that. One last question and I'll let you go here. If our listeners want to learn more or connect with you, Joseph Nwankpa, or check out your report's findings, where should they go online?

Joseph Nwankpa:

I would say go to Miami University, put my name there. Like I said earlier, I'm also the director of Cybersecurity Initiatives at the Farmer School of Business, and as part of that role, we do do a lot of collaboration. We invite guest speakers as well to come and sensitize our students. At Miami, one of the things that we try to do here at the Farmer School of Business is to make sure that the cybersecurity footprint gets across all departments, whether it's finance, marketing, manufacturing. At the end of the day, cybersecurity risk is an inherent risk of doing business, so everybody has to be able to understand that and make the necessary adjustments. So go to www.miamioh.edu, get to the business school, Farmer School of Business, and definitely you will find me and see interesting things that we are doing.

Chris Sienko: 

That's awesome. Yeah, cybersecurity is the secret sauce that sort of drives all the other departments as well. That's great, absolutely. Well, thank you so much for this really enlightening talk, Joseph. I really enjoyed talking to you today. Thank you.

Joseph Nwankpa:

Sure, my pleasure. Thank you for having me, Chris.

Chris Sienko: 

And, as always, I'd like to thank our 80,000-plus Cyber Work viewers and subscribers on YouTube. Your input and enthusiasm make this a joy to do each week, and if you have any topics you'd like us to cover or dream guests you'd like to see on the show, always feel free to drop them in the comments below. And we have a little community on our YouTube page as well. Feel free to make comments over there. But before I let you go, I hope you remember to visit infosecinstitute.com/free and get a whole bunch of free and exclusive stuff for Cyber Work listeners, including the trailer for our security awareness training, Work Bytes, which is just hilarious and awesome, and I encourage you to watch it. So, you know, do you have better security awareness skills than your coworkers? And then I ask, what if your coworkers were a pirate, a vampire, an alien, a zombie and a fairy princess? Go check it out, find out for yourself. Infosecinstitute.com/free is also the place to go for your free cybersecurity talent development ebook, where you'll find in-depth training plans for the 12 most common security roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more. So one more time, that's infosecinstitute.com/free, and the link is in the description below, along with Joseph's info. So one last time, thank you again to Joseph Nwankpa at Miami University in Oxford, Ohio, and thank you all so much for watching and listening, and until next week, happy learning. Thank you.
