Phish testing: What to do about so-called 'repeat offenders'

Chris Sienko: Welcome to another episode of the cyber work with InfoSec podcast, the weekly podcast where we sit down with a different security industry leader each week to discuss the latest cybersecurity trends and how those trends are affecting the work of InfoSec professionals as well as tips for those trying to break in or move up the ladder in the cybersecurity industry. Today's episode is a webinar released on July 24th, 2019 in collaboration with the Spiceworks it community. It features Tori Dombroski of Spiceworks IT, and Lisa Plaggemeier chief evangelist at InfoSec. The topic is phishing and specifically the repeat phishing offenders in your organization. Those people who just can't stop clicking the link for what looks like free tickets or an overdue invoice. What is the best method for dealing with these threats to your company's safety? Do you name and shame or are there other more effective and humane techniques available?

Join us and the Spiceworks IT community as we discuss. Is it ever a good idea to terminate habitual clickers? How do you protect your org from click happy employees as well as training techniques and escalation methods. And now I'll pass you over to this one hour episode titled the phish testing, what to do about so-called repeat offenders featuring Tori Dombroski and Lisa Plaggemeier.

Justin Ong: Hey, what's up Spiceheads welcome. Thank you guys for joining us for another great video meetup today sponsored by InfoSec. We've got a great show for you guys today. We're going to be talking all about what to do about those pesky repeat offenders that I know all of you guys have experienced at some point in the past and what you should be doing about them to help them get with the picture. So for more on this, we have a great panel of experts for you all today, including an IC pro from the Spiceworks community as well as an expert from Infosec. So without further ado, let's go ahead and kick things off with a round of introductions. You can meet them. Coming to us first, he is known in the community as Torb Z, also known as the diabolical one when it comes to his phish testing schemes. Everyone please welcome Mr. Tori Dombroski to the show today. Tori, how's it going today, sir?

Tori:

It is going well. Thanks for having me.

Justin: Absolutely.

Tori: So I'm an IT pro you all know, if I'm in the community, most likely I'm an IT pro. I've been working in IT for probably 25 years. My whole kind of professional career, even though I didn't go to school for it, right. I think we all kind of find our way there one way or another [crosstalk 00:02:27]. So I've been in the business for a long time. Currently I'm an IT director. I see you got my title wrong here. That's okay, I don't live and die by titles, but they upgraded me without telling me, so just catching up to the director position anyways. But, as far as for a growing company, it's kind of fun, new challenges all the time. And security is kind of one of the biggest challenges we all face these days.

A long time ago when I realized I wanted to keep my network safe, I realized end training was going to be really, really important as a phishing, really came on the rise and was happening in the background. So, I really like getting into that side. That's a big part of me. You guys might know, me per my phishing award campaigns that I do. did a how to recently in the how to section. So that's how I like to kinda keep in, build a culture of cybersecurity awareness in our environment, that's who I am.

Justin: All right, very cool. Thank you for joining us today, Tori. I guess my question for you is how did you get to be so diabolical and can we all learn how to be [inaudible 00:03:33]?

Tori: So, I started to build a program where I wanted to build an award program so people had to do really good. And what I found is that using the baseline phish tests, most people kind of didn't fall for it. They could see right through it. So, I realized I'd wanted to do kind of a really in depth, focus training month. And so I'm like, I'm going to use inside knowledge against these people. And I got pretty diabolical with that one. I don't hold it against them for our annual phishing awards, but we did kind of a phishing Derby. And so I used inside knowledge just right off the bat and [crosstalk 00:04:12] got mad at me. But I built a story behind it. I said, look, if someone was listening to your email chain long enough and some of these hackers will do that, they could build out their own little story that would work.

So not just the guy who's going to spam out a million document links for some random PO, but more like those guys who are going to sit back for a couple of months, watch the chain, figure out who people are and then take advantage of that. And that was the part I played and it was diabolical.

Justin: All right. If the bad guys aren't going to be pulling any punches, why should we be pulling any punches either. Well, thank you for joining us today Tori. We are going to be learning a lot from you. So thanks for joining. My next panelist, she is the chief of the Angeles for InfoSec. Everyone, please welcome back Ms. Lisa Plaggemeier to the show. Lisa, how are you doing today ma'am?

Lisa Plaggemeier: Good. I'm awesome. I'm here in Austin, Texas, just like you. So, always a sunny day in Austin. As you said I'm chief evangelist for InfoSec. We're a personalized education provider. Everything from any user training and a phishing platform like we've been discussing to tactical training, boot camps, certifications, all that good stuff. So I came to the world of training and awareness from sales and marketing. I started my career with Ford motor company a long time ago. Selling cars and trucks, marketing cars and trucks in the US and Africa in the middle East and Eastern Europe. And, then from there when I moved back to the States, I was with a technology company that's automotive related. So it used to belong to ADP, the big payroll processor. And, it was a company that had half a billion consumer records to protect social security numbers and driver's license numbers, that good stuff.

So I was doing marketing for their data on different SAS platforms and those, because you're handling, sensitive information, there's a marketing attributes to those products that are security related. And so that's when I started to do that translation between, security technology and our client base of car manufacturers and dealers. And, then the company was spun off in 2014 from ADP and that's when the CSO asked me to join the security organization and run training and awareness program. So my first reaction was, I'm not that boring stuff that they make us do once a year. I don't want to do it really. I have to do that. So I decided to kind of turn it on its head and, do something that was super engaging. Most of the CSOs I worked for there wanted more demand for our services.

They wanted more engagement from employees. Right. Everybody's got, I don't know, a single organization that doesn't have a shadow it problem. And that's what keeps CSOs up at night is the stuff they don't know about cause they can't protect it. So we just wanted more engagement. We wanted people coming to this security organization for help and advice and architectural reviews and all kinds of stuff like that. So I tried to run a program that really got people interested and communicate at the middle level, like just meet them where they live right now. Get them to understand what their own, how they contributed to protecting their company. But then, what role did they play like in their daily function? Like what processes or data did they touch that probably needed some, a security review and some eyeballs on it and getting their engagement that way. So I'm a big proponent of programs that are outside the box I would say.

Justin: Okay. Very cool. Well, thank you so much for joining us. We're going to dig into that more as well with you, Lisa. All right, well let's go ahead and get started into it. I think it goes without saying that pretty much everyone who is intending in today's show has had some sort of experience with a user or possibly multiple users who just repeatedly fail test repeatedly. Tori, in your opinion, what is the most common reason why folks fail repeatedly? Obviously we can understand if it's just one time, if it's just part of learning experience, but for the people who are repeat offenders, is it that they don't care? Is it that they can't learn? Is it that they're just not taking it seriously? What's been your experience?

Tori: So, a lot of people want to go for, they can't be trained. But I've proven that wrong in my environment. I love having that success story. I had a guy, he was older, he's retired at this point, but early on he would be very feisty about phishing emails when we identified that he clicked on a phishing email before we had any kind of real in depth security training. We pointed out kind of the warning signs and he's like, what is, that email's got the guy's email signature in it. How could it be a fake email? And you go from that to after training. He was like a picture of a well trained user. He caught stuff that other people might not have caught themselves. So I like to take that whole, they can't be trained and set it aside.

And I always use him as an example. We had a C level exec that got infected multiple times and after the training he's been, maybe not a picture of perfection but a lot better than he was. So, that one I don't like. I think it's a little bit about culture and it's a little bit about maybe apathy. Someone who's there to collect a paycheck and they're doing their day, speed, you're talking about those one offs, those people that miss it here and there. Those are going to be the people who are just too busy in their day, that they don't take that extra second to really, think about what they're doing before they proceed and they're just kind of whizzing through those emails. Click, click, click, click, click. That's the one offs, but there's definitely that apathy, those people that it's like, "Ah, it's not my job to worry about security, that's Tori's problem. He's got to figure it out and I can just click on anything and he'll take care of it."

Justin: Well, that shows I've got a lot of trust in you. Right. That's actually in some ways a really good thing.

Lisa: You hit on a good point there about culture, right? I think in some organizations it's not unusual for people to get a couple of 100 emails a day. And what was fun and innovative, sort of the move fast and break things. Culture, a couple of years ago I think has become kind of an Achilles heel in the world of security because people are just whipping through emails as fast as they can and not paying enough attention. And that's the problem is that we need folks to just slow down just enough, I mean the devil in a phishing emails in the details, right? And if you're just flying through things quickly, you're going to miss the details. So for me, I think it's that culture of, it being okay to slow down a little bit long enough to, some organizations, there's just a lot of social pressure and it's in the culture to respond really quickly and to move really fast. And that's what will get ya. I think if you're flying through emails too fast and you don't notice the details.

Justin: So I mean, if we agree that a lot of it is culture, I mean, how much of that can be changed and how much of that can be changed from the IT department. Lisa, are there things that, where should it start? If you've recognized that you have a culture issue and that's causing some security issues for you? Where do you start? Who should you be talking to?

Lisa: Yeah, so I think this is a little bit off the topic of just, running a phishing program. But for me, in my last organization, I talked to a lot of training and awareness managers are kind of looking to corporate comms to set the culture for the organization. And they're looking for, looking to marketing or looking to leadership and kind of waiting for them to promote a culture where they can, piggyback on that and add security to whatever the culture is that those groups are trying to establish in the company. And the reality is that a lot of companies really struggle with that. And I don't think we as security professionals should wait for somebody else to set the security culture. Right. So if you do the training and awareness programs, you want awareness campaigns that are really fun and engaging and you have events and you do stuff that really gets people involved.

Is that the culture yourself? I think you have to have really, really good content that really does actually engage people, instead of just saying like, you should care. You have to explain to them why they should care. Right? Is that what's in it for me? And, just really getting people excited and talking to them at their level, getting their engagement. And I think we have to, if you go before, I was talking to one of the analysts a couple of weeks ago, and if you go before the folks in your organization that are responsible for reviewing your materials before you go out with a campaign, right? So if it's corporate comms or marketing or HR, whoever it is, if you put material in front of them that isn't, that they get engaged with, even in that review process that's really good quality awareness material, then it's really hard for them to not approve it. Right. It's really hard for them to say no.

So I think as far as culture goes, I mean obviously you run a phishing program parallel to all this and you should be able to see results in those phishing tests as you're running your awareness campaigns. But I don't think at the end of the day we can really wait for anybody else to set the culture. I think pick up the ball and run with it.

Justin: Tori, what's your advice, how do you feel like, what's been effective for you as far as a change in culture to one that's more security aware and takes it more seriously?

Tori: So, just like she said, I really like to take the ball and run with the culture piece because, C level executives are kind of a little afraid of what cybersecurity is. They don't fully understand it. They don't fully comprehend it. They know they want their people to be safe, they know that it's important. But how do they build that culture without scaring people away from clicking anything in their email and kind of having that negative sense. So that's why I've tried to take a positive approach. A lot of people talk about, as a character is that stake. And I'm definitely leaning towards the carrot, but so what I like to do to build a culture is I built award programs. And what that does is it, I love when it builds the buzz around the water cooler.

People are like, Oh, did you see that? That phishing tests that came through that was absolutely diabolical. So that's why I do that, try to make it something that, you don't want to ding someone really hard, so you don't want to be like, I put out this really diabolical phishing test and 20% missed it or something like that. You don't want to put out this, Oh, 20% now I have to go through security training, but more like, okay, you guys missed the boat for this award. This big prizes is going to be out there and kind of raise that bar and try to raise that awareness. I also like to use weekly newsletters. I used to be weekly, now it's kind of interspersed a little bit more.

But I would hand out, phishing badges, so I would make badges with the people's names for the people who submitted, examples of phishing that they saw throughout the week. Or if we did a phishing test that week, maybe I would put the results out there. Give people kind of a feedback. People love feedback, they love to see their name in a newsletter, they love to see the feedback. And if they see their buddy's name in a newsletter on a badge, I love to use the shark theme because of the whole phishing idea, then they start to compete for it. And absolutely, you can't get that culture out to everybody. But if you've got that kind of apathetic person sitting here and somehow you get that buzz near them, somewhere along the line that starts to build, it builds some pressure and a build some momentum.

So I know I'm going to be doing my phishing Derby again and I'm kind of looking forward to it and starting already to think of the creative why ideas that I can use to build around that. So, and it was completely an accident. I worked for the CFO and he saw me putting up posters on the wall was like, "Oh, what are you going to do at phishing Derby?" And I said, that's it I'm doing a phishing Derby. And I started to build the idea in my head, what does that going to look like? How do I do that? I got management involvement, the user level management involvement because I knew I was going to put a lot of phishing tests in front of people. So that meant it was going to slow down their day a little bit.

And I said, look guys, I know that there's going to be a positive or a little bit of a hit to your users. Are we okay with this? But I think we're really going to build a culture. And believe it or not, most of those managers came back and said, no, I think that's a great idea. I think, you're engaging people, you're doing something fun, you're doing something that starts to build that culture. And if you, I got lucky, I got a good set of middle-management that'll work with me to build that out. But it's all in how you present it. It's all about how you bring it. Cybersecurity can be scary because I know, today I had someone who's like, I've gotten this email twice and it looks scary. Can you please look at it? I don't want to click anything, but this is someone I know and they might be trying to send me something worthwhile. I just want you to look at it.

So I know there's that security aspect or that's scary aspect. But if you make it fun, you make it engaging. I think you can build that culture right through a training and a phishing program platform if you use it creatively. And definitely security training content can be dry and boring I understand. So how do you make the programs around it engaging?

Justin: Lisa, I wanted to ask you, so Tory, like mentioned he got lucky he had a problematic C level executive, but someone who is receptive to the feedback and had support from middle management. What do you do if you've got someone in the executive suite or at the C level who is causing problems and it's a bit awkward to kind of reach out to them or they may not be receptive to these types of changes? Is there anything that can be done?

Lisa: So, in my personal experience, when I had, a situation like that, I kind of used peer pressure. If you're in the C suite, if you're in a large conference room with them and all of their peers, and suddenly they're the only one that's not a proponent or a fan or not a supporter. Then that's not to say that I named and shamed anybody by any stretch of the imagination. But if you can kind of get that consensus building around them. And, they don't really have [inaudible 00:18:18] $2 billion organization with 9,000 employees, and half a billion consumer records, it's going to be really hard for somebody to make a case that, we shouldn't be doing all we can to protect that. So, I mean I have had situations where I've had C level executives that weren't initially on board. But I always had really supportive CSOs and between the two of us and leading meetings with them and their peers, we could usually get them on board at the end of the day.

Justin: Okay. And then, Lisa, another question for you. Tori had mentioned, he prefers the carrot over the stick. Do you agree with that? Do you find that that is generally to be the more effective way to, coke's cooperation out of the average user?

Lisa: Yeah, absolutely. So I'm a big fan of carrot and not stick. And I think the problem there is if you, I did a lot of the same things that he described. You want to catch people doing the right thing, and recognize folks when they do the right thing. I had a catch of the day on a page on an internet site, would send out newsletters and recognize people and then we kind of mocked up, the classic picture of a fisherman standing next to his catch that we kind of had a cartoon version of that and we would put the person's face on that character. So people like to be, people like to get public recognition obviously. And then you usually, there wasn't a time, obviously I would copy their boss when I would recognize them for reporting something.

But, there was, I can't think of a time when their boss didn't reply to all and say like, good job, this is awesome. Keep it up. So, that was really good. But I think the carrot and stick argument, I think the arguments I've heard lately for stick and I and I have heard a few including, having beers with a CSO at a conference who was really all about the stick, the best argument I had, I think what it does is it trains people to very specific behaviors, but it doesn't necessarily teach them how to think. And in a world where the threats are always changing and you want to not just have compliance, but you want people to sort of, you want it, you have to, obviously we're trying to operationalize security in everybody's role, right?

So, if you want people to really engage and think about, okay, I don't know, I'm a software developer. How does this stuff apply to me? Or what do I need to be thinking about? Or I work in accounts payable and I have bank account access and I write checks. And so what do I need to be thinking about to make sure that I'm doing my job securely? If you want that kind of engagement, and what that means is you can't just train them to be Pavlov's dog. You have to go beyond that and they have to think for themselves and they have to be able to make decisions, and to know when to engage with the security team and what to report. And how to do their job securely. So I think, obviously we don't want folks clicking on phish and malicious links and all that good stuff.

But I think you've got to go beyond that. And if it's all stick, people tune out, right? If it's the up to and including termination kind of language, and pictures of hackers and hoodies. Now I'm not just afraid of the hacker and the hoodie, the bad guy off, thousands of miles somewhere that kind of an unknown to me. I'm not just afraid of this guy. I'm also afraid of my employer because they've threatened me with, not clicking on phish or tea or taking my training or whatever the heavy handed email said. So that causes the fight or flight response. And that's not what we want. We want engagement, we want people understanding the role they play and wanting to participate and wanting to report things.

I think the other thing to keep in mind in phishing programs is, it's training and a lot of, especially executives just want to see that phish click rate. But there's a lot of consensus in the community that the most important number you're chasing is really the report rate. That's really your mark of how much engagement you've got from your employees.

Justin: Tori, what about you? What's your take on the stick? When is that the more appropriate course of action than the carrot?

Tori: So, we're talking to IT pros here and we're all kind of in a situation where, we live at the same level as someone kind of the middle management a little bit. I'm not a CSO myself. I'd love to kind of be in that position. But not today, even as a director kind of. There's a lot of people at that level, so that C levels a little bit above us. And we don't, we can't really kind of, I can set security policy, but I have to work with the other managers, the C level executives to kind of get agreement consensus on that. So, I've had multiple discussions with our HR and kind of with my boss, direct boss at the C level and talked with them a little bit. We don't really have consensus yet, but what I've decided in the short term is it's not really a big stick, but, when people fall prey to a security, a phishing test, their management, their direct management is also informed on that.

And then obviously most people we follow up with followup training when they fail a test. So then their attitude, a followup test program. And if they don't finish that or they don't complete that in a timely manner, that's also going to their manager. So I'm starting to take this approach where I totally agree. We talked about it in the beginning. What do you do about those trouble users or what type of trouble users are there? And to get them out of that position I think those people need a little bit of a stick. I love rather leading people than, than whacking them. But sometimes people don't move. They don't like carrots. They would rather have a big juicy piece of bacon in front of them.

Lisa: It's kind of about visibility, right? So I used a strike program and that was a group decision between HR and the business. You click once, you might get a short training assignment, what have you, but we worked up an escalation process so that maybe you're eventually your boss was copied on an email or we had a one on one with you. Somebody from security organization would sit down and understand if you've got somebody who's really a habitual repeat offender after months and months, and months. Then, there might be some business drive that's causing them to do what they do, or something that we don't quite understand. And so sitting down and talking to them, I know a lot of training orders managers who will do that personal one-on-one. But otherwise using an escalation process where you copy their manager, maybe copy HR eventually have sit downs with them and their manager and them and, and the individual in HR.

But as far as like, what that escalation process should look like and if that would eventually lead to any kind of disciplinary action, that's HR's job and the businesses job, right? I think sometimes security professionals, we have this keen sense of justice and this person is not learning and we want to see some sort of consequences. But as far as what that should be, we're not HR, we're here to protect the organization, but it's not our job to fire people. I think you have to treat it like any other risks to the business, right? If you've got a manager who's advocating for this person, I don't care that they click on phish every day because they're a great asset to my team and I can't live without them. Whatever the reasoning is, I think you treat it like any other risks, right?

You do a risk assessment. What could happen if this person, what kind of data do they have access to, what kind of systems are they touching? All that good stuff and what's the worst that could happen? And then, that manager is then responsible for that person and then you try to mitigate the risk. Maybe you take away their internet access, maybe you take away their ability to receive external emails, whatever it is, right? There are a lot of tools in the tool belt. There are a lot of things you can do before you get to that point. It's like, I think we need to have a conversation about whether or not this person is still employed. And I think we're kind of too quick to go there and we're a little bit out of our swim lane. I think you treat it like a risk like you would, any other risks to the business.

Justin: So Lisa, you do advocate then that there's some extreme cases where it may be reasonable to terminate an employee because of security risk. Would you agree with that statement and if so, what do you think that that is?

Lisa: I think that's a business in HR decision. I think we can come to the table with the results of our training. I think one of the other things I struggle with about it is that at the end of the day it's training. It's a hypothetical, right? So if they didn't actually do any harm to the organization by clicking, by answering wrong on a training question, which is essentially what it is. Right? So I think it really depends on what their role is. How much can you mitigate the risk. And, like I said, I could foresee in particular organizations that are very risk averse where it would be necessary to do that. But it's really a case by case basis. And it depends on the organization. It depends on what kind of data you have on what kind of business you're in, what the risk is to the organization. I think there are just a lot of factors. I don't think it's a black and white situation that you can make a pronouncement on across the board.

Justin: Tori, any input from you, do you feel like that would ever be justified and any insight as to when that would be?

Tori: So I'm lucky I'm not in an organization that really, our data is high level. So we're not secure, we're not a security business. We're not a financial organization. We're not kind of at that level. So I can see where that might fit into that world. And I think in our case, like Lisa said, right down the middle with the, do the risk assessment, what is the risk that this user portrays to the organization and then mitigate it as much as possible. So if you've got that manager that's saying, no, this person is very important to the organization, we can't let them go. I don't think I would ever, that's not somewhere I would go very quickly myself.

But, how do you kind of put those barriers around that person or how do you kind of, there are absolutely a lot of tools that you can put in place to make them more secure, but you also can limit what they have access to. And then limit their exposure to the world. So I mean, absolutely those are the best ways to start. And sometimes those will help kind of curb the behavior to where you say, okay we've gone to the point where now you can't receive external email and now you're trying to communicate with a customer and you've got this big hindrance in the way where you have to work through someone else and all those other things. So then they say, well, that's it, I want to get back into position.

And you say, okay, this is how we do this. You do the security training and then we get you there. And I'm a big fan of trying to lead people there. I had a discussion recently with someone in a final financial position in the organization and she was kind of, I was going to ask her a question and she didn't have her screen locked. So as a little bit of a prank, I decided to kind of write a funny little message on her screen and left it there and I sort of wandered away to see what would happen. And she came back and she got real feisty with me, which we're, we usually have a very good relationship. We have a great working relationship. And she was like, well, what do I have to do? What's going on? And, I explained, I said, well, I was just being funny, but you are nowhere insight.

Your screen was completely unlocked and here's our financial softwares wide open on your screen. And she's like, well, what can people really get? It's just there. And I said, well, it wouldn't take much effort for them to create a payable that doesn't exist or to pull your data to pull your financial records. It's not really something that you should be doing. And, you try to be kind and gentle about it. I don't think I really had success in that exact adventure, but, it made me opened her eyes a little bit to some of that because, I think Lisa hit it too. At one point we were talking about your training people do a behavior. That's great.

We do the phishing platform, we do the security training, but there's also physical security and I'm trying to figure out how to wrap that into kind of those training programs. There's fun programs as a word program, so where it's not scary, but fun ways to kind of remind people you walk away from your desk, how can you lock your screen when you walk away? And that's something I'll do is I'll just walk up to someone and say, "Hey, how do you lock your screen when you walk away?"

And some of them we're starting with what do you mean lock your screen? And others are like, Oh, I just do the control out, delete the lock screen. And that for me is ding that's good enough. You have some idea, but I always kind of stop and say, Hey, you're on a windows machine. You just hit that Apple key and L and bam, you're locked. And a lot of them will go, Oh, that's much easier. I keep doing this. So we build that. I didn't answer your question, did I?

Justin: No, I mean I think you're hitting on a lot of points and I think that actually leads me to my final question before we get to the ones from the audience. Which is, okay, so we've kind of discussed when termination may be something to consider. What about mitigation? Tori, is that something that you've ever considered is just being like, you know what, you don't get to install any apps unless we say so, we're filtering the heck out of your browsing ability and all of your [crosstalk 00:31:16]. Yeah, exactly. Is that something that you've ever considered or had been done before?

Tori: Yeah, I did that early on. Again, it was another person that I was very friendly with, but he was a maintenance guy. So, not a real big risk because he didn't have, you wouldn't think there would be a lot going on. But it turned out he was emailing a lot of vendors with the materials and things like that. And so once I shut down his email is outside email because I said you haven't done your training. You're not going to have email anymore. I'm sorry we can't, you're clicking on every phishing test that comes through. You've refused to do the training. Everybody out. Well I can't say everybody, most of the people in the organization had done the training at that point. So you really, you can't have email unless you go through this.

And so we locked it down. So I've been there, it didn't go over well because then it got into his manager who was kind of more about getting results than getting it right. So, we ended up kind of making a special case, the boss in that situation, the manager in that situation understood my point. And we did find ways to mitigate it. But it wasn't as clean or as nice as I would have thought. So I've learned from that experience and decided that I start with the manager and then worked down instead of going vigilante and trying to do it at my level.

Lisa: It's really important to communicate like that. Yeah, I think that risk you can run, I mean, I've talked to people who have shutdown, a top performing sales person's email two or three days before the last day of the month and you just cost that guy, that individual and your business revenue. I mean, that's not what we want to be known for in the security department. Right. We already have a reputation of slowing people down and costing the money. So if you exacerbate that we're not doing ourselves any favors. I think it's really important to talk to the business and not kind of go rogue and do those things individually. If you feel like, there's, hopefully if you have individuals where you feel like you need to start taking away admin rights, or email or internet access, any of those things.

But that's not a surprise to you that this is somebody that has been showing up on, reports that you've been talking about for a while that you've been trying to work with them or you maybe have a short list of people that you're trying to work more intensely with and do one on one training, what have you. So when you get to that point with those individuals, hopefully that's not a surprise to their boss or to your boss, or to their HR business partner that you're in frequent communication with those people. And I think that's something that's a little bit of a challenge for a lot of IT folks cause we're kind of used to, being off doing our own thing a lot of time at times it's behind the scenes.

And this is a situation where it's really, really important to be communicative and vocal and keeping everybody informed along the way. So that those things don't come as a surprise and you don't get a shocked response from the business that you want to take, the kind of measures that you probably need to take with that person. It's just a matter of open channels of communication and frequent reporting.

Justin: Alright, well great. We've got a ton of questions coming in from the audience so we're going to try to tackle as many as we can. A lot of good ones. This first one comes from Lauren seven, zero, six, zero. Basically in our latest campaign the majority of the failures come from mobile devices. And this is always a concern that we hear about a lot because a lot of this best practices and security tips like mousing over that changes when you're on a mobile device. Tori, let's start with you. How do you train folks to be more secure when it comes to their mobile devices as opposed to in their laptops and desktops?

Tori: That's a great question. Sometimes someone leaves their phone on the ground and the cat clicks on the link. meow, meow, meow. But, no, so really that's absolutely right. Everyone says, I've got this iOS device. It's completely invulnerable? Or they're like, how do I do a mouse over on a phone? I love the second question is how do I do a mouseover on the phone? So I've kind of built out some quick little cheat sheet type stuff. I said, Hey guys, you got a lot of people who feel like they're failing these phishing tests because they can't mouse over on a mobile device and that's how they live and breathe. So I put together a cheat sheet on it. I've looked for specific targeted training towards that way.

It is tough though from an IT standpoint, from a training standpoint with the changing mobile platforms, trying to keep up with what they're doing. But I don't let up, when someone comes to me and says, it isn't fair that I missed this test because I clicked on a link on my mobile device because I couldn't hover over it. So I said, well, if that was a malicious email, you can accidentally click and goes do it. So I try to not, I don't ease up on them. That's one way is I don't ease up just because you did it on a mobile device, but I try to follow through with that. How do you do it from a mobile device? So, I don't have a great answer. Keep your cats away and don't make a meow.

Lisa: I think it's, you kind of hit on it sort of empathizing with them. There is research out there that shows, I saw a study probably a year or two ago, that people are more likely to click on a phish that's on their phone. And I think it's because, again, they're going really fast through email. That's the beauty of having a mobile device that you can get that stuff done quickly. Right. I think beyond the stuff that he referenced, I would say context plays a big role and that again, that's like slowing down and paying attention. Is this an email that I was expecting? Is this something that makes sense in context? Is this something that I should be getting? And I know in some cases we might have vendors or customers that have been compromised, so then it's, really hard to tell because somebody else's infiltrated one of your vendors or your customer's email systems and then you get something that looks incredibly legit, but it's really about, slowing down and looking at the content.

Does this make sense? Kind of having those spidey senses a little bit of a gut feeling can go a long way when it comes to email security I think.

Justin: All right. Let's go to another question. This one I think is interesting it's from one O flow he says, do you find gamification of security awareness training makes it more appealing to the users or do you think it takes away from the seriousness of it? Lisa [crosstalk 00:37:40].

Lisa: I want to answer this one. This is [inaudible 00:37:43]. I'm known for doing awareness programs that are humorous and so I have sometimes get people saying, this stuff isn't fun, we shouldn't be, this isn't a laughing matter, right. We should be taking this stuff really seriously. I think it's getting people's attention and speaking their language, right? If you've got users who love gamified stuff and that's what causes them to engage, then more power to you. Right. I don't think it's one size fits all. There's not any one type of training or awareness material that appeals to everybody. I think you have to have a variety of stuff. Beyond doing compliance training, there's no law that says that everybody has to get the same format. Right? There's no, if you've got some people that love gamified stuff and other people that would rather have a PowerPoint or more traditional sort of animated module or some people that like comedy. Some people like drama.

That's why there's Netflix and Amazon prime, right? Because there's so much content out there and people can pick what they want and they can choose to engage the way they want. So I think one size fits all is not a thing in security training and awareness. And I think however you can get people to connect is how you do it. I don't think there's any, it's not black and white, it's all shades of gray.

Justin: Tori, what are your thoughts?

Tori: So very similar. Now I work for a graphic design company so we have a fun environment to start with. So that's why I took that from the culture and I express it forward. I don't think it would work very well at a, like a high level financial organization. They're going to be a different culture. There is definitely you work within the culture and in my case, gamification definitely was the way to go. And does it take people less seriously? I think, after seeing people take worry so much over clicking the link, I think it still works. It's a serious subject, but it can be trained on and kept top of mind in fun ways.

Justin: All right. Here's a question from Brian in CA. Brian wants to know what kind of carrots do you recommend? I used to hand out see's candy, gold foil suckers as rewards, but I'm interested to see what others are doing. Tori, what are your favorite carrots? Are they literal carrots? Are you using the motivated?

Tori: No, I think they'd be more motivated by bacon wrapped carrots. So, no, in my case, so again, I worked for a graphic design house and we make environmental graphics and signage and wayfinding and things like that. So I take advantage of the environment I'm in. And so I told you about those badges that would be in the email. So I turn those into actual awards and periodically they go out. I'm a little slow on following through on the end of a program. I just did my 2018 awards a few weeks ago. But they were physical awards. And I get kind of a double benefit out of it. I get an opportunity to work with our graphic design team, let them have some fun. Because, when you're in the graphic design world, they can get stuck doing kind of plain Jane boring work for some stodgy industry.

Then, I give them a wide open license here. I've got this phishing program I want to make some awards. What can we make that'll be fun. And they worked right within that theme. So I will build some bridges there, talk to them about, the award program. In fact, the girl I worked with, she didn't win an award and she realized that afterwards she was like, Oh, I didn't win. I wonder what happened. And then she went through it in her head and she realized what had happened. So it was an opportunity. And so physical awards, we did magnets this year. We do plaques, things like that. Candy works okay. But I like that lasting thing that they can have sitting on their desk. And there are plenty of people that keep them there. Our CEO, how of the organization, I gave them a special award two years ago because, he stayed engaged.

He found a few, phishing things that came his level being a C level executive. And so at least, so you mentioned at one point, calling out when someone does something right. And I was so impressed to see the CEO of an organization submitting to me some phishing emails that he was getting saying, Hey, I think this is phishing. And they were tricky emails. They weren't super tricky, but they were tricky enough and he identified them right away. So I called him out that week in a newsletter. I said, Hey guys, you were really, you should be really proud or really happy to work for an organization where right up to the top, they take this stuff seriously. So yeah, that's what I do. I like those physical tchotchkes they can put on their desk.

Justin: Okay. Lisa, what are your thoughts? What are the carrots that you saw?

Lisa: All of the above. I've seen people, I've seen a real clever turning awareness manager at a healthcare company do a $100,000 bars or a 100 grand bars. The candy bars, right? The little ones and with a little note that says you just potentially saved the company, 100 grand or more. Leaving those at people's desks, bags of goldfish, Swedish fish, goldfish crackers, all kinds of candy stickers, hats, tchotchkes. What I had the most success with, I had a fairly large organization in a lot of different countries to deal with and I hadn't, didn't have a good ambassador program, so I had, we were going through a lot of organizational change and the people that I had to rely on in different physical locations were a group of people was changing frequently. So, that was a big challenge.

So I didn't have somebody who could go run and put something on somebody's desk every day. Right. So what worked the best? There was recognition from the boss, it could be a handwritten note, it could be an email that copies the rest of the department, whatever it was. People seem to really appreciate that. I've seen folks use a handwritten note from, from the chief security officer or if that's somebody that people admire and look up to, I think, there's a million different things you can do, all different ways you can go with it. But when, and we also had the intranet site that would have people's picture on it with the catch of the day.

Justin: George also wants to add, I do Starbucks gift cards for the virus Hunter of the month. It's best $6 investment. It's a weird denomination of Starbucks gift cards, but that seems to work pretty well for him. Let's go next to Mr. Mikey, Mike, that's a cool name. Given the choice, what do you guys see as a bigger risk the folks that are in there every day but are somewhat complacent, or the temporary users maybe working four hours a month, like a volunteer, given that they're not in the job every day but maybe even less engaged with the organization as a whole. Lisa, we'll start with you.

Lisa: So I think it's, I've had this same discussion with people about employees versus contractors and all that good stuff. I think it's really a question of what do they have access to. I don't think you can sort of overgeneralize and say, well, because they're contractors then they need something different than employees or vice versa or because they're volunteers. It's, really a question of risk, what risks they pose, potentially pose to the organization and then ramping up your training and your phishing program to be appropriate for that risk. And I think you can send them phish. You can definitely, sort of Spear phish, that group, you can send them phish. That would be, I used to like to do this with interns. Poor interns would get phish for me that look like something that an intern should get. So, you Spear phish and just like the bad guys do and that can drive home the message because you send them something that looks like something they would be expecting.

Justin: Tori, what are your thoughts?

Tori: So, this is an excellent question and we do struggle a little bit with some of the part time work or temporary work over the summertime. And I've myself kind of struggled with how do I train them, or at what level do I train them. So, normally we'll start off with an hour or 45 minute training program for any new user. But when you've got someone that only works, three days a week during the summer, you're eating up some of their time to do that phishing training. I think Lisa hit it, as soon as she said do the risk assessment, I'm like, Oh, she just nailed it again. It's all about what do they have access to? And I think I'm going to rethink now thinking about what do these people have access to and then determine with whoever's hiring that position and say, okay, this is the risk that they could post to the organization because of the position they're in.

Part time work is not as, engaged with an organization. Like you said, Justin, they're not as committed to it because they're only there part time or they're only there for a little short period of time. And you can't build that culture into it. They can't absorb that culture. So I think that's what I'm going to start doing is I'm going to take a look at the risk and say, okay, this is the risk. This is their exposure. This is what they have access to. Use that to go to whoever's hiring that position and say, okay, we need to take this seriously and figure out how to handle that. The all day, everyday users, they're a part of the culture. I hope they're picking it up.

Justin: Okay. We'll take one last question before we wrap. And it's a joint question because both seller X and a layer three guru are asking, we kind of caught touched on it earlier, but what is the best way to get upper management, C levels, if they're not listening now because they feel like they're above these levels of concerns. They have the bottom line to worry about what is the most effective way to get them to start paying attention. Tori I'll start with you.

Tori: So you actually already hit on it already and that's the bottom line. I know I work for the CFO, the CEO, they pay attention to that bottom line very closely. So, what I do is I take a look at any events that have happened either in our network that I say, this is something that could have definitely had a large impact on our organization. We've had events in our history where hardware has gone down and it's shown what that impact looks like. If we were to have a disaster on some piece of some security situation happens. So I can use that as a leverage point. I can say, "Hey, remember that time when we lost access to this piece of equipment for a period of time." I know that was 10 years ago or whatever, but sort of scale that up and think about how you had all these employees that couldn't work because they were waiting for access to information.

And I also like to follow that up with, local events. So around us a few organizations have been very publicly in the news about how they've had to pay ransoms in order to get out of that situation. I think there's a couple of townships down in Florida recently that had that I love to use that information to drive home to the C level exec team because it hits him at the bottom line and that opens their eyes and now they're going to pay attention. So that's really, in my opinion, the best way to do it. You're not going to affect them through culture. You're not going to affect them through fun award programs and things like that. They just, they'll be out of their own tomb.

Justin: Lisa, any thoughts from you, as far as working with upper management?

Tori: Yeah. When I first launched my phishing program, we had a meeting with the C-suite and I explained, I talked a lot about how it was training. It wasn't meant to be punitive and talked a lot about the culture and how we were going to do some things that were fun and engaging. And by that time we'd already sent our first phish, the base level one that, just went to a 404 page, just to get a baseline measure of where we were as an organization and one of those C level executives and clicked on that. So during the meeting, I think somebody in the room asked, did any of us click on it? And I was able to say, yes, actually, whatever you want, if you did. And everybody of course said who? And at that point, there were the tone in the room was humorous, right?

And there was some levity. It was, because we just got done explaining how this wasn't going to be a name and shame. And this was all about, improving as an organization, not being, it was all about carrot, not stick. And so we could have a laugh about it. And he actually said that, he said, well, which one was it? And I described it to him and he said, Oh yeah, I didn't know what that was. So I sent it to my admin, so it wasn't me. She clicked on it. So we kind of had a laugh about that. And, that definitely raised their awareness to, what is this, why are we doing it? As humorous as that might have been him trying to blame it on his admin, the message hit home.

Because, he was in a room with his peers and it wasn't presented to him in a way, I would never, and that organization in that particular culture, obviously you don't put your C level executives on the same escalation path that you might put somebody else, where you're going to start, you're not going to copy the CEO on an email to a C level executives saying bad dog. No, no, you clicked on a phishing email. So I think it's a matter of having a rapport with that organization. If it's not you, maybe it's your CSO, who covers it with them, but you gotta speak people's language and so you've got to talk to them a way that they'll relate to that doesn't sound threatening.

Justin: Let's take one last quick question. I think this is a good one from [inaudible 00:50:46]. What is the most creative phishing test you've sent out or heard of? Tori, we'll start with you and then we'll go to Lisa.

Tori: Sure. So, as a part of my phishing award or my phishing Derby program. They had a few in there that were really creative, but we do a fun day every year in the fall when NFL starts to kick off. And our HR department is all about creating this fun day. And so what I did is I posed as her, I used her email address, I asked her in advance for permission, and it was, click here to get you're a Buffalo bills square. So it would be like, you could sign up for your square. And it was just perfect timing along with, she had already announced that the NFL fun day was happening. And I had a lot of people angry at me for that one because it fell right in line with what was going on at the time. And in fact, one of the people that first person in my door is like, I just talked to her about how we had to have, squares and people sign up for square. So I thought this was her responding to it.

I pointed out all of the warning signs that he should have seen and how we should have covered the link and things like that. But, that was probably the most creative one that I did.

Justin: Lisa, what about you? What's the best one that you heard of?

Lisa: So I can't think of, I mean, there's lots of examples of crazy phish out there, but I think where I leaned into my creativity was letting the data tell me who deficient, how. So looking at my phishing results from across the organization and finding those pockets of users, right. It could be, at one point we had a group that were in accounts payable in an offshore location and the rest of the organization there was really high. But it really comes down to, if your platform doesn't let you do it, maybe you dump out all the data and stick it in a BI tool and start looking for those, really, really, really drill down and get focused and targeted so that you can make a difference with those organizations. And then what, what you're doing is you're phishing them.

What you're doing is sending them something that looks like something they would see in their jobs. So you've got to get familiar with what their roles actually are and what functions they perform and what systems they touch and everything so that you can send them something that looks appropriate. But that's probably where I had the most fun with the program wasn't so much crafting the phish though. I know a lot of people send some really creative phish. It was more like, okay, is there a particular office location? Is it a country, is it a role? Is it a department? Is it a particular job title or job code? Really drilling down into that data and finding if you have, because a lot of times that's an indicator of the culture of that group.

It could be a particular department and it put in a particular physical location somewhere halfway around the world and they could be running fast with sharp objects, and you realize that you need to ramp up your training with that particular group, that little pocket. You have these pockets of opportunity within an organization where you can really affect things, but you've got to get more personalized. You've got to get more customized, you've got to get more targeted. And I think you can be super effective that way when you work with individual groups and then you can be really creative with the phish because you've got to send them something that's specific to them and targeted to them. Just like a bad guy.

Justin: All right guys. Well we are just about out of time. I didn't want to see if you guys had any last minute advice or any takeaways that you'd like to audience to be aware of. Lisa, we'll start with you. Anything that you want the audience to walk away with as far as what they should do around repeat offenders?

Lisa: So I think just to remember that it's a training program. First and foremost, it's a training program. It's not penetration testing. Unfortunately some organizations give their phishing program over to the SOC, or the cert to run. And I think it's really important that it resides with the training in an awareness that person, whoever's running that program. First and foremost, it is training and it's not pen testing. And then I think, to work on having an escalation process, a strike system, whatever you want to call it, but sit down with the business and HR and those people and make sure that, that's a joint decision. And, so then you're just running the process. You're not the bad guy, right? You're not the police. You're not the one, you're not. Because, what we want at the end of the day, if we're perceived as being the folks that are tough to work with, then people are going to avoid us. And that's not what we want. We want people, we want to work with the business.

Justin: All right. And Tori, any final words of wisdom from you as far as repeat offenders?

Tori: So I think I got a lot from Lisa today, on kind of knowing what the exposure is on that user, what do you have to worry about, what do they have access to, and what is their exposure? And then, kind of tailor things around the data that you're getting. So it's that idea of what have you been seeing, where are the problems, and then focusing on that. So repeat offenders are going to be repeat offenders, they're going to meow, meow, meow at you all day long. And you have to find creative ways. I think I'm going to still push that you have to find creative ways to get into someone's mind and meow back. You don't want to just listen to them over and over again and let them drive you where you're going.

It's a culture thing. It really is. I don't like to get frustrated when I see that pocket of people that are apathetic and don't want to supply. But if you find that you can affect the person next to them and the culture around them, it's eventually going to come in and somewhere along the line they're going to meow the same tune you are.

Justin: Okay guys. Well, I want to thank all of our panelists again, Lisa and Tori. This is a great event. I definitely learned a lot and I definitely think the audience did as well. Again, big thank you to Lisa and Tori, as well as to InfoSec for sponsoring today's event. Until next time guys, stay safe and we'll see all of that here at next time. Bye everyone.

Chris: I hope you enjoyed today's episode. Just as a reminder, many of our podcasts also contain video components which can be found at our YouTube page. Just go to youtube.com and type in cyber work with InfoSec to check out our collection of tutorials, interviews and other webinars. And as ever search cyber work with InfoSec in your podcast app of choice. For more episodes like this one. See the current promotional offers available for podcast listeners and to learn more about our InfoSec pro live bootcamps, InfoSec skills on demand training library, and InfoSec IQ security awareness and training platform. Go to InfoSecInstitute.com/podcast. Thanks once again to Spiceworks IT and to Tori and Lisa for their insights. And thank you all for listening. We'll speak to you next week.