Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Justin (00:14):
Welcome, everybody, to episode 50 of Unhacked. Guys, the team is back together. OG style. Just the three of us. I love it.
No guest today. We actually have one. She no showed. But we're scrambling, but honestly, I think sometimes we do better
(00:34):
when it's just the three of us. So we're gonna test that theory today.
Here's the truth. Most, if not all breaches could have been prevented. Right? And we are here to coach, to educate, to train, business owners on how to prevent. Because guys, once you get hit, you can't get unhacked.
Alright? I named the whole thing after it because it's all
(00:58):
bullshit. You can't do it. You can't get unhacked once you get hit. So let's do a couple intros.
Bryan, it's been a hot minute since you've been with us. So so absolutely thrilled to have you back. Tell everybody who you are, what you do, and who you do it for because we've all forgotten.
Bryan (01:13):
Yeah. I think I've even forgotten myself. Okay. My name is Bryan Lachapelle with B4 Networks based out of beautiful Niagara Region, Ontario, Canada, and we support other businesses in their journey on cybersecurity as well as technology. And just, the way I like to say it is I make the headaches go away when it comes to dealing with technology.
Justin (01:32):
Perfect. Mario, same
question.
Mario (01:35):
Mario Zake, CEO of Mastech IT located in New Jersey right outside of Manhattan. Been in business for twenty years and helping, you know, small to medium sized businesses stay protected on the web and specializing in having CEOs sleep better at night.
Bryan (01:54):
Alright. I like that.
Justin (01:57):
I am Justin Shelley, CEO of Phoenix IT Advisors and today I am wearing the shirt that I wear in all my profile pictures on across all social media. Random fun fact, if you look me up on LinkedIn, Facebook, anywhere, this is the shirt I'm wearing and this shirt mostly sits in the closet because I'm self conscious about it. And for that reason, I call it out and
(02:18):
put a spotlight on it. Guys, I work with businesses in Texas, Nevada and Utah. And what I do is I keep you protected safe from the Russian hackers.
Yes, Mario, they're mostly in Russia from the government because they're gonna come and sue you if the Russian hackers don't get you. And then finally to clean up anything that's left, we've got the attorneys that are gonna come in and file
(02:39):
these class class action lawsuits. So that is my specialty, that is what I eat, breathe and sleep and that is the shit that keeps me up at night is making sure that none of that happens to my clients. Guys.
Mario (02:51):
Justin, it seems like this episode, episode 50, is a is somewhat of a little jinx. This is you know, every time we try to record episode 50, there's a there's an issue.
Justin (03:04):
I know. I know. Why why don't you tell us more about that, Mario? Let's talk about we just our no show, I guess, we'll call that failure number two. What was failure
Mario (03:13):
number one? Failure number one is, you know, somebody that we got on here, we started recording and going through everything. And about what? Forty five seconds into it, you know, during intros, we're like, woah. What hell? What the hell did we sign up for? This guy is just like a lunatic. He started screaming and getting in the middle of the
(03:33):
like, in the face of the camera and then, like, you know, we're we're all on on this on this platform, but me and Justin, technically, like, we looked at each other. We're like
Justin (03:43):
Oh, what the fuck?
Mario (03:44):
The fuck did you just put
us into?
Bryan (03:48):
I'm glad I wasn't there
for that. Yeah.
Mario (03:52):
Afterwards, camera goes out. We're like, are we stop recording? And he's like, listen, let me sell you my service. And we're like, okay. Yeah.
Justin (04:00):
I don't
Mario (04:00):
think so.
Justin (04:00):
He he had no interest in the podcast. He was just there to talk about himself, to sell his stuff to us, not even to our our audience. It was crazy.
Mario (04:08):
And the whole thing, Justin booked them because, you know, he this person was supposed to be in charge of, like, IT for, like, large companies. And Justin asked them a simple question, like, would you see this when you're trying to work? He's like, honestly, he's like, no. I don't I don't really see it too often. And that's it.
The conversation ended there. Like, are where are we supposed to take it from here?
Justin (04:31):
Yeah. It was crazy. It was crazy. So we're it's recorded. It's in the archives, and I'm gonna pull clips out from time to time, but never will I publish that as an actual episode.
We're just gonna use it to say, here's what not to do.
Bryan (04:44):
Shadow 50.
Justin (04:46):
Yes. B side or whatever. Yeah. So today is the real episode 50. And I love that it's the three of us back together again.
Sans guests, sans problems that they bring and just breaking down the real, the raw, the dirty of cybersecurity. Guys, I have long for quite a while I've talked about the human element
(05:07):
of cybersecurity. I did a whole we did about a year where every single month we held a seminar in the Dallas area talking about this. This very it was even titled that the human element of cybersecurity. You know, and I always say 97% of breaches could have been prevented.
You can almost use, I think ninety five. So very close to that when they talk about the percentage of breaches that are
(05:31):
caused by us, caused by humans. It's almost all of them. In fact, I did an episode before the three of us got together. This is going way back with a former employee of mine.
And I posed that question. I'm like, hey, I always say 97% of breaches. Damn it. I'm messing that up. I always say, you know, that whatever percent is human caused.
(05:54):
And he looked me straight in the eyes like, no, I don't think so. I think it's a 100%. Like whatever percent we assigned to it, really we could go back and find a human screw up in that chain and that breach somewhere every single time. What are your thoughts on that?
Mario (06:10):
Absolutely.
Bryan (06:11):
I I would confirm because even if if nobody screwed up, there's still a human element to it because there's a hacker at the other end that's a human. So no matter which way you look at it, it's caused by a human.
Justin (06:23):
Well, alright, alright,
alright. That's that's a good
point. That's a good point.
Mario (06:27):
Well, I I mean, you know, like, I I don't know what the exact percentage is. It's just like the number one source of breaches are, you know, coming in through a phishing email. You know? So obviously, there are people there you know, it's a numbers game. If they send out the same email to, you know, a thousand or 10,000 people, it's they're even if they get one
(06:49):
person, which, you know, to them that's a very successful number. If they get one out of 10,000 people to click on an email, you know, guess what? They're gonna click on something and something bad is gonna happen. I mean, yesterday, I'll give you an example. And part of it is sometimes it's the curiosity to see what this really is. I know yesterday, I got an email.
(07:12):
If somebody sent me a DocuSign, and I knew it was I knew it was bullshit. I knew it wasn't anything that, you know, somebody I'm I was expecting from somebody that I knew. But part of me kinda just, like, you know, for some I didn't click it, by the way. Just, you know, I didn't click it. But part of me is like, I love I wanna see what these guys are doing.
(07:35):
Like, what are they trying to get me to do? You know, I know it's bullshit, but it's the curiosity in in that in me that wants to click on it.
Bryan (07:43):
Yeah.
Mario (07:44):
But, you know, we'll
never know.
Bryan (07:46):
I did a webinar seminar actually live in person for the construction association in my area. And my my theme of of the entire night or the day, the session was who is responsible for cybersecurity at your organization? And so I challenge all our listeners to ask themselves that question right
(08:08):
now before we get started in the subject for today. Who is responsible for cybersecurity at your organization? You know, who ultimately bears that responsibility?
And just leave it at that, think of that question and then we'll dive into the rest of the topic that we have today. And then at the end, I'll come back and ask that same question.
Mario (08:24):
Sure, we have a topic
that forgot.
Justin (08:30):
And what was the answer?
Well
Mario (08:32):
Should be everybody.
Justin (08:34):
No, but what was it Keep
it up.
Bryan (08:37):
Oh, so when I asked the audience, they were like, oh, well like this person that we always responsible for cybersecurity or our IT company is responsible for cybersecurity. And Mario just gave it up. But ultimately security is a team sport. It's not just an IT thing. It's not just a, oh, this person's in charge of IT for their organization.
It is everybody's responsibility from the top top ranks all the
(09:00):
way down to the bottom ranks. Everybody is responsible for IT but it starts at the top. You have to have a culture
Justin (09:06):
of security. Absolutely. So then we have to get into the nitty gritty though of what we're talking about because we've got who's responsible or whose job is it, which I think is what you're asking and then you've got who's accountable or who's the throat that's gonna get choked when something goes sideways. And oftentimes that mean that is spoiler alert,
(09:29):
that's the guy at the top, that's the CEO, the guy, the gal, the whatever. And oftentimes they're the ones that we have the hardest time getting to adopt the training and to work with culture, which is kind of what we're gonna talk about today.
Going back a little bit to the the fact that the problem is
(09:50):
humans when I was doing So here's you asked that question to your audience, Bryan, when I did my tour on the human element, my introductory question was, what is the number one problem in cybersecurity? Where where is the you know, what's the biggest threat? Right. The biggest weakness? However you wanna frame that.
(10:11):
And almost nobody would get the answer, which is us. We are the problem. Right?
Bryan (10:16):
Right. Inaction is the problem. Not thinking it's a problem is a problem. Believe that we're too small, so it doesn't apply to us. Nobody would want my information anyway.
Those are all
Justin (10:27):
God, that's the best one. Always a best one. Have any of you either of you guys read Mark Goodman's book, Future Crimes? Oh, I love it.
Bryan (10:36):
That was a good book.
Justin (10:36):
Okay. So I have a stack of those books with the page folded down and highlighted. And the quote that I always read from that is, if you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology. It is not a technology problem.
Bryan (10:54):
It is not.
Justin (10:55):
And honestly is hard we can make it really hard to hack technology, we can harden firewalls, servers, endpoints, we can set up SIEMs and like all this stuff we can do to protect the technology. But that human brain, oh my God, is that easy to hack. All you've got to do is just pick the right emotion and
(11:17):
you can get anything you want.
Bryan (11:19):
Yep. I always like to use the analogy that I can have a building and I can secure that building with a guard at the front. I could put bars all over the windows. I could put locks on every single door. But if you've got that numpty who goes and puts a brick in the back door and props it open because he wants to carry some big box outside and he doesn't wanna have to, you know, use a key to get back in, that criminal is just gonna sneak right on in there and there's nothing
(11:41):
anybody can do about it.
Right. All those security protections are gone because of one one person who circumvented it all by giving up information and or access without realizing what they were doing.
Mario (11:54):
Yeah. And and I don't know about you guys, but sometimes I'll get, you know, a a call like right on my cell phone, you know, from another business owner, you know, a customer. And they don't wanna go through the proper channels. You know, they don't wanna go through like the the technicians or the opening up a thing like Mario. I clicked on something and I don't know what this is and stuff like that.
(12:16):
And they, a, they feel like they're you know, all the stuff that we go through in training and stuff like that does not apply to them. And and just an example that they don't even wanna go through the proper channels to get a result, you know. So it's it just shows that like some of these people feel like it does not apply to them. And those are a lot of times,
(12:37):
you know, the the cause, you know, like and, you know, we talked about it in a previous episode a long time ago, you know, where before we started to do the whole managed services, when I was just a one man shop break fix. I did have one breach and it was like when first ransomware was first
(12:58):
starting and it started by the on the owner's computer.
You know? Like, was the one that clicked on something because he just felt like you should click on it, and the whole network came down because of them.
Justin (13:13):
Yeah. It's crazy stuff. I've I've been debating whether I should tell a similar story. We might get bogged down in stories, but you know what? Stories are fun.
So let's do
Mario (13:22):
it. Fuck it.
Bryan (13:23):
Yeah. Fuck it. I had
Justin (13:26):
a client and I the guy was just just an unpleasant human. And he had my cell phone and he wanted to be able to get support, know, like basically 20. He called me up, I think it was nine, maybe 10:00 at night, just screaming at me. He's like, I pay you to protect my computer. Now I've got a virus. This was back in the days of viruses.
(13:48):
What are we talking ten, fifteen years ago? Because it's not really the way we at least talk about it anymore. Anyways, he had gotten himself a virus and I'm like, all right, Bob, let's take a look. I'm gonna remote on your computer while he's screaming at me. And on his screen, it's just like tabs and
(14:11):
tabs of porn.
Bryan (14:13):
I thought that's where I
was going.
Justin (14:16):
Gay porn no less. Whatever. No judgment there, no judgment. I'm just saying. Do you guys remember back in the days of dialers?
So what they would do is you'd look at something and they're like, hey, click here for the next better stuff. And it would disconnect your modem and dial a new one. That was like a 900
(14:38):
number. Do you guys ever have to deal with that?
Mario (14:41):
One tell me up.
Justin (14:42):
Phone bills get hundreds, thousands of dollars, just nuts. And that's what this guy had going on. I'm like, Bob, listen, I don't care what you do, but just understand that it only takes one click and it undoes everything that we're working on. It's like perfect illustration of what we're talking about right now. If you want to do that, fine, go get a
(15:03):
computer that just just for that stuff, that doesn't have your bank account information on it for fuck's sake.
Right? That doesn't have all your company's IP, that doesn't have QuickBooks on it. Everything in his business was on this computer that he was just blasting out there to the whole world anyways. So if you think technology is a problem, don't understand the problem.
Bryan (15:23):
Or if I guess if
Justin (15:23):
you think technology can solve your problems, we really have to dive into this human element of cybersecurity. And I talk about culture, we can label this however we want. But let's get into that. Why is it that, one of the phrases that got kicked around while we're planning this is that people actually are more important than firewalls. Right?
Bryan (15:42):
Mhmm.
Justin (15:43):
Guys, give me some
thoughts on that one.
Bryan (15:46):
I can dive in here. From my understanding and, you know, statistics, about 89.2% of all statistics are made up on the spot. Including this one? Yes. According to the statistics I've read, about ninety five percent of breaches involve human error. And we talked a little bit about that from clicking bad links and reusing passwords. And again, people are the ones that are
(16:08):
opening up the doors to the cyber criminals. If you purposely download something into your computer thinking it's a really cool game that you really wanted to play but you didn't wanna pay for, you've just downloaded a virus. Anything that you put on your computer that you don't pay for, you are the product. You and your computer.
And so the human element is where a lot of these breaches
(16:29):
happen and they're using social engineering to trick people into doing things they're not supposed to or or shouldn't. So I will Well,
Justin (16:41):
let me
Bryan (16:41):
floor to Mario.
Justin (16:42):
Go go ahead, Mario. Then I wanna I wanna deep dive on the social engineering part for a second. Go ahead, Mario.
Mario (16:48):
Yeah. So most firewalls, we when we configure them, we're configuring them so the bad guys can't come in, you know. But going from inside out is much easier, you know. And we have now content filtering and all this stuff to kind of because people just click on shit they shouldn't be clicking, you know. So it it and it's not gonna be a 100% because it still has to go and
(17:11):
analyze the the site or analyze, you know, has to have been previously reported and stuff like that.
But it's still, you know, it's no matter what it is in protection, you know, like just like Bryan said earlier, you know, your house, your building, you know, your car, you know, obviously, you're on the inside, you should be able to get out
(17:35):
and going out, you know, is you have to be directed into a safe area, you know, but the because the world in general, there's a lot of unsafe things out there. So if you're leaving the inside of your protection and going out, that's where the vulnerability is gonna come in.
Bryan (17:52):
Yeah. I've actually seen situations where the individual is giving up information on purpose, i.e., uploading files or sending information, and that would be the equivalent of opening up a window and just tossing out all the jewelry outside. Right? You know, you can't protect against that.
You can't put bars on the windows. You can't put security protections preventing somebody who's already in throwing good
(18:16):
things out.
Justin (18:18):
Yeah, I mean I'm just gonna keep going. You guys have already said it, I'm gonna say it again a little bit maybe in a little bit different way. You're talking about putting bars on the windows and locks on the doors and you can put cameras in and you can great big magnetic locks, have to buzz somebody in but breaking that technology can become almost impossible. The
(18:42):
problem is getting somebody inside to push that button to release the lock is super easy. Mhmm.
Right? And and and by design for safety reasons, have to be able to get out, you know, we can use that analogy. Here's what hackers prey on. The human brain is wired for two very specific things that get exploited. One is the desire to help.
(19:04):
Know, I'm trying to think of a good example. I don't wanna say damsel in distress because that becomes sexist and whatever. But we can't help our need to help people. Somebody on the side of the road with a broken down tire and you know, somebody on the side of the street with hungry kids and a sign like we, it just, it, it it just tweaks our brain to see somebody needing
(19:28):
help and to choose not to provide help for them. Right?
So hackers love to exploit that. Yes, they do.
Mario (19:36):
Then Saudi prince that
needs needs that sends you an
email and
Justin (19:41):
Correct. False, Mario. That's not what I'm talking about at all. So our desire to help, and then the other one is our our need to avoid conflict. As humans, we are wired to avoid conflict.
So you either get some version of, oh, please help me. I'm desperate. I've got to get this done right now. Or you get some version of, you will help me out right now. I'm gonna have you
(20:01):
fired.
I know your boss. I've got a cell phone number right now. I'm texting him. You better get you know, like that. Right?
So some version of this is now I don't have any firsthand information, but I keep hearing over and over. So I'm gonna call it reliable. The MGM Grand breach was some version of this type of social engineering that ended up costing. I don't remember how many hundreds of millions of dollars. So just
(20:23):
very, very, very expensive because somebody was able to hack the human brain.
So why is it the firewalls are important? However, people are more important. It's because we are so easy to hack so we we Right. We are designed to be hacked. Where firewalls are designed not to be, we are designed to be hacked.
Bryan (20:43):
And the part there is is, you know, making sure people are trained in what to do and what not to do. The most memorable example of social engineering that I've seen is a young lady was sitting with a reporter and they were sitting at a table together and he says, can, she said, I can get into your phone
(21:03):
and get access to your entire contents of your account without you being involved whatsoever, and he said, There's no way. And she said, All I need is to know is your phone number and who your provider is. So he gave he gave her the phone number and who the provider was. She then hopped on a call with a customer
(21:24):
service person at that cellular operator and within three minutes had access to the entire account by pretending she was her husband or her wife, his wife, putting a baby crying in the background, to simulate stress.
And she was pretending she was anxious and needed help and that her husband's gonna get mad at her if she doesn't get this
(21:46):
thing done. And before anybody knew, she was put on the account because she wasn't already on the account, had removed him from the account and had changed the password. And essentially that then from there, she could go anywhere and gain access to, the account because she could go in person, show her ID, get the SIM chip, put in a new phone, and basically take over the whole account if she really wanted to. And he couldn't he
(22:07):
couldn't remove him her because now he was removed from the account. Yeah.
So it it is And all that within five minutes.
Justin (22:13):
The absolute classic damsel in distress I was trying not to talk about. But it is true. Like you can't, you almost can't protect the brain against this. It's so hard. Yeah.
And I I love that video. I've seen that video. I used to use that in my my presentation that I would do. Yeah.
Mario (22:32):
I mean, we we see it all the time, like in our office. Like, we'll we'll get somebody, you know, like a manager or somebody's like calling and he's kinda being, you know, a little obnoxious and to the technicians, like, like, I need this today. I need like, you know, what the hell is taking you guys so long? You know, I need this today. And then, you
(22:53):
know, sometimes being under that kind of distress, you you they make mistakes, you know, like they they do stuff that, you know, we reset a password and we normally would reset it, you know, obviously we have other steps like we have to verify the person and all that stuff.
But, you know, we usually will reset it and set it where they have to change the password after the first login. And if
(23:17):
they forget that, that's a problem, you know. You know, you could easily have somebody make a mistake when when they're like that.
Bryan (23:27):
So with that said, what do we how do we you know, what steps could we use? What what do we train our people on on how to prevent these type of things? What are all the different things that we could train on awareness training?
Mario (23:41):
Mario? I I would say, you know, obviously you have to have guidelines and and procedures and stuff like that and tell them like no matter what, have to stick to to to the rules. Stick to what we you know, the guidelines that we have put into place. You know, if you're if you're following these, you should be 97% protected. Alright?
(24:05):
Goddamn it, Justin. Don't you know we're recording?
Justin (24:09):
I told you that they pushed an update on my phone and I cannot figure out how to mute this goddamn thing. I shit you not. I'm pissed. You keep talking. I am literally trying to figure out how to mute my phone.
Mario (24:20):
I'm gonna You have an
Android.
Justin (24:21):
Yeah. I know it. Oh,
there it is. I found it.
Bryan (24:24):
So what I would say is a couple of things. One is I would concentrate heavily on There's the obvious things, you know, password stuff, making sure you have good passwords, how to spot an email, things. Those are all the obvious things, the things that we've been trained on the whole time. I would say the majority of our training should be focused on how to spot social engineering and what are the red flags. Specifically, I don't know if
(24:46):
you've ever seen physical security being breached, but, you know, if you put on a vest, you can pretty much get in anywhere.
You know what? Those reflective vests, those orange ones?
Justin (24:54):
And a name tag. Just get
a name badge.
Bryan (24:56):
And and a name badge, and you can walk into pretty much anywhere. So just training your staff to be hyper vigilant. If they see somebody that they don't recognize, stop them because it could potentially be somebody who's not supposed to be there, right? If somebody's calling in with, Hey, I'm really stressed. I need to get this, this, this.
No, I will not break their company policies. You know, it
(25:19):
sucks. I hate, you know, I really hate to see you needing something, but I can't help you right now because you haven't authenticated yourself, right? So just training on those social engineering red flags and how to spot suspicious people is where I would concentrate my efforts on. And then and then testing them on it.
Right? Purposely going out of my way to try to get somebody to
(25:42):
breach the security and then figure out who and and if anybody does fail, then do remedial training on them. So in our in our industry, we do phishing simulations, but we could also do physical breach simulations by, you know, having somebody walk in with a a clipboard, a vest, and a name tag and see if they can get through. Right?
Justin (26:01):
Yeah.
Mario (26:04):
See something, say
something, right?
Justin (26:06):
Well, right. So reporting is another part that needs to be part of this program is creating a system and a culture that rewards it for reporting things that you see. There is a lot of shame in the world of cybersecurity where like don't ask stupid questions, you know, there's no stupid
(26:27):
question, but yeah, we say it one way and then we treat it another way. There's always shame around stupid questions to get asked, right? That has to be removed.
There has to be a reward for reporting whether it's useful or not. We've got to reward people for bringing that information that putting a spotlight on things that they see. Because if
(26:49):
you're just relying on your IT company, guess what guys, we're not there when things happen. You've got to get your people, Everybody has to have their eyes on this stuff.
Bryan (26:58):
Yeah. There's also go
ahead.
Mario (27:01):
Sorry, go ahead, Abroad.
Bryan (27:02):
I was just gonna say there's something to be said too about creating an environment or a culture where people feel comfortable bringing things forward. People feel comfortable saying, Hey, I screwed up and I clicked this link, right? Now, with that said, if they're ignoring the training and they're not taking the training that's being provided, I would
(27:22):
treat that the same way that I would treat somebody not following health and safety regulations because they're putting everybody in jeopardy. But if they're following all of the procedure or they're doing all of the training and they messed up and they clicked the link they weren't supposed to, that should be a no shame, no blame type of environment, right? Don't blame them, don't shame them, don't make them feel
(27:44):
like they did something wrong because then they're gonna hide it next time, right?
A good story is, you know, one of my kids, you know, at one point, once upon a time, you know, gave them trouble for taking a sandwich when they weren't supposed to. And then one day I walked into the kitchen and my son was acting all suspicious. I was like, wonder what's going on here. So I didn't say anything, but then he left. And a week later I find
(28:05):
like a sandwich in the drawer somewhere all like molding up because he had hid it.
Like, right? That's the kind of thing you shame them and you blame them, they're gonna hide it in the future. That's human nature. And so just creating that environment of no blame is very important.
Mario (28:20):
Yeah. And then to add on to what both of you said, like sometimes we feel like these people are just working against us, you know, like, even, you know, something as simple as like recovering a backup or trying to re you know, fix something or whatever. We're like, we part of us wants to say, well, what the hell did you do? You know? But we have to ask them like in a nice way.
(28:41):
Okay. Was there something that you clicked on, maybe accidental or whatever? And they always say no, no, no. And then when we show them like, oh, you didn't click on this? Oh, well, you know, besides that one.
Yeah. Yeah. We did do that. You know?
Bryan (28:54):
Did you put in your
password? No. No. But, yeah, I
put in my password.
Mario (28:57):
You know? Because sometimes sometimes, you know, it's critical to really address something in a very, you know, timely manner. And, you know, time time is of the essence and and it's like, well, don't make it as more difficult than it needs to be, you know. Sometimes they'll call us just bitching. Like, yeah, I didn't click on anything and, you know, they
(29:20):
start getting all angry or whatever.
Then the second or you tell well, did you reboot your computer? Yes. I rebooted it. I okay. Because the computer says here it hasn't rebooted in, like, thirteen days.
Bryan (29:33):
That's one.
Mario (29:33):
It's you know, it's stuff like that. It just drives you crazy. You're like, this could have easily been avoided such a long time ago.
Justin (29:44):
Alright. So I've got a story. I'm I'm gonna have to bring this up here. So you've got you've got the shame. You you we have to and and I'm not sure Mario if your points illustrated that you you might have undone some of it because you just said behind the scenes we're shaming them.
Bryan (30:03):
I I don't. Mario does.
Come to before next, we'll help
you. No shame,
Mario (30:07):
no blame. I do. I do. I
Justin (30:09):
don't think there's any
industry where behind the scenes
there isn't some, shall we saybanter that goes on. I used to
always have to point out to mytechnicians like, listen, they
knew everything about IT wewouldn't have a job. It is true,
but what we need to do it, Ifirmly believe this is we have
(30:31):
to find a way to reward. Likeway before we're talking about,
did you click on a link? Did youdo something bad?
We have to be very, veryproactive. We have to be on
offense, not on defense wherewe're training, but we're doing
it in a way that people actuallywant to participate. So with
that, I'm gonna give you twoexamples. Number one, if we go
(30:53):
back years and years, I I put aplatform in place that does have
a score, a security score foreach employee. And internally, I
just saw my technician startbragging about their score.
And they loved it if they couldget their score higher than
mine. They always wanted tocompare it to to Justin, to the
boss, you know, we're smarterthan the boss, which I
(31:15):
absolutely loved. Now that we actually went away from that platform for a while, tried some others and recently came back to it. And so I introduced it again to my team and you guys got to meet Liana last week, right? So a little bit of background about Liana.
I'm gonna use her name, I'm gonna call her out because I
(31:35):
love this story so much. She is not a technical person, like her background is not in technology. Her previous job had nothing to do with technology other than using a computer in an office environment. So she comes in and she's helping me with marketing and some other administrative tasks. And at one point I said something to her about, I send you emails, you don't even look
(31:57):
at them, you don't open my emails, you gotta read my emails.
Then we put this this stuff in place. Right? Phishing simulation and all this. And she goes in and she sees her scores down. And I've never seen somebody so hell bent on getting a score back up.
She's digging in and she finds out, oh, she clicked on an email and she's like, it's your fault because you made me, you shamed
(32:20):
me and not reading my emails and I started just clicking on everything and now then she went to, she spent I think two full days. Now this is not a success story on productivity within the company. But I tell you what, two days of doing all the micro trainings, the full training, going back in and looking at all of the emails. And she now knows more about cybersecurity than I
(32:43):
do. I swear to God, I could ask her anything.
Knows all the terms and I did, even quiz her. I'm like, all right, let's see what you really know. And I started throwing some things at her and she's just like, bam, bam, bam. I swear to God, could get on here and do this podcast better than me at this point because of that stupid score. And it's not because she caused a breach, but it is because she failed a
(33:03):
phishing simulation test that dropped her score down and she will not lose.
You talk about a competitive spirit. This girl's got a competitive spirit. This is what I wish I could create in every organization. This mindset, this atmosphere where it's not a shame based, it's a, don't know, gamifying. Handing out trophies,
(33:28):
like your score and it's not even like I have to say it. She's running around showing her score to everybody. So if we could do nothing else, like this is always a question. If we could do one thing to get the best bang for the buck, it would be this in my opinion. It would be solid cybersecurity awareness
(33:48):
training programs. And that's a compliment.
We're talking about what's involved in that and it can be complicated. Just make sure it's there. But on top of that, you have to have the atmosphere that supports that. You just throw training out, I said on a podcast a while back, right? I was like, if you just send a link and say, take the training, that's spam.
That's not cybersecurity awareness training. That's
(34:10):
sending out an email and trying to get people to click on it. It's spam. It's counterproductive. We have to get this culture piece in place.
Bryan (34:17):
Yep. I like the gamifying idea. So the score really helps with that because then you're right, like my team, they're notorious about trying to beat each other. I'm thinking of even implementing, and we've done this in the past for clients where a little bit of competition, you know, the person with the highest score, everybody who's taken the training gets entered in for, you know, a draw or everybody
(34:39):
who's got a score above this and has taken a training gets entered into a draw for, you know, some sort of gift certificate or some sort of prize. All of a sudden people are like fighting each other to take the training.
Mario (34:50):
Actually that's Yeah, we should probably try to do something with our clients, try to get them like to do this because, and if the whole point of, you know, phishing training and stuff like that is kinda learning from your mistakes and, you know, you know, Steve, you know, that works with me, you
(35:10):
know, a couple months ago, he actually, maybe a year now, he had something that came in, you know, as a training or a phishing test, and it came in from Capital One. And he saw it, and it's like, all your accounts is overdue. So he forwarded it to his wife. And, you know, his wife is sitting there trying to
(35:31):
log into it, clicking on the link, whatever. And meanwhile, my phone is going off. And me and him are on our way to a meeting.
And I my phone look goes off and I'm looking at him like, hey. Did you just fail a phishing training? Like, what the hell are you doing? And he's like, no, I didn't click on anything. And then later we found out it was his wife.
And from then on, he stopped forwarding stuff to his wife. He
(35:54):
stopped clicking on stuff. He's been pretty good and he learned from his mistakes. But it's good that he learned from a controlled environment, not a hacker.
Bryan (36:07):
Yeah. The irony there is that his wife received the email from a trusted source, him. Yeah. And so she's probably not even, no no red flags are up because she's like, well, my my husband sent me this so it must be legit. And he's sitting there fiercely trying to log in.
Whoops. Yeah.
Justin (36:26):
Alright guys, let's go ahead and move to wrap this up. Any final thoughts or was there anything that we missed? We're gonna do key takeaways here in a second, but is there anything that we missed as far as the we'll call this the human element of cybersecurity? We are the weakest link, like
(36:47):
absolutely truth. What else did we miss that we
Bryan (36:51):
need to talk about? It's making it simple, fast, nothing long and complex. You know, if you tell somebody to take a one hour long training session on cybersecurity, they're probably gonna wanna, you know, lose their mind and, you know, jump over a bridge. But if you do, you know, five minutes here and there, five minutes a week, I think that that's a lot easier to handle. Or maybe just during a huddle, right, just like
(37:13):
very quick and simple things like if you do a company huddle in the morning, just talking about it for like one minute. It will have a bigger impact than, you know, a one hour training session. Just constantly reinforcing things on a weekly basis.
Keeps it top of mind, keeps it awareness on an ongoing basis versus like a once a year training. So maybe that that would be
Mario (37:32):
my biggest. Span that, you know, like the world that we live in, the attention span of people, you know, you can't you can't they you can't have them for more than five minutes. That's why like TikTok and all this, the reels and stuff like that, is so popular now because people people like to just click on and then you keep going and keep going and keep going. But when
(37:53):
you try to have them to sit there for a half hour or thirty minutes, they're not gonna remember any of it past maybe the opening, you know, seat. That's it.
You know?
Justin (38:04):
Yeah. And I've already said that, but I just think rewarding good behavior is is really where all this needs to start. However you choose to do it, you know, have the plan in place, have the program, and and get with your IT consultant. Go Google it. It doesn't matter.
Put a put a security awareness training plan in place, and then build that culture. Reward people for for taking the
(38:29):
training, for having a score, for saying, hey, boss, look what I saw on the news yesterday. Does this impact us? Mhmm. And and Brian, you mentioned on a daily huddle.
I've said before, if you have a weekly meeting, make it an agenda item on your meeting. And just find a way. Everybody has to do this their own way because it's your culture, but you have to find a way to get everybody involved. There's just there's
(38:54):
just no other answer to it in my opinion.
Mario (38:57):
Now this doesn't say that that's the only thing you guys need to do, you know, like it's, you know, one out of every five people will still click a link. It it just it's the stat that's been there for years. It's they're still gonna click on it and you still need to have stuff, you know, it's all about
(39:18):
layers, you know. Yeah. Protection in case they do click on it.
Bryan (39:22):
And, you know, is one of the layers. Right.
Mario (39:25):
That's the first layer. Like, when we go over our security stack, the first layer of defense, the one that you can can help you avoid the most, you know, problems is education, training for your employees.
Justin (39:38):
And I'll be honest, I guess, I I kinda think of this as the icing on top of the cake. Right? You have to have that foundation in place or none of it matters. I I don't usually start with a client and say, here's the most important thing you need to do. Let's do this first.
Although I have done that if I depending on the scenario,
(40:01):
sometimes it is. But generally speaking, we're gonna go in first. We're gonna protect the endpoints. We're gonna check the firewall. We're gonna, you know, put a good solid antivirus in place.
But then if you don't, if you stop there, there's there's almost no point in having done the basics. Right?
Bryan (40:18):
This this is just where
we have
Justin (40:20):
to really put our biggest effort moving forward ongoing. Alright, guys. I I think we've kinda kinda nailed it. If you just had, I like to just say if if somebody listened, one of your clients or prospect, if they were to listen to this and only this of today's episode, what would you want them to know? And I'll I'll I'll let you guys decide who goes
(40:44):
first.
Mario?
Mario (40:45):
Uh-oh. Okay. We will shame you if you don't do it. No. It's like I said, it's the first layer of your defense to make sure that you provide your employees with the proper tools to succeed.
Educate them so that they can be safe and keep you safe.
Justin (41:08):
Perfect. Brian?
Bryan (41:11):
My so not or my short version of of what is the most important things to pull out of today's episode is that is is similar. People matter more than firewalls. Training is important, making sure people are aware of what's out there. We can't protect against what we don't know. And just making sure that we make it a culture of learning where we're not shaming
(41:33):
and we're not blaming if people do something wrong. With the caveat that if they're repeatedly doing it and not taking the training, then there of a liability and that's a different story altogether. But if they're taking the training and they made a mistake, no shame no blame, you know, that way they're not using that as a reason to not come forward next time. Use mistakes as teaching opportunities so you can up
(41:57):
your game. I'm a very big believer in getting 1% better every day.
And becoming your own. Greatest full time. So that would be my shortened summary of today.
Mario (42:09):
I missed that Brian. I
miss it. The 1% better.
Bryan (42:13):
1% my friend, 1%.
Justin (42:15):
I mean really if it's gonna get better doesn't it eventually have to become 2% better every day?
Bryan (42:20):
No. Because 1% compounds against tomorrow's and the one after and by the end of the year it's 238 times or something. I don't know. I'm bad at math.
Mario (42:27):
Damn. How many days do
you guys have up there in
Canada?
Justin (42:34):
I'm rolling my eyes so hard. You didn't even catch my my stupid joke, Brian. One percent better. If you're going to improve 1% better, you have to do it by 2% better. And never mind.
We're gonna I'm gonna go back and edit this part out.
Bryan (42:44):
Oh, I see what you're
saying. Yeah.
Justin (42:49):
Alright, guys. I my my key takeaway, the the one thing I want people to understand about security awareness training, if we're going to just already assume we know it's important, then what I'm gonna say is that the reason it gets missed is because of overwhelm. And you know this, the story that I told earlier about Liana, where I watched her set aside
(43:11):
and she's very meticulous about getting her work done every day. Then I watched her for two days do nothing but cybersecurity awareness training to get her score up to the point where I did. I I never said anything, but I'm thinking in my mind, I'm like, yeah, but did you get your other work done?
And I never said that because I swear to God if if an employee is gonna sit for two days and deep dive on this for a score, I
(43:35):
don't care what it is. The reality is she's not gonna get hacked. She's not going to be the weakest link in my company right now because she can answer this shit better than me almost. I will say almost, she does like to win so I'm going give her that one. That is the culture we need.
That is what we need to have within our companies. That type of almost OCD around cybersecurity because otherwise
(43:58):
we will never win this war. With that, guys, let's go ahead and wrap for this week. Unhacked.Live.
Go to our website and you can get all the show notes. You can get the complete transcripts, complete recordings. You can, follow us. Well, social media links. We have all these published on YouTube.
We put clips out on Facebook, out on LinkedIn, all over the place. So, and actually, I haven't done it yet, but spoiler
(44:21):
alert, I'm going start building out a resources section on the website where we can have downloadables, you know, checklists, frameworks, just actionable, useful resources that you can use to to just get started. Start that journey. Yes, Brian, get better every single day, and we'll even give you the roadmap for how to do that. Go to unhacked.live and
(44:45):
also schedule a free assessment with any of us.
We've all got that offer on the table. Guys, thank you for being here. Mario, Brian, thanks for being here. Say goodbye, and then we're gonna sign off. Bye, guys.
Take care. See you next week.