The Cyber Insider
The Power of Security Awareness Training: Key Ingredients for Success, with David Shipley
This month we welcome David Shipley on the Cyber Insider podcast’s latest episode. David is a recognized global expert in cybersecurity who regularly speaks at public and private events around the world and frequently appears in national and regional media to address cybersecurity stories and topics. David co-founded Beauceron Security in 2016 with an innovative approach to cybersecurity awareness and risk management which empowers everyone within an organization to know more, and care more, about their key role in protecting against cyber-attacks. Beauceron Security now serves more than 700 clients across North America, Europe, and Africa with 650,000+ end-users. He continues to lead the company as CEO. Prior to co-founding Beauceron Security, David was the security lead for the University of New Brunswick and developed its incident response, threat intelligence and awareness practice. He is a Certified Information Security Manager (CISM) and holds a Bachelor of Arts in Information and Communications Studies, as well as a Master of Business Administration, from the University of New Brunswick. In 2023, David was awarded the Queen’s Jubilee Platinum Medal by the province of New Brunswick for his service in the Canadian Forces, work in cybersecurity, and for co-founding Beauceron Security. David is a former journalist and a Canadian Forces veteran.
Be sure to tune in and subscribe to The Cyber Insider to get your monthly inside scoop on cybersecurity.
Hosts:
Luke Connolly – partner manager at Emsisoft
Brett Callow – threat analyst at Emsisoft
Intro/outro music: “Intro funk” by Lowtone.
0:00:03
Luke Connolly
Welcome to The Cyber Insider, the podcast that takes you behind the scenes of the cyber world with exclusive interviews, insights, and expert analysis. Tune in and stay ahead of the game. Welcome to The Cyber Insider, Emsisoft's podcast all about cybersecurity. Your hosts today are Brett Callow, threat analyst here at Emsisoft, and I'm Luke Connolly, partner manager. Today's guest is David Shipley. David's a recognized global expert in cybersecurity, regularly speaking at events around the world and interviewed in the media to address cybersecurity stories and topics.
0:00:39
Luke Connolly
David is CEO and co-founder of Beauceron Security. Founded in 2016 with more than 700 clients across North America, Europe and Africa, it has an innovative approach to cybersecurity awareness and risk management, which empowers everyone within an organization to know more and care more about their role in protecting against attacks. Prior to co-founding Beauceron Security, David was the security lead for the University of New Brunswick and developed its incident response, threat intelligence and awareness practice.
0:01:11
Luke Connolly
He's a former journalist and a Canadian Forces veteran. Welcome, David, and maybe we can start by you telling us how you got into security awareness training. And how have the requirements for the training changed over time?
0:01:29
David Shipley
Thank you so much, Luke, and it's a pleasure to join you and Brett. So I'm an accidental cybersecurity professional. I have been a proud Canadian Forces soldier, I'm an ex-tanker and 8th Hussar for those familiar with Canadian regiments. Then I became a newspaper reporter, which was a passion I had since I was a kid and loved it. And then saw the writing on the wall for newspapers in 2008 and made the jump to the university I had studied at and joined the digital marketing team. And I had the best work-life balance of my entire career. It was a magical time. It was amazing.
0:02:05
David Shipley
And I was getting paid twice what I made as a journalist for half the hours and was part of a mission that was amazing and really enjoyed that. On Mother's Day 2012, my life changed. I got a nasty email early that Sunday morning from an activist group called Team Digital, and it said that they had gotten into our internal systems and posted a co op student password database and some non public budget information.
0:02:32
David Shipley
Oddly enough, it told us how badly we sucked and then it signed off with hugs and kisses, Team Digital, which I thought was rather affectionate from a hacktivist group. Now, I looked at this email and I said that this could be real. I raced back into the house, went downstairs, looked at the links, looked at Pastebin, looked real, and then I called my colleagues in the IT team and that could have been the end of the story, but it wasn't.
0:02:56
David Shipley
Because the next thing I said after I said, I think this is real, I said, how can I help? And I joined my IT colleagues in a cramped conference room over a Mother's Day Sunday, much to the chagrin of my relatives, to actually roll up my sleeves, use military skills that I had from crisis management, journalism skills and communication skills to help the CIO deal with it, doing what we would now call incident response.
0:03:20
David Shipley
And afterwards, the CIO invited me to become a cybersecurity professional in the IT department. And because universities are amazing, not only did I get a job and get a chance to learn on the job, I got a chance to learn the job with some of the world's then top technology, QRadar, being a particular software that actually came out of the University of New Brunswick where I was working. So I was using an industry-leading SIEM. I was learning about all this technology.
0:03:44
David Shipley
I became a Certified Information Security Manager. But what I realized in my time at UNB from 2012 to 2017 is that every single cybersecurity incident, every single one, and we had hundreds, stuff that you wouldn't believe, every one involved the combination of people, process, culture and technology. There was not a single cybersecurity incident that was, "well, the firewall just failed. No one could ever have foreseen that doing X, Y or Z."
0:04:15
David Shipley
It was always the human side. And so we started looking at how do we train users? I'll add to this story a little bit about the effectiveness of training and what we learned about this. And keep in mind, my audience includes extremely intelligent individuals. You're talking PhD leaders in a variety of fields from social sciences to STEM and other things. They're also, let's be honest, sometimes crusty academics who've hit the pinnacle of learning and aren't exactly super jazzed about a mandatory computer-based training module.
0:04:48
David Shipley
So we had to think about how do we motivate people to care more and know more about cybersecurity. Not just to think that this is IT's problem, but to be part of the team. And so we created this concept of a personal cyber risk score that people could see, and then by doing the training, doing well, by reporting phishing simulations, so they couldn't just lose by clicking on the simulation, they could win by reporting it. We created this gamified overall experience and it was a hit.
0:05:16
David Shipley
And we took that and we decided, how do we capture this effect? The same thing that I went through when I reported that attack back in 2012, what we've now harnessed by dramatically increasing our report rates and decreasing our click rates, something we called the sheepdog effect, and create a scalable technology that can do this. And that's where Beauceron was born, because a Beauceron is actually a breed of sheepdog from northern France.
0:05:42
David Shipley
And so we took these ideas and this journey and now 650,000 plus people use this experience every year to get better at being a cybersecurity, I wouldn't say expert, but certainly being aware and motivated to do their part to protect their organization.
0:06:04
Brett Callow
Training isn't exactly universally popular. Lots of employees seem to grumble, "Here we go again." What are companies getting wrong? How can they make it better?
0:06:17
David Shipley
So right now I am deeply concerned about this trend where I'm seeing, which is what I'm going to call the "let's make the cough syrup taste better" trend. And so there's a big push towards entertaining content. So dramatic series, humorous series, let's address the complaint that the cough syrup doesn't taste good and make it go away instead of actually making sure that we're actually giving the right medicine for the right actual problem.
0:06:47
David Shipley
And this is what I mean by relevancy. A lot of organizations just want to take something off the shelf, plug it in, send it out to their users, yell at them about the same three things we've been yelling at people since 20 years ago when we started Security Awareness Month. And check a box and we're done. But if you want to actually engage adult learners inside your organization, it's going to take more.
0:07:13
David Shipley
Particularly if you've done security awareness more than once in your organization, you need to actually take some time and say, why does this actually matter to our business? This is where we encourage our customers to actually do a two-minute video with a senior leader and forget about the talking head experts, the David Shipleys and everybody else out there. Have your own leadership say, this is why we care about this in our private sector organization, public sector organization, not-for-profit. If we have a cyber incident, these are the consequences to our ability to deliver products, services that people rely on.
0:07:49
David Shipley
And all of a sudden, management cares about this. And then if you can have the courage to give real examples of threats you've faced or in your industry, and even better, examples of how people in your organization have stepped up to report a phish that stopped an attack in progress, then all of a sudden, you've addressed the single most important thing. Why am I spending time on this? The next part, I think, that's really important.
0:08:13
David Shipley
We're doing a lot of research around return on investment of security awareness programs, and we're increasingly concerned that you can actually overtrain for the risk. What do I mean by that? I mean the biggest cost of a security awareness program is not the cost of licensing a security awareness platform. That's fractional. Take a 100,000-person global enterprise. If you take an hour of each of those employees' time per year to talk about security and privacy and your content is not as effective or efficient as possible, that cost is staggering.
0:08:52
David Shipley
But what if you could do it in 30 minutes? And what if I could tell you that in 30 minutes spread throughout the year, we can actually give you better risk outcomes for less cost? And that's where we need to get to as an industry: relevancy for the end users, not just trying to entertain them, give them a laugh or not bore them, and actually demonstrated risk reductions against verifiable metrics for time actually spent.
0:09:21
Luke Connolly
Cybersecurity software has adapted over the years in sort of an ongoing cat and mouse game as criminals develop, deploy and develop new tactics. Is the same true for training? Can we train people to the point where the threat of phishing, for example, approaches zero?
0:09:42
David Shipley
Phishing is a form of social engineering which is the ability to expertly manipulate someone's emotions to then get them to make a series of decisions they wouldn't otherwise make. And so there's no amount of education or training that can dehumanize an emotional human being. Never going to happen. You can lower that rate to an acceptable percentage that then your other security controls have a much greater chance of success. Here's my example of this.
0:10:19
David Shipley
We could do defensive driving every year, mandatory for every driver on the road, and you have to prove it, do it, have a certificate, etc. And we're still going to have accidents and we're still going to be grateful for seatbelts, airbags, the forward collision sensors, the whole nine yards. So we have to have both in balance. So really good defensive driving as part of a cultural value that you actually care about.
0:10:46
David Shipley
And then when you do make a mistake, the other technology control is there to save you. But what I find is too emphasized in our industry is don't worry about the driver training, just throw the gas pedal down, close your eyes, the airbags will get you if you screw up. No, that's not really a good idea. Here to test your airbags the hard way. So that's my thought on this. My second thought, and I'm going to get academic for a second, is we need to talk less about training.
0:11:15
David Shipley
And training is about teaching a set of repeatable skills, and more about education, which is helping people develop frameworks and thought models they can apply in different circumstances. So really good awareness. Education versus training. Training is, here's how to tell if a link or a from-address is from a potential malicious actor. That's training. That's a skill you can then repeat and do. Education will say, listen to your emotions when you're reading an email and you feel overly afraid or excited.
0:11:48
David Shipley
That's how you're potentially being hijacked. When you explain the why and how to repeat that framework, you now have something that's useful not just for phishing emails, but also for phone-based social engineering attacks, text messages and others. And I'll go one layer deeper. When you teach people about the risk-reward balance of technology, that there is no risk-free technology, when you teach them that cyber is all about being in control of the decisions you make about when, where and how to use technology, they not only learn to avoid malicious actors, they also learn to make more informed decisions about how they use technology to help their organization accomplish its objective.
0:12:30
David Shipley
And that is when we've really hit peak value to an employee or a leader in an organization because we're helping them do their job better. We're helping them make more money or serve the public. Sorry, I get super fired up about this stuff.
0:12:45
Brett Callow
Bruce Schneier once said, and I quote here, that training users in security is generally a waste of time. And he went on to say that the money could typically be used or better spent on other things. I assume you don't agree with that assessment.
0:13:03
David Shipley
Now, Bruce is a very smart guy, very well respected. But obviously the most valuable asset in any organization is its people. It is the one sustainable competitive advantage that can be unique to every single organization. How we harness the tremendous potential of our people is how we build great organizations. It's not easy and it's not easily measurable, and it's not as cool as looking at technology controls and how they can show us how many pieces of malware were stopped or malicious traffic.
0:13:42
David Shipley
It's dirty, hard work. It's the messy, emotional side of things. And yet, I'll tell you this. Most technologists, when they look at cybersecurity, either they will explicitly say the following thing or they'll implicitly believe it. And that following thing is this: our users are stupid, and you can't fix stupid. But here's the problem with that. If any given organization is full of stupid people, I'm not going to make a joke about dysfunctional democracy right now, but let's just take a regular business that is full of stupid people. The single biggest problem for that business is no longer cybersecurity. It's full of stupid people.
0:14:21
David Shipley
But most organizations are not full of stupid people. They're full of very intelligent, inspired people. And when we actually measure user attitudes, which is part of the work that we do, 90% of employees before they started the training program say they want to do the right thing. So they already have the initial motivation. Now you need to meet them where they are. So is there a limit to training?
0:14:49
David Shipley
Yeah, there is a limit to where training is. Is there more to be done on education? Absolutely. Because, again, it's a difference between teaching a repeatable, definable skill set and teaching people frameworks and tools. And the other thing is we can't just solve cyber risk with technology or with training or education. We also have to have culture. And you hear a lot of people use the word security culture, but security culture is more than just "we deployed an awareness platform. We have a security culture."
0:15:25
David Shipley
It's how do your executives value, incent and talk about security? In your initiation of new processes, projects, or technologies for your business, how do you celebrate when people do the right thing, even if that means that it's going to cut into your profit margins, because long term, this is better for the business? And how do we build cultures that recognize that risk-reward requires good, thorough debate and discussion?
0:15:52
David Shipley
So that's kind of my answer back to Bruce, is that there is a value, a return on investment, for every single thing we do in cyber risk management. We currently spend about one cent of every cyber dollar on the human side. I think we can do better.
0:16:11
Luke Connolly
In terms of risk, do you think that there's a sweet spot that cybercriminals target and that therefore is in need of security awareness training? So for example, are small companies at greater risk than large companies, or private companies over government organizations?
0:16:28
David Shipley
Well, I think the numbers we're seeing coming out of ransomware attacks against healthcare and our experience in healthcare demonstrate this is an area that's prime for security awareness, education and motivation as a risk reduction measure. And why do I say healthcare specifically? Number one, they never are going to be in a position to implement enterprise security controls in the same way that a bank or a telco or somebody else can do. Because slowing down nurses logging into a workstation can actually influence patient care.
0:17:01
David Shipley
So how they do the application of security controls has to be mitigated, so it gets into real human safety and life outcome stuff that's unique to healthcare. What do we know about awareness? We know that awareness, while it can never get you to zero risk, I just want to be really clear, there is no silver bullet in the awareness work. What it can do is reduce your risk from certain things like phishing by as much as 80% within 90 days, and a sustained effort can keep that risk down below 5%, creating a much greater chance of success for your other security controls regardless of the context.
0:17:40
David Shipley
And we've had the privilege of working with numerous hospitals across the country, and the one complaint that we got from users was not what we expected. We had created cybersecurity content specific to healthcare. We had used imagery and iconography and examples from healthcare settings. We had acknowledged the importance of timely patient care as the number one business organizational concern. The one complaint we got was, at the time, the healthcare organization we worked with hadn't deployed our mobile report-a-phish button.
0:18:15
David Shipley
And so doctors and others were complaining they couldn't get their points on their score because they were trying to report it on the mobile and they weren't seeing how easy it was to do so. When we deployed the button, people could actually get rewarded and acknowledged for winning at the game. And it was a welcome kind of fun new thing to deal with even in the midst of deploying in the pandemic. So that's the organization that I would love to see much more work done. And it's an organization that is culturally aligned to continuous learning and development and does things like safety and hygiene moments and other things of which cybersecurity can simply be another consistent way of delivering good quality patient care.
0:18:57
Brett Callow
Most phishing emails suck. They're not sophisticated. They don't look legitimate. Why are people clicking on them? As you said, most people aren't stupid. Yet these very obviously fake emails still do get clicked.
0:19:13
David Shipley
So I am an amateur neuroscientist and I happen to have many, many smart friends in the social sciences. And we've had this very interesting discussion. And the first thing that came to my mind, and Michael Joyce was the first one, he runs the Human Centric Cybersecurity Partnership out of the University of Montreal and he's currently working on his PhD. And he reminded me that thinking takes calories.
0:19:40
David Shipley
I was like, what do you mean? It's like, well, your brain burns calories to think. And over human evolution, we developed automated systems that would reduce the amount of calories we need to burn. When we saw familiar information, we would fill in the blanks. We would have that automated decision making process so we didn't have to go to that deeper, more calorie intensive neocortex that would actually discuss and debate and look at those things. So what happens is human biology starts playing a role in information processing. Just kind of stunning when you stop and think about it. Yeah.
0:20:15
David Shipley
When you're tired, when you're hungry, you are much more likely to get into automated decision-making mode and your brain will fill in the blanks. That Microsoft logo does not need to be perfect, just to look just enough that your brain's not going to bother processing the rest of it. Yeah, it's the Microsoft logo. I've seen this before. Yeah, this looks like it's from the IT help desk. I'm not going to scrutinize this before. I'm going to be efficient with my time.
0:20:40
Luke Connolly
Looking at the other end of the threat spectrum, what are some of the more sophisticated threats out there? And can they be mitigated with proper awareness?
0:20:51
David Shipley
We need to have really good process inside an organization that recognizes there are things that we can do before the bad thing happens. This is the left of boom equation. So often in cybersecurity, we're all focused on right of boom, after the explosion happens. And for those not familiar, the left of boom, right of boom is an analogy that developed over the last 20 years over the various wars on terror, dealing with improvised explosive devices, et cetera. And when militaries were trying to understand what are the things we could have done to prevent that IED incident from happening in the first place versus how we react during the incident and after the incident.
0:21:31
David Shipley
The reason, by the way, Beauceron's logo faces left, which is one of the few logos that actually does that, is because we want to focus on left of boom, the maximizing of the preventative possibilities. So avoiding people clicking on links is one thing. Getting them to report attacks so that you see what's getting by your email filters, and even tell you after they've fallen victim, is all about trying to minimize or prevent the boom as much as possible.
0:21:58
David Shipley
So that's really important on that side. But process goes beyond just having good training in place. It also means practicing your incident response. So people actually at the executive level do tabletops and make tabletops that make you have that hard swallow moment. What do I mean by that? It's when you're sitting around the executive table and you're going through this incident tabletop, which is a lot like Dungeons and Dragons for business, right? So you get the dice roll and you're like, okay, your backups didn't work. The ransomware gang got into them, and you had that moment where you swallowed. You go, well, what do we do now? The backups are gone.
0:22:37
David Shipley
Practice those moments and think about what resilience actually means. Because when you're in the actual moment of dealing with it, all that human, messy, emotional stuff we just talked about is going to be at play. Stress, fatigue, all these things, your decision making will be impaired. So preparing to react and then having really good layered technologies that give you the best possibility of survival is really important.
0:23:04
David Shipley
The odds of you never having a cyber incident... Even the CIA and the NSA have got their stuff hacked and breached, right? Like, if they can't be perfect, nobody can. It's not about being perfect. It's about getting through it as best you can and avoiding it as long as you can and not repeating it often, because if you have continuous breaches, you will eventually lose customer trust. Hopefully that answered the question in a relatively roundabout way.
0:23:34
Brett Callow
You mentioned briefly the importance of corporate culture before. What did you mean by that? What should organizations be shooting for in terms of a culture?
0:23:45
David Shipley
Okay, a couple of different things, and I'll start with the don't-do-this. Number one, the number of American organizations that I talk to that have an "if you click on three phishing emails, we'll fire you" kind of approach to things. Don't do that. That creates a security culture where people are like, oh God, if I tell someone I screwed up, that could be a strike against me. So I'm just going to pretend this didn't happen and hopefully nobody notices.
0:24:08
David Shipley
It's a super bad idea, by the way. Also, if you're only tracking simulations, which seems to be what the majority of organizations do when they have this execute-on-three-strikes policy, and they're not actually tracking the real clicks, you're setting yourself up for all kinds of hilarious failure, because your real clicks actually require you to do more work and investigate and close incidents. And if you're not holding people accountable to those, but you're getting them for clicking on the simulations, how is that fair?
0:24:36
David Shipley
That's bad security culture. What does good security culture look like? I'll give an example of a brewery. And I'm particularly proud of this brewery. I'm a Canadian. We love our few remaining independent large breweries. I'm a New Brunswicker, so Moosehead comes to mind. And I remember when we first started with them, their CEO had a town hall, said, we implemented security awareness training. I thought I was too smart to fall victim to phishing, or something along those lines, and in a moment of vulnerability said, but I clicked on a phishing email.
0:25:08
David Shipley
Even I clicked on a phishing email. Here's what I learned from that experience, and this is why it matters to me and to our organization, why we're secure.
0:25:17
Luke Connolly
I think you've answered this or touched on it, but I want to dive specifically into it. Is security awareness training different than training for Excel or any other subject for that matter?
0:25:31
David Shipley
I think there's an element of security awareness that's pure training, where you're showing people how to use tools and be successful. So, for example, when we onboard employees at Beauceron, we show them how to set up their beloved password manager. We show them how to use SharePoint successfully and securely and what sort of the risks and the pitfalls are. So we teach them the tools that we expect them to use to be successful. That's training.
0:25:59
David Shipley
And then we spend time educating people about cybersecurity and teaching them why cybersecurity is an issue, how the cybercrime industry is a problem, what are the limitations or options for dealing with this and why they actually matter. The training, when you teach people skills, can be similar to teaching about Excel. Showing people how to report a phish is training. So go here, click this button, report the phish.
0:26:27
David Shipley
But when you tell them why and the difference it makes and how they're helping the organization, you're educating, moving onwards.
0:26:36
Brett Callow
AI, what role do you think that will have when it comes to cyber risk and training?
0:26:44
David Shipley
Yeah, let me delineate between a couple of different things. First of all, we don't actually have artificial intelligence in the sense of the way that sci-fi talks about it, like a generalized intelligence that's equivalent to humanity, the "I think, therefore I am"; that doesn't exist yet. When it does, we're going to have a whole other set of problems, but it doesn't exist. We have two different ways for machines to solve problems.
0:27:17
David Shipley
We have what I consider good old-fashioned machine learning, which seems weird to say, but it's just really well understood ways of applying statistical probability and computation against problems. And that has been used for years in all kinds of beneficial ways, in all kinds of technologies. And then we have this hilarious generative AI shenanigan that's playing out. And the reason I say generative AI shenanigans is that one out of five times, this thing can be not just wrong, not just comically wrong.
0:27:51
David Shipley
I mean, it makes stuff up, like a five-year-old caught with his hand in the cookie jar. I mean, there's been examples of New York Times reporters actually quizzing it about a restaurant, and it made up a restaurant location and then tried to gaslight the reporter to make it seem like it was real. Generative AI in this large language learning mess is 2023's answer to blockchain and crypto bros a couple of years ago.
0:28:16
David Shipley
There is going to be a lot of money blown on this before we actually figure out where the value lies. And I really encourage people to read this academic paper, and you'd be like, oh, that sounds like fun, David, but it is. It's actually a really good paper. It's called On the Limitations of Large Language Models, or LLMs. It's called Stochastic Parrots. And it's what got two Google AI ethicists fired. But they do a really good job of picking apart this Wizard of Oz technology that we're all obsessed about.
0:28:48
David Shipley
So AI in the form of machine learning and generative AI can be used somewhat beneficially for cybersecurity. I think there's a lot of snake oil being sold right now as the next big thing, because cybersecurity does tend to sell a lot of snake oil, truth. But criminals are also figuring out new ways to use AI to skill up. If you're not a natural English-as-a-first-language speaker, boy, did you just get your grammar improved. And the old advice of look for typos and grammar errors and poor syntax just goes out the window for phishing emails. So expect much more eloquent phishes.
0:29:27
David Shipley
But also the ability to harvest information to build psychographic profiles on a Luke Connolly, a David Shipley or a Brett Callow is getting much more interesting.
0:29:37
Luke Connolly
I know that you've addressed this, but I want to force the issue with a scenario. There have been reports of threat actors calling tech support lines posing as company executives, and they request configuration changes that compromise security. A scenario like a young tech support technician gets a call and there's an irate person at the end of the line. They say they're a VP and "I need MFA turned off right now."
0:30:03
Luke Connolly
And so what's the person going to do? They disable MFA, multi-factor authentication. They compromise the security of their infrastructure. If tech support can be bamboozled by social engineering, what hope can average users have against this kind of attack?
0:30:21
David Shipley
Well, first of all, this goes back to the culture question that Brett was asking. And so when we look at how desks are measured for their performance, and we look at all the industry best practices, the client satisfaction level, the turnaround time, how efficiently we solve this problem, nowhere in a lot of these frameworks have I seen the help desk agent challenging the veracity of what is being claimed in the ticket as an actual value or outcome that gets celebrated.
0:30:52
David Shipley
And so that's what we actually have to change when we talk about culture, is that you actually have a help desk that feels safe psychologically and employment-wise, going, hey, Mr. VP, Mrs. VP, I am sympathetic to your problem. We're going to have to do a few things together, though, because this is a common way that we could actually get attacked. I know this is going to slow things down, I know it's inconvenient, but I have to be safe. And I know you want to protect the organization as well. Let's do this together.
0:31:23
David Shipley
And then we have to train people around that instead of just ticket friggin' close times. But until we fix that at the cultural root of the organization, at the job description level, at the metrics, and how people are rewarded and incentivized in their jobs, then yeah, it's going to be really easy to socially engineer overworked, under-resourced, oftentimes under-educated and under-exercised help desks. How many help desks right now, folks listening to this podcast, have done a simulation with their own help desk of someone calling in as an actual human being and working this exercise, and celebrated when someone challenged versus acquiesced and just did what the customer asked for because the customer is always right? If you have a "the customer is always right" methodology for your help desk, I am going to social engineer you.
0:32:14
David Shipley
You've got to have a challenge and mutual respect culture within your organization. And that's hard. It's way harder than people anticipate. I'll give you an example. So there was a university in western Canada, and I won't name who, because it was just funny. They got an email to their finance team, standard business email compromise, and it was like, I need you to pay x amount of dollars to this vendor, et cetera.
0:32:38
David Shipley
And they knew immediately it wasn't the university president. How did they know it wasn't the university president? The email said thank you and their president was a jerk who never said thank you. So people need to know that we have to build cultures and invest in the human.
0:32:57
Brett Callow
How can organizations tell if their training programs are working? What does working actually mean?
0:33:04
David Shipley
Oh, I love this question. So oftentimes organizations are solely focused on metrics like completion. So the activity was assigned and x amount of people completed it, but they never go back and measure outcomes. This is where I'm so frustrated right now. We have so much data. We could actually look at, for example, malware encounter rate. Did we actually have less people encounter malware that could stop by rev before it could happen? And did we have less malware incidents and more people reporting malware concerns to the organization?
0:33:44
David Shipley
Those are all measurable metrics of outcomes we could do. How many people engaged the security team to ask a question or improve a best practice? How many phishes were reported, both simulated phishes as well as real ones? And for the real ones, there are cool ways that we've pioneered to actually automate this and give people feedback on what they're reporting, which is awesome. The most important metric for a security awareness campaign that includes phishing simulations is not the click rate, it's the report rate.
0:34:16
David Shipley
How many of your employees did the right thing? And if you can get that number to 50 plus one, it means that you are more likely than not to know about an attack as it's happening and potentially get on top of it than anything else. And if you can get that rate to 70%, you've really built your resilience. And where does that play out? When I did the work at the University of New Brunswick that led to Beauceron, one of the first ransomware attacks to hit a Canadian university and go public happened in western Canada and they paid. It was like $20,000. I mean, huge bargain nowadays. We saw attacks with malicious attachments against our university go from 125,000 a month. Keep in mind faculty and staff, 3000 students, about 15,000 at the time.
0:35:03
David Shipley
So five malicious phishes per head, roughly. And they actually saw that number go to 1.25 million. Now, our email filter was good, but it was only about 95% to 98% accurate at stopping the stuff at the border. Now, a two to 5% leakage rate of 125,000 malicious attachments is one problem; a two to 5% leakage rate of 1.25 million, whole other problem. And yet we didn't have a catastrophic incident. Why?
0:35:35
David Shipley
Because we did lower our click rate. We went from 33% falling victim to any simulation I'd send out to less than 5%. But we also dramatically increased the percentage of people spotting and reporting phishes. So that's how we can do a better job of measuring outcomes. And also, for the love of God, be kind to your people and don't assign 2 hours' worth of training a year. I guarantee you 30 minutes, 30 minutes a year spread out over a couple of touch points, will get you far further ahead than annoying the hell out of your users. You don't need a giant library of unlimited content, despite what many vendors are trying to sell you.
0:36:15
David Shipley
You need 30 minutes of good content and ideally, your own content in that mix.
0:36:24
Luke Connolly
How often should companies be thinking about running awareness training? Like, is it a monthly thing? Should they do it annually?
0:36:31
David Shipley
So what we've seen from some of our research is that top of mind generally slides after 90 days. So if you're just doing the annual mandatory come-in-for-your-cybersecurity-training beating, sorry, I'm just being funny about this, once a year, and then we're occasionally going to phish you maybe once or a couple of times a year or four times a year, you're not cutting it. Ideally, at a minimum, you've got your refresher training that's happening. And then continuously phishing at least once, actually once a month.
0:37:03
David Shipley
So people have an opportunity to learn and see and engage. Cool thing about this is when you tell people we randomly phish, and by the way, don't blind-phish your users. That pisses them off. Tell them you're phishing them. The benefit of that is they start suspecting things in their inbox. That's exactly what you want them to do. Whether or not they're worried about Ivan, the Russian hacker, or David, that pain in the butt from IT that does phishing simulations, I don't care.
0:37:28
David Shipley
I'm getting the behavior outcome I want. They're slowing down. They're thinking this could be a test. So once per month has been the balance of keeping them on their toes versus annoying managers, directors and others. So once per month, the simulations. Our most effective clients do a quarterly touch, five to ten minutes on a topic. And here's the thing: rotate between what's in it for the business and what's in it for me.
0:37:55
David Shipley
The "what's in it for me" being, talk about tax season fraud in March. Don't always just be about what they have to do to protect the company. Don't be the Initech of cybersecurity awareness where you've got the sign: is it good for the company? Is it good for your people? And can they be more secure?
0:38:13
Brett Callow
Final question, and it's one we ask everybody. Should companies be free to choose whether or not to pay ransoms? Or should there be a ban? Or if not a ban, at least some restrictions?
0:38:29
David Shipley
Oh, my God. This has been a point. I hate, hate when companies pay ransoms. The only organizations I give a reasonable hall pass to are healthcare organizations where life and death decisions have to be made based on the availability of patient data. I really can't say, oh, for love of God, don't pay, because that can literally outcome either life years or life or death decisions. So healthcare is getting a hall pass. All the rest of you, you know, come on, let's not do this. But what I've come up with in Canada as an idea, and I'm pushing for as a policy, is a balance between this whole debate of pay, not pay.
0:39:09
David Shipley
It's a federal registry of ransomware payments. So if you're going to pay, you have to register the Bitcoin address, the payment method, the amount, the group, et cetera. And you've got to provide this data to the federal government. They'll keep it secret, they're not going to publicize it, et cetera, but they actually get an accurate measurement of what's happening. Now, what gets really cute is organizations will think twice about paying the thing just because they have to report it.
0:39:34
David Shipley
And they're like, do we really need to pay this ransom? I mean, it's going to get reported to the federal government. There could be some questions back on this. You know what? This is optional. This is a nice to do. We don't have to do this. Away we go. And lastly, for the love of God, stop paying the ransoms where the criminals took your data and they pinky swear they're going to delete it. What a joke. I mean, at least the most honest thing that came out of the casino breach.