Speaker: Connor Swalm
Welcome to Gone Phising, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swan, CEO of Phin Security, and welcome to Gone Phising.
Hey, everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor, CEO at Phin Security. And today we're going to talk about the importance of cybersecurity education.
So, cybersecurity education, there's really a whole spectrum of education. There are people who understand very little about cybersecurity to begin with, and then there are cybersecurity experts. And it's very important that regardless of where you lie on the range of understanding, that you get the education that's right for you.
So let's talk about the extremes. So the people who have very little understanding of cybersecurity, what does the education for them look like?
This is something I actually talk about a ton with not only my entire team, but a lot of practitioners in the industry and a lot of friends of mine so that we can help people of all abilities understand cybersecurity. A lot of things that we're thinking about teaching people with little initial understanding of cybersecurity are basic concepts, like, think about super basic concepts such as multifactor authentication.
We go even so far as to say, let's make sure we're not using any acronyms. Let's make sure if we use words that are industry specific, like, I don't know, I'll use an acronym, MdR or XDR or anything like that we take the time to explain what that is.
What I see when talking with people who are just getting into their understanding of cybersecurity is there's not only a disconnect of the actual definitions of like, hey, here are what these things are. MFA. Multifactor authentication means having more than one way to verify that you are who you say they are. But then the application.
So there's the definition of the application that you need to make sure that you get, that you cement in their understanding when they're learning something for the first time.
So, for instance, for MFA, we'd say, hey, this is the text message you get this is the authenticator on your phone where you have to enter in the six digit code. This is your thumbprint. This is a security question. There's hundred different ways to do multi-factor authentication, but that's physically what it's going to look like.
The second piece, the application is. Why is that so important? I used to do a lot of talking for small business development centers, and.
I would do specifically a presentation for business owners who wanted to learn basic cybersecurity principles.
And this is how I would say to them is, picture your personal email address. Sometimes it's your name@gmail.com. Sometimes it is an incredibly embarrassing email that you made when you were twelve years old, and you really hope nobody ends up having. You have to give it out to nobody.
But at the end of the day, what would happen to your life if you lost access to that email? Right?
If somebody got your email password and lost access to it, and the only thing you had was your password, what would happen? Most people who I would talk to on these calls would say that their life would be over, basically.
Whether it was their calendar, whether it was their bank accounts, whether it was their retirement, whether it was things that they do with their friends and family. Or their Facebook, or hundreds and hundreds of different things they use in their daily life.
They would just immediately lose access to that. So it's like all somebody would need is that tiny little password, which is usually the name of their dog in the year they were born, or something like that to begin with.
We also went over password hygiene for these folks, and basically their life was over. That's the way they would say it. But to not be climactic, it's just a huge pain, at least. And so what I would say is, okay, now picture that you lose your password, but that person who has your password would also need your cell phone.
I got my cell phone right here. They'd also need to text you, and they'd also need a little code that you got on your cell phone, or nobody else got on their cell phone. In order to actually steal access, how much safer would you be? Or how much harder would it be for somebody to not only get your password, but also have access to your cell phone?
Whenever you need that code, it's much harder. That's an application of MFA, basically. Hey, it's not just twice as hard to steal, it's much harder than, twice as hard to steal access to a cell phone and a password.
And trust me, passwords get leaked all the time. Have I been poned? Is a really popular website where you can just go look that up. Now, just because your password is not on there, your accounts aren't on there doesn't mean your account hasn't been compromised. But Apple's doing this. Google's doing this now, too, where they'll tell you, hey, we found an email address in a leak that got leaked several months ago, or as recent as a few weeks ago with your information in it. You should probably go change your passwords.
If you have MFA involved, it'll prevent that from immediately turning into a problem for you in terms of getting your thing stolen. So that's like the layman. You need to explain the definition, and then you need to explain the application so that they understand. Why are these things important to begin with?
Then there are the security practitioners. What is the kind of education they would need?
Well, I'm going to draw upon the advice that a friend of mine and a previous guest, Wes Spencer, if you want to go look at some of the episodes that I've done with him, that he gives to these cybersecurity practitioners, not only as one himself, but also to these people who have been working in it or cybersecurity for sometimes 20, 30, 40 years. And the biggest piece of education that they end up or the gap that they have in their education is all centered around communication. Now, to those of you that are listening, you're probably like, well, of course, everyone can work on communication.
But what I mean by that specifically when it pertains to cybersecurity, is you're used to selling or understanding the ins and outs of the implementation of security tools or even security frameworks, and you're not used to having to understand and communicate the value of the tool and the framework.
And that's one of the biggest things that Wes is working on. This thing called MPAs cyber, that they aim to bring to security experts is, hey, you understand infinitely more about actual security and implementation and how to get it done and how to combine these tools on the right way to get an actual blanket of security. However, have you learned how to communicate that to a person who doesn't understand that, who has no idea of what's going on, and they might never understand what's going on, you need to explain to them the value of that as well.
So if you neglect these, if you find people on both ends of this security understanding spectrum, what are the risks of neglecting doing that? Like, what's going to happen?
Well, I see a lot of this in, I'll go back to the conversations I'd have at SBDCs. I see a lot of people who, they're trying to understand it for the first time. They get a cyber insurance questionnaire and they start freaking out or they get a fake email that says they've been hacked and they have no idea what to do.
I won't say who, but a family member of mine called me saying they'd been hacked and they were freaking out. And lo and behold, they had just clicked a bad link on some spam email and it was malicious. And if you know what I'm talking about, it hid the URL of their browser so it looked like they were actually getting their computer ransom.
But it wasn't. It was just their chrome tab with the URL hidden that made it look like you needed to pay bitcoin in order to get your computer back. Usually people neglect education until it arrives at their doorstep in some fashion like that. And the reason is, it's really hard to understand the importance, or it's really hard to understand what you don't know. Especially in such a broad topic and a deep topic such as cybersecurity.
But one of the risks is, quite frankly, just falling behind, is technology will continue to implement itself in my life, in your life, in everyone's life, at a faster and faster rate. It's just my parents, when they were born, the Internet wasn't a thing, and even computers weren't a thing, really.
And then when I was born, the Internet was already in existence. And I have grown up on and in and around computers since the day I was born. And then if you look at Gen Z or people being born in the 2000S, it's even different. They can't remember a time when mobile phones didn't exist, when cell phones didn't exist.
I remember growing up without a cell phone. Nobody that I talked to that is currently in high school or even early in college even understands what that's like because it was always implemented in their life. And so if you consistently get to a point where you're only handling your education when it arrives on your doorstep in a fashion that requires an emergency.
Let's say you're going to continue to not. That's just going to keep happening. It's going to be wasteful, you're not going to get ahead of implementation, you're not going to get ahead of understanding. And you're not going to be able to integrate that technology into your life to be just more effective at what you want to do, or just to use new technology, which you could make arguments about, should we continue to implement new technology and whatnot?
But I believe you should. For the folks who understand security and are security practitioners, and I see this time and time again, you get to a point where you know, so much like an inch wide and a mile deep kind of statement here.
You know so much about a very specific set of cybersecurity tools or implementations that you find it impossible to communicate the value of that to somebody who has no idea what you're talking about.
Which, speaking from experience, most people will have no idea what you're talking about. I'm one of those people that have no idea most of the time. But then when you sit down, I find that when I sit down with them and I ask them to unpack it piece by piece, and I ask really insightful questions about how is this actually valuable? Is this creating additional security, how is it doing that?
How does this integrate with the rest of the business that we're talking about? Because at the end of the day, MSPs, the people that I serve, they're working with small to medium sized businesses, which are usually mom and pop shops or family run organizations most of the time. Not these enormous fortune 1000 companies that are run by conglomerates or owned by investment firms and have thousands and thousands of employees.
These are people who use it for their livelihood. So if you're unable to communicate to them these things, because these people don't have the time to invest in understanding security, they're running a business. That's what they do. They might understand it at a cursory or an introductory level, but if you can't explain your services and your solutions at an introductory level, it's just not going to work out and you're going to continue talking past each other.
So that brings me to a really good point that I often tell my partners, my MSP partners, is, what role. Do you have in this education piece? And the answer that I'll give is like, 110%.
I have a reading list, and one of the books on there is Extreme Ownership by Jocko Link. And if you just pretend, even if it's not the case, that you are in control of the outcome 100%, you'll usually arrive at a place where you have a decent amount of control over the outcome because you acted as if it existed, you planned for it, and then you just did it. You went out and you did it.
And so the reason I bring that up is your clients will be as educated as you sit down and take time to educate them. As an MSP, that's largely what I believe. Now, some of that involves them doing their own homework, and you sometimes assigning that homework, so to speak. I don't want to make too many classroom analogies because I'm getting ptsd from school. But that's basically where it's at, is.
You have all of this broad understanding of security and it infrastructure, and now you're trying to communicate to a business owner why they should bother to spend what is usually a ton of money for them with you to protect themselves.
Protect themselves from what? Well, the cyber ether, the threats that exist in the world. And so what I see is if you accept, if you pretend that you have the responsibility of educating these folks and then you set out to actually do that, you can usually use a lot of resources, a lot of partners to do that, but it's really your job.
So your role in cybersecurity education as an MSP, speaking frankly, is all of it. It's your job not only to run an awareness training program for your clients.
So their employees understand things, but it's your job to fight for budget or to fight for mind share, or whatever you'd like to call it at the executive table of your clients because they're working with you, because they don't have in house it and in house cybersecurity talent that they can rely on 100%. Maybe they have some of that, but they're working with you to supplement that at the very least, it's your job to advocate for all of that, and it's your job to understand the risks that they're going to face.
And then it's your job to communicate them in such a way that they understand them effectively. Some things that I would do if I were looking to do this to this day, highly recommend YouTube.
YouTube is great at continuing to recommend things that you are likely to interact with based upon things you have already interacted with. So if you go to YouTube right now and you say cybersecurity basics, you'll probably find 100 to 1000 presentations on understanding cybersecurity basics.
One thing that might not be readily available that would be interesting to take a look at is there are really five main things that cyber insurance policies recommend.
That is multifactor authentication, security awareness training, immutable, segregated backups, managed AV, NextGen AV, and then EDR. Some kind of endpoint solution. Usually those are the five things that they recommend. That's probably a great place.
That's what I would recommend if cyber insurance companies are getting on the bandwagon.
And requiring those go learn what those five things are. All right, what does that look like to be implemented? What is endpoint detection and response? Why is that a thing? What is next gen antivirus and why.
Is it the next generation of antivirus? These are all things that I have at least a cursory understanding of that it would take you. You're listening. 510 15 minutes to also gain a cursory understanding of a guest we had on board, Tom Lawrence. He spends a ton of time making YouTube videos, just like I'm talking about on networking and infrastructure related questions.
So if you want to understand how a firewall works, or PF sense, I think is the big one I use with him, if you want to understand how that works, there's a video of him sitting there and explaining it and going through the ins and outs of it, all the way from the cursory understanding to you're a technician that has to implement this properly. What does that look like, and why should you implement it this way? That's just one person out of hundreds and hundreds of thousands of people who are making videos like that. You want something more structured.
I would say a lot of people benefit from structure, especially when they're learning new concepts. There's a ton of free courses online, or at the bare minimum, you could pay like 20 or $30 and get access to a coursera course where you could understand cybersecurity.
You could learn at your own pace, and you could see what is an actual structured program that teaches modern day cybersecurity.
For those of you who are not an MSP and listening, go ask them. Go ask your MSP hey, what would you recommend I learn for additional cybersecurity? And make sure it's not just the awareness training program that they'll recommend, but actual security concepts, because that's two different types of learning, right? One is teaching you how to change your behavior and understand your behavior in the context of the business.
The other is seeking to educate you on actual cybersecurity concepts so that your business can apply them.
So it's like an individual perspective versus an entire business wide perspective of a program is different from an individual's behavior. But both of them have to do with each other, if that makes sense.
So those are the things that I would recommend. If you work at a big company there are 100% resources that you could take advantage of somewhere. And speaking frankly, if you, as an employee at a company, reached out to your security team and said, hey, I'd love to learn more about security, how can I do that? They'd probably end up circulating that email in various slack channels, because that just never happens.
That would blow them away, that somebody's taking that level of initiative. That's how easy it would be to stand out in terms of understanding cybersecurity today and taking the initiative to go do that.
It just doesn't happen. Security is a topic that most people avoid because of how it's like a black box of understanding. It's like once if you're viewing it like a black hole, information doesn't get out. I have no idea what's in there.
And I don't want to go find out. It's usually most people's understanding and their belief. So those are the things I would recommend. If you have any comments, questions, concerns.
Find me on LinkedIn or reach out. There's probably a way to get in touch with us on our website. Happy to chat about all things cybersecurity. Whether you're a practitioner or just somebody who's trying to get an understanding, I'd be happy to talk about it with you. So once again, I'm Connor, host of the Gone Phishing podcast, and I will see you next time. Thanks so much for tuning in to Gone Phishing. If you want to find out more about high quality security awareness training campaigns, how to launch them in ways that actually engage employees to change their habits, then check us out fin security at Phinsec IO. That's p h I n s e c IO or click all of the wonderful links in our show notes. Thanks for phishing with me today and we'll see you next time.
