Hacking Humans 8.19.21
Ep 161 | 8.19.21

Effective cybersecurity training has to be meaningful to employees.

Transcript

Jann Yogman: In order to be effective, we need to find the most advantageous way to impact, to reach, to make a difference for the employee.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire. And joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: Got some good stories to share this week. And later in the show, my conversation with Jann Yogman. He is a senior director of product management at Mimecast, and he's sharing his thoughts on the ransomware epidemic and the cybersecurity awareness training problem. 

Dave Bittner: All right, Joe. Before we jump into our stories this week, I just want to swing around real quick and thank everybody who wrote in with ideas for helping me with my Discord issues. 

Joe Carrigan: Our audience is nothing if not helpful. 

(LAUGHTER) 

Dave Bittner: I would say, of all the things we've talked about on the show, this has... 

Joe Carrigan: You hit a nerve (laughter). 

Dave Bittner: This has triggered - well, yeah, I think that's a good way to frame it. Because I think so many people have had this happen to them. 

Joe Carrigan: Yeah. 

Dave Bittner: They've felt this frustration and have had to figure things out. So I appreciate all of the kind notes from people, several suggestions for various password managers that could help with this, so ways to store and restore backup codes, preventive ways to keep this from happening in the first place. And some people even just wrote in with sympathy for my situation... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...Which I appreciate as well (laughter). 

Joe Carrigan: Sent you a little card that said, sorry for your loss of your Discord account. 

Dave Bittner: Yeah, just, you know, I feel you, we've all been there, and that stinks to have to go through this, and hopefully, you know, you'll be OK, and it won't happen again. So again, thanks to everybody for taking the time. We do appreciate that. And of course, we love to hear from you all. You can write us, too - hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, let's jump into some stories here this week. Why don't you start things off for us? 

Joe Carrigan: Dave, recently, the American Rescue Plan was passed. Are you familiar with this law? 

Dave Bittner: I would - I certainly know of it, but I can't say that I know the nitty-gritty details of it. 

Joe Carrigan: Part of this law is that there is a new child tax credit that's worth either $3,000 or $3,600, depending on the age of your child. 

Dave Bittner: OK. 

Joe Carrigan: Right. Unfortunately for me, my children are all much older. So... 

Dave Bittner: (Laughter) I believe I still have one child... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...Who is of age that I will benefit from this. So yay me. 

Joe Carrigan: Well, not me. 

Dave Bittner: (Laughter). 

Joe Carrigan: But these are credits that will be paid directly to taxpayers. 

Dave Bittner: Yeah. 

Joe Carrigan: OK, so everybody's going to get checks for this. 

Dave Bittner: Yes. 

Joe Carrigan: And guess what? It's a prime target for scammers, Dave. 

Dave Bittner: (Laughter) Of course. 

Joe Carrigan: And the IRS is warning American taxpayers about the scams. In fact, Jim Lee, who is the chief of the IRS' Criminal Investigation Division, was interviewed by ABC News. And we'll put a link in the show notes to connecticutradio.fm (ph). That's the station that had this story. And he says, quote, "Right now, we are seeing scammers trying to take advantage of the American public by attempting to gain information using phone calls, emails, text messages and social media, all targeting families eligible for the credit." 

Joe Carrigan: I think it's interesting that they're targeting families eligible for the credit. I don't know if that means that they're just, like, shooting these out willy-nilly, or do these scammers have enough information to know which people are eligible for the credit and then going after them? Like, are they going to go after you and not me? 

Dave Bittner: Yeah. 

Joe Carrigan: It would be interesting to know that. I'd like to know if these guys have that kind of information. 

Dave Bittner: Right. Yeah. Does it matter? Yeah. 

Joe Carrigan: Right. 

Dave Bittner: Do they lead off by saying, you know, because your child is such and such an age... 

Joe Carrigan: Right. There's a lot of information out there on the internet for us. 

Dave Bittner: Yeah. 

Joe Carrigan: It's all for sale on the dark web, but also through some of these marketing companies. You know, these marketing companies have built large dossiers of us. 

Dave Bittner: Yeah. 

Joe Carrigan: And here in America, we don't have GDPR (laughter). 

Dave Bittner: Right. 

Joe Carrigan: So we can't say, yeah, destroy that data. 

Dave Bittner: Yeah. 

Joe Carrigan: I want to be forgotten. Several scam emails and text messages were obtained by ABC News, and they appear to show official documents. They're not official documents. But one email appears to be written on official letterhead and says, economic impact payments status available July 26, and then has documents inside of it. 

Dave Bittner: Right. OK. So are they - they're trying to gather your information... 

Joe Carrigan: Exactly. 

Dave Bittner: ...By saying, come log on and make sure - verify that you're eligible for this money... 

Joe Carrigan: Right. 

Dave Bittner: ...That sort of thing. 

Joe Carrigan: And Lee says that they are sending thousands of text messages and emails every day. Once you click on the link, it sends you to a fake IRS website, where you're then prompted to enter all your personally identifiable information to claim this child tax credit. And just like that, the scammers have all your information. 

Dave Bittner: Wow. 

Joe Carrigan: In another example, there was a text message that purported to be from Janet Yellen, secretary of treasury. Right. Because, as we've said before... 

Dave Bittner: She spends a lot of time on her phone (laughter). 

Joe Carrigan: Right, yeah. She sends you text messages. 

Dave Bittner: Right. OK (laughter). 

Joe Carrigan: And it asks you to complete an eligibility form. 

Dave Bittner: OK. 

Joe Carrigan: The IRS is getting complaints as well about phone scammers. They're calling people directly and saying, hey, you need to get this child tax credit. You need to give me some information. They're also talking about the age-old scam of, hey, you owe us money, and you need to send us gift cards or we're going to arrest you... 

Dave Bittner: Right. 

Joe Carrigan: ...Which is something that has been going on for many years. 

Dave Bittner: Yeah. 

Joe Carrigan: And we've been talking about it on this show. But the IRS will never - these are the things that Jim Lee wants you to know the IRS will never do. 

Dave Bittner: OK. 

Joe Carrigan: They will never send you emails or text messages requesting you to fill out a form with personal information on it. That's something that never happens from the IRS. 

Dave Bittner: OK. 

Joe Carrigan: Right. They will never leave prerecorded or urgent, threatening messages. 

Dave Bittner: Right. 

Joe Carrigan: They will never make aggressive phone calls warning individuals about lawsuits or arrests. That's not how they operate. They do have other stuff that they do, though (laughter)... 

Dave Bittner: Yeah. 

Joe Carrigan: ...That can be kind of intimidating. But it's all - if you're in that situation, you already know that you're in that situation. 

Dave Bittner: Yeah. 

Joe Carrigan: Those things... 

Dave Bittner: It starts with a letter. 

Joe Carrigan: Yeah. Those things do not come out of the blue. 

Dave Bittner: Right. 

Joe Carrigan: They'll never ask you to pay in cryptocurrency. 

Dave Bittner: (Laughter). 

Joe Carrigan: The IRS does not deal in cryptocurrency. 

Dave Bittner: Right. 

Joe Carrigan: They just tax your capital gains on it. That's all. And they'll never call taxpayers asking them to provide or verify financial information so that they can obtain the monthly child tax credit. 

Dave Bittner: I'll also add to this list, the IRS will never offer to come to your house and wash your car. 

Joe Carrigan: Yes, of course not. 

Dave Bittner: (Laughter). 

Joe Carrigan: Why would they do that? 

Dave Bittner: I don't know. I just - I think I'm just being silly. 

(LAUGHTER) 

Joe Carrigan: Remember the old 1970s commercial from the IRS? It was a public relations commercial. 

Dave Bittner: No. 

Joe Carrigan: People serving people just like you. 

Dave Bittner: Oh. Hmm. 

Joe Carrigan: I remember that. 

Dave Bittner: (Laughter) They're not using that one anymore. 

Joe Carrigan: No, they're not. No. Because people were like, hey, can you come wash my car? Maybe that's where it came from. 

Dave Bittner: (Laughter) There you go. Right. Exactly. 

Joe Carrigan: Yeah. 

Dave Bittner: Yeah. 

Joe Carrigan: So be on the lookout for these scams. These are - these things happen every time something is in the news. 

Dave Bittner: Yeah. 

Joe Carrigan: So when you see something in the news like this child tax credit, be on the lookout for scams about it. And this is just another example of that. 

Dave Bittner: Right. Right. And I think it's important to remember that if there's any organization in the world that already has all of your personally identifiable information... 

Joe Carrigan: Right. 

Dave Bittner: ...It's the IRS. 

Joe Carrigan: They do. They have a lot of it. 

Dave Bittner: They don't need to ask you for more of it. 

Joe Carrigan: Right. 

Dave Bittner: They have it. So yeah, just be on the lookout. 

Joe Carrigan: And they have other ways of verifying your identity as well. 

Dave Bittner: Sure. Sure. All right. Interesting. Good stuff. Good stuff. 

Dave Bittner: All right. Well, my story this week - this comes from the folks over at Atlas VPN. And they did some research looking at U.S. military personnel and the degree to which military personnel had been falling victim to scams. And according to this research, they say that since 2017, U.S. military personnel lost over $822 million to scams. 

Joe Carrigan: Wow. 

Dave Bittner: And they put people into - military folks into various categories. The first category is reservists and military personnel families. And they had the lion's share of the losses - $484 million, which is 59% of the military monetary damages. They had veterans and military retirees, who had 35% of the damages. That was $290 million. And then finally, $47 million from active duty service members. 

Joe Carrigan: Really small amount from active duty. 

Dave Bittner: Which is kind of interesting - right? - that most of the people targeted were either the family members of service members or the retired... 

Joe Carrigan: Right. 

Dave Bittner: ...Or veterans, those kind of folks. And then interestingly, they go through the types of scams that are targeting folks in the military. What do you think was top of the list, Joe? 

Joe Carrigan: Veterans benefits. 

Dave Bittner: Good guess. 

Joe Carrigan: OK. 

Dave Bittner: Not right. 

Joe Carrigan: Ah, dang. 

Dave Bittner: (Laughter) Romance scams. 

Joe Carrigan: Romance scams. 

Dave Bittner: Yeah. 

Joe Carrigan: That would be a good guess. 

Dave Bittner: Top of the list. This report says heartless criminals lured as much as $92 million from U.S. military members. The second-most damaging internet crime for military members was miscellaneous investments - so investment scams. 

Joe Carrigan: Investment scams. Yeah. 

Dave Bittner: Yeah. Third on the list was business imposters, and that's where they pretend to be someone from a well-known business brand, and they'll call, and they'll offer some kind of a, you know, extra special deal. You know, all you need to do is pay this, and you'll get a special deal that no one else can get. 

Joe Carrigan: Right. 

Dave Bittner: And then last on the - second to last on the list was government imposters - so people pretending to be, sort of like what you were talking about, folks from the IRS, other government organizations. I suspect if you're in the military and they know that, they'll pretend to be military-specific organizations... 

Joe Carrigan: Yeah. 

Dave Bittner: ...Veterans organizations, things like that. 

Joe Carrigan: Now, if I were a scammer and I was unethical enough to go after a military person, that is exactly the arc I'd take... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Is I'd go after them because they're steeped in that culture. They're steeped in the government culture. 

Dave Bittner: Right. Right. And, you know, I don't have a sense - because I have never been in the military. My father was - served in the Navy for many years, but not really, I don't know, an active part of my life. So I don't really have a good sense for the degree to which active duty military folks are trusting in the institutions that they interact with day-to-day. In other words, are they - is there a high amount of trust, or is there an amount of cynicism? I don't know the answer to that. 

Joe Carrigan: I don't know. I know someone I can ask. But... 

Dave Bittner: Yeah. I do, too. 

(LAUGHTER) 

Dave Bittner: I have just a couple coworkers here who are former Army guys. I should ask them, see what they say. I suspect it's probably a mix. And like most of these things, I bet it depends on the quality of interactions that they've had with folks. You know, I know, for example, my father has had excellent interactions with the VA, you know? And lots of people haven't. 

Joe Carrigan: Right. 

Dave Bittner: But my father's been lucky. So anyway, this is an interesting report. Lots of statistics here. And I think the main thing is that if you or one of your loved ones are somehow connected to the military, this is a good report to have them look through just so these things can be on their radar, we can heighten their awareness of these things. And hopefully if someone tries to come at them, they'll know what to do, or at least it'll ring a bell that they can think twice before being scammed. 

Dave Bittner: All right. Well, those are our stories this week. It is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from Sawyer Dickey on Reddit. We've had him on here before, some of his scambaiting that's hilarious. Somebody sent him an email that was a prize email. And he decides he's going to just insist that he is not the winner. 

Dave Bittner: OK (laughter). 

Joe Carrigan: So the person that sent him the email is somebody calling themselves Agent Franklin. 

Dave Bittner: OK. 

Joe Carrigan: And Sawyer will - I'll play the part of Sawyer. 

Dave Bittner: OK. 

Joe Carrigan: And you play the part of Agent Franklin. 

Dave Bittner: All right. 

Joe Carrigan: And I will say immediately, (Reading) Dear Mrs. Franklin, I am not the winner. 

Dave Bittner: (Reading) Why? 

Joe Carrigan: (Reading) Dear Mrs. Oscar, because I did not enter a drawing, I cannot be the winner. 

Dave Bittner: (Reading) What do you mean? 

Joe Carrigan: (Reading) Dear Mrs. Oscar, because I did not enter the drawing, I cannot be the winner. 

Dave Bittner: (Reading) Why? So give me your WhatsApp number. Let's talk on WhatsApp, OK? 

Joe Carrigan: (Reading) Dear Mrs. Edo, there's no reason to talk on WhatsApp. You have nothing to send or deliver. 

Dave Bittner: (Reading) Let's talk on WhatsApp because I need you to believe, OK? Just give your WhatsApp number - OK? - because your winning funds is ready to proceed immediately, OK? 

Joe Carrigan: (Reading) It's not my winning fund. There is no need to talk on WhatsApp. You have nothing to send or deliver. 

Dave Bittner: (Reading) If I do not have your delivery, how can I contact you? 

Joe Carrigan: (Reading) But you have nothing to deliver. 

Dave Bittner: (Reading) The only thing holding me now is to confirm the right person that I'm going to deliver, OK? Because your car is ready to proceed immediately, OK? 

Joe Carrigan: (Reading) OK. But you have nothing to deliver. 

Dave Bittner: (Reading) So I'm waiting for you to confirm your information, OK? 

Joe Carrigan: (Reading) OK. 

Dave Bittner: (Reading) What is holding you to send your address? 

Joe Carrigan: (Reading) The fact that you have nothing to deliver and really do not need my address. 

Dave Bittner: (Reading) I don't understand you. 

Joe Carrigan: (Reading) Why not? 

Dave Bittner: (Reading) What you talking about? 

Joe Carrigan: (Reading) What do you mean? 

Dave Bittner: (Reading) I mean that I need to confirm your full information, OK? 

Joe Carrigan: (Reading) Why do you need to confirm my information if you have nothing to deliver? 

Dave Bittner: (Reading) Because I need to confirm the right person that I'm going to deliver, OK? 

Joe Carrigan: (Reading) I am not the winner, so I'm not the right person. 

Dave Bittner: (Reading) Why are you sounding like this? Just let me confirm your full information, OK? What is going to tell you you are talking like this, OK? 

Joe Carrigan: (Reading) I am talking like this because you refuse to understand that I am not the winner of the fund. 

Dave Bittner: (Reading) It's your funds, OK? Just only thinking holding your is to submit your full information, OK? That is the only thing holding your package, OK? Just believe me, OK? 

Joe Carrigan: (Reading) But you have nothing to deliver. It's not OK. You have no package to deliver. 

Dave Bittner: (Reading) Why? Hello? 

Joe Carrigan: (Reading) I am not the winner. I am not the winner. I did not enter a drawing. 

Dave Bittner: (Reading) Why are you saying that? Just to read my message very well so you can get back to me and confirm your full details immediately, OK? These your funds, OK? The only thing you can do is reconfirm your full information and get back to me so I can proceed your funds to your home address without any wrong delivery, OK? 

Joe Carrigan: (Reading) Why do you need my details if you have nothing to deliver? It is not my winning fund. 

Dave Bittner: (Reading) So that is the only thing that's holding me, and your funds just got back to me. And text me, and bring your full details, OK? I told you that is your winning funds, OK? Just get back to me and bring your full details that I will submit to our office. OK. What's immediately, you'll get your full details. Everything will proceed to your home address without anything wrong delivery. 

Joe Carrigan: (Reading) But you have no winning fund to deliver. 

Dave Bittner: (Reading) This is your phone, OK? Just pay attention to me. And get back to what I told you to do because I'm here for your help. I'm here to deliver your package, OK? The only thing I need is to believe me and focus what I told you, OK? 

Joe Carrigan: (Reading) This is not a phone. It is not my winning fund. 

Dave Bittner: (Reading) Your fund's with me here. The only thing you will do is to bring your details so that our manager will confirm everything. I will start to be on my way to deliver your funds. OK? 

Joe Carrigan: (Reading) But you have no funds to deliver. 

Dave Bittner: (Reading) So are you understand what I'm saying? Just bring it. I need to bring it. I will confirm your funds. I will get back to you and stop by on my way, OK? Just do what I told you. I'm - believe me. 

Joe Carrigan: (Reading) How are you going to stop by when you're all the way over in West Africa? 

Dave Bittner: (Reading) Why are you saying that is not your winning funds? Tell me the reason why you are saying that. Because you do have to do what I told you to believe me, but I'm telling you because I'm not here for anything. I'm here for you to help. The only thing I need is to reconfirm your full information. I will start to be on my way, OK? Just believe me and stop saying that is not your funds, OK? 

Joe Carrigan: (Reading) It is not my winning fund because you have no winning fund to send. 

Dave Bittner: (Reading) Listen to me. Stop saying that, OK? I'm not from West Africa, OK? 

Joe Carrigan: (Reading) Then why is your email coming from West Africa? 

Dave Bittner: (Reading) OK, listen to me. If I don't have your funds, how can I contact you, and how can I wasting your time? Tell me. 

Joe Carrigan: (Reading) Because you have nothing better to do with your time. 

Dave Bittner: (Reading) You have to believe me. And stop insulting me because I'm here for your help. I'm not here for scanning or doing anything bad, OK? Just believe me and get what I told you, OK? I'm not here for cheating you. I'm here for your help, OK? So just believe me what I told you. You will have testimony for this, OK? I'm not here for hurt or do anything bad for you. I'm here for all your own good. 

Joe Carrigan: (Reading) I do not know you will do me good when you have no fund to send. 

Joe Carrigan: And that's the end of it, Dave. 

Dave Bittner: OK. 

(LAUGHTER) 

Joe Carrigan: At recording time, this has been going on for four days. 

Dave Bittner: (Laughter). 

Joe Carrigan: And, I mean, this is beautiful... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Sawyer. I got to send him a thanks 'cause he said any time I see something, I can use this. But this is absolutely amazing because, I mean, first of all, all he does in this case is just insist that he's not the right guy, and this scammer will not let it go. 

Dave Bittner: Yeah. 

Joe Carrigan: It's great. 

Dave Bittner: Yeah. I mean, he could practically set up an automated chatbot that just says, it's not me, it's not me, it's not me and just waste this person's - of course, I could imagine you end up with dueling automated chatbots, but... 

Joe Carrigan: (Laughter). 

Dave Bittner: Could cause a rift in the space-time continuum, but that's all right. 

Joe Carrigan: Is it, though? 

Dave Bittner: Oh, maybe... 

Joe Carrigan: I like to avoid rifts in the space-time continuum. 

Dave Bittner: Maybe it's already happened. It would explain a lot. 

Joe Carrigan: Yes, it would. 

Dave Bittner: Yeah. All right, well, our thanks to Sawyer Dickey from Reddit for sending that in and posting that on Reddit. We appreciate it. That's... 

Joe Carrigan: It's great stuff. 

Dave Bittner: ...Good stuff - yeah, yeah. 

Dave Bittner: And, of course, we would like to hear from you. If you have something you'd like us to consider for our Catch of the Day, you can send it to us at hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe, I recently had the pleasure of speaking with Jann Yogman. He is a senior director of product management at Mimecast. And our discussion focused on this ongoing problem of ransomware, of course, but also his views on the continuing issues with getting everybody up to speed when it comes to security awareness training. Here's my conversation with Jann Yogman. 

Jann Yogman: I think the challenge for a long time has been having the end user, having the employee realize the role that they play in their company's security, and it seemed like security was something that happened over there, it didn't apply to me, and I would just kind of hope for the best. But we know that that's not true, that so many of the breaches that we're seeing now can track back to a simple security mistake - a weak password, somebody clicking on a link that they, you know, that they shouldn't have. 

Jann Yogman: And so the approach started about five years ago with the startup version of what we're doing now, where we said, you know, just because we're talking about maybe boring but important stuff doesn't mean that the way we talk about it has to be boring. And so we made a real effort to engage the employee, to show them why all security matters and to ultimately get them to a point they could have a lot of fun along the way. 

Dave Bittner: Well, describe to us how you're coming at this. How is what you all are doing different than some of the other types of things you've seen out there? 

Jann Yogman: So it is a - you know, my background is a comedy writer. I worked in television for a long time, so I'm taking everything that I know from the TV world, from the way we write our awareness training to the way we film it, the way we cast it, the way we edit it, sound design, music, all of it. So our intention is to create a very viewable experience where we are layering in the key takeaway or the message within a module that is meant to be entertaining, meant to get your attention, meant - made to get your focus and leave you, you know, thinking about security maybe just a little bit more than you were before. 

Dave Bittner: You know, I think a lot of us think about our security awareness training or, indeed, you know, many of the types of trainings that we all have to go through, that we get that email from HR or from the security folks. And we kind of let out a sigh and think, it's that time of year again. But it doesn't have to be that way. I mean, you can produce this sort of stuff, and it can be engaging and actually, dare I say, entertaining. 

Jann Yogman: Yeah. And I think the other key difference is a lot of places - and whatever the type of training is, it often tracks back to that annual it's time to get this done again and check the box. What we do is monthly, and so our customers and users every month get one video that's less than three minutes long. They watch it. They answer a question. They find out why they got it right or wrong, and they're done. And so this steady drip of information where you are thinking about these things more often than just once a year and hoping that you pass the test, so you don't have to think about it for another year - we're trying to keep security top of mind. We're trying to keep it really, really bite-size, manageable, easy to swallow. In fact, that's a metaphor that I use quite a bit, that if you've ever had a dog that you've needed to give medicine to, you can't just shove the pill in the dog's mouth. But if you put it in peanut butter or meat or whatever it is, the dog thinks it's getting a treat when it's actually getting something that's pretty good for it. So that is a little bit of the way we approach this - not to make light at all of the message, but just make sure that message is wrapped up in the right peanut butter. 

Dave Bittner: How do you strike that balance? I mean, I've - certainly, in my experience, I've spoken with some managers who, you know, consider something like humor to be potentially dangerous. You know, how do you walk that tightrope? 

Jann Yogman: Well, it's really interesting. I say that at the end of the day and at the other end of that experience, whether - whatever the corporate culture is at a company, people are human beings, that no matter how serious their job may be, how much pressure they're under, how much stress they are under, at the end of the day, they're regular people who like to just relax and laugh the way anybody else does. And I think there's this tendency that if something is important or if you want to sound intelligent, that you've got to use big words and make it so only top-level people can understand it. And I think if you - you know, it's a little cliche to meet people where they are. But because I came into this with no cybersecurity education experience whatsoever, I'm an outsider. This isn't about thinking outside the box. This was me not even knowing the box was there. So I think it's important to let security professionals know that in order to be effective, we need to find the most advantageous way to impact, to reach, to make a difference for the employee. We're not going to be right for everybody. That's simply the case, but I think in most cases, you know, our humor is not meant to be, you know, juvenile or elementary. We're trying to be as smart as we can about it - without making the subject matter light but, again, you know, making the way we talk about it and the examples that we do - making it relatable, you know, being able to look at our characters and say, yeah, I know that guy, or, there's a woman in our office who's like that - just relatable the same way that, you know, you want to tune into a sitcom, you know, next week to find out, you know, what these people did. 

Dave Bittner: Yeah. It also strikes me that in a way, you know, when we're talking about things like social engineering, that's kind of what you're using here in a positive way because through laughter, that puts our guard down. And it opens us up to learning and to accepting things. It sort of breaks down some of those emotional and mental walls that we all kind of build up throughout the day. 

Jann Yogman: Yeah. I think that's right. And, you know, one of the reasons why I'm convinced we're going about this the right way - and we've seen it all over the world, really, where, you know, I've had the opportunity to travel with Human Error, our main character, and to see what the reaction is to, you know, people in their cubicles when they actually meet the star of our - you know, our videos. They're paying attention. They tell us that they ask when the next training is coming. So think about that for a second. You've got people in their offices or, more recently, in their home offices actually wanting more training because they just enjoy the experience. And that is - that's half the battle. You could have the most informational presentation, but if everybody's sitting in your audience half asleep, you're not getting anywhere. 

Dave Bittner: Yeah. No, I think it's a really interesting insight but also a fascinating sort of competitive advantage. You know, if you can make something that people are looking forward to, you know, that next episode - boy, what a difference. 

Jann Yogman: Yeah. I mean, it really is that there is this following, you know, of our characters. And, you know, it's funny because I'll start to write - you know, I'll call it an episode for - you know, but for educational purposes, it's a module. And I'll be a page and a half into my script, and I'll realize, oh, I haven't said anything about security yet. And then I can peel back. But I never start these thinking coming out of the gate swinging where, this is what we're teaching you today. It's - here are these people in their office situation in a restaurant at home. And all of a sudden, they get caught up in a security decision and likely make a security mistake. And then we see the fallout of what could happen. It's also meant not to scare people. I think if we show situations where somebody maybe dodges a bullet - they make the mistake. Or there are consequences, but we realize it could have been a lot worse. We don't have to approach this as, you know, putting the fear of everything in these people but, like, letting them extrapolate. All right, if this could happen, well, imagine if that had gotten out to a larger audience or, you know, whatever that might be. 

Dave Bittner: How do you all measure success? I mean, how do you get feedback to know that the stuff you're putting out there is really having an impact? 

Jann Yogman: So I think it comes from two places. One, again, is the employees who are watching the training, asking for more training and answering survey questions that we give them periodically throughout the year that says, are you thinking about this stuff differently? Are you making decisions differently at work and at home, you know, based on the training? So they tell us that it is having an impact. On the other side of it, it's the security professionals, the CISOs who are the ones - the decision makers who decide to use our training and tell us that the impact that it's having, the - it may prove itself in results in a phishing test. How - you know, how many people are - how many fewer people are clicking now than they were? You know, what kind of fires is that CISO putting out on a regular basis? And is that workforce joining the fight? So we're hearing it from - you know, from both sides. And I don't have the statistics in front of me, but there are some impressive ones that do say with Mimecast awareness training, you know, the likeliness of clicking on a bad link are - is significantly less. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: A lot of good stuff in this interview, Dave. 

Dave Bittner: Yeah. 

Joe Carrigan: First off, security is everyone's job. And that's how Jann starts off the interview. People think security is something that happens or is done somewhere else. But I've said this before on this show, and I say it frequently - that if I was ever put in charge of security awareness or just security in general at some company, the first thing I'd do is I'd have an all-hands meeting and tell everybody they're on my team. They're part of my security team. And that's very important. It is part of everybody's job description. 

Dave Bittner: Yeah. 

Joe Carrigan: The material can be boring. I understand that. I mean, the listeners to this show hopefully don't think that we're boring. Hopefully, we make it entertaining. 

Dave Bittner: (Laughter). 

Joe Carrigan: And that's kind of what we try to do. And Jann's doing the same thing, right? But it's going to be much more successful at sticking if it isn't boring, if it's entertaining. 

Joe Carrigan: Right. 

Joe Carrigan: And the thing I think about is, are you familiar with "The Dice Man"? 

Dave Bittner: I am, actually. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. 

Joe Carrigan: In a past life, Dave, I had to work in a job where I had to have regular security briefings. 

Dave Bittner: OK. 

Joe Carrigan: And we had a various - various kinds of speakers. But there was always this one guy that stood out, the Dice Man. And when people heard that he was going to be giving the security briefing, they were more - they were actually excited to go see this presentation because he was - he had a routine, rehearsed practice routine that was entertaining and informative. And it was good. And that's what Mimecast is doing here. But they're doing it differently. They're doing it with a monthly over the internet kind of delivery. 

Dave Bittner: Right. Right. 

Joe Carrigan: And keeping it relatable is very, very important. And one of the things - I can't remember where I first saw the Human Error character. It may have been in a commercial or something. But when I saw that, I said, that's a great idea. And I went out onto YouTube. There are a couple of videos out there. I have a link here. Can we put it in the show notes? I guess. 

Dave Bittner: Yeah. 

Joe Carrigan: ...Of one of Mimecast's videos. It's great. It's very well-done. And the character is well played. And there are - there were a couple of - for me at least, there were a couple of laugh-out-loud moments... 

Dave Bittner: Right. 

Joe Carrigan: ...In the presentation. It's a five-minute video that tells you a lot of operational security and security awareness information that's conveyed in a memorable format. 

Dave Bittner: Yeah, I think - the way I think about it - and I can't remember if I mentioned this in our interview - but it's sort of the spoonful of sugar that makes the medicine go down, right? 

Joe Carrigan: Right. 

Dave Bittner: You're learning something, and you're not even realizing it because you're being so well-entertained. 

Joe Carrigan: Yep. 

Dave Bittner: And to me, that's the most effective way to - if you can bring people - if you leave them wanting more, you can't ask for more than that when it comes to training, right? 

Joe Carrigan: Yeah. What's amazing to me in this interview is Jann talks about how people are actually asking when the next video is coming out. That - if you have customers asking that, you've hit a home run. 

Dave Bittner: Yeah, yeah. All right. Well, our thanks to Jann Yogman for joining us. We do appreciate him taking the time. 

Dave Bittner: That is our show. We want to thank all of you for listening. And, of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.