Hacking Humans 9.2.21
Ep 163 | 9.2.21

Don't blindly test your colleagues.

Transcript

Javvad Malik: Build trust with your colleagues. Don't blindly go out and test them or give them a list of don'ts. Build a relationship with them.

Dave Bittner: Hello, everyone, and welcome to the CyberWire's "Hacking Humans" podcast, where each week we look behind the social engineering scams, the phishing schemes and criminal exploits that are making headlines and taking a heavy toll on organizations around the world. I'm Dave Bittner from the CyberWire, and joining me is Joe Carrigan from the Johns Hopkins University Information Security Institute. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: We've got some good stories to share this week. And later in the show, Carole Theriault returns. She's got a conversation with Javvad Malik from KnowBe4. They're going to be talking about bad security training. 

Dave Bittner: All right, Joe. Let's go ahead and jump right into our stories this week. I'll kick things off for us. I have a story from WIRED, and it's titled "Deepfakes Are Now Making Business Pitches." 

Joe Carrigan: What? (Laughter). 

Dave Bittner: Yeah. Yeah - so an article by Tom Simonite. So we're familiar with deepfakes, been out for a couple - I don't know - a couple years now, I suppose... 

Joe Carrigan: Yes. 

Dave Bittner: ...Where folks can take existing footage of someone, and they can manipulate that footage to make it appear as though that person is saying something different than what they had originally said. 

Joe Carrigan: Some of these can even generate new content. 

Dave Bittner: Right, right. And that's what we're getting at here. Of course, started out, as many of these things in technology do, where people were applying it to pornography, you know, applying celebrity faces to pornographic scenes and so on and so forth. 

Joe Carrigan: Right. 

Dave Bittner: Well, in this case, there is a company, which is named Synthesia, and they are offering a product of taking deepfake technology and using it for business cases. So, for example, I could send out a custom email to everyone on my potential customer list. And in that email, there is a video of me saying - let's say I was sending it to you. And I would say, hello, Joe. I'm really happy to send you this email. I think this is a great product that you and your friends at Johns Hopkins could really benefit from. Right? 

Joe Carrigan: Right. 

Dave Bittner: So what this... 

Joe Carrigan: But the video - in the video, you don't make a personalized video for everybody. 

Dave Bittner: Exactly. 

Joe Carrigan: Right. 

Dave Bittner: Right, right. So the idea is I record one video of myself, and then this system uses the deepfake to custom generate the fake video for everyone. And I suppose fake - I don't know - artificial, synthesized (laughter). 

Joe Carrigan: Synthetic - synthetic... 

Dave Bittner: Synthetic video. 

Joe Carrigan: ...Content is the buzzword. 

Dave Bittner: Right, right. And, you know, it - so I have a couple of thoughts on this. 

Joe Carrigan: OK. 

Dave Bittner: First of all, I'm reminded of that old episode of "The Simpsons" where the kids go off to Krusty Kamp. 

Joe Carrigan: Kamp Krusty, yes. 

Dave Bittner: Right (laughter). 

Joe Carrigan: (Singing) Hail to you, Kamp Krusty. 

Dave Bittner: Right. And it says... 

Joe Carrigan: I remember that episode well. 

Dave Bittner: And it says, (imitating character) hey, kids, I'd like to introduce your camp counselor - Mr. Black. 

(LAUGHTER) 

Dave Bittner: So that's kind of what's going on here - much more sophisticated than that. 

Joe Carrigan: Right (laughter). 

Dave Bittner: And they have some demos on their website, the Synthesia people. And my take is it's not quite there yet. It's... 

Joe Carrigan: No? 

Dave Bittner: Well, it's got that kind of... 

Joe Carrigan: Uncanny valley? 

Dave Bittner: There's - I feel as though we're most of the way across the uncanny valley in terms of it making me uncomfortable the way the person in the video looks. 

Joe Carrigan: Right. 

Dave Bittner: It's more the cadence of the way they're talking. 

Joe Carrigan: Mm hmm. 

Dave Bittner: It's more - hello, Joe. How are you today? I'm so glad to see you. Here's something that I think you will find very beneficial. 

Joe Carrigan: Right. They need to set the diction setting a little lower on that one (laughter). 

Dave Bittner: Yeah, there's just something a little bit off by it. 

Joe Carrigan: Yeah. 

Dave Bittner: Now, I'll say - I mean, I think this technology is very interesting. We actually have access to it at the CyberWire. We use a tool that we use for editing audio clips, and it does automatic transcription. And it has a function where I can go in and read a script, a predetermined script. And based on that script, the system analyzes my voice and then can synthesize my voice with a high degree of accuracy. 

Joe Carrigan: Right. 

Dave Bittner: And what's useful for that is let's say I'm reading a daily news report for the CyberWire. And if I misspeak - if I say the wrong word, it means my editors don't have to come back to me and say, hey, Dave, you knucklehead, you said this word wrong. 

Joe Carrigan: Right. 

Dave Bittner: They could put the correct word in... 

Joe Carrigan: Using AI. 

Dave Bittner: ...Using AI. It'll substitute that word in my own voice. Chances are, you know, a single word, a word or two, it's good enough smoke and mirrors, no one will ever notice. 

Joe Carrigan: Right. 

Dave Bittner: It starts to break down if you try to do complete sentences... 

Joe Carrigan: Yes. 

Dave Bittner: ...Because it doesn't have that special something, that secret sauce that is all of our personalities that we apply to our speaking. 

Joe Carrigan: Just not Dave. 

Dave Bittner: It's just not, Dave. No, no - for better or for worse. And similarly, these folks, it's the same sort of process. You sit down for about 40 minutes reading a special script, and then their algorithms analyze everything that you say, and then you can basically have it say anything you want it to. So I don't - I'm - I know - I think this is interesting from a technology point of view. I think it's interesting that people are trying to make business cases for this. 

Joe Carrigan: Yeah. 

Dave Bittner: And I think they have made a business case for this. I don't know that it's something I would sign up for because my take is it's not quite there yet. 

Joe Carrigan: Right. 

Dave Bittner: I think at this point, it's something where you could get attention. You could get people to listen to your message just because it's a little bit different. 

Joe Carrigan: It's a novelty. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Exactly. It's a novelty. That's a - yeah. 

Joe Carrigan: I see this quickly becoming something that we are that - at least I'm irritated with. Oh, here's another deepfake that... 

Dave Bittner: Well, now, Joe, let's be fair. You have a low threshold for irritation. 

Joe Carrigan: Yes, I do. Agreed. 

(LAUGHTER) 

Joe Carrigan: Agreed. 

Dave Bittner: Yeah. Yeah, I think you're right. I think you're right. Why would this irritate you specifically? 

Joe Carrigan: Mainly because just marketing irritates me to begin with. 

Dave Bittner: Yeah. 

Joe Carrigan: You know, I get tons of marketing emails every day. 

Dave Bittner: Right. 

Joe Carrigan: And to the person who put me on the PR Newswire mailing list, thank you very much. 

Dave Bittner: (Laughter). 

Joe Carrigan: I don't know who did that, but I can't stand it. I get, like, eight of those every single day. And for some reason, I have a disdain for it. And there are people I know, people whose names I see repeatedly in my inbox that I have resolved to never do business with because of the number of emails they send me. It just bugs me. I know that sounds petty and maybe a little grumpy old man about things, but it just - I don't know. And this - I can see this doing the same thing. Hello, Joe. I would like to talk to you about my product and, you know, it - mm. 

Dave Bittner: Yeah. Well, I think that's part of the equation here, too. 

Joe Carrigan: Yeah, yeah. 

Dave Bittner: As a marketer, that's a line you have to balance. 

Joe Carrigan: Right. 

Dave Bittner: You have to walk that line between reaching out to people frequently and effectively, but annoying them... 

Joe Carrigan: Right. 

Dave Bittner: ...On the other side of that. 

Joe Carrigan: Yeah. I'm all about advertising. I'm not anti-advertising, but I think I am anti-marketing. 

Dave Bittner: (Laughter). 

Joe Carrigan: Maybe - you know, there's a difference, right? 

Dave Bittner: Yeah. 

Joe Carrigan: Like, sending me unsolicited emails bothers me. Of course - I've said this before - email's terrible. Anybody can send you anything. 

Dave Bittner: Right. 

Joe Carrigan: And if you don't have security or protections in place, that includes malicious actors. If you go out and set up a mail server to receive mail, anybody can put something into it. And that's a holdover from the '60s - the 1960s. That's how old email is. Yeah. Is it the '60s, maybe the '70s. I don't know - a really long time ago... 

Dave Bittner: Right. 

Joe Carrigan: ...In terms of the internet. But it - yeah. 

Dave Bittner: (Laughter). 

Joe Carrigan: I digress. I mean, this is interesting. I think this is a really, really cool use of the technology, and I don't doubt that this company will do well 'cause I think that - I think that other marketer - people who are in marketing are going to think this is cool, this is new, this is interesting. I can reach a large audience with personalized messaging. 

Dave Bittner: Yeah. 

Joe Carrigan: And maybe that has value. 

Dave Bittner: Yeah. I think it's also interesting that - how readily this is available now. 

Joe Carrigan: Yeah. 

Dave Bittner: It's not exotic. You know... 

Joe Carrigan: No. 

Dave Bittner: ...You can go out and buy it, and it's affordable, and there are many applications for it. And I think as it continues to develop - and if these - you know, I could see this becoming something that can be done in real time. So your website chatbot customer service rep isn't just going to be a text robot. It could be a face (laughter) staring back at you. 

Joe Carrigan: That would be a good use of this, though. That I would not object to. 

Dave Bittner: Really? 

Joe Carrigan: Yeah. If you could do AI tech support like this, at least Tier 1 tech support - right? - I don't know that I'd object to that as much. You know, like if I could get - if somebody - a lot of these computers have webcams now, right? Or they're built in. My computer at home, I actually have to plug a webcam into it... 

Dave Bittner: Yeah. 

Joe Carrigan: ...'Cause it's one I built and deliberately omitted a webcam. But again, I digress. But yeah, if you're on a tech support issue - like, let's say you're having problems with your internet service provider and instead of getting the annoying chatbot that walks you through things, you get a face of somebody who has licensed their image and their voice, and this image and voice walks you through Tier 1 tech support. And it says, OK, I can't solve your problem, or maybe it does solve your problem. But I can't solve it. Let's pass you on to Tier 2, which is an actual person. That would be a great use for this technology. 

Dave Bittner: Yeah, yeah. It's interesting - certainly more to come. But I think, also, just we need to be mindful of it, that - more to come, right? 

Joe Carrigan: Right. Yeah. 

Dave Bittner: For better or for worse. All right. We'll have a link to that in the show notes. Again, it's from the folks over at WIRED. And the article is titled "Deepfakes Are Now Making Business Pitches." That's my story this week. Joe, what do you have for us? 

Joe Carrigan: Dave, last month - actually two months ago, as this podcast drops, in July, Proofpoint released their "State of the Phish Report." And we haven't talked about it on this show yet. We've been a little remiss. 

Dave Bittner: (Laughter). 

Joe Carrigan: This is a good report. They do this annually. 

Dave Bittner: Yep. 

Joe Carrigan: This year, the data comes from two surveys, one which was a survey of 3,500 working adults in seven countries, another survey that was 600 IT professionals in the same seven countries. They also use their own data from 60 million simulated phishing attacks and 15 million emails that were reported via their platform. So they have a lot of data to go through in this... 

Dave Bittner: Right. 

Joe Carrigan: ...And to draw from, including those two surveys, which they go out and they gather the information themselves. They actually contracted with a third party. Across the seven countries, 57% of organizations experienced a successful phishing attack. So that means that a phishing attack came in, and somebody took action on that phishing attack that they shouldn't have taken. 

Dave Bittner: Right. 

Joe Carrigan: And of those who suffered the successful phishing attack, 60% of them lost data. 

Dave Bittner: Wow. 

Joe Carrigan: Fifty-two percent of them had accounts compromised. Forty-seven percent had a ransomware infection... 

Dave Bittner: Yikes. 

Joe Carrigan: ...Of some kind. Twenty-nine percent had a malware infection, some other malware that wasn't ransomware. 

Dave Bittner: Yeah. 

Joe Carrigan: And 18% had experienced direct financial loss, like through wire transfer fraud or something like that. Now, there's a lot of overlap in that number - right? - those numbers. So some of these companies experienced multiple types of these events. 

Dave Bittner: Right. 

Joe Carrigan: All right? So it's even possible that one of these companies experience all of these things... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...Which would be a bad day at that company. 

Dave Bittner: (Laughter) Yeah, yeah. 

Joe Carrigan: A bad day at any company. 

Dave Bittner: Right. 

Joe Carrigan: Right? So I feel for these guys. There are also significant regional differences in this data as well. For example, 69% of Spanish participants - from - people from Spain - reported experiencing data loss versus only 47% of Australian respondents. I thought that was interesting. 

Dave Bittner: Yeah. 

Joe Carrigan: Spear phishing and whaling attacks versus business email compromise attacks - spear phishing and whaling they have in one category, and then business email compromise they have another category - they're about the same at 66% and 65%. 

Dave Bittner: OK. 

Joe Carrigan: I think these numbers are low. Because what they're asking is they're saying some - these - in the survey, they asked people, and this was their response. Sixty-five percent said, oh, yes, we have been hit by a business email compromise attempt or a spear phishing or whaling attack. I think that there are companies out there that don't know they're being targeted by these. I think that a significant portion of that 35% is actually attacked. 

Dave Bittner: Well, I also think that they're unwilling to admit that they've been attacked. 

Joe Carrigan: It could be that they're unwilling to admit it. It could be that they don't know that it happened. Or it could be that they were actually attacked, but they were protected by their technology. 

Dave Bittner: Yeah. Yup. 

Joe Carrigan: So there's a number of possibilities, but I think that number is low. I don't think anybody should take solace in the fact that, oh - see? - only two-thirds of companies are targeted by this. I think... 

Dave Bittner: (Laughter). 

Joe Carrigan: I think 100% of companies are targeted. 

Dave Bittner: That's cold comfort, yeah. 

Joe Carrigan: Right, it is (laughter). 

Dave Bittner: Geez. (Laughter) Only two-thirds of the homes on my block have been broken into. 

Joe Carrigan: Right (laughter). 

Dave Bittner: That's great. 

Joe Carrigan: Hey, I... 

Dave Bittner: (Laughter). 

Joe Carrigan: There's a one-third chance that won't happen to me. 

Dave Bittner: Yeah. 

Joe Carrigan: Here's something interesting - attacks over social media. Sixty-one percent of the companies reported experiencing attacks over social media. 

Dave Bittner: What does that mean? What's an attack over social media? 

Joe Carrigan: That just means the vector of attack is - happens via social media. 

Dave Bittner: OK. 

Joe Carrigan: So it could be over Facebook. It could be over LinkedIn... 

Dave Bittner: Gotcha. 

Joe Carrigan: ...Or Twitter. Somebody could click on a link that's malicious or be sent an attachment that's not bona fide. 

Dave Bittner: I see. 

Joe Carrigan: The same with smishing. I hate that term, by the way - smishing. 

Dave Bittner: (Laughter). 

Joe Carrigan: That's just sending people text messages. 

Dave Bittner: Right. 

Joe Carrigan: Sixty-one percent were targeted by that. Phone scams and vishing - another term I hate. 

Dave Bittner: (Laughter). 

Joe Carrigan: But 54% of these companies reported being targeted by phone scams. 

Dave Bittner: OK. 

Joe Carrigan: People calling in trying to get information or trying to get people to do things. This is interesting, Dave - malicious USB drops. Take a guess at what was reported as people - what percentage of businesses reported being attacked by a malicious USB drop. 

Dave Bittner: Oh, my goodness. I mean, that seems so old-school to me - like, obvious. 

Joe Carrigan: Right? 

Dave Bittner: I'm going to say 10%. 

Joe Carrigan: Fifty-four percent. 

Dave Bittner: (Laughter) Holy smokes. 

Joe Carrigan: That... 

Dave Bittner: Really? 

Joe Carrigan: Yeah, that surprised me. 

Dave Bittner: Fifty-four percent? 

Joe Carrigan: That surprised me for a couple of reasons. One, it is an old-school attack... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Like you say. But that means somebody had to go to these organizations and drop USB - this is an expensive attack speaking... 

Dave Bittner: Right. 

Joe Carrigan: ...Relative to a phishing attack. 

Dave Bittner: Right. 

Joe Carrigan: A phishing attack is almost free. This requires time and money... 

Dave Bittner: (Laughter). 

Joe Carrigan: ...To go and do. 

Dave Bittner: I'm imagining - you know how when they go - or, like, around, you know, where you and I live in the wintertime, we get snow sometimes. And they have those trucks that go around spreading salt. 

Joe Carrigan: Yes. 

Dave Bittner: And they have, like, a motorized spreader on the back that just... 

Joe Carrigan: (Laughter). 

Dave Bittner: ...Sprays salt all over the road and... 

Joe Carrigan: You're just... 

Dave Bittner: ...The parking lot. 

Joe Carrigan: ...Envisioning that with USB sticks? 

Dave Bittner: Yeah, exactly. Somebody just cruising around parking lots spraying USBs... 

Joe Carrigan: Right. 

Dave Bittner: ...(Laughter) All over the place. 

Joe Carrigan: Let's get back to the phishing and to the simulated attack data that comes from Proofpoint's products. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? This is Proofpoint's own data. They get the overall failure rate. When they're talking about failure rate, this is actually - you can think of it as, like, the phishing success rate. 

Dave Bittner: OK. 

Joe Carrigan: So it's the employees' failure rate. Guess the overall failure rate for phishing emails. 

Dave Bittner: Twenty percent. 

Joe Carrigan: Twenty percent, you say? 

Dave Bittner: I say 20%. And I'm just thinking of - because in our own organization, we use phishing simulations. And so when someone fesses up (laughter)... 

Joe Carrigan: Right. 

Dave Bittner: ...And says, oh, I fell for one - because, you know, they're effective. 

Joe Carrigan: It happens. 

Dave Bittner: Yeah, it happens, you know? And these are not dumb people. 

Joe Carrigan: Right. No, that's important to note. 

Dave Bittner: Yeah. So I'm just trying to sort of think about how often, you know, it happens. So I'm... 

Joe Carrigan: Well, I got... 

Dave Bittner: I'm going to say 20%. 

Joe Carrigan: I have good news, Dave. 

Dave Bittner: Yes. 

Joe Carrigan: It's 11%. 

Dave Bittner: OK. 

Joe Carrigan: And that is actually down from last year at 12%. 

Dave Bittner: OK. 

Joe Carrigan: So that's good news. 

Dave Bittner: Headed in the right direction. 

Joe Carrigan: Heading in the right direction here. 

Dave Bittner: OK, good. 

Joe Carrigan: We're making progress. You and I have been screaming into the void long enough people are starting to listen. 

Dave Bittner: (Laughter) Right. 

Joe Carrigan: They simulate phishing attacks with three different types of attacks. One is just a URL that you have to click. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? Another one is - has a URL, but actually asks you to enter information... 

Dave Bittner: OK. 

Joe Carrigan: ...Which - so it's a two-step process. And the third is a malicious attachment. Of those three, which do you think had the highest success rate? 

Dave Bittner: Boy, that's a good question. I could - 'cause I can see - I'm going to say the middle one, the log-in one, is the lowest... 

Joe Carrigan: Ah, you are correct. 

Dave Bittner: ...Because it's multiple steps. 

Joe Carrigan: That's right. 

Dave Bittner: But I'm a little torn between clicking a link because it's so easy to do - but a malicious attachment - if someone says, oh, here's a PDF, I could see people saying, oh, a PDF, that's benign. I'll just - what's this say? You know? So I don't know. I'm split between the two. Which one is it? 

Joe Carrigan: It's a malicious attachment, Dave. And there's your 20%. 

Dave Bittner: Oh. 

Joe Carrigan: Twenty percent of those are successful, right? 

Dave Bittner: Wow. 

Joe Carrigan: But in the data, only 9% of the phishing simulations are with a fake malicious attachment. 

Dave Bittner: OK. 

Joe Carrigan: So - but when they're sent, they're successful 20% of the time. Clicking on the link is 12%. And clicking on the link and adding information - you're 100% correct - because that's two steps, that's 4% - 4% of those are successful. 

Dave Bittner: OK. 

Joe Carrigan: There is a ton of information in this report, and because of time, we can't go into the whole thing. 

Dave Bittner: Yeah. 

Joe Carrigan: I may do another episode on this... 

Dave Bittner: OK. 

Joe Carrigan: ...Because there's a lot of stuff in here to talk about. This is a good report. We'll put a link in the show notes. They want some contact information to get it, but I think they're owed that for this report. It's a good report. 

Dave Bittner: All right, good. All right, well, as you say, we'll have a link to that in the show notes. It is time to move on to our Catch of the Day. 

(SOUNDBITE OF REELING IN FISHING LINE) 

Joe Carrigan: Dave, our Catch of the Day comes from a listener named Henning who writes, hello, I love your podcast. A friend of mine got a PGP-verified message on Discord with mountains of indisputable proof. And he sends screenshots. Dave, I think this is the first time we've had a Discord Catch of the Day. 

Dave Bittner: I think that's right. 

Joe Carrigan: Before we begin this, I want to say that - I should explain what a carder is because this is an email alleging to be - a message, not an email - but a Discord message allegedly from a carder. And in black markets, on the dark web or even on the open web, a carder is someone who deals in stolen credit card numbers. So they have either breached them themselves, or they've collected them from other people who breach them, and then they're out there brokering these deals. So, Dave, why don't you read to us this Discord message that this guy received? 

Dave Bittner: All right, it goes like this. 

Dave Bittner: (Reading) I'm a carder and reputable darknet vendor, very high rep on Empire and DNM, PGP verified. This is your only invitation to really research this offer. It'll change your life. Online carding is when you buy hacked or phished credit card details for $10 to $20 via autoshops, jstash, FE Shop, Yale Lodge, et cetera, and use it to place big orders on web stores like Amazon, Best Buy, et cetera. What I do is simple. I provide a mentorship where I will, one on one, walk you through making thousands per week via defrauding Amazon. This is 100% digital. What I'm about to show you will be heavily substantiated with mountains of indisputable proof. 

Joe Carrigan: (Laughter) 

Dave Bittner: (Reading) Legit. Over 1,600-plus positive rep on Empire. Omniscient. Teaching carding since 2017. Students follow guidelines when vouching that provide absolute proof that their success is real, current. All students make over $3,500 per week from this, some nearing $6,000. Safety. Any associated risk of being caught will be methodically eliminated through proper digital OPSEC procedures. These will be explained in detail, as many people hold a false narrative that anything online can or will be traced back to you. 

Joe Carrigan: Well, that's the end of the conversation. Then this guy goes on to post a bunch of links and videos to convince the person to click on some of them or maybe to join. 

Dave Bittner: (Laughter). 

Joe Carrigan: I don't know what the end game here is. Maybe the links are malicious. I certainly wouldn't click on any link that anybody sent me with this kind of thing in Discord. 

Dave Bittner: Right. 

Joe Carrigan: It could also be that this guy is just another scammer who's trying to get people to, you know, pay him for allegedly teaching them how to be a carder. 

Dave Bittner: Right. 

Joe Carrigan: When you're doing this kind of criminal activity, there is no way to totally eliminate the risk. You are taking a risk if you card. 

Dave Bittner: (Laughter) Right. This reminds me of, you know, those things you used to see in the back of magazines and comic books... 

Joe Carrigan: Right. 

Dave Bittner: ...That said, you know, send $29.95... 

Joe Carrigan: (Laughter) Right. 

Dave Bittner: ...For this plan on how to make money through mail order. 

(LAUGHTER) 

Joe Carrigan: Right. Put it on the back of a comic book that charges people $29.95 for... 

Dave Bittner: Right. Exactly. Yeah, yeah. 

Joe Carrigan: Works for me. 

Dave Bittner: This person, whoever they are, at the outset, just says we're crooks. We're defrauding Amazon. Join us. Profit. 

Joe Carrigan: Right. Yep. 

Dave Bittner: Wow (laughter). 

Joe Carrigan: So I thought this was a great one. Thank you for sending it to us, Henning. 

Dave Bittner: All right. Yes, thank you very much. That is our Catch of the Day. Of course, we would love to hear from you. If you have a Catch of the Day for us, you can send it to us at hackinghumans@thecyberwire.com. 

Dave Bittner: All right, Joe. It is always a pleasure when Carole Theriault joins us on our show. She always brings us interesting interviews with interesting people, and today is no exception. She recently spoke with Javvad Malik from KnowBe4. And they came at this from an interesting perspective. They're sharing thoughts on bad security training. Here's Carole Theriault. 

Carole Theriault: So we are here today with Javvad Malik. He is a security awareness advocate at KnowBe4. Javvad, thank you so much for coming on the show. 

Javvad Malik: Oh, you're welcome. Thank you for inviting me. 

Carole Theriault: Well, I'm so glad you're here because you know your cybersecurity onions, especially when it comes to training employees. So I thought you could help us understand how not to train people. So there have been a number of things in the press, haven't there, about bad training? 

Javvad Malik: Yes, there have. There have been some unfortunate incidents where people have sent out some training campaigns, and they've not been received very well at all. And it's had the opposite effect. It's actually enraged people. And they've come out with pitchforks against security teams. 

Javvad Malik: Just a few months ago, at a newspaper in the States, where during a very tough year of COVID, they decided it would be a good idea to phish the employees with a 10,000 bonus after having laid off several people as well. So it was probably not the best time to do it. Although in fairness, it's like - it's exactly what the bad guys would do. But I think when you catch people out without building a relationship with them, without letting them know that this is the kind of stuff we do, and it's just a ha-ha, got you or that you're - or if that's how you leave people feeling, then there's going to be a bit of resentment. 

Carole Theriault: Yeah. So you've got the IT people who are working internally who are mandated to lock down or educate employees in order to try and protect the environment. And I get that they are, you know, scrambling around, trying to find cool ways to do that. But at the same time, yeah, you don't want to be tricked, do you? If you don't know, and you get duped, it kind of sucks. 

Javvad Malik: Exactly. 

Carole Theriault: Yeah. 

Javvad Malik: You need to think about how people feel at the end of the training. If they feel like they've been tricked or duped or they're just made to feel stupid, then... 

Carole Theriault: (Laughter) They'll get a new job. 

Javvad Malik: They'll get a new job. I liken it to a bit like training in a gym, like sparring. Boxers will spar in a gym. 

Carole Theriault: Yeah. 

Javvad Malik: And they'll have really good camaraderie about it. But the same person, you punch him in a restaurant in the face, and their reaction will be very, very different. So create that safe environment where... 

Carole Theriault: (Laughter). 

Javvad Malik: ...They're accepting of that. 

Carole Theriault: OK. So maybe you can share with us - I don't know - three top things that you should never, ever do during a cybersecurity training because some people out there don't have the resources to go third party. And they're trying to do it on their own. And maybe we can provide them a bit of guidance on what to avoid. 

Javvad Malik: OK. So three top tips - and it's really difficult - distill it into three. But I'll try my best. 

Carole Theriault: You can go to four or five if you want. I don't mind (laughter). 

Javvad Malik: No, no. I'll stick to three. No. 1 most important thing is if you're the security team, build trust with your colleagues. Don't blindly go out and test them or give them a list of don'ts. Build a relationship with them. If their first interactions with you when they join the organization are negative or the only time they see or hear from you is when you tell them, no, don't go ahead with that or you've done something stupid, they're not going to react well to anything, no matter how well-intended it may be. 

Carole Theriault: Hey, good point. 

Javvad Malik: The second thing - and I'm happy to see it's reduced a bit over the years, but it still happens enough to bear mention - is don't name and shame people or make them feel like they've done something wrong if they make a mistake. We need to recognize that security isn't these people's day jobs. They don't do it day in, day out. They might get an email, and they might click on a link. They might tell someone their credentials over the phone. They might do a whole bunch of things. As security professionals, your job isn't there to berate them, to make them feel like they've done something wrong - but, you know, just work with them to - stuff happens. Help them get better. 

Carole Theriault: I remember this campaign. It was at a very big bank in the U.K. And so they did some phishing training. I don't remember exactly how they did it. But the next morning when employees came in, there were two colored balloons on everybody's desk. So whatever - let's say it was red or white. And then it turned out that an email came from IT saying everybody with a red balloon, you know, failed the phishing test. What do you think about that? 

Javvad Malik: That's horrible. You're just making people feel horrible. And, you know, why are you highlighting that? Why are you trying to make people feel less about themselves? Instead, have a leaderboard up there that shows - you know, maybe once a quarter, you send out an email saying, so-and-so, these people have spotted legit phishing or they've never failed a test. 

Javvad Malik: So you reward the positive. And that's something people can be proud of. So you're not explicitly calling out people and saying, oh, they all failed or they're no good or what have you. But then people are like, oh, you know, I feel good about that. This team treats me with respect. 

Javvad Malik: As a father of four, you know, you know that if you point out people, and you - to the kids, and you say that you're bad at this, you're useless at that, it destroys their self-esteem. And then, you know, they stop caring about trying to do the right thing 'cause they're like, well, whatever I do, it's not good enough for Dad anyway. 

Carole Theriault: Yeah. I'd listen to anyone who had four kids and was alive. And what about your third tip? 

Javvad Malik: My third tip is don't make it boring. There's a tendency for training material to bore people to tears. We get people into organizations. And when they join, it's normally, hey, meet all the departments. Here's security. And security takes them into a meeting room for 45 minutes and goes death by PowerPoint saying, you will not share your passwords, you will not let someone tailgate you - and you will - it's a whole list of don'ts. 

Carole Theriault: Yeah. 

Javvad Malik: It sounds really, really boring. And it doesn't - and people forget it the minute they leave. And then maybe they'll repeat it once a year. So don't bore them with that. Create content that is interesting, engaging and short and memorable. And then repeat that frequently throughout the year. 

Javvad Malik: So, you know, don't focus on trying to boil the ocean. Just pick one or two behaviors you think are the most risky for your organization. Work on those. Have it as a training module. Have it as a poster. Have it as something that appears on your screen saver or your mouse mat, whatever it might be. And just, like, make it short and fun and repeatable. And those messages will sink in. Think of it a bit like a marketing campaign as opposed to an education campaign. 

Carole Theriault: Brilliant advice - Javvad Malik, security awareness advocate, KnowBe4, thanks so much. 

Javvad Malik: Thanks. 

Dave Bittner: All right, Joe, what do you think? 

Joe Carrigan: Dave, I have a saying. 

Dave Bittner: (Laughter) Yes? 

Joe Carrigan: Anything that can be done can be done poorly, it's... 

Dave Bittner: Are you an object lesson in that? Or are you a - (laughter). 

Joe Carrigan: No. Well, I have object lessons from my career in that. 

Dave Bittner: Is this a story - a hard-learned part of your life? (Laughter). 

Joe Carrigan: Yeah. Yeah, yeah. I'll tell you, Dave, when I'm in a job interview and somebody says, tell me about a project that went terribly, terribly wrong... 

Dave Bittner: Yeah. 

Joe Carrigan: ...I have a story for that (laughter). 

Dave Bittner: OK. Right. How much time do we have? (Laughter). 

Joe Carrigan: No, it's - I can't tell that story now. Maybe some other time. But... 

Dave Bittner: I mean, in the interview, you say to the person, how much time do you have? 

Joe Carrigan: Right. How much time - OK, yes. 

Dave Bittner: Yes (laughter). 

Joe Carrigan: It's a very funny story. It's a great... 

Dave Bittner: All right. 

Joe Carrigan: It's awesome. Training with a phish about a bonus after laying people off is something that the bad guys would do. 

Dave Bittner: Yeah. 

Joe Carrigan: Javvad is 100% correct about that. But there are some things that we as good guys should just let bad guys do and not try to emulate it, right? 

Dave Bittner: Right. 

Joe Carrigan: I thought about this a lot. You know, there are all kinds of things that these guys do. There are things that we should not do. There are lines that we should not cross on the good-guy side of the house, right? 

Dave Bittner: Right, right (laughter). It's like burning somebody's house down to convince them that they should have had sprinklers. 

Joe Carrigan: Right. Exactly. You know, I was thinking about this, and it reminds me of an episode of "SpongeBob SquarePants." 

Dave Bittner: OK. 

Joe Carrigan: Which is one of the best cartoons ever. 

Dave Bittner: Yeah. 

Joe Carrigan: There's one where he becomes a hall monitor, and then he becomes really, overtly security conscious. And there's a scene where he's (laughter) - those people are inside their house, and they left their window open. So he jumps in as the open-window maniac to teach them a lesson, right? 

Dave Bittner: Right (laughter). 

Joe Carrigan: That's not effective. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: It doesn't help. 

Dave Bittner: Yeah (laughter). 

Joe Carrigan: You need to think about how people are going to feel when this is done. And this is why the title of Christopher Hadnagy's latest book ends with the phrase "And Leave Them Better Off For Having Met You." That's important. 

Dave Bittner: I agree, yeah. 

Joe Carrigan: I like Javvad's top three tips here. No. 1 - build trust and rapport. I would add that - make sure that every employee in your organization feels like they're part of the security team. Do whatever you have to do to communicate that to them, that you're - you know, that this is a two-way conversation. I'm not just telling you what you're going to do; you're going to tell me what you're seeing. That's very important for me. I need to have visibility into the organization, and you are my eyes and ears. 

Dave Bittner: Right. 

Joe Carrigan: Do not name and shame. When somebody falls for a phish, they have been attacked. If your risk model does require disciplinary action - which not a lot of risk models do, but some of them do... 

Dave Bittner: Yeah. 

Joe Carrigan: Do that in private. Handle that privately. Never name and shame. This story that Carole told about the bank with the balloons, that did not leave people feeling better. 

Dave Bittner: Yeah. 

Joe Carrigan: I mean, even if you pass that phish test, the fact that your peers were all shamed publicly that way - and Javvad says that's horrible. I agree 100%. That's horrible implementation of this. 

Dave Bittner: Yeah. 

Joe Carrigan: And three - don't bore people. And this is kind of a challenge in our industry, I think. You know, we like to stand up there - this is the stuff we live and breathe every day, right? We love it, and that's why we do it. But everybody else doesn't do it that way. They have - everybody else sees it differently. They have their jobs to do. They're focused on their tasking. 

Dave Bittner: Right. 

Joe Carrigan: I say there are three things you can do to help implement this. No. 1 - be inclusive. Like I say, make everybody think that they're part of your security organization, or actually, make them be part of your security organization. 

Dave Bittner: Yeah. 

Joe Carrigan: That's important. Not make them think it; make it so that is the case. No. 2 - rather than a one-hour video every year or training session every year, break it up into five to 10 minutes every month. This does two things. The higher frequency keeps it top of mind, and the shorter duration prevents it from - prevents people from losing attention. 

Dave Bittner: Right. 

Joe Carrigan: Additionally, five minutes a month is the same training as one hour a year. 

Dave Bittner: Yeah. 

Joe Carrigan: Right? 

Dave Bittner: Yeah. 

Joe Carrigan: It's the same training time. So I say, try to make it more continuous rather than something you do once a year that has to be done. And three - have relatable stories. Have relatable stories about this because that's how we work with - Perry Carpenter's big on this. He talks about storytelling. 

Dave Bittner: Yeah, yeah. 

Joe Carrigan: And that's really important because that's how we evolve. We evolved with oral tradition and things like that. And storytelling is remarkably powerful. 

Dave Bittner: Yeah. 

Joe Carrigan: So if you can develop relatable stories you can deliver once a month in five to 10 minutes and make everybody feel inclusive - included, I think that goes a long way towards building a better security posture. 

Dave Bittner: Yeah. And I'll also add, make sure that you tell the whole story as to why this is necessary for the organization. You know, it's - and what I mean by that is not only is it important for the organization in terms of everybody knowing this information and having it top of mind and being part of the security team, but it's also important for organizations to be able to say that they're training everyone, that all of our employees have done this. 

Joe Carrigan: Right. 

Dave Bittner: This is a sort of a take-one-for-the-team kind of thing, and I think lots of people overlook that. They may think to themselves, I know this stuff. Why do I - you know, I know this stuff. 

Joe Carrigan: Right. 

Dave Bittner: Yeah, you may know this stuff, but if we can check you off the box and we can do it and it only takes five or 10 minutes of your time... 

Joe Carrigan: Right. 

Dave Bittner: ...That you're contributing to the bigger picture of the whole company being able to say honestly that every employee does this, and so, you know, here's how we can demonstrate it's important to us. 

Joe Carrigan: Right. 

Dave Bittner: Yeah. All right, well, our thanks to Carole Theriault for bringing us that interview with Javvad Malik from KnowBe4. We do appreciate it. 

Dave Bittner: That is our show. We want to thank all of you for listening. And of course, we want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. 

Dave Bittner: The "Hacking Humans" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Joe Carrigan: And I'm Joe Carrigan. 

Dave Bittner: Thanks for listening.