Vancord CyberSound

085 - The Human Element of Security Awareness Training

September 12, 2023 Vancord Season 1 Episode 85

Technology plays a role in improving security posture, but a well-informed and educated workforce is even more important in keeping an organization protected. Security awareness training is crucial to ensuring your team is empowered, productive, and safe - and it doesn't have to be boring!

On this episode of CyberSound, Jason and Steve welcome Joel Cahill to the podcast. Joel is the CEO and Co-Founder of Vancord’s partner company, Infima Cybersecurity, a modern-day security awareness training platform designed to provide seamless, brief, and innovative training for everyone. Tune in today as the team explores behaviors and the human element of security.

Speaker 1  0:01  

This is CyberSound, your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl and Steven Maresca.


Jason Pufahl  0:12  

Welcome to CyberSound. I'm your host, Jason Pufahl, joined today by Steve Maresca, and actually we have a special guest from Infima, Joel Cahill. Welcome, Joel. 


Joel Cahill  0:23  

Yeah, thanks, Jason. It's good to be here.


Jason Pufahl  0:24  

So Joel is the CEO, Co-Founder of Infima, which is an information security awareness training platform, I think you do even a little bit more than that, I think you're doing some phishing work now. It's a product that we use heavily, we have started to embed it now with all of our managed clients to really give, I mean Steve and I come from an education background, I think we both feel strongly that security education is probably, you know, 50% of the things that we think need to be implemented from a security program, rather than just purely technology. I mean, it's so incredibly important to arm your workforce with an understanding of the risks that are out there, make them part of your security strategy. You can solve a lot with technology, you can solve a lot more by educating and training all the people that work for you. So I think, you know, Joel, if you can spend some time on, really, Infima's philosophy, and hopefully, hopefully, your philosophy dovetails exactly with what I just outlined, right, so let's make sure of that, but.


Joel Cahill  1:27  

For sure. Yeah, yeah, thanks, Jason, you know, I want to pull up one of those things that you just said up front, you know, because security awareness training feels like a, it's a small part sometimes of the security landscape, but to your point there is, and it is one piece of a larger puzzle, but there is, like you said, you know, call it 50% is actually training your people to avoid some of the most common mistakes that lead to breaches. So we have lots and lots of layers of security, you know, lots of things into ones and zeros, I say. But then there's just this little bit that we focus on, on the human element. And so that's where, you know, that's exactly what we do at Infima is we're focused on how do we, first of all, find and then change the unsafe behaviors that employees are unaware of, and that can lead to risks for an organization. And so, you know, security awareness training has now been called out by every regulator, you know, starting with NIST and flowing down from there, it is legitimately, is literally in every single regulation that you're gonna find in some capacity, you know, whether they touch on it briefly or they go in with more detail. So that's become a huge driver of it, whether it's a regulatory need, or the other is cybersecurity insurance. And it's a requirement that it has to be in those, you know, that it's got to be implemented for most, really, every cyber insurance carrier. And then a lot of it really comes up, it's discovered in these security audits, when you say, oh, yeah, hey, are we doing it? And how are we doing it and things like that?
You know, and so, you know, as, as we get to work with with Vancord, you know, what we ultimately provide is, is that training for all of those end users to match what's required on the on the compliance side to make sure that you're hitting all of your regulatory needs, and satisfying your cyber insurer while working on also rooting out those unsafe behaviors, which to, you know, you alluded to, as you know, we do a lot of that also with a lot of phishing simulations, and heavily focus on the behavioral aspect of security.


Steven Maresca  1:34  

You know, at the end of the day, compliance is helpful, you know, it helps to make attestations to third parties that you're acting with rigor and intention. But we also think of this as a proactive type of activity as well. Individuals, staff, they are, occasionally, more often than not these days anyway, the first indicators of something occurring in an environment or an attack that might be underway. Security awareness training is simply one of those indicators that help to get ahead of a problem before it becomes something really massively impactful. So it's really important to us, we have an extensive background in incident response, and frankly, there's always a human element.


Joel Cahill  4:25  

Absolutely, yeah. You know, you know, another way that we do look at it is, you know, you can see, oh, yeah, we've got elevated hits on the firewall, you know, so we might have attacks, you know, that are more pronounced coming at us, well, same thing. If we can see that there are a lot more of the users, you know, and clients who are clicking on phishing emails, and we're starting to see that that risk is increasing. And so, you know, then there are several things that we get to work on through there. Again, they're very behavioral bent, because at the end of the day, you don't want, you know, there's no business owner who wants, you know, his or her employees to have to become cybersecurity professionals just so that they can open an email, like whether or not they should open a Dropbox, you know, attachment, it comes down to, how can we find and improve on the unsafe behaviors, while giving them the knowledge? And, you know, just to your point on compliance, that is a piece of it. And then how do you go deeper so that you actually change behaviors? How do you actually improve that, the security posture of your team?


Jason Pufahl  5:30  

I think, you know, one of the things, and Steve and I often say this, when we're doing in person training, because periodically, you know, companies want to actually do it that way. I always position training, that it has a personal and a professional benefit. And I think it's really important that we sort of speak like that, because the reality is, you're using online banking at home, and you're getting the same phishing emails at home, that you would be at work, and all the things that we're training, because typically right, what Vancord is doing, what Infima is doing, is generally institutionally based, right? You're training large groups of people, typically in a professional environment for that regulatory purpose. But all the stuff that you're training on translates into the personal side, and I think protects people as individuals. And I think, you know, there's, I don't want to be too broad on this, but there's a nobleness to that, I think, because it really does arm people with information and information allows them to make better decisions and ultimately be better protected. So it's just, it's such a hugely important space, I think.


Joel Cahill  6:38  

Yes, yes, I also don't want to elevate ourselves too far, just like you were saying, Jason, but in reality, there is an awareness of a problem. In a broad sense, there's an awareness of a problem, but there's also a lack of understanding often on what do I do about it, and that's a bad, that's an uncomfortable place to be, you know, that's just not a place that people want to, like, live in. So you either hide from it, you kind of look the other way, or you can kind of do the work to educate yourself on what that risk is and how do I mitigate it. You know, and so, you know, in this case, it's fortunate that, you know, regulators and cybersecurity insurance providers are forcing this into those organizations, because training, let's be honest, has never been a particularly fun thing, you know, it's not like people get geared up and get real excited. You know, that's the 1% of the organization who's real excited for new training. But what really happens when that light bulb goes off is when, you know, we're pairing the, you know, the words on a page of training or to share somebody with, share knowledge with them. We pair that with these, you know, sophisticated simulated phishing attacks, and somebody, whether it's you or somebody else who clicks on it, that generates the conversation of like, whoa, this is way more real than I thought, like, right, you know, I'm glad that wasn't a legitimate attack.


Jason Pufahl  7:57  

So, so you did beat me to it a little bit, because I did want to say, training is kind of boring, right? I mean, your point is well made, nobody gets that excited for the annual training that you have to sit through that takes you 60 to 90 minutes, and then you've got your obligatory questions that you have to walk through and hope you get right. Like, the model just isn't that great. And I think you do do something different, and it would be great if you spend a minute on, how do you approach it, maybe to make it less boring, maybe to make it more sticky?


Joel Cahill  8:28  

Yeah, so, you know, this is something that you and I got to connect over on, you know, when we first were discussing working together, you know, was your background in, actually, this exact space, in security awareness training, and teaching people how to become safer. And, you know, so how do you get people to engage, you know, a lot of it, you know, is driven by, you know, my co-founder and me, when we started this, we met with professors at University of Florida in both Psychology and Cybersecurity departments. And the key thing was, like, hey, we were going to, we think that this is a behavioral problem more than, you know, what I would call a ones and zeros. You know, it's a behavioral problem more than a knowledge problem. And so you can pump all sorts of knowledge into people, but if they don't change their behavior, then it doesn't really matter. And so that partnering up with the psychology and cybersecurity departments allowed us to jump in and really understand a lot better on, you know, timing of courses, when should courses be delivered? Video versus text. You know, how much content should be in a course? We even looked at like colors and things to see what drives things. You know, one of the biggest things that came out of it is, you know, from a phishing standpoint is, bright flashing red lights after somebody clicks on a phishing email actually just is very counterproductive, you know, so we take a little bit lighter touch there, but when it comes to the training, there's a little bit of levity in there, there's something, you know, it's a serious subject, but we want to give a little bit of levity so that it makes somebody like, okay, I'm not just like grinding through this next training, and I've just got to push through it. We also keep those trainings in the five to ten minute range. So anybody, it's bite sized, they can come in and take it.
And you know, there isn't really much of an excuse that you don't, and, you know, the objective isn't to try to get a gotcha, the objective is just to have somebody who wants to engage with that training, because, I mean, part of it is, it's not as bad as they feared in the first place. But the other is, it actually provides some content that helps to, you know, the problem we were talking about earlier, like people are aware that there's an issue, they don't know what to do about it. And we're helping to give them some peace of mind there to share with them, hey, this is what your organization is doing. These are the things that are helpful for you to do in your office and at home, to keep you safer.


Steven Maresca  10:47  

So I want to spend a moment on that Joel, if you don't mind, because confusion, uncertainty breeds inaction. There are many phishing events that go unreported because people don't know what to do. Or worse, they know they've done something that they perhaps should not have, and they're embarrassed. In my opinion, modification of behavior and a reaction is really crucial. So your comments specifically about avoiding blinking red lights, avoiding a feeling of punitive and, you know, punitive reaction, causing them to feel like they've done something incorrect? That that's a hugely beneficial shift of the thought pattern, in my opinion. So please spend a moment on that, because I think that's really central to everything we're talking about.


Joel Cahill  11:31  

Yeah, yeah, thanks Steve. And you're right, you know, you've been through enough incident response so you've kind of gotten to see how people do react post, post, making one of these mistakes, post falling for a phishing email, post, you know, kind of opening the door for a breach. And, you know, different organizations handle it differently. But the objective, you know, that we want to portray is, hey, there's a real attacker, there's a real enemy out there. And our best bet is to first, you know, prepare and then second, to be open to communicating internally, if there is something that is either a concern or an anomaly or something along those lines. So if in the training, you are punished and penalized or ostracized for making a mistake, when the real thing happens, you're certainly hiding under your desk at that point. So we take a little bit lighter touch, somebody clicks on one of these simulated phishing attacks, there's an immediate, hey, this could have been bad. Well, we also do measure that. Most people just X out of that window, we know that they're going to X out of that window right away, because oh, I had nothing happen, right? It's gone. You know, kind of look around. My computer's not flashing, there's no sounds coming out of my speakers. So then the next morning, you know, we have this email that just says, hey, Steve, yesterday, at, you know, 12:25pm, you did click on this email with this subject line, here's what we're going to do in the future. It's not, again, it's not like a name and shame, this is your third strike, you're, you know, you're in trouble. It's saying like, this is what happened.
Now, because you did click on that email, you are going to be retargeted for additional phishing, and it will snowball because ultimately, you know, well, it's not name and shame, it needs to be highlighted internally to be like, hey, like, maybe, you know, sorry, Steve, I'm just using your name. But maybe Steve needs a little bit, a little bit more attention here. You know, so we're highlighting where that where that potential risk is. But without doing it in a way that makes you one, angry at your employer, or two, embarrassed for you know, either your own ego or stability or something makes somebody like quickly hide because, as you know, when you click on a real phishing email, you can't just X out of it, and it's gonna suddenly stop the encryption.


Jason Pufahl  13:46  

And I think it's really what you just said though is important, because there are egos at play, and, frankly, you're often training really educated people. So it's not like, you know, they don't take kindly to being made to feel foolish, to be made to feel stupid. So you really do need to be subtle, and you really do need to sort of describe what the institutional goal and objective is, and, you know, try to describe what that outcome will be, but. One of the things that I think we've done historically when we talk about, how did your organization fare in the phishing test, we always sort of flip it on the other side and say, well, you know, 90% of you did not click on this phishing email. You know, trying to use more positive language, even if, frankly, the numbers are the same, right, you know, 10% of the people still did in some portion probably provided their credentials. But you know, hey, last year, or last year, last month, 85% of you did not click on this link, this month, 90% of you did not, like you can show positivity still and use better language. I think we really try to focus on that.


Steven Maresca  14:52  

And that applies to interpersonal too because, reemphasizing the same, if you can benefit interpersonal reactions so that people are more inclined to talk to each other instead of shy away, that that's what you want to get out of it.


Joel Cahill  15:06  

And, you know, on that, and you know, every organization that Vancord services is a little bit different, and there's always different personalities and stuff. But one of the things that has been most, most critical with getting internal, you know, participation and engagement, is when somebody high up, you know, is willing to say, hey, I did stumble for one of those phishing emails, these things are legit, you know, and what we do at Infima, and what we provide for Vancord is we're taking the best of the wild, and we're circulating that through with all of with all the clients, so we're mimicking those real attacks, we do it on a continuous basis, so that it's not these discrete one off things because attackers don't just say, okay, it's been six months, and now it's six months later, we're gonna go attack, you know, Acme Construction, you know, they're firing these things off every bad moment, every second of the day. But when you have that person, you know, gonna call it call it a partner, managing partner at a law firm, who is willing to come out and say, like, hey, I did, I did click on one of these things, this is this, we need to pay attention, that suddenly just like, you know, lets everybody breathe in the room, like, okay, you know, it's this can, we are aware that this is a real risk that these things can happen now, let's all, you know, kind of band together to go to protect ourselves from this attacker versus kind of like, I better not be the one who clicks because if I'm the one who clicks and I'm being held out, you know, in reality, it's such a behavioral thing, you know, we've gone into longer discussions on this, you know, but, you know, the time of day something hits the, the mindset that you're in, the stress level that you're in, if you've just gotten, you know, you got to your kid just shot out your kids tickets at school, and you're having to cancel a meeting and try to run a run, and then you just happen to get, you know, the, you know, a 
Dropbox email or LinkedIn email, or a voicemail attachment or something that you're like, oh, this could be relevant, I need to pop in and go see that, you know, it's, the attacker didn't know any of those things. But they just happened to send it and it got through the firewall or got through the email filters at the right, the right wrong time. But when they're able to send millions and billions literally, of these emails at any time, you know, their hit rate doesn't have to be very large. And these things we all know, they just can get through. They happen to get through at the wrong time, you know, it makes all the difference in the world. And so the atmosphere in which somebody receives it, you know, there's a lot of context to it. That can make all the difference. You know, if somebody just was told that they were gonna get something, they just had lunch with somebody, they're like, hey, I'm gonna send you money via Cash App, or Venmo or something. You'd be amazed the number of times somebody clicks on one of those that we circulate, they're like, so and so was just telling me, they're gonna send me money. We're like, well, you said Jane was going to send it and it's Brenda on the Venmo, it clearly wasn't that same person. But we're not, we're thinking, we're triggering, like somebody who's supposed to send me something, I'm clicking on that thing. And so, you know, they get you at the perfect wrong time. And we see it over and over.


Jason Pufahl  18:09  

Yeah, I mean, I think we all agree how important it is. We were largely, I mean, really, we come from technology backgrounds, in many ways. And I think it's just, it's been, for me, I think interesting to see my own shift in this space over the years to just recognize that technology plays a role, but a well informed and educated workforce is, I mean, honestly, in my opinion, at least as important as the technology investments that you're going to make. And I think, frankly, it's why we've chosen to work with you, because you, I think you do this in sort of bite sized pieces that most people can actually absorb and hopefully take something from. It's done in a way that's, you know, not obtrusive, which, in my opinion, in this awareness space is really important. And it gets the message out, you know, broadly and regularly. So I mean, all things that I think hopefully end up resulting in a sort of a higher outcome of success, right, of reduced likelihood for clicking on some of these email messages. And frankly, just a better understanding of some of the risks that are out there.


Joel Cahill  19:21  

Yeah, we want to dispel some of the either the misunderstandings or myths, while also just providing, you know, end users with a real clarity on what those risks are so that, you know, they're not acting out of fear, and then they can actually act with more confidence. And, you know, at the end of the day, like you said, unobtrusive, you know, you just don't have time for every person to become an expert on every email and they got 100 emails when they wake up and get into their inbox and they don't need to go and have to do all the research to see if every single one of those things is legitimate. You know, it's like how do we implement those safe behaviors so that the people are empowered and not in fear and can continue to be productive.


Jason Pufahl  20:03  

So yeah, we're pretty much up against time here so I do want to wrap up. I think I'll wrap up by saying a couple things. First, you know, anybody who's listening, if they're interested in effective and fairly straightforward training to implement for their organizations, you know, reach out to me or Joel, we're happy to talk to you. If you want to take it a step further, and I think we joked about this at the beginning, right, if you want to just nerd out on training and applications, and, you know, how do you actually get a message to a receiver and sort of, how does all of that look? Probably Steve, me, Joel, great people to talk to. So we're happy to have a, hey, what did, how does training work psychologically, and go down that road with you as well. Joel, I appreciate you joining today. It's been a pleasure. It's been a pleasure getting to know you, of course, and a pleasure to work with you as we've gotten both of our companies more closely together.


Joel Cahill  21:01  

Yeah, absolutely. Yeah. Thanks, Jason. And Steve, it's great to be with you guys. Appreciate this.


Steven Maresca  21:05  

Likewise.


Jason Pufahl  21:05  

For sure. Thanks, everybody, for listening. We, as always, hope you got some value out of this. If you took one nugget, right, this is our training platform, so take one nugget from this, and walk away better informed than you were when you started. Thank you.


Speaker 1  21:19  

We'd love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn or on Twitter at Vancordsecurity. And remember, stay vigilant, stay resilient. This has been CyberSound.


Transcribed by https://otter.ai