Introduction
Finn: Good morning, everyone. My name’s Finn. I head up marketing at Tekspace. What we do is we’re cybersecurity product experts. So a lot of the work we do is hands-on research, testing and assessing different products in market. In fact, we recently sat down with both of the guests today and interviewed them and discussed everything within the security awareness training market.
So I know both of our guests feel very strongly about how to get security awareness training right, which is of course our topic for today.
So introducing the two experts who will be discussing everything you need within a security awareness training program to basically get it right to have those effective results across your team.
First of all, a man who may not need introduction for many of you on the call today, Matthew Jose, the CISO at Fujifilm CodeBlue. He leads the cyber strategy and helps Kiwi organizations really get on top of the risk at the moment.
With over fifteen years’ experience across all sorts of IT roles, he specialises in governance, risk and compliance, security operations and building out new products and services within the CodeBlue environment. And we’ve also got Frank joining us from Tekspace today.
The driving force behind our direction within the cybersecurity product space, he’s had a twenty-plus year career where he’s worked both in house, built two successful IT services businesses of his own, and advised businesses on cybersecurity all across the globe.
So very exciting to have both of our guests here today. As I mentioned before, they feel strongly about the domain that we’ll be discussing. Just a quick housekeeping before I hand over to Matt.
You’ll see we have the chat. Also, there’ll be a poll which Matt will be asking shortly. So please submit your answers to the right. And if you have any questions, you can submit them via Q and A and we’ll ask them at the end.
So without further ado, I’ll add Matt to the stage now and yeah, thanks everyone for being here.
Thank you, Finn.
Mathew: Kia ora everyone. Welcome to the webinar about getting security awareness training right.
So like Finn mentioned, we’ll start with a poll.
And the question is basically, when it comes to security awareness, what does the organisation measure today?
And a couple of options, and you will be able to see what the options are on the poll towards your right side. Is it the click rate? Is it the training completion rate?
Repeat offenders, time to report, finding who clicked, or you’re unsure.
So we’ll give it twenty seconds so that everyone can actually cast their vote for the poll, and then we will get underway.
Almost half the room has voted, Matt.
Oh, cool.
So, it looks like, you know, the unsure and the completion rates are actually kind of leading. So none of these are actually wrong, but some of these drive better behaviours than others. And when it actually comes to understanding why most awareness programmes fail, it is usually because of the lack of top executive buy-in and socialisation.
You really need champions at the executive level, and they need to socialise it; the success of the security awareness programme often depends on how strong that buy-in is.
So we’ll also go into a couple of myth busting kind of stuff as well. So often SAT is kind of considered as a compliance and a blame tool.
And when that actually happens, you usually would actually ask the question about who clicked the link, or, you know, who are the people that actually clicked so that you can actually talk to them.
What I want to say is when it actually comes to who clicked the link, you know, it is actually a reporting view, it is actually not a risk outcome that you’re actually looking for, for the organisation.
And the reality is that it is basically a behaviour-changing platform. And it basically transforms your human workforce into human firewalls.
Click rate is a lens, it is actually not the outcome that you’re actually kind of looking for. The outcome that you’re looking for from any kind of good security awareness programs is behavioural change.
So now we will actually take a step back and then look at, you know, what are some of the options available from what we call a legacy set.
So I’ll quickly touch on two points, which are the annual training and the manual training. Annual training is where you have static content and every employee is actually required to watch a video once every year, where it is actually a checkbox control. Manual training is where, you know, a trainer would actually come in, train people once a year or twice a year, and, you know, you call it, okay, we’ve actually done the training.
The next couple of things are when it comes to generic phishing simulations. So, if you’re actually using one single email, I mean, a phishing simulation email, and sending the same email to everyone in the organisation, then the issue with that is that it is actually a false metric, because you’re gonna have a workforce with varying degrees of technical competency. And when you have that, and, you know, when you’re actually using that false metric to inform your risk position because of humans, it is a false metric to start with. Often with legacy sets, it is actually measured by completion and click rates.
One of the things that AI has actually accelerated is the attacks on humans or social engineering attempts as well. So, AI driven attacks have basically outpaced what legacy SAT was actually designed for, which is why you actually need a modern SAT solution. So what does a modern SAT solution look like, where you’re moving away from a checkbox to a control?
So modern SAT looks like there is continuous learning, because, you know, everything is evolving really fast, so you need continuous learning, followed by not a single email to the whole organisation, but personalised simulations, depending on the technical competency of the person, where you’re able to kind of measure the risk score of the person based on the behaviour of the person, and the organisation can actually measure the behavioural trends over time.
That is what a modern SAT solution would look like.
So what does it actually mean? So if your organisation is actually using manual training, or an annual training exercise, or one-off campaigns where someone from IT is actually sending an email to everyone in the organisation saying, Hey, you should be careful around these ones, that is actually not security awareness training per se. So instead, what you should be looking forward to is moving from one-off email campaigns with generic content to continuous learning programmes.
The second thing is automated phishing simulation, based on the technical competency of the person, so that it is fair for everyone in the organisation, and so that the organisation-wide behaviour is focused on, rather than individuals or people who clicked on the link.
So to sum it up, what does good look like, and what metrics should you look beyond click rates?
A couple of things. The first one is reduced repeat clickers over time, and faster reporting of suspicious emails. The reason why you should actually measure these metrics is because this gives you an insight into whether the SAT or security awareness programme is actually driving behavioural change, as opposed to measuring something that is actually generic. And the questions that you should be asking when you’re actually running a security awareness programme are: are you reducing the risk in your high-risk roles, and is there consistent improvement every half or every quarter or every three months?
So security awareness training, it’s not a compliance exercise that you should be looking for.
You know, if you implement it properly, it can actually kind of convert your people from the weakest link in your security chain to your most scalable defense.
And I’ll say this as well, for good security awareness programs, you have to measure behavioral change and not failure rates.
And Frank, I know that we’ve actually seen this across your research, across multiple customers. What are you seeing when organisations make this shift?
Frank: Hey, Mathew, thanks for the intro. Look, in terms of what we see, a little bit of an analogy. I’ve got two young kids that are going to school right now. As they go through the education cycle, which is ultimately part of what we’re doing here, we’re educating people, I’m looking for them to be able to demonstrate changes in behaviour and fundamental understanding as opposed to memorised rote learning.
So my kids can get taught the ABCs and the basics of maths, in terms of what five plus five equals. But do they understand how five plus five actually equals ten? Or do they simply know it equals ten?
One is a memory-based, rote-based answer. And when you’re under attack, ultimately, that’s why we’re doing this. If an email makes it through that is dangerous, that you hope one of your staff correctly identifies and avoids and then reports, you want that person to have the behaviours and the core fundamentals baked into their psyche. That translates to massively reduced risk. That’s ultimately what we see.
And that comes out in lots of different ways. You might actually just observe, outside of any platform, some of your staff having a joke about some of the training that they’ve just done, right? And talking about making sure that whoever just followed them through the front door in the office, they turned around and checked, hey, I know who that person is, I’m not just going to let them come in the front door. These sorts of live human behaviours, because ultimately this is a category that touches human psychology, are key things you start to see; it becomes cultural, you can touch it, you can feel it as much as you can look at the empirical cold data behind it.
And that’s what we tend to see when solutions are deployed and have the right backing from the top down.
So, you know, stepping in, let’s talk a little bit about what Tekspace does. We get to do something that in some ways is fun, but also can be quite tiresome. We road test actual cybersecurity products, right? We get in the car and we really try and understand what they can and can’t do. This space, the security awareness training space, is probably one of the most competitive.
It has seventy-plus different vendors that all vie to try and get the wallet share of people out there and help them solve their problem. When we looked at evaluating this space, we had to cull and shortlist down to just twenty, and remove all the ones that just didn’t even come close to what they needed to do. So we shortlisted down to twenty.
And we started to evaluate them and break them down feature by feature. We split them across four core capabilities and four core functions, and aim to create a maturity benchmark around what that looks like. And that’s what I’m gonna share with you today. We’ll walk through that journey a little bit and show you how it works.
So when we do this, we speak with a lot of security professionals, all the way from everyday people that are running the desktop, IT managers, IT engineers, cybersecurity engineers, CISOs, CIOs, all the way up to non-technical stakeholders. And we do that across the board globally to try and understand what they actually care about from an outcome perspective. And these four things have come up over and over. The first is efficacy, right? And when you think about it, and you pause for a moment, a good portion of the companies out there sometimes look to put a security awareness training programme in place from a compliance perspective only.
But then another portion of that audience want to both have compliance with whatever their insurance provider wants, and ideally they have uplift or efficacy. And so uplifting the efficacy or awareness of the risk across your staff is the number one.
Number two is operational efficiency, hey, if we’re going to deploy this solution, and if it’s going to impact and touch and engage with my end users, which it will, how can we make that as seamless as possible, minimal disruption, no frustrations, it’s a happy experience for the end users.
We move to reporting, in particular, we focus on reporting to technical and non technical stakeholders. So that’s really, really important. There’s two different audiences that we need to give useful information and insights to. And lastly, the end user experience.
Any solution that you deploy that an end user needs to engage with, whether it’s security awareness training or a different category needs to be incredibly intuitive. The interface, the way that they navigate, where they go, what they need to do, it almost needs to be requiring no education whatsoever.
And if you get that right, that will all lead to stronger engagement.
And so as you can see, when we look across the capability checklist, we’ve got four core areas that all underpin creating stronger engagement, which drives behavioural change. That is reporting, AI capability, simulations and the learning model. How do we go about teaching people? Now, as we walk through these, and I share with you some of the findings, you’re going to see a percentage rating for how much the market covers or delivers that capability. So keep an eye on that as I go through the slides, because that can be quite interesting to look at.
We’ll start with the reporting side. Reporting can be a black hole, you know, it can be a never-ending string. What we’re focused on when we analyse capabilities is not the downstream technical aspects, because lots and lots of the solutions that we looked into can tell you what the click rates are, they can show you people who have or haven’t done training. Let’s assume, or I’ll let you know factually, that almost all of the players can do those sorts of things.
So we looked at upstream reporting at the executive level, and how can we get useful metrics very quickly to non technical stakeholders?
Now, ninety percent of the market has some form of a behavior risk score, right? Whatever they might call it, they have some form. But the nuance is what is behind that number? How do they come to that determination?
Because if we say, hey, your behaviour risk score for the organisation is fifty percent. You also need to understand quite quickly what makes up that fifty percent and how the solution has reached that conclusion. Otherwise, you’ll never trust it. So that’s where there’s some nuance in execution.
Next, we looked at how do we understand risk types very, very quickly? Who are my repeat offenders? Who are my first-time clickers? Who are the people in my employ that might fall for a fake email and actually enter their data credentials, their username and their password?
I really want to know about those people because they are extremely high risk. Ideally, we might have a manual intervention for those people on top of the solution.
And lastly, we look at multi-level reporting. So for some organisations, typically bigger ones, you’ll have departments: finance, sales, marketing, etc. And you can create kind of a competitive culture if you want to, where departments are competing to have the best behaviour risk score. Right? And that’s another clever way I found organisations leveraging the products that exist out there to get engagement and buy-in from the audience.
So we shift from reporting at an exec level and we move to AI capability. I mean, AI is just talked about over and over and over again. So when we looked at this, we’re really looking for some manner in which these programs use AI in a meaningfully different way that delivers a better outcome. Right?
That’s kind of what we’re interrogating here. And typically, we focus on the journey for how fake emails, which you would call a simulation are sent, right? And how AI is weaved into that capability. So the best players and you can see fifteen percent coverage will start by sending out a group of simulations randomly selected.
And what they’re doing is creating a baseline for the capability and risk profile of each person. So they send out these simulations, and the artificial intelligence is then analysing how each individual user engaged. Did they click a link? Did they enter some data credentials?
What’s their role, their title, their department, their location? What browser or email client are they using? It’s grabbing a lot of different data points to learn about that individual user. And based on the experience of each person, ideally, the solution then creates a dynamic risk profile, not a static risk profile, but one that will change over time.
And it’s learning about the susceptibility traits, like the weak points of each person. Is someone more likely to fall for social media attacks? Do they read the emails in the morning or late at night? Are they on the emails over the weekend?
And what is their current skill level? Are they masterclass cybersecurity experts that know everything about cyber, they’re going to be very difficult to fool, and therefore quite skillful? Or are they at the other end of the spectrum? Cybersecurity is not their day job.
It’s something else. And they’re more likely to fall for something quite quickly.
And then ideally, what these solutions do with AI, and you can see only fifteen percent of the market does this well, is they use that ongoing change in risk profile and the behavioural inputs and match a simulation to each individual user specifically. So if you have one hundred people in your org, all one hundred people could receive a different simulation specifically for them, based on where they’re at in their learning journey. Okay, and all of those things accumulate in better user engagement, right? Which makes a big difference.
So following on from there, we naturally looked at, well, how do people actually execute on simulations? What are the different capabilities? How can we try and see if they are emulating what real-world attackers actually look like? Because ultimately, that’s what we’re trying to test people for and train them around. And almost everyone in the market does name-based targeting, meaning we can send an email to someone with their name in it, so it looks like it’s directly targeted at them. So that’s par for the course.
But then we have these other capabilities, like application-aware simulation. So just imagine in your business, what is the software that you use on a daily basis? Do you use Microsoft Teams? Do you use Xero for your accounting?
Do you use Microsoft 365 or LinkedIn, etcetera? There are lots of different ones, Adobe Acrobat and so on. If you know what you use, and you can tell the program, hey, yes, we use these specific applications, then ideally the algorithm and the program can now change the probability of targeting your end users with fake emails relating to the business applications that they use. So that increases relevancy materially.
And that will dramatically change the efficacy of the solution and the value of the behaviour risk score that you get out the other end.
We also have location-aware targeting. So for some of you, most of your staff are ideally going to be based in New Zealand; you might have people in the Philippines or in Australia or in the UK or America or wherever it may be. And if you can target your staff with simulations using brands that are relevant to the country that they’re in, that again increases relevancy. So that’s kind of another critical must-have that we look for in the best players in market.
And ideally, we are targeting people with different types of simulations or attacks that marry the different ways in which attackers might get to them. So sometimes it might be a QR code. Sometimes it might be a supply chain attack where someone’s trying to impersonate someone in your supply chain, or it’s an email from the CEO saying get me gift cards, etc, etc. So you need to keep that varied and dynamic.
We’ll then look to have simulation capability where it’s role- and time-based. And this is where the platform is smart enough to understand what your role is. Are you the CISO? Are you the marketing director? Are you in sales delivery? Are you in finance or procurement?
And what times of day might it try and target you? And so some of the solutions are very clever. They don’t just do this; they know about different events in the calendar of the country that you’re in. So for example, if we have Anzac Day in Australia, then you might get a simulation that is oriented around that event when it actually happens or leading up to it, which increases the probability of that user potentially falling for it unless they’re adequately trained. And that’s exactly how real-world attackers work.
So we layer on from role- and time-based to insider threat spear phishing. And ultimately, this is where sixty percent of all breaches that happen are based on emails that are just like this, where they’ve done research on your organisation. They know all about who the different people are. They probably know who’s in your supply chain, and they impersonate your CEO or your procurement manager, or perhaps even just a low-level new employee that’s just joined the organisation.
It will have your actual email signature. They’ll have your phone numbers, your titles. It’ll be very hard for you to discern by default unless you know what to look for that this was a malicious email. And unfortunately, these emails do make it through and they are incredibly successful.
So having a solution that can have that as part of its journey is really important.
And the last part of the simulation capability, we talk about the idea of giving end users agency to report an email that they think is suspicious. And if they successfully report that email, then giving them kind of live reinforcement, patting them on the back and saying, Hey, well done, you’ve successfully identified that that was a fake email, congratulations. And that drives a positive reinforcement behaviour loop that works exceptionally well.
The other nuance here, you know, because a lot of the solutions in market that do this execute it in different ways. What we were looking for is if somebody does report something, how quickly did they report it? Did they identify that that was a fake email in less than twenty seconds?
What kind of email attack was it? Was it financial? Was it supply chain? Was it social media? Was it QR code? And we’re looking, does the algorithm or the AI feed that information back into the risk profile of that individual?
So is the solution smart enough to learn and then adapt to that user the next time it sends out an email. And that again, makes for a dramatic difference in the efficacy and success of learning and teaching to staff.
Now, when we talk about teaching, we move to the learning model. And we talk a little bit about how do people learn and how do we engage. Just let’s take a pause for a moment and think, if I was to deploy a solution like this into your staff, to your end user base, right? And let’s say you’ve got thirty or forty people.
How often are they going to be willing to do this training?
First of all, do you think that they’re going to find it acceptable to do it once per month? You know, once per quarter?
So maybe you’ll do it once per month or once per fortnight. And if you do it once per month, you’ve only got twelve times per year where you can connect with this person. And typically you’re only gonna keep them for five to six minutes at most. And then you’re going to lose them. So that teaching moment, that learning moment needs to be very, very successful. It needs to touch on the right notes and it needs to match where the user is at in their overall journey. And, you know, it can be really helpful to stop and pull back and think about the fact that it’s not that much time, and that there’s not that many moments per year where you engage.
So in the market, we find there are three ways in which the players try and solve this approach. The first is what we call the librarian or the Netflix approach, right? That’s where you’ve got a huge body of content, thousands and thousands of pieces of training. And remember, if you’re only doing it once per month across all those thousands, you have to just pick twelve, right?
If you’re doing it that often. And so you can see that that has some limitations because people will be at different points in their journey. You have to try and select the right combination. And your chances of you getting that right, you know, hit and miss.
The next one we see is Q and A, right? This is where we ask questions and we learn about what they get right and what they get wrong. And based on that, we adapt accordingly. And so that has some strengths that you can see there’s some intelligence to that pathway and why that can work, but it also has weaknesses.
And so ideally, that can be combined with pathway number three, which is a curriculum. It’s kind of just the way that we learn as adults and the way that we learn as kids when we really want to know about something, because we’re going to ideally look for an education system. So it could be a school. And you know, if it’s a school, for example, I want to teach my kids maths, I want a great school, I want really good teachers, because how you execute the teaching matters just as much as the school itself.
And I want a curriculum that’s around teaching the fundamentals. Again, if I’ve only got twelve opportunities per year, across five minutes per opportunity, to try and get across a certain set of fundamentals, that will help me know how to avoid a threat, then having that in a purpose built curriculum really can make a dramatic difference. And, you know, it’s the difference between my kid having to memorise the answer to something and me being able to say to my kids, what is two plus two? Or what is four times four?
Or what is sixteen divided by two? And any kind of method I try and trip them up, you know, and attack them. They’ve got sufficient foundational knowledge to deal with that. Right?
So pairing a strong learning curriculum that’s executed well with intelligent simulations and testing will make a dramatic difference to the engagement of your staff and their ability to avoid these threats.
All of that you ideally want delivered in some kind of very friendly interface. I mean, we call it a portal here, you know, lots of different providers will call it something different. But you want that interface to be engaging, to be friendly, to be highly intuitive. And we don’t need to dig too deep into this except to say that the friendlier it is, the more interesting it is, then the more likely you’re going to get engagement and have users run through that journey and actually do the training that you want them to do.
And so that’s kind of becoming table stakes in our view that that needs to be a core capability.
Ideally, what you also want, and this is interesting, very few players in the market have this, but we see over the next few years that hopefully this will grow.
When we are trying to teach our users about threats, well, just remember that often they can access work environments from their personal computers. They can go home and log into M365 email and SharePoint and access that information. And so if we can build their awareness around threats that live outside of the workforce, so how can they use their Facebook, Instagram, LinkedIn, TikTok, Spotify? How can they be aware of the threats in those platforms and lock them down and make them more secure?
That can help build a more holistic awareness of cybersecurity threats more generally, and basically just build stronger personal habits, which feeds into a better position for your staff and your organisation as a whole. So that’s something that we look for in the players in the market as well.
And lastly, look, when you think about learning, we just want change over time. So if there is a learning programme, you want that learning programme to adapt. You know, we built a curriculum for this year. But if I have new people join the organisation in my company next year, if there’s something that has changed in the risk environment out there, I want that same curriculum that some of my users have already done to apply to my new staff, but to have adapted, iterated and improved based on what’s happening in the threat landscape out there.
So we kind of look for that. And we look for what people get right and wrong as they learn to, we want the AI to grab that information and feed that back into the risk profile of the individual user, and into the overarching organisational behaviour risk score to get a truer sense of where the organisation sits. So that’s how these all come together. And if we kind of summarise them in terms of capability, and we look at it kind of from a thirty thousand foot view, you can see that the market mostly does have reporting capability, right?
It’s just a question of how well they execute that. AI capability is evolving; there’s a lot of what I would call marketing fluff. Everybody says they do everything with AI, but we can start to see meaningful application of AI and algorithms used in a way that makes a difference to the journey for your users.
The simulation capabilities, yeah, there’s a big difference between those that are at the top of the market and everybody else. And the learning model is still an ongoing, almost like a philosophical religious war in some ways that I see. So that’s hopefully been some useful insights for you to look at the market.
I’ll hand back to Mathew, and thanks for your time.
Finn: Thanks so much, Frank.
Really interesting to get that breakdown. And also, Matt, well, the poll that you asked at the start, there was some really interesting percentages there.
And thanks everyone for also submitting questions so far. Remember if you have any questions about anything that Matt and Frank have said or haven’t said, please feel free to submit them.
Just to move on before question time, as part of this presentation, we also have a possibility to demo the features that Frank spoke about and Matt shared.
So if you’d like to demo the features, feel free to speak to Vaidik at CodeBlue.
I’ll just put a link up on stage, which you can all use as well.
Apologies. You’ll see the email there. That will work well.
But, yeah, best to send him an email or connect with him on LinkedIn and mention the security awareness training demo. Thanks very much.
Moving on, you’ll also see in the chat a link to a feedback form, where we would love to get your feedback and your take on the topic today. But also there’s a question there at the end which actually asks for... Thanks, Cass. You’ll see both Vaidik’s email and the link to the feedback form in the chat.
So make sure to select that. But there’s a question at the end of the feedback form we’d love your take on, which is what you’d like us to cover next. So the ball’s in your court; we’d love to hear what you would like us to speak about in our next session.
So moving on to the q and a, and one second while I get my controls right.
Great. We’ve got a few questions here.
This one’s a question here around... I’ll add it to the stage so then you both can speak to it.
So, organisations that already have SAT in place. What are the first signs that a programme isn’t driving behavioural change?
Either of you, maybe I can ask Matt first, then, Frank, you feed in.
Oh, thank you, Finn. I think I actually kind of covered it, you know, a little bit loosely on my slides earlier. But, you know, fundamentally, if there is an overreliance on activity metrics, and these could be things like, you know, click rates, where you’re actually trying to find out who clicked on the link, then that is actually not a behavioural change metric.
You know, if for example you’re not tracking repeat clickers over time, or you don’t even have that metric to start with, then that is actually not behavioural change. Because at the heart of it, what you’re essentially looking for is, when a person actually receives an email and there are two options, which is, you either have a link in an email or you have an attachment, what is the person going to do? Are they gonna report it or are they gonna click on the link? And that is behavioural change, right?
And changing behaviour doesn’t actually happen in an instant. It is very hard. It is deeply seated in our psyche. So these are the things that you need to kinda, you know, factor in when you’re actually looking at that behavioural change aspect. Anything to add, Frank?
No, look, I would agree. You wanna be able to touch and feel almost the change that’s happening as much as you can see the column metrics on the screen. So there’s usually a strong correlation between people who are participating and doing their training with a reduction in phishing rates over time. The other element is if the execution or if the type of simulations that are being sent that do the testing aren’t very intelligent, then ultimately the data you’re getting out the other side won’t really tell you much.
You get a false idea of what really works. So I think it’s a combination of making sure you’ve got intelligence in the way that simulations are sent, how they’re selected, how they match with the risk profile, combined with people doing their training. And you can visually, you can hear it, you can see it, it comes out in the culture live within the organisation. So it’s probably a combination of those things from our experience.
Interestingly enough, a question that echoes this is kind of more specific around the most reliable indicator. And it’s a good question because if we think about Matt’s poll at the start in terms of what is the most important metric to look for. Yeah. What metric or indicator would you guys suggest as the kind of key indicator of behavioural change?
Well, we may have different ideas. The answer is subjective depending on the solution that you’re using.
Right? And the reason why is when we looked at the reporting part of the market, and we looked at how they measure and where they’re getting their data from, we also then looked at the AI capability and how it’s pulling metadata from all the different engagements throughout a platform. And so if, to kind of put it bluntly, if platforms were a little bit dumb, and if they were very black and white around how they did that metric, then that wouldn’t be a reliable metric. And the best I might have otherwise is not something that’s in the platform, but it’s actually something outside the platform, which is what I can listen for when I’m speaking with staff.
If I do a quick three sixty survey and anonymous survey of people in the org, how are they finding the learning, etc. But if you’ve got a very intelligent platform that understands and records every interaction throughout the entire learning journey, people participating in the training, people doing their simulations, what they get right, what they get wrong, then ultimately, that risk score that I talked about upfront, there’s a couple of different platforms that do that well, becomes probably the most reliable measurable indicator you know, outside of what we might measure as human beings in my experience.
Cool. I think, you know, from my perspective, you know, if I want to be direct, it is going to be like an increase in the user reporting behavior, and especially when you actually combine that with how fast they report an email is usually, a reliable indicator. And if I put my CSO hat on, what it actually kinda shows is it actually shows action that, you know, people are actually knowing what to do, and it directly reduces the risk to the organization. Right? So, you know, these are some of the things that would be, like, a reliable indicator.
Really like those answers, guys. Very sound advice, practical. I’ve got a two part question coming up next, which two guests have asked, but they kind of relate to the same thing. So first one, I’ll add to stage, which is about implementing the right balance of security awareness training in a smaller company. And then the second question that relates to this is around a smaller organization without a dedicated IT function. How would you break up the ownership and delivery of a security awareness training program? So we’ve got both of those kind of within a smaller company and then around ownership and delivery.
I could go first. So when it actually comes to ownership and security awareness or the program itself, it is the executive level that actually needs to sponsor this, first and foremost. If you have lost that, then, you know, you’ve kind of lost that program. So you need your executives to actually buy into the program.
You need your executives to actually socialize it and, you know, do whatever it actually takes to make it actually a grand success irrespective of the size of the company. Because one of the things, and I often, you know, have this question as well: I’m a smaller company with ten to fifteen people. What’s actually the risk?
Well, the attackers don’t actually look into how many people you’ve actually got in the company. They actually are after the data that is actually sitting behind your company. You might actually be a company that actually provides services to the big firms, etcetera, etcetera.
So regardless of big or small, what security awareness training actually essentially does is it actually converts your human workforce into a firewall, where they are actually aware, where they’re able to know what the right action is and take that action.
Yeah, it’s kind of two interrelated questions there, Finn. I really appreciate what Matthew said. I think when we asked the question who should take ownership, you could interpret that two ways, or at least I do. One is who’s got to operate and manage the tool that might sit behind it in the program.
And the other one might be who’s responsible to sponsor it internally and make sure that this is something that people actually will do. And Matthew’s spot on, like no matter what size the company is, it needs to come right from the top. Now the top might delegate down and make sure that the person that they’re asking to go and orchestrate that, in smaller businesses, it tends to go from the owner MD to a financial person. For some reason, it tends to sit under finance quite commonly.
But if you’ve got top down executive engagement, it’s sponsored, if you actively pause and socialize what you’re doing, and explain to end users what they’re about to experience, that you let them know it’s okay to get things wrong, right? And you go through that journey in that process, then you’re going to get much stronger engagement. And in that sense, I guess that is the reason why a lot of smaller businesses will engage a managed IT services provider, because this is what they’re good at. Like it’s very common for Tekspace to identify and learn about cyber solutions and platforms that were incorrectly configured or that are unused because an internal IT person who is exceptionally competent is pulled in nine different directions, the business asks a lot of them, you know, they need help in multiple different areas.
So I think that’s obviously, if you’re in a smaller business, that’s where an MSP can be exceptionally valuable to you, can do most of that heavy lifting, they can build the socialization process for you. And ultimately, what you would do if you’re inside that business is make sure that you’ve got executive buy in from the top.
Thanks. Just a really interesting also question here from Tim, who’s been using the SAT solution from Code Blue, working well overall.
But then this is an advice on skeptical users, you know, the people who think it won’t happen to me. And this is really the tension with a lot of SAT discussions. So it’s a great one to get into.
Who wants to go first?
I’ll let you go first, Matthew, because it’s obviously one of your... I’m happy to give an opinion outside of yours.
Yeah. I mean, it is actually kinda quite a difficult one if I’m actually being honest, you know, skeptical users and winning over them. But personally, like, for example, we’ve had the same challenge at CodeBlue. Like, there are IT people. We’re actually IT nerds, and, you know, we can actually spot a phishing email a mile away.
And what actually happened when we operated our security awareness program is everyone who actually talked to me and said, I will not click on a phishing simulation email has clicked on a phishing simulation email. Right?
So I haven’t written it down, but I just remember.
But the way to kind of articulate it is by, you know, telling them war stories of what would actually kind of happen. You know, make it personable to them. What is the impact if something were to actually happen and why it actually kind of exists?
So that’s my take on it, and that’s what I’ve actually seen it being a success.
Over to you, Frank.
Yeah, look, this is an interesting one, because I’ve had a very similar experience. I had it with my own staff as well. And I had it with myself personally.
And it was frustrating because I fell for a simulation that I got really, really annoyed at in one of the ones that I was testing where I didn’t realize it was a sim. And that very, very rarely happens to me. But, I mean, pragmatically, a couple of... there’s a little bit of nuance here. Firstly, if you have people that have been doing the program for a while, and they are reaching a point where they don’t fall for anything, that is a validation that that solution is working, it should be retained, not a “Hey, let’s dump it and we don’t need it anymore.”
Right? That’s kind of the first kind of, perhaps the opposite idea of how people might think about it. The second thing is that you’re going to have people join the business that weren’t there to, that people join people leave. So you want to keep that capability there.
The third thing is that you’ll probably have data in the solution that will be able to either validate that those skeptical users are actually competent. Because if you’re using the Code Blue solution, I’m pretty sure you can dig into an individual user and look at every single question that they’ve got right or wrong and the simulation capability if you really want to. Therefore, you should actually have the data, as opposed to the feeling or emotion, that you can point to where they’ve not quite got something right. And the third thing is when you think about these people, I’m okay at the start with them seeing it as an annoyance because they’ve got their own day jobs, right?
Like cybersecurity is not, they really shouldn’t, an ideal hypothetical beautiful world where we don’t have any bad people in the world, nobody should have to worry about this, they should be able to go to their day job and do what they need to do. But pragmatically, what will happen over time is that different types of attacks will come in and get more and more sophisticated. And you want these people to engage and embrace that perspective.
The solution will, if it’s the Code Blue solution, it will over time start to make the tests it sends those people more and more complex.
Right? So maybe I would suggest also checking in with Code Blue, because they’ll probably be able to point out some nuanced data around those individuals. The other thing is sometimes you need to change up the basic settings you’ve got in place. Are you sending simulations too often or too little? Right? Do you need to dynamically change it for a certain group of users?
These are some of the things, but this goes back to the question, I think Kashini asked before, which is around who should own it. If you have executive engagement and executive ownership, you overcome a lot of these challenges. And if you socialize properly what you’re doing, it means, like, I’ve got this thing, Matt, I don’t know if you’ve ever experienced this, where companies have an idea that they’re going to do a program like this, but they’re not going to tell their staff about it upfront. And they want to catch people.
It’s like... but that’s the opposite experience of what you want. It creates disengagement. So if you socialize why you do it consistently, regularly, if you offer maybe a very small incentive, like at Tekspace, what we do is we reward people financially, a very, very small incentive, we give them small gift cards. That was just our choice of what to do to say, well done, congratulations, and make that reward an organization-wide thing that’s visible. So lots of different ways to try and deal with that.
But you will always have, it’s like asking people which political party do you go for, you’re never going to get one hundred percent of people that are going to be on this side or this side, you will always have a spectrum. So maybe part of that’s doing your absolute best, but also embracing it, that there’s going to be some outliers.
Yeah, that socialization thing is actually really important. And this is one of the things that we always kind of say as well is, you know, make sure that everyone in your organisation knows that this is actually kind of coming in so that it, you know, it doesn’t catch them by surprise. They know what to do and other things like that. One of the other things that you could kind of look into is if you have, like, a company wide meeting, again, not putting in click rates, but, you know, you can actually just put in some simple stats to actually convert those skeptical people as well.
So for example, when you do, like, it for, like, say, two to three months, you can actually say, well, in our company, you had twenty or thirty people actually click on it. And suddenly, you know, the people who are actually kind of skeptical would actually say, oh, I mean, that is probably ten, twenty, thirty percent of my workforce. So it is actually a threat. That is actually real as well.
You know, there are multiple ways that you can actually kinda... yeah.
This is a two part question, and it would be remiss not to ask this. So thanks for the question, Donna.
Just asking to have a quick look at the demo. So they really liked what they saw. Would basically watch it now. But I’m wondering also a rough idea of the cost per head.
And it relates also to another question from the audience, is around just how do you justify SAT as an investment, especially when budgets might already be tight?
So, yeah, just around the idea of cost and SAT as an investment. And then the second part might be around the demo, which, Donna, I can really say if you go into the feedback form, you’ll be able to request a demo and someone will be in touch with you if you prefer not to reach out directly. That might be a better way. But over to you guys around SAT as an investment and the rough cost per head.
Cool.
With the demo, yeah, Donna, we can definitely organize where they can actually kinda come and talk to you about the pricing as well. All I can actually say is, you know, it costs as much as a coffee, you know, per person or per head, but, you know, just to give, like, a rough idea.
When it actually comes to justifying SAT as an investment, well, if you kind of consider your workforce, they are your, you know, best investment that actually takes the business over, right? And essentially what you need to equate this to, like, you know, it shouldn’t be considered as a cost centre, but if you can actually kind of think about SAT, what it actually contributes to the business is direct risk reduction. So, because most incidents actually start with a human, either interacting with an email or a website that they shouldn’t actually be going to, and if they’re actually aware of the actions that they should be doing, or they shouldn’t be doing, then it is actually a direct risk reduction. And if you kind of consider the, you know, the worst case, which is, well, what if I take that away, and then someone actually clicks on it, there is an incident, what is actually the cost to the business?
So the cost factor is kind of immaterial, this has actually become like almost like a baseline thing that everyone expects, that people need to be aware of the cyber security risks, they need to know what to do and what not to do. So think about it as an extension of your acceptable use policy, you know, how do you kind of communicate that to the audience? Because that policy exists for a reason, there are things that you can do, things that you can’t do, but you know, don’t look at it as a cost centre. Think about it as an insurance that you’re actually building up and that you are investing in your people.
That’s an excellent answer, Matthew. Look, sixty seven percent of all breaches happen via email.
Tekspace would make the argument that there are probably at least five different cybersecurity layers. So security awareness training is just one. That’s really important to frame up. It’s not the be all end all.
It’s one of four or five layers at a minimum that you probably should have in place as a small business. In fact, any business of any size, and together, they create a robust position for ensuring the uptime and continuity of your business. We have the unfortunate displeasure at Tekspace and probably at CodeBlue some of the time of having to deal with someone who’s had a breach, and who’s coming to us for advice and guidance around that breach. Now, we will have to point them somewhere.
And typically, we have to bring in expert pen testers or cyber experts that are willing to get hands on inside that client. And from the smallest business that’s just doing one million revenue, right, to businesses that are doing ten, fifty, one hundred, the percentage impact is always just huge.
You almost feel silly that you didn’t put some base measures in place. Their costs relative to the impact is kind of how the equation works.
So that’s kind of what it looks like. Unfortunately, sometimes a breach has to happen before people reach perspective.
Tell this to MSPs because there’s lots of MSPs that are out there like Code Blue that do an amazing job at taking care of their clients. But if you imagine that someone was approaching your house, right, a literal robber, and they came up and they tried to break in the front door, and you can see it on video camera. So this has just happened to you. You’ve watched it.
You can see it on video camera. They’re trying to break into the front door. You watch them. What do you do?
And when you ask people this question, it’s completely legitimate. And some people unfortunately have had this experience where someone’s actually broken into their home. Almost immediately the next day, a whole bunch of things have popped up. They’ve added a guard dog, they’ve put some alarm on, they’ve put music in, they’ve tried to do whatever they can because they want to feel safe, right?
That’s a very human experience. And that’s only happened once. Now, MSPs have something called a firewall, let’s not get too technical, but just think of it as this thing that is trying to reject a whole bunch of attackers. And if they ever showed you how many times a minute and an hour someone is trying to break down the front door of your business through that firewall, you’d be shocked.
You know, so that’s an experience if you want. Hopefully, Matthew, I’m not throwing you into a boat where you have to do a bunch of engagement. But literally, you can do a live screen share and show someone their own firewall. And you can just see it getting hit from country after country.
It’s hundreds of times in a minute.
So that’s the reality because the attacks are autonomous, they’re automated, and they’re just trying to find an open entry point. And they try via multiple different avenues and emails, one of the most successful for them, right? Because we’re humans.
Very good.
Wow. Really interesting. Great questions as well, everyone. Thanks. Thanks for asking our experts such, yeah, on-topic questions.
Thanks everyone for joining us as well. It’s been a real pleasure to speak with everyone today.
And please let us know what topic you’d like us to cover next. We’ll be having both Matt and Frank in the expert chairs again.
But, yeah, thanks, everyone. I might hand over to Matt and Frank just to say goodbye, but thanks again. We’ll see you next time.
Yeah. Thank you everyone for joining our webinar. Hopefully, you found some value in it, you know, regardless of what platforms you use, whether it is annual training, manual training, all those kind of stuff, you know, you could hopefully take some of these things away, the learnings away, and make it more personable to your staff.
Yeah. Likewise. Thank you. Have a great day.
Yes. Bye bye.