#418 How to approach Cybersecurity today - an interview with Craig Taylor from Cyberhoot - by Niels Brabandt

How should organisations approach cybersecurity today? Most approaches aim for control and punishment. Craig Taylor from Cyberhoot favours a modern approach built on learning and development. He shares his insights, experiences and expertise in this interview with Niels Brabandt.

---

More on this topic in this week's podcast: Videocast / Apple Podcasts / Spotify

For the videocast’s and podcast’s transcript, read below.

 

Is excellent leadership important to you?

Let's have a chat: NB@NB-Networks.com

 

Contact: Niels Brabandt on LinkedIn

Website: www.NB-Networks.biz

 

Niels Brabandt is an expert in sustainable leadership with more than 20 years of experience in practice and science.

Niels Brabandt: Professional Training, Speaking, Coaching, Consulting, Mentoring, Project & Interim Management. Event host, MC, moderator.

Podcast Transcript

Niels Brabandt

Cybersecurity. Many of you will know that we have had quite a number of headlines just recently with cybersecurity, and let's say it didn't go too well for certain brands. Marks and Spencer was one of the affected ones. And today, I'm very happy that I'm gonna have an expert on the topic right here. Hello and welcome, Craig Taylor.

Craig Taylor

Thanks for having me, Niels. It's very good to be here.

Niels Brabandt

Thank you very much for taking the time. So we see another big brand is affected. And quite often, people wonder, I mean, this is not the first big brand being affected, and it's not a cheap brand. So it's a brand where you expect that they have the budget, and they probably had the training. And maybe it's one of these traditional cybersecurity training methods. And what is your take on, let's say, traditional cybersecurity training? Does it work that way, or why are certain approaches maybe not that successful?

What do you think is the issue here?

Craig Taylor

So that's a great question, Niels. And I think we should start with a story, and then I can answer that question. Yeah.

Niels Brabandt

Go for it.

Craig Taylor

Marks and Spencer has been around forever. It's got a great brand name. It's a high end retailer in the UK, I believe. I'm in the US, but I too was touched by Marks and Spencer thirty years ago on a trip to the UK for a rugby tour as a young man, 15 years old. My luggage was lost, and they gave me a $200 gift card to go to Marks and Spencer to outfit myself for the two weeks we were touring around England playing rugby. And so when this breach occurred, I wondered, do they have my data from thirty years ago?

And was I exposed? You know, I'm sure a lot of people are asking that question. At the end of the day, no PCI and financial data was exposed, I guess. So I'm not too concerned about it. But it's interesting how the world is so small, and these breaches touch everyone. It's something of interest.

So back to your question. Cybersecurity is an emerging field; it doesn't have a hundred year history, it's 25 to 35 years old. And I believe that there are a number of growing pains it's experiencing, if you will. For example, there is this problem with employees clicking on links, leading to exposures, breaches at companies. You know, there was a multi year analysis in the US of all breach data across the globe. There's a company here called Verizon, and they do a data breach report where they pull in Interpol breaches, and breaches from Australia's security organizations, the US, Canada, everywhere in the world. They pull all the data together.

Niels Brabandt

They're the global approach pretty much. Yeah.

Craig Taylor

What's that?

Niels Brabandt

It's pretty much a global approach, the data.

Craig Taylor

It's a global approach. Yes. Yeah. And a year and a half ago, they did a meta analysis of all the data for the last twenty years, and they came up with the following conclusions. In 2003, twenty two, twenty three years ago, phishing attacks, you know, these fake emails that are sent to our inboxes that ask us to click on things we shouldn't, was the number one breach method. Fast forward twenty plus years, it's still the number one breach method, because it bypasses all the security mechanisms that we have in place, and people will be the weakest link. Human firewalls are the weakest link.

People are still clicking twenty three years later. Now they concluded that the number of attacks is higher than it was in 2003. It's, you know, a thousand percent more. It's enormously great. The impact of the breach is more significant. The cost to the businesses, the data is no longer just encrypted. It's exfiltrated.

It's published online. So there are double extortion capabilities, but it's still the same attacks. AI is playing into it now, where they're creating much more enticing emails that get people to click more on it.

Niels Brabandt

Do you think that there are really good emails out there where even trained people would say, looks legitimate to me, and they click on it? Do you think that there are such good emails, or is it still a lack of good training? Because just to give you my point of view here, in my opinion, we have lots of training out there where someone on C level says, yeah, let's buy the $49 online training, and anyone clicks through that. So we can tick the box legally, and the insurance company is fine with us. And I think this will do the trick. And in my opinion, it does not.

Craig Taylor

Agree a hundred percent. It does not work. So just to step back for a moment, I had a psychology degree before I entered cybersecurity.

Niels Brabandt

Yeah. So all that.

Craig Taylor

Yeah. I studied operant conditioning, the effects of punishment versus negative reinforcement versus positive reinforcement. And for eighty years, psychology has concluded, if you want to change behaviors, in other words, you have a desired outcome of people behaving in a certain way, don't punish them to get them to do these things. You must reward the good behaviors you want to see them continue and internalize. Punishment is external locus of control. If you remove the punishment, people go back to their habits. No different than if you train a dog with a shock collar, and the dog goes outside without the collar on.

Niels Brabandt

Yeah.

Craig Taylor

They're gonna do whatever they want.

Niels Brabandt

Yeah. Of course.

Craig Taylor

Train the dog with treats, reward them for the good behaviors, and then if there's a potential for a treat or a reward, you say come, the dog will come. You want a certain behavior, it changes behaviors. And I don't know why, but psychology, I'm sorry, cybersecurity has focused too much on punishing bad behaviors, clicking on links via phishing emails. So this is the area where I think the whole industry needs to course correct a little bit towards positive reinforcement. To your point about training, you can train people not to click and threaten them with punishment, and it only works to a certain extent.

Niels Brabandt

This is really interesting because I can name you an example which just happened last week, where an IT person, a CIO, told me they now have this new program in place where they send out fake test emails. And when someone clicks on a forbidden link, they are reported to IT. They have to show up there. They have to talk with HR, and they will be sent to a training as a consequence of that. So that is the punishment, the wrong approach.

Craig Taylor

It is absolutely the wrong approach. Wow. But it is what the entire industry has practiced and developed and tried to make better and better and more automated, and it does not work. Right now in The US, I have four universities studying the, you know, our own approach at CyberHoot where we reward good behaviors with gamification, certificates of completion, continuing education credits, avatars that grow in ferocity and defensive lookingness as users complete and build their cyber awareness. Their cyber literacy is what I call it.

Niels Brabandt

Yes.

Craig Taylor

And all of those are benefits and rewards for doing the right things such as looking at an email. We have an exercise and you look at the sender and you say, is this typosquatted or not? What does that mean? Well, if you get an email from Netflix, a universal across the world, and it's missing the I in netflix.com, guess what?

It's not Netflix.

Niels Brabandt

Yes.

Craig Taylor

That is a hacker approaching you to get you to click on something, to give your credentials, or provide something you shouldn't. And if you don't teach the good behaviors of inspection, of understanding why hackers create urgent and emotional email appeals to get you to react without thinking, because when you react instead of respond with a pause, you make more mistakes. These are the good behaviors that we need to reinforce across the industry as educational events for individuals, not this report you to HR, have a meeting with, you know, your manager and HR, and three strikes and you're terminated. That just creates fear, uncertainty and anxiety in your employees and it crushes morale. Morale suffers, and you actually will lose clients if you're a managed service provider and you're doing it to your clients. You will lose employees if you're an IT department and you're forcing your employees through this stuff. It's no way to live.

But if you can create a positive educational, here's the good things and we reward these good things, and as you get better and better at it, you get more rewards, you're going to have a happier, higher morale, and more effective behavior change over time. It's a proven, going back to my psychology, a proven psychological effect. Positive reinforcement changes behaviors. It's initially external, then it's an internal locus of control over time.

Niels Brabandt

That sounds like cybersecurity moves a bit from being basically an IT issue, because that's what most leaders do. They say, look, IT has to sort this out. I'm an economics person with an MBA, so I just do my stuff and you do your stuff. So it moves to being more of a leadership thing to take care of cybersecurity.

Craig Taylor

Yes. Yes. As you look at this and, you know, this is the leadership podcast overall. It's been a challenge for me as the head of CyberHoot to say, industry as a whole, we have competitors in our space that are worth $6 billion that are doing it better and better in the punishment way. And, you know, we look at them as the Goliath, and we say, this is not the right way, but it's hard to be heard when you have the entire industry focused on one thing. Yeah. But slowly and surely, we're seeing some companies are building in reward mechanisms to train and teach and reward the good behaviors we all want to see.

And that's where we're seeing the most promising benefits. Right? From an economics perspective, if you said invest a thousand dollars, and you could invest it in a punishment system or a reward system, and you could measure the outcome, the financial benefits, the return on investment will be up here for rewards, and it'll be down here for punishment. And by the way, rewards are long lasting. The behavior changes. So if you remove the reward system, the people still understand what they're supposed to do, and they will do it because it's now intrinsic. Punishment, you remove the punishment.

Let's say, oh, we're getting too many terminations and too many, you know, departures. Let's remove the punishment system. Well, your clicks will go way up. Your enforcement mechanisms are gone, so people will do whatever they choose, and they don't have the skills to identify when they're under attack, and it will be a real mess.

Niels Brabandt

Mhmm. So let's think you have someone listening to this podcast right now or watching the video here on YouTube, and then they say, okay, I know this is a good approach. However, how do I convince my senior management, my executives, about that, especially when their, let's say, IT literacy is, let's just say, not top level? And also, they are used to the punishment system and they think it works well. So how do I convince them, especially when they are not really into the topic and they say that's an IT issue, talk to our IT guy, please?

Craig Taylor

Well, until the study we're in the middle of is actually published with empirical research proving this point, right? We have four universities in The US studying the affect and the effect of positive reinforcement on phishing and cyber literacy skills until that comes out and we can hand you the evidence that says it's a proven fact, because anecdotally we have the evidence, but we need empirical data. Until then

Niels Brabandt

Science leads the way. Fully agree. Right.

Craig Taylor

Exactly. Until then, there's nothing that stops you from trying a, you know, a free trial of our product or something similar that basically rewards these skills alongside whatever you want.

Niels Brabandt

I heard the magic word: free. So people can, wait, people can use CyberHoot for free?

Craig Taylor

Yes. Absolutely. Individuals can sign up at cyberhoot.com/individuals and have free access to our tool. All of the awareness videos and the phishing simulation, the positive reinforcement phishing, to teach them how to phish, feeding them for a lifetime of confident, efficient, and secure email processing. Once you see it and try it, there are a lot of dots that get connected in your mind saying, well, first of all, I understand this for the very first time. That is a wonderful feeling, to understand why hackers use emergency and emotionality to target me. Now I'm immune to that approach.

To understand the specifics of typosquatting and domain names and know what to look for and why, oh my goodness, I love that. And then the feeling also comes over you that I'm not anxious and fearful and worried, I'm confident, efficient, secure. It proves itself in just a matter of exercises. And at that point, you can sign anyone you want up individually. And if they decide, then they could move forward with a free trial.

Niels Brabandt

Nice one. So when an IT person now is looking at this and they think, okay.

I get it. At the moment, we have a different approach. And maybe people say, I have a feeling of I might risk my career or my next promotion or my next Accelerator is when I say, hey. Look. We've done something wrong in the past. So how do we overcome the barrier of not doing finger pointing, blaming someone, or simply say, hey. For the last ten years, we've not done it very well, so we need to change directions.

How do I do that professionally and courteously in any way?

Craig Taylor

Well, you can look at the facts of the matter. There are five or six really critical flaws in fake email phish testing. I don't need to get into them here, but there is a problem with the domain you can email from. It has to be nothing remotely related to the vendor you're impersonating, which dumbs down your employees. You cannot use netflix.com or any version of that in a test email, exactly how hackers will hack you. But you can't, because Netflix will send their lawyers after you to prevent this. There's a metrics problem. Anyone that does not open the fake email inside their inbox, there's no metric for them. You don't know what they did. They didn't see it or they did. They didn't open it or, you know, there's just no metric. So you only ever see 50% of your users with the traditional method.

It creates, and we know this to be a fact, fear and anxiety, and the IT team is flooded with questions. Is this email a phish? Is that email a phish? So the scenario and the situation we're all faced with is dismal to begin with. If we say, try something different to address these failure points that we know about, because with every assignment from a CyberHoot or a HootPhish exercise, you get a metric on every person, you know that they did it. And if they didn't, you can follow up with them until they do. You get a maturity rating based on how they scored.

You have realistic examples of how hackers hack us to teach you the typosquatting and the nuances of phishing. All of those things clearly, articulately address the shortcomings of traditional fake email, so try it alongside it if you can't replace it initially. Just try it for free and give it a shot and see how your users react to it. We know in our anecdotal evidence, we had an MSP with 50 clients, 40 were in it over ten, three years of time. Not one of the 40 clients in this 50 customer base was breached. Two of the 10 that refused the positive reinforcement training were. Also, the employee affect, you know, the self reporting of how are you doing in cybersecurity, was much, much higher in the 40 companies that were using it. And so there's just, it's almost overwhelming evidence from anecdotal.

Again, until that study, empirical study comes out, you know, and your gut instincts, here's the best part, imagine training a dog with a shock collar or treats. Who's happier? The treat based dog or the shock collar dog?

Niels Brabandt

The treat based dog, obviously. The other option, I think, is very close to animal torture, if it is not straightforward animal torture, I think.

Craig Taylor

Right. And why are we doing that for our employees? How is a shock or punishment basis of employee treatment, where HR meeting, manager meeting, three strikes, you're terminated, versus positive reinforcement, treat based. Hey, you did a great job at this. If you're ever a coach in any sport, you know that there's a hamburger sandwich. You could have done this a little better.

This, you did very, very well, and let's apply this to that, so that you have this positive reinforcement of the good things and an awareness of the bad things. And you combine it, and you have better outcomes.

Niels Brabandt

Excellent. So just to wrap this up, when we now make this decision, we all know that any decision regarding cybersecurity is a higher risk decision. And when you talk about your experience, you were the risk manager for VistaPrint, I think, and for Chase as well, Chase Bank. So you have intense experience of high risk decision making. Could you give people a hint on any framework, how they make these decisions, or how they can present these decisions in a way that actually convinces people and that they actually go down the right way?

Craig Taylor

Yeah. You need to measure outcomes. I think the ultimate guide is what you can provide from a metrics perspective on the success or failure of your company. It's not to say that a fake email test of employees is never to be done again. But if you educate, just as when you go into a university class and you learn the material over the course of a semester, and then you have a final exam. Mhmm. So too should you take that approach within your businesses.

You should teach the raw material, the knowledge that's necessary to understand phishing, password hygiene, all these cybersecurity topics, and then trust but verify with a test, a fake email phishing test, after the knowledge has been transferred in. That's the ultimate goal and, you know, the metrics that you can bring to leadership, saying, you know, before we started this, we had a failure rate of this, and we know from the news in the industry and the Marks and Spencers of the world that whatever we're doing is not working, not enough. And so as we've gone through this program, now we have x percentage of compliant employees. They are all doing their assignments. We know for a fact every last person all the way up the chain, because let's not forget, CEOs, the C suite, are the least likely to complete their training assignments. And if you can't measure that, you have a big problem.

Niels Brabandt

Yeah. Absolutely. So wrapping this up, when people now say, hey, I think this is a good idea. How can people get in touch with you? Where can people find you? And could you maybe again mention the free aspect?

Because I'm sure this is this is a message to many.

Craig Taylor

Of course. So anyone can inquire via sales@cyberhoot.com about a free thirty day trial of our platform. Or if you're an individual and you just wanna kick the tires and give it a go, register for free for life. We don't cut it off after one or two, you know, trainings.

It's good forever. Cyberhoot.com/individuals, and you can sign up and continue your cyber literacy education there for free, giving yourself, quite frankly, a leg up on anybody else in your industry, any competitor for a job you're in. If you have cyber literacy skills, they will take you far in this world.

Niels Brabandt

Yeah. Excellent. I think these are the perfect final words. Cybersecurity is more a leadership issue than an IT issue. Craig, thank you very much for your time.

Craig Taylor

Been my pleasure, Niels. Thank you.
