Episode Transcript
[00:00:00] Speaker A: One, two, three.
[00:00:01] Speaker B: Come on.
[00:00:02] Speaker C: In the grand stadium of the digital landscape, where teams of innovators and hackers face off daily, there stands a commentary box like no other picture. The buz of a pregame show, the strategy analysis of the halftime break, and the deep dives of a postgame discussion all rolled into one.
Welcome to Off The Wire, a play by play on cyber issues. Your sports desk for the big league of cybersecurity. Just like in sports, in the cyber world, understanding the play is key to.
[00:00:36] Speaker B: Staying ahead of the game.
[00:00:37] Speaker C: And that's exactly what we offer a podcast that brings the strategy room to you, helping you to understand the moves, the players, and the landscape like a true analyst.
Off The Wire, a play by play on cyber issues.
[00:00:58] Speaker B: Hi. Welcome to our inaugural podcast. You're listening to off the Wire, a play by play of cyber issues with John Watkins and my co host, Anthony Kent. Every time we have an episode, we're going to be going and meeting some issues head on with a little bit of cyber.
Know there's always these issues out there, and I think it's good to kind of look at both sides of them, and that's what Anthony and I are here to do. With that, I want to give a little time and let Anthony introduce himself.
[00:01:27] Speaker A: All right. Hello, everyone. My name is Anthony Kent. I've got ten years of co op experience, whether that be being at a cooperative or supporting a cooperative. And I also have ten years of dedicated cybersecurity experience. I supported the Navy Marine Corps Intranet, and for those that don't know about it, it is the largest network in the world, and it's also one of the most secure networks in the world. And then for my education, I have my master's in technology with a focus in cybersecurity from ECU or if you went to NC State Easy Credit University, you'll call that?
That's me. John all right, cool.
[00:02:06] Speaker B: Awesome. Of course. I'm John Watkins. I've been doing cybersecurity for the last 14 years. I see. ISSP Holder had my SSCP early on, but I let that expire.
But I have participated in a number of different kind of cyber things, from Red Team to doing tabletop exercises to policy development, lots of other things. Was with a co op for about a decade and then, like I said, about 14 years of cybersecurity.
Hands on experience, if you want to call it that, and just kind of been around the cyber world for a long time and got a great passion for it. And especially for electric cooperatives, since we are protecting critical infrastructure.
So today, I guess this is episode one, right?
Season one, episode one. I guess that means we're going to have more seasons, more episodes. Anthony, is that right?
[00:02:57] Speaker A: That is correct.
[00:02:58] Speaker B: All right, so what's the name of this particular episode then?
[00:03:03] Speaker A: This one is fish or foe? Decoding the effectiveness of simulated exercises.
[00:03:08] Speaker B: Fish or foe. I like that. That's good.
All right. So fish or foe decoding the effectiveness of simulated exercises. And everybody, I think, knows what a simulated fishing exercise is. But if you don't, for those that may be first time listeners or something like that, I guess everybody's a first time listener on episode one, is that right?
[00:03:29] Speaker A: That is correct.
[00:03:31] Speaker B: Okay, I'll try to be better. Anyways, introducing the topic here above, simulated phishing exercises. This is where what happens is your company or your It folks or whomever try to get you to click on things that you shouldn't click on for the purposes of training. Right. So this is basically to simulate real world phishing from malicious actors. Right. And why is that such a big deal in the current business landscape, Anthony?
[00:04:01] Speaker A: Well, I'll start off with the MGM attack. I don't know if you read much on that, but that started by social engineering. I wouldn't say it was going in by phishing per se, but it doesn't eliminate it. I know they spoke with folks on the phone, but I would bet that that was part of the deal on how they got the information they did for the MGM to break into their network.
[00:04:26] Speaker B: Absolutely. So like you said, it's a way to phishing is another form of social engineering of some sort. There's a lot of different types. Social engineering, social engineering out there. I'll say it right here in a good way. This is why it's such a pertinent topic in this current business landscape, is because there's so many of these attacks that do start with social engineering. I think the Verizon Data Breach and Investigation report for 2022 mentioned the top three vectors being social engineering credentials of some sort, stolen or what have you. And then of course, vulnerability management. So this is right up there in the top three?
[00:05:04] Speaker A: Yeah. In the past, I've read it's typically around 70%. That where it's using social engineering as a tactic.
[00:05:10] Speaker B: Yes, that's why it's relevant. It makes sense. So real quickly, we're going to take a quick break now and introduce the sponsor of this show.
[00:05:18] Speaker C: Today's episode is sponsored by John Watkins Consulting, the Cybersecurity expert electric cooperatives trust. Are you an electric co op? Struggling with limited resources and the daunting task of safeguarding critical infrastructure. John Watkins Consulting specializes in easing that struggle. With over 14 years of experience, john offers tailored solutions to fight your unique cybersecurity challenges.
Don't let the difficulty of board engagement and cultural challenges hold you back. John Watkins Consulting will guide you through these challenges, turning your pain into progress. Yes. Ready to fortify your coop's digital defenses? Call 937622 Eightyn or visit johnwatkinsconsultant.com. John Watkins Consulting. Turning your cybersecurity struggles into strengths.
[00:06:19] Speaker B: Okay, so, yeah, thanks for that sponsor. That's a pretty good company. John Watkins Consulting. I've heard of those guys.
Have you heard? Word on the street says so, yeah, pretty good. All right. So we're going to go ahead and get right into it. So we're going to kind of get going here. I guess we kind of defined it a little bit about what a simulated phishing exercise is. But can you go into a little bit more detail about that?
[00:06:41] Speaker A: Anthony really it's just where It departments, they try to mimic attacks on their employees and I will say this, sometimes they do a little too good of a job at mimicking attacks. I do recall one time a user got a simulated phishing attack against him with the bank name that he uses and I know he spent some time on the phone trying to figure out what it was. But he did do the right thing and he did not click on any links or open any attachments. But it did cause a little grief because he thought it was for real.
[00:07:15] Speaker B: Yeah.
What's the purpose behind these?
[00:07:19] Speaker A: Well yeah, for the purpose you can use it for awareness and education. You can also do it to assess your company's risk and then also you can use it to modify behavior. I think that in the end is what we want most out of simulated phishing attack.
[00:07:35] Speaker B: Right. Is there any kind of way to track this? I mean how does that work from the tracking standpoint like number of clicks and failures and all that or what? Yeah.
[00:07:44] Speaker A: So what we use internally at the cooperative I'm currently at is we track the number of clicks. That's the obvious one. But something I think that's more important to focus on is not you want to make this kind of a reward, not make it punitive in nature. And what we do is we also monitor the people that properly report it. Matter of fact it was actually today the quarterly, we give away a gift card for $250 so every person that properly reports it gets entered in that raffle. And today we had a winner with a $250 Visa gift card. So at least one person is happy about it.
[00:08:22] Speaker B: Yeah. Am I able to jump in and report some emails, maybe get part of that love there?
[00:08:28] Speaker A: We got some people reporting everything but that's something we got to work on.
[00:08:32] Speaker B: All right, so let's get into the pros and cons of this. Now we're going to flip a coin and I guess the kind of way this works on the show is that every time we have a show we pick this topic and then we flip a coin to decide who's going to be for this topic and who's going to be against it. So we're going to kind of look at both sides of this and I guess I'm going to flip a coin. Call it in the air. Anthony heads or tails?
[00:08:52] Speaker A: All right tails.
[00:08:56] Speaker B: Oh, tails it is.
[00:08:58] Speaker A: All right.
[00:08:59] Speaker B: So would you like to be before it or would you like to go against mean I'm going to be for.
[00:09:03] Speaker A: It on this one, John.
[00:09:04] Speaker B: Okay. All right, well, be that way.
[00:09:07] Speaker A: I guess I got to show you're not right all the time.
[00:09:10] Speaker B: That's a good hey, come on now. Easy now. All right. Okay. All right. You want to get the gloves off early? That's good. All right. That's good. All right. So let's go ahead. Tell me a little bit about what is so good about these wonderful phishing exercises. Come on. This is stupid.
[00:09:26] Speaker A: Well, I mean, the main thing is to get people to stop clicking on stuff that they shouldn't click on.
[00:09:30] Speaker B: I mean, does it even work?
[00:09:33] Speaker A: Yeah, for us, when the first campaign that we ran, we had I think it was over a 17% click rate, and I was honestly ashamed, but it wasn't what it was. And honestly, just being the I'm currently the VP of it, and ultimately I took that upon myself as that being my fault. And anyways, we did our annual training and then did another phishing campaign, and after that we got it dropped down to I think it was around 2%, which the tool we use, it shows that the average utilities click rate is 3.8%. So right under the norm for a utility.
[00:10:17] Speaker B: Yeah, that sounds fine and everything, but how many employees did you completely just alienate and make mad when you started this thing? What's the percentage on that? You track that?
[00:10:30] Speaker A: Well, I do not track that, but I'm not going to lie and say that there's not one, so I'll go with one. We have one very happy person that won a gift card, and we have one very dissatisfied person that definitely doesn't want to take any training. So they do have a tendency to overreport stuff, whether it's spam or even legit email, but we're working through that.
[00:10:56] Speaker B: I guess what I'm trying to drive at here is doesn't this kind of like foster distrust that you're trying to trick your employees? I mean, come on.
[00:11:04] Speaker A: No, I think if you have a focus on the positivity on it with the gift card and that and everyone everywhere is hearing about cybersecurity these days.
We've had two different vendors that we work with have some type of breach or incident, however they want to call it. So I think it's really cybersecurity is at the tip of everyone's tongue.
[00:11:28] Speaker B: I don't disagree with that. I guess I'm just thinking about there's so many things that employees got to deal with on a regular basis, and now you're going to throw another layer at them and go, okay, hey, we're going to trick you. I hope you pass. Doesn't that kind of make them feel like how does that make your employees feel? You know what I mean?
[00:11:46] Speaker A: And I'm sure it can, but I think a lot of that is how you implement your program, and each company has got to kind of craft that around their organization. But I think the key is to not overdo it.
[00:11:59] Speaker B: Okay. All right. So what's another pro then of doing this other than trying to get some awareness or education and training? What's another good pro that you think is good for this?
[00:12:13] Speaker A: I think just our board of directors, they're wanting to know how we're doing on Cybersecurity and I think that is a big part of it. We're able to relay to them the metrics and the reporting counts. Tell them how many clickers we have.
[00:12:28] Speaker B: Yeah, but I mean, you tell them you got 2%. Right. It sounds really good. Yeah. We started out with 17, but now we're down to two. But is that making what?
[00:12:37] Speaker A: But what, John? That's pretty good numbers.
[00:12:39] Speaker B: No, I'm not saying it's good. No, obviously it is great numbers.
[00:12:42] Speaker C: Sure.
[00:12:42] Speaker B: Right. 2% versus 17%. I mean, depending whatever you're looking at. But what I'm trying to say is it only takes one.
[00:12:48] Speaker A: That is true. That is a very true statement. Right.
[00:12:51] Speaker B: So, I mean, does it give you a false sense of security?
[00:12:55] Speaker A: I don't know that it does that. I still think folks know we're definitely susceptible at this point, but I believe that we're less susceptible and I think a lot of the employees would think that as well.
They're on the lookout and you can hear sometimes they're talking about it in the hallways.
It comes up where this was never a conversation except for the one time a year I would stand up and give them the Cybersecurity training. So it's nice to hear it not just one time a year.
[00:13:26] Speaker B: Yeah, I guess I hear what you're saying. You want to raise the awareness. I guess my point is just like, hey, yeah, we're 17 now, we're at two. It's fantastic. Everything's happy. Golden rainbows and unicorns. And then all of a sudden you guys have an incident. And then what happens? A guy comes along and says, I thought we were at 2%. I thought that was good.
[00:13:44] Speaker A: Yeah. And I think we portray that when we speak with folks. We don't tell them that we're definitely not going to have an incident. But I do think it helps. And I'll say this, nothing makes me happier than I've had a couple of linemen say, hey, you almost got me with that one, and talk about it. So I think just having that conversation, I think that plays a big part in it changing the way people act and how they react with emails and just click on anything like they would have beforehand.
[00:14:16] Speaker B: What's another advantage of doing a simulated phishing exercise?
[00:14:21] Speaker A: Well, for us, I would say, I don't know if you want to look at the advantage or not, but this is relatively a cheap product for us. I'm sure you're aware both Nic and Meridian, they offer a product and it's discounted heavily.
As far as my folks time with using this, I think there's just a lot of bang for your buck because it doesn't take much time to set up. I mean, maybe more so the first time, but once you have that, really what we're doing is every quarter. So we do this every quarter, but we'll pick out training and I might spend 1520 minutes every quarter and pick out a different training exercise for those that do not pass.
[00:15:07] Speaker B: Okay. Yeah. I just was curious, how much time does it take you to do something like this? To put it together and conduct this exercise and go back and look at the metrics? It doesn't sound like the licensing is super expensive.
[00:15:21] Speaker A: No, I'll say this the initial set up, we probably spent more time than we needed to, but we just wanted this to be the best program we could have. And so we probably spent two weeks off and on, probably about three of us. And now though, it's pretty much set it and forget it. They just put the schedule out. And like I said, the longest part is just me picking out the training. And that's just because I'm a little stickler on what we're doing for training with our employees.
[00:15:50] Speaker B: Yeah. So what about any legal or ethical concerns with doing this?
[00:15:56] Speaker A: Know, everything with the Cooperatives PCI is the big one, but there's other industries and regulatory bodies and almost all of them, they require a security awareness training program. And for PCI, there's requirement twelve six that it requires that you implement a formal security awareness program. So doing these security phishing training exercises, that helps. And then also almost all of them are coupled with training.
So when you put those together, you're helping meet that PCI requirement. And then another thing I'll add on is the Nraca's Pen Cyber goals.
Goal six is leadership training. And then goal seven is employee training. So some people are just using this tool for their training. Me personally, I'm a little stickler for the training. Annually, I like to give my own specific training, so I'll tailor it to what I want the employees to hear. But after the fact, for any of those folks that click on an attachment or open a link that they shouldn't, they'll go through the training that we've got assigned through our system.
[00:17:06] Speaker B: Yeah.
[00:17:07] Speaker A: Okay, got you.
[00:17:08] Speaker B: Yeah. The thing I'm asking here is just trying to I know I was looking out on LinkedIn at some other there's some people out here that are just really against phishing altogether. There's one account that I found and he's pretty much dedicated like his whole LinkedIn feed to all of these, just one after the other, after the other, after the other of these posts that talk about all these bad experiences with phishing. Like this one here says, I love how when our It department sends out an email phishing test, all the employees go crazy on the internet social network, warning people not to click it. So I mean, doesn't that just take away from the if everybody's getting on teams or something and say, hey, don't click on things. XYZ email. Right? Yeah.
[00:17:57] Speaker A: And that can definitely happen. I think that's one of the reasons why we do our campaign quarterly and all of our employees, it's spread out through the whole quarter. So you're talking like four or five employees, maybe six or seven at max, are sent out over a week's time, receive a test email. So if you were to comb that down to like two weeks and send it to all your employees, that's what you're going to get. So there are some nuances that you want to think about when you're setting up these campaigns. And I do think spreading them apart will help against stuff like this.
[00:18:39] Speaker B: Yeah, I think I heard about one on here that this guy was complaining about where because of economic reasons or whatever, the company had kind of taken away the employee bonus program or whatever. And so the It department heard about it and then they sent out a phishing email that was saying, hey, click here to get your bonus. And I'm just like, oh, that is cringey. I just don't think that's a good way to go about doing it. Right.
[00:19:04] Speaker A: All right, John, I'm not going to lie. There is no defending that. I would be upset myself.
[00:19:10] Speaker B: Yeah. No, I totally know. You got to be able to like I guess what I'm trying to say with your fishing program, fishing simulation program. I don't really disagree that it's a good thing. I think it's a good thing. I think you should do it right. I think there's some drawbacks just to kind of put a punctuation on this. I think there's some ways to craft these emails in a way that it makes sense and it actually does what it's supposed to do, rather than just you're not trying to just trick somebody. You don't want to be evil, right? Like be the bad guy. And here you've heard Anthony and I kind of go back and forth here in this episode, but honestly, we're both for fishing exercise, we both feel like it's a good thing.
There's a lot of things out there that could do wrong on these. And you hear about some of these, everybody's going through these bad things and they're complaining about it or whatever, but even like some of the brands using certain brands can get you in some kind of hot water sometime. But I think a good, well crafted program can actually get people just like you're talking about with some of the success stories. You went from a 17% down to 2.2% click rate. You've been able to sustain that. You had a lineman talking about, hey, you almost got me on that one. I think that's obviously it's good stuff, right?
[00:20:25] Speaker A: Yeah. And one thing that I'm very proud of, recently we started testing it with our board of directors. So they are now on our phishing campaigns that's awesome. And I am proud to say that we had zero clicks last quarter, so very stoked about that.
[00:20:42] Speaker B: Awesome. So yeah, I mean another one I wanted to kind of bring up is what about this whole concept of discipline wrapped around failing of phishing.
[00:20:52] Speaker A: So with that, I think the previous quarter we had a phishing game that they played, but it would still give you some of the information.
I had one user or one employee, they actually came back and said, I learned more from that game than I have off of anything.
So 100% did not expect to get a compliment on the training, especially after someone being assigned it. I thought it was just going to be like that was stupid, or I did not expect anyone to be really happy about having to take training. But I think as long as for that, I think it's important for that to be somewhat entertaining and light hearted to some degree, but still get something out of it. And like I said, the annual one that I do for all employees, that one. Of course I try to liven things up because it'll stick more in their mind, but I think you can have fun with this and it also be effective at the same time if you're careful on what you're using.
[00:21:55] Speaker B: Have you heard of anybody letting anybody go because they failed too many fishing tests?
[00:22:00] Speaker A: I have not, and that's something we have not discussed.
But I could understand if you had a repeat offender over time, over time, I don't know what you would do.
Of course, obviously you start with a verbal warning and then moving on, but it's hard for me to imagine it getting that far. But it could happen.
[00:22:21] Speaker B: Yeah. I know of one that the person was in the It department and apparently from what I understand, they had been warned multiple times and they walked them through the process and the whole thing. And it sounds like this person probably would have got fired for other things anyways. But at the end of the day they kept clicking on stuff and so they had to let them go.
[00:22:45] Speaker A: I just want to make sure this was clear. This was someone in the It department.
[00:22:48] Speaker B: Yeah, that's the other thing. So that's a very good point because if it would have been alignment, for example. Right, that's one thing.
But if alignment can't climb, why are they being alignment? Right, so if an It person can't differentiate phishing emails, should they be an It?
[00:23:06] Speaker A: That's a good point. That's a very good point.
[00:23:09] Speaker B: I know for a fact that that person had been trained multiple times and I knew a little bit about that one, but yeah, I don't know. All right, so I think that's pretty much everything that we're going to talk about in this particular episode. One more thing I guess I did want to remind you of. What about the training? Do you assign training did you say that already? You assign training to anybody that clicks or opens or fails?
[00:23:32] Speaker A: Yeah, any of the folks that either open an attachment or click on a link, they are assigned training. And like I said, we try to keep it short and brief.
I think the last thing we sent out, most of our employees, they are able to finish it within ten minutes. And also just the tool we use is real easy. So they're able to pull it up on their iPad or computer and knock it out. We have some linemen that had to take it and then they knocked it on their iPad out in the field.
[00:24:00] Speaker B: Yeah. Okay. So kind of like to recap what we talked about here, we kind of went back and forth a little bit. Hopefully it was a little bit.
Some tension, some friction. That's what we're trying to do here. But we talked about defining simulated phishing exercises and what they are and how they mimic attacks in a controlled environment. We kind of talked about some of the pros education awareness, those kind of thing, identifying vulnerabilities in the system or actually within the network of folks. We kind of talked about how these exercises can help identify those and keep you compliant. We talked about how cost effective it was, especially with a lot of the tools being subsidized or heavily discounted through some of the partner folks. We talked about some of the cons, we talked about some of the drawbacks. We talked about some of the maybe if you don't do it right, you can really alienate some of your employees. Right? We talked about how it can be resource intensive if you don't kind of go through the right training. And I think a lot of these groups, by the way, just as a side on this, is a lot of these vendors will work with you to make sure it's set up in a good way and help you with that part of it. But again, I think it can have that false sense of security if you don't have that right conversation with folks. Yeah, 2% is great, but just remember it only takes one person to fail for us to have a real problem and then all the legal and ethical concerns we kind of went over there and all the compliance pieces that this helps with. Talked about some real life examples, people getting fired. Also people just clicking on everything, right? Like everybody just either clicking on everything or know just one person, you said, right? Anthony just reports everything now, right?
[00:25:42] Speaker A: Yeah, reported everything. I think they have stopped. But anyways, it did get old, I'm not going to lie.
[00:25:49] Speaker B: And the buy in, we talked about the buy in with a gift card. You talked about today, somebody won $250 and that's great. So you got a raffle for those that actually have been training, doing the training correctly. We talked about assigning training, and we talked about reporting all this out to senior staff and to the board.
So I think that's pretty much else. What else did you want to hit any of the other high points there? Did I miss it?
[00:26:12] Speaker A: Any one thing? I will just say, just because people get competitive in nature, the winner, I spoke with her briefly and she's like, well, there must not have been that many people that reported it. And I reviewed the metrics and I was like, it was rate above 32%. And she said, well, hopefully it won't be that much next time. I'm like, I really hope it is more than that. Next.
You know, people like winning money and they like improving their ODS.
[00:26:41] Speaker B: Absolutely. So I want to thank John Watkins Consulting for sponsoring this episode. If you want to reach out to them, it's John Watkinsconsultant.com.
His email my email, actually. J-O-N-J-O-N-I spell it right J-O-N at J-O-N. Watkinsconsultant.com you can also reach out to me by my phone number, which is 937622. Eightyn.
I want to thank everybody for checking out this inaugural episode, episode one, season one. Thank you. Anthony Kent.
[00:27:15] Speaker A: Thank you, John.
[00:27:17] Speaker B: I think we'd like everybody to share this, to like it. We'd love to hear comments on it. Tell everybody about it if you like what you hear. Also, I think, Anthony, we want to make sure people send us ideas, right?
[00:27:29] Speaker A: That is correct.
[00:27:31] Speaker B: So we've got a few ideas from our LinkedIn posts. Also follow Anthony on LinkedIn. Anthony Kent. He's out there on LinkedIn. You can find him. Find myself out there on LinkedIn. John Watkins and then again, our website. What, you can find everything on the website, too. All these will be posted there.
As far as that goes, I think that's everything that I had to cover. Is this the end of the episode already?
[00:27:54] Speaker A: Well, I just wanted to do one more thing, John, before we get off here. What are some of the topics that we have lined up for the future? Can you name a few of those?
[00:28:03] Speaker B: Yeah. So we're going to talk about passwords. We're going to talk about to report or not report a breach.
We're going to talk about geotagging traffic. Those are just a few. We're going to talk about multifactor authentication and VPNs and how to do those. So we're going to kind of take again, the whole point of the podcast is that we kind of take both sides of an issue. We try to argue about it. We're friends, but we want to act like we're not on the show. Right?
[00:28:28] Speaker A: Well, you were in the army and I wasn't the Marines.
[00:28:31] Speaker B: I can't help that. You bless your heart.
All right, well, thank you, everybody, for listening. And we're going to sign off now. John Watkins have a great night, everybody. Or day or whatever. The time that you're. Listening. Maybe you're in the way to work, but hope you've enjoyed Off The Wire at Play by Play on cyber issues.
[00:28:49] Speaker A: All right, thank you all. One, two, three.
[00:28:52] Speaker B: Come on.
[00:28:53] Speaker C: Thanks for listening to off the Wire, a play by play on cyber issues featuring Anthony Kent and John Watkins. Make sure to like, subscribe, follow and hey, share this podcast. If you liked it, we appreciate it. Appreciate your time.
[00:29:10] Speaker B: See you next time.
[00:29:13] Speaker C: The views and opinions expressed in this.
[00:29:15] Speaker B: Podcast do not necessarily reflect those of John Watkins Consulting or its affiliates.
[00:29:19] Speaker C: Always consult with a qualified cybersecurity professional for tailored advice.
