5 Security Awareness Mistakes and How to Fix Them

SoSafe
04/29/2026

Transcript

Thank you very much. Good afternoon, everyone. Thank you for coming back after lunch. Right. So today's presentation, and there will be some time for discussion later, hopefully, is about five mistakes I've noticed that are commonly made in security awareness campaigns. I speak to a lot of CISOs and have done over the years, I've done a lot of research into this topic, and I find these things coming up again and again. So there are hopefully things out here that you'll see and go, yeah, I could make a change there. And if you come through it and find that you're good on all five of them, then well done. Gold stars will be handed out as you leave the room. But hopefully we'll be okay.

For those of you that haven't met me before, my name's Andrew Rose, Chief Security Officer here at SoSafe. I've spent many, many years as a proper CISO in roles at MasterCard, UK Air Traffic Control and global law firms, and also as a Forrester analyst covering the security awareness space for about five years, doing lots of research into behavioral science and how CISOs are trying to impact their awareness and culture. Maxime, would you like to introduce yourself?

Thank you. So, Maxime Lequeur, I'm a manager at Capgemini France. I also have a background as an international CISO. I have been CISO for big companies like Bonduelle, a food and beverage company, for 15 years.

Super. So let us start with mistake number one. And this one is basically that knowledge and actions are not the same. So more awareness does not change behavior. That is a problem I've seen many, many CISOs make: they think that if they just stack their awareness higher and higher and make people do more and more awareness training, magically a culture will appear out of nowhere. And that just isn't how this happens. So smoking is an interesting example, because there is 100% awareness that smoking is dangerous for you. And yet still, people smoke. Millions of people smoke.
And so it's not effective. Awareness does not change behavior. And there are other analogies, I think an example I might use later, about driving on big open highways where you see a speed limit. I'm here in Germany, what am I talking about speed limits for? You guys know what the speed limits are, and I haven't been in a car yet that's stuck to them. So awareness does not equal behavior. That's the key thing. So more and more awareness does not change the behavior of your people.

So what can you do about this? Well, you have to think, what's really going to change behavior here? And actually, consequences help. So actually, the smoking analogy is sort of an iffy one, because changing all of those communications regarding smoking did actually reduce the number of people who smoke, but not entirely. One thing you can do, like we see here from Health Canada, is actually move the reminder of the consequences closer to the event, closer to the action. So they've got these cigarettes now with "smoking causes cancer" printed on the cigarettes, so you can no longer just put the package away in your pocket and forget about it. The reminders of the consequences are ever present. So think about how you can adopt aspects like that.

Remove opportunities for people to do the wrong thing. So I constantly talk about BJ Fogg, who's a behavioral scientist whose work I really admire. And what he talks about is that any behavior is down to two aspects, motivation and ability. So if you can change their motivation, that's by talking about consequences, that will change their behavior. If you can change their ability, make what they want to do difficult, make it awkward, make it not simple, that will also change their behavior. Have a look at BJ Fogg's very simple behavior model. It gives you a new perspective on how to really change behavior. And then finally, create peer pressure.
So on the highway, if you were to join a road and you didn't know what the speed limit was and everyone else was driving 50, would you just drive 50 as well? I think most of us probably would. Again, Germany, not the best use case, but in most countries, they would probably just stick to their 50 limits until they saw what the speed limit was. Because there's an intrinsic peer pressure to comply with what people are doing around you. So can you create a perception of that peer pressure in your organizations to try and influence other people's behavior? And there's a whole other story behind that, but it's a really interesting thing to do and it can be really effective. So that's mistake number one.

So mistake number two. Thank you. So for mistake number two, excuse my accent, I'm French, staff don't understand their role. So statistics prove that the human layer is the first line of defense. And when it fails, usually it can raise an incident. We have a lot of statistics on that. We put two of the main statistics we can have. But the key message here is that everyone is a target, but not everyone understands why they are targeted. They don't understand the risk that the company faces and why they can be targeted. It's important to communicate to them why your company brings value and why even the normal co-worker can put the company at risk. When I was on my road to come here, I was in the waiting room of the train station and a lady asked me to grab her computer and her smartphone. The hall was unlocked. She just put it with her backpack and all her stuff and she just left. I didn't know this person at all, but she just, maybe I have a good faith or I don't know. But she just brought everything, went to the bathroom, came back. I didn't do anything. Maybe I should have sent a mail to one of her friends or I don't know. What I want to say is that people don't know the value of what they have with them and so they don't take action for that.
If it had been her own computer, which she had paid for, she would know the value. So she would never give me her computer. That's what we have to communicate to our co-workers, our colleagues, to understand the value not only of the material, because the material is pretty cheap, but the value of the data and the value of an incident. What is the cost of an incident in our company and how many do we face every year, every day? They have to know that they really can be targeted.

It's so true that so many users just don't even see their own value. They get so used to the data that they're accessing all the time and they just don't see it as special or as secret, because "I see this 24-7." So they don't realize that other people might value it more than they do. They also don't see the value in themselves. As a trusted member of the organization, if I could hack into your account, I could then send emails to all the people you're associated with and they would receive an email from you and would trust it and would probably click on the link that you sent. So you can move laterally just by using them. A lot of people just don't see that. They'll say, I'm a receptionist, who would attack me? I don't have access to anything. But you do, you have this trust, you have this ability, you can be a foothold. So yeah, everyone is a target and I think many people don't make sure that people understand that.

Mistake number three, again, another thing I see a lot of CISOs do is that they see that their users are clicking on links or engaging with malicious content, whatever. And so what they do is they decide, okay, well, if they click on three links, we'll punish them, we'll discipline them, we'll take away their bonus, we'll do something like that. We'll speak to their manager and they'll get shouted at. And what's scary is the fact that's actually quite effective. It does work. And people do change their behavior because of the peril of having disciplinary action against you.
The problem is it's not sustainable. People will change their behavior in the short term because of the peril of a good shouting at. But actually what it does is it undermines the trust that they will have in your security organization. And that's really important. I'm on here later on, I think at about 4:30, where we're talking about the maturity journey organizations go through. One of the key things to discuss there is trust. If they don't trust you and your team, they're never going to come to you with incidents, they're never going to come to you with problems. They're going to find a way to not talk to you and to talk to other people. I used to work in one large organization early in my career, and they very much had that concept of "no" is the right answer, and we'll work from there. And so I remember one instance where a guy came to our department and said, I want to connect to this third party. And my team said no. So he went away, and then he connected to the third party anyway, but he did it without going through all the due process and all the controls that we could have implemented. So it's completely counterproductive to break that trust. So we always have to make sure that we maintain it. Doing this criticism, doing this punishment is never going to help. It's going to damage our relationship and damage the whole awareness program. So don't punish people immediately. It undermines the trust, makes security the bad cop, and it destroys the partnership that we want to build.

Now one thing that I talk about that many people haven't heard about is a concept called just culture. Has anybody in the room heard about just culture? Not a single person? Good. Okay. So just culture is a concept often used in safety-critical organizations, and it's a way of considering how you manage that relationship with users to encourage them to talk to you. So the example I commonly use is I used to work in aviation.
So if you're an aviation engineer and you're working on a jet engine, if you drop a bolt into that jet engine, then it makes a lovely tinkling sound as it goes through, apparently. But at that point, you have two choices. You can go to your manager and say, yeah, I've just ruined a multi-million pound jet engine. It's going to have to be taken off the plane. The plane's going to have to be taken out of service. All the people have to be taken off the plane. All the bags taken out. It's going to ruin the schedule for today, probably for the next couple of weeks. It's probably cost us several million pounds and ruined our reputation with loads of users. Sorry about that. So that's option one. That's a pretty hard conversation to have with your boss. Option two, I don't say anything. They just don't say anything. They go, it'll probably be fine. The bolt probably fell out. It'll be all right. And you can imagine the risk that comes with that. Mid-air explosion, hundreds of people dead. So the choice is absolutely obvious. You want them to choose option one and have that really tough conversation.

And so just culture comes in on that topic. It's about saying that if you make a mistake, it's my fault. If you've made a mistake, I haven't given you the right tools. I haven't given you the right processes. Perhaps I should have invested in magnetic spanners. Perhaps we should have had some sort of fiber that goes around the bolt so you could pull it back out. Perhaps the processes mean that we shouldn't have the engine on the plane at the time. We should take it off. There are loads of different processes you can learn from that actually mean that it's not their fault. It's my fault. I didn't have the right processes, controls, or procedures in place to stop you making this mistake. And if that's the attitude you take, people are going to be much more likely to come and talk to you. So just culture talks through the different phases of this.
So have they found a new way to fail? Celebrate that. Have they made a human error? In which case, okay, we need to put more controls around this. Have they deviated from process but done it for the right reasons and tried to do it mindfully and in a way that other people would do it? In which case, then, okay, I need to think about my processes, my policy, and other controls. It's only when they repeatedly make these mistakes and go against process that you start to consider punishment. And this builds you a culture where people will be happy to come and talk to you because they feel they're not imperiled. If they're not doing anything deliberately wrong, they'll come and say, I found a new way to fail. Excellent. Let's celebrate that. So just culture is something that's really interesting. If you're in safety-critical organizations, it might already be in place. But if not, see how it can work for your security team, because this can really help.

Okay. I knew a CISO who, when someone brought her a problem, offered cookies. So she always had a cookie box on her desk, and when you brought her a problem, she gave you a cookie. And it was clearly a very positive approach, and everyone was happy to go and see her because they knew they'd get a cookie. Even if they were raising big problems, they got a cookie. It's a good way to do it, definitely. Thank you.

Mistake number four, bulk learning. We know that when you learn something, you also quickly forget. There are many statistics and many studies on that: if you want people to have something in mind all the time, to really learn, not just learn once, you have to remind them regularly. That's why when you want to build a security culture, you have to think long term, not just about whether you have an onboarding process, for example. You can put things, you have to put things in the first week of the newcomer, explaining how cybersecurity is important, and so on.
But the newcomer also has, in his first week, training for physical security, for all his tools, and all his specific functions. So he will forget very, very quickly. So you have to think long term and make regular, I don't know the term in English, piqûres. Do you know it in German? I don't. I can't help you there. So you have to come back regularly with the same information and repeat and repeat if you want to ensure people maintain their knowledge, specifically when, with a new technology, risks are changing, you have to refresh and update very, very regularly. And you also have to adapt to the people you are talking to. If you have a common set of knowledge as a starter, it's a very good point. And it also allows you to target a compliance program. But if you want to look further and have people that clearly develop a strong knowledge in cybersecurity, you have to develop it by the different profiles. You will not speak the same way to a developer as to an HR person or to a financial person, because their reality is not the same, even if everyone works in the same open space. Everyone is dealing with personal data, there's financial data, there's other sensitive data, maybe interconnection. So you have to explain to them why cybersecurity matters for them. And the last point, keep a formal communication plan. It's a view on the long term, but also adapt your communication to the level of communication of your colleagues.

I think one of the key things that strikes me on that one really is about the compliance piece. So many organizations just define compliance as "you've completed all of your security awareness training", but that then drives the wrong behavior. That drives the bulk learning, everyone does it in the first week and then they forget about it, as you say. So you tick the compliance box, but then you haven't achieved your actual goal. So the trick is to redefine compliance.
We've got a new starter pack of essential awareness, so they take that and then they're up to date with the drip feeding of information. And then people start to stay aware, they keep on getting the information and building their knowledge, maintaining their knowledge, but you can still report a compliance status: they've done the base and they're six months into a six-month training plan, or they're six months into a 12-month training plan, they're up to date, compliant. So it makes it a little more complicated to report compliance, but actually the effectiveness is way, way better. So it's definitely something to look at.

Okay, last mistake and then we'll have time for questions. Mistake number five, not collecting feedback. So people react so much better if they have feedback. If you tell them they're doing a good job, if you thank them for the things they've done, they perform better, they engage. And there are statistics on this one, this one from WorkHuman saying 77% of employees would work harder if they knew they were being appreciated and recognized. I'm sure we've all seen this, you know, if you run a security operations center or you're on the, and if people are reporting incidents or phishing emails or something along those lines and they receive no feedback, pretty rapidly they'll stop telling you about them, because they think they're just shouting into a void and no one's listening. So they will stop doing it unless they receive feedback. So feedback is really important to make sure people feel heard and feel that they're being taken seriously. Within SoSafe, we have a solution that's going to help with that in terms of the phishing report button, which can start to give them the ability to report and receive feedback on the good thing they've done when they've reported, you know, a bad phish. So that can really help. But definitely you need to start thinking about the wider aspects. Ask staff for communications, ask staff for feedback on communications and content.
Now I have another presentation in here tomorrow at about 10 o'clock, which is about board-level reporting, and within that I have some new metrics and cool metrics which I don't see people using, which are really handy, and there's one in there just about this, which is really cool. So I'm not going to give that secret away now, I'm afraid. It's really good. But catch me later, I might tell you outside the room. So make sure that if anyone reports anything to you, even if it's nonsense, you go back to them and say, thank you for telling us this, it wasn't anything, we've investigated it. Otherwise they won't bother reporting to you next time. Can you use automation? Because the speed of that feedback really helps. If they have to wait six weeks before they get an email back going, oh, thanks for reporting that thing, they'll go, what thing, what did I report, I don't remember. There's no value in that. So use automation so that you're there immediately. So we have Sophie, a chatbot, which gives level zero support. So when somebody engages with your team, it's right there, an immediate response to any questions and any engagements. That makes people feel heard and valued, which helps. Use your champions network, absolutely. And then if you do make changes based on this feedback, or you do save an incident or stop a breach, let them know. Let them know that their value had real impact in the organization. They'll feel so much better for that, they'll engage with you more and more. So think about feedback. Feedback loops are important. They keep the whole momentum going in your awareness program. Do you have any in place? Because if you don't, you should.

So that's our five. I've got a bonus mistake for you, a really quick, easy bonus mistake that people make. Bonus mistake six: the name of your security awareness program. Everyone calls it a security awareness program, which is fine, but that's not what you're trying to achieve.
You don't want to build awareness. That's not what you're trying to do. You're trying to change behavior, trying to change culture. So by calling it an awareness program, every time you're focusing yourself on the wrong thing. Every time you talk about security awareness, what are you going to do? You're going to create security awareness, but that's not what you want. So a really simple thing to do is just change the name of the program. Then every time you talk about your security culture change or your security behavior change program, it refocuses you onto what you're really trying to achieve. It's just a simple, tiny thing, but it helps reinforce, every time, the focus on what really matters. It's not awareness. It's bigger than that. So a really simple change, and that might be helpful to you. Those are my five plus one mistakes. We now have about eight or nine minutes for questions, comments, or thoughts.

Oh, hello. You're back on stage. I'm back on stage. First of all, thank you very much, both of you. You're welcome. Second of all, does anyone in the audience have questions for either one of these? I see a raised hand right here, and the microphone is coming from that direction.

Thank you so much for an insightful presentation. I'd like to share a short story regarding a successful transformation of human behavior. It was about our policy for every employee to lock their screens. Of course, that's easy to put in policy. It's easy to put a checkbox, but how do you make people do it? What we did was that whenever somebody did not lock their screen, everybody had the mandate to pretty much go onto their computer, on the internal network, and say, Hey, I will bring fika tomorrow. Yes, isko marsveden. So there are other ways, like the browser extension Heronscreen, which literally puts up a screen every time you're in your browser, or Geek Pranks, where you put up the full-screen Windows update. That will surpass 100% to infinity. It's interesting. It's fun.
I've seen things like that happen before. You've always got to be careful with them in case they have negative consequences, but one bank I saw did a job where they started putting parking tickets on screens. So they found a screen that was unlocked, they put a yellow parking ticket on it. And it worked, but it does feel a little like the punishment piece. It feels like the shame of getting to your desk and going, Oh, God, the shame. It sort of worked. There's a whole, when they talk about consequences, I know that is a consequence, getting a parking ticket. I think there's a whole sequence you need to go through. Don't just jump straight to the punishment that we mentioned earlier. Talk about consequences. I always talk about it in four different stages. First, you've got to tell people: if you get hacked, if you're breached, then this is what could happen to our organization. That's the first stage. And then you say, if we get hacked, this is what could happen to you individually. You could lose your wedding photos, your baby photos, your music collection. It might affect the project you're on and your bonus. So make it personal. And then the third phase is to actually start to reward people for doing the right thing. So handing out cookies for finding issues. Or going around and handing out sweets to everyone who has locked their screen. That's a positive way to do it. And then finally you get into that just culture and punishment piece. But it's a careful thing you have to negotiate. Because sometimes those issues can be seen differently in different cultures around the world as well. Cool.

Thank you for sharing the story. Is there anyone else who would like to... I see a raised hand up there. The microphone is coming your way.

Thank you. I would like to add another mistake from my perspective. It's the language. Because if you do an awareness campaign as a global company and you do it only in English, you will have very bad results in the US and maybe in the UK.
Really, really good results in France. Because the French don't click on an English mail. And if you send the same mail in the French language, the results are really worse. My impression is, yes, it's effort. But you have to do it in the language of the country where you operate. That's one lesson we learned. Thanks.

Yes, clearly. I experienced that in a big retailer. And one of our major problems was the translation of everything. Because not every tool can propose a good translated program. And you have to have a good validation process to be sure everything is well perceived. And that's also why you need a security champions network. To disclose it to them in the first line. To have their view on the quality of what you will propose to your colleagues. Because sometimes it's just idioms that you think are okay. But they're not okay. So the better way to do it is to have a native speaker who validates all the communication. But you have to figure it out.

I think the language piece is really important. It's a whole context piece, isn't it? It's not just about language. It's about making it so it relates to their role as well. If you send your standard information worker awareness training out to people who work in a factory, they're going to look at it and go, I don't use email that much. And I don't have access to data. What are they talking about? Privacy? I just operate a machine. It doesn't make contextual sense to them. They're just going to ignore it. It can be more effort, definitely. But we have to start to attune our awareness campaigns to the people in HR. The people in finance. The people in operations. The OT engineers. If you can make it so it reflects their life and their reality, it will have so much more traction with them. But the language bit is a really good bit as well. I completely agree.

Any other questions? Anybody got another? We have two of them. One there, one here. We'll do the one at the front and then we'll come back to that one over there.
At our organization, we currently face the problem that our employees report the phishing simulation mails. But they also started to report nearly all of our internal communication mails. You cannot send any information that is not reported by at least 10 people. Partly we try to give positive feedback and not say that you're stupid, you've got this newsletter every day for five years, why do you start to report it? The other part is that they are a bit annoyed due to the training and the simulation mail. So I also have the feeling that "you wanted this, so I report everything where I'm insecure." Do you have any insights or a solution for it?

Interesting. The one about them reporting legitimate internal emails, I've come across that one before. HR would send out a "please fill in the survey" and absolutely everyone would just report it. No one would click, and HR would come to me and go, what have you done? So we had to basically go through it with HR and say, well, this is how to create an email so it doesn't look like a phish, because that's what it looks like. You're basically making an email that links to an external database and asking them to click on it. That's not helpful. So actually have them refer back to internal communications. So can they actually say, right, we want you to click on a questionnaire, here's an intranet link. And so this is an internal link that links to a page on the intranet. And that page on the intranet then links to the external questionnaire. That then takes away the fear of people clicking on an external link. They can see it's internal and they can have that level of trust. And they see an intranet page and, again, have a level of trust. So then they tend to engage more. But it's about working with the comms team and working with those. As for people just reporting it to get on your nerves, just to get back at you, I don't know the answer to that one really.
I think it's just about more relationship building and making them aware of the potential of why this is important. Once they can see that this is the reality of it, that deepfakes are real and that BEC and fraud are real and that this is a real threat, perhaps they'll start to take it a bit more seriously. But I completely agree it's not an easy thing. But if it was easy, we wouldn't be here, would we? It would just be too easy. None of us would have a job. So, yeah.

I think we've got one more minute left and we've got one person at the back, haven't we?

Thank you. Can you hear me? Yeah. Okay. We are using two likes so safe, not so safe. Sorry for that. And if you report a phishing mail and it isn't from the training, you have to choose: is it phishing, or is it spam, or something like that. And I think it could cause people to be less aware. If it is not a training, okay, then I can click on the link. What do you think about that?

So, I'm not sure I understand the whole context of the issue. So, basically, they want to report an email that they're suspicious about. They're being forced to classify it as spam or malware. Yes. It isn't directly put to the human firewall team. You have to choose what it could be. Yeah. It would be better if it could just be "I'm suspicious of this". So, again, sorry to use the last ten seconds to talk about SoSafe content. But Sophie, as a solution that we have, which you may have seen, Sophie is that AI chatbot which you can just go and refer to on the side and say, actually, I don't know what this email is. It looks weird and suspicious. And Sophie will do a real-time analysis and say, you're right. It does look weird. Do you want me to raise a ticket for you? Or it will say, you know what? It looks fine. It looks okay. You're a bit suspicious. I don't think it is. It doesn't look too bad. So having the AI can really help there.
I guess all I could suggest for that one is perhaps you just take away those options. You take away the two options, just bring it down to one option, which says, I'm suspicious of this, I don't know what it is, and I'm worried. I think that could be the simplest way, and then everything would go through to the SOC, which might increase their workload. But at least then everything would come through, and you can sort it out at that level. I'm not sure that's helpful, but hopefully it is. Maybe it could. Cool.

Perfect. Thank you so much, everyone, for joining, and to these two gentlemen for joining us on stage today. Andrew, I think we'll see you a few more times before Hooficon is over. Maxime, thank you very much for taking the time to speak with us today. Thank you all. Thank you.

TL;DR

  • Awareness training alone does not change behavior—organizations must apply behavioral science principles including consequences, peer pressure, and reducing opportunities for risky actions to drive actual security culture change.
  • Punishing employees for security mistakes undermines trust and reporting culture; adopting a 'just culture' approach treats errors as opportunities to improve processes rather than occasions for discipline.
  • Bulk learning during onboarding is quickly forgotten; effective programs use drip-fed, role-based content delivered over time with regular reinforcement tailored to different employee contexts.
  • Feedback loops are essential for sustained engagement—employees who report security concerns need timely responses and recognition, with 77% working harder when they feel their contributions are appreciated.
  • The fundamental reframe: stop calling it a 'security awareness program' and rename it a 'security behavior change' or 'security culture' program to focus efforts on what actually matters—changing how people act, not just what they know.

Why Awareness Alone Doesn't Change Behavior

The session opens with a fundamental challenge facing security leaders: more awareness training does not automatically translate to better security behavior. Andrew Rose and Maxime Lecoeur use the smoking analogy to illustrate this disconnect—despite 100% awareness that smoking is dangerous, millions still smoke. The speakers introduce behavioral science principles from BJ Fogg's behavior model, emphasizing that behavior change requires addressing both motivation and ability. Organizations must move beyond simply stacking more training and instead focus on consequences, peer pressure, and removing opportunities for risky behavior. The key insight is that awareness is necessary but insufficient—security programs must be designed to influence actual behavior, not just knowledge.

Building Trust Through Just Culture

A critical mistake many organizations make is punishing employees who fall for phishing simulations or make security errors. While punishment may produce short-term behavior change, it fundamentally undermines trust and destroys the partnership security teams need with their users. The speakers introduce the concept of 'just culture' from aviation safety, where mistakes are viewed as opportunities to improve processes rather than occasions for punishment. In this framework, if an employee makes an error, the security team asks what controls, tools, or processes were missing that allowed the mistake to happen. This approach encourages incident reporting and creates a culture where employees feel safe coming forward with problems. The session emphasizes that security teams must be seen as partners, not police, to build sustainable security culture.

Effective Learning Design and Feedback Loops

The presentation addresses two interconnected mistakes: bulk learning approaches and lack of feedback mechanisms. Research shows that people quickly forget information delivered in one-time training sessions, particularly during onboarding when new employees are overwhelmed with information. Instead, organizations should implement drip-fed learning over time, with role-based content that reflects employees' actual work contexts. A developer needs different security guidance than an HR professional or factory worker. The speakers also stress the importance of feedback loops—77% of employees work harder when they feel appreciated and recognized. When employees report suspicious emails or security concerns, they need timely feedback to maintain engagement. Automation tools like AI chatbots can provide immediate responses, while security teams should celebrate good reporting behavior and communicate when employee vigilance prevented actual incidents.
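The single "I'm suspicious" report option proposed in the Q&A at the end of the transcript, and the feedback loop this section describes (acknowledge promptly, tell the reporter the outcome, recognize good reporting), can be modelled as a small report-intake desk. The code below is an added example written for this page; it is not SoSafe's product, not the speakers' code, and not a description of any real tool. The class and function names, the outcome message texts, the 24-hour feedback SLA and the two sample reports are all constructed assumptions.

```python
"""Phishing-report intake with a closed feedback loop (constructed example).

One report action for the user, an immediate acknowledgement, an outcome
message when triage closes the ticket, and metrics that show whether the
loop is actually being closed in time. All names and values are assumed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from statistics import median
from typing import Dict, List, Optional


class Verdict(Enum):
    PENDING = "pending"
    MALICIOUS = "malicious"     # real phishing / BEC
    SIMULATION = "simulation"   # internal training simulation
    SPAM = "spam"
    BENIGN = "benign"


# Every outcome thanks the reporter: the behaviour being reinforced is
# "report when unsure", not "be right". Texts are constructed for this example.
OUTCOME_TEXT = {
    Verdict.MALICIOUS: "Report #{id}: confirmed malicious and blocked. Your report protected colleagues.",
    Verdict.SIMULATION: "Report #{id}: that was one of our simulations and you caught it. Nice work.",
    Verdict.SPAM: "Report #{id}: spam, not a targeted attack. Still the right call to report it.",
    Verdict.BENIGN: "Report #{id}: legitimate email. Thanks for checking rather than guessing.",
}


@dataclass
class Report:
    report_id: int
    reporter: str
    subject: str
    reported_at: datetime
    verdict: Verdict = Verdict.PENDING
    acknowledged_at: Optional[datetime] = None
    closed_at: Optional[datetime] = None


@dataclass
class FeedbackMessage:
    to: str
    text: str


class ReportDesk:
    """Queue that the SOC (or a triage automation) works through."""

    def __init__(self) -> None:
        self._reports: List[Report] = []
        self._outbox: List[FeedbackMessage] = []  # stand-in for mail/chat delivery

    def submit(self, reporter: str, subject: str, now: datetime) -> int:
        """Single report action: the user never has to classify the email."""
        report = Report(len(self._reports) + 1, reporter, subject, now)
        self._reports.append(report)
        # First half of the loop: acknowledge immediately, before triage.
        report.acknowledged_at = now
        self._outbox.append(FeedbackMessage(
            reporter, f"Report #{report.report_id} received: '{subject}'. We're looking at it."))
        return report.report_id

    def close(self, report_id: int, verdict: Verdict, now: datetime) -> None:
        """Second half of the loop: triage decides, the reporter hears the outcome."""
        if verdict is Verdict.PENDING:
            raise ValueError("close() needs a final verdict")
        report = self._reports[report_id - 1]
        report.verdict = verdict
        report.closed_at = now
        self._outbox.append(FeedbackMessage(report.reporter, OUTCOME_TEXT[verdict].format(id=report_id)))

    def overdue(self, now: datetime, sla: timedelta = timedelta(hours=24)) -> List[int]:
        """Open reports whose reporter has waited longer than the feedback SLA (assumed 24h)."""
        return [r.report_id for r in self._reports if r.closed_at is None and now - r.reported_at > sla]

    def median_time_to_close(self) -> Optional[timedelta]:
        closed = [r.closed_at - r.reported_at for r in self._reports if r.closed_at]
        return median(closed) if closed else None

    def reporter_stats(self) -> Dict[str, Dict[str, int]]:
        """Per-reporter counts for recognition: reports made, and reports that caught
        something real (a malicious email or a simulation)."""
        stats: Dict[str, Dict[str, int]] = {}
        for r in self._reports:
            entry = stats.setdefault(r.reporter, {"reports": 0, "caught": 0})
            entry["reports"] += 1
            if r.verdict in (Verdict.MALICIOUS, Verdict.SIMULATION):
                entry["caught"] += 1
        return stats

    def outbox(self) -> List[FeedbackMessage]:
        return list(self._outbox)


def demo() -> dict:
    """Constructed scenario: two reports, one closed after 2h, one left waiting."""
    desk = ReportDesk()
    t0 = datetime(2026, 4, 29, 9, 0)
    desk.submit("alice", "Invoice overdue - action required", t0)
    desk.submit("bob", "Team lunch on Friday", t0 + timedelta(hours=1))
    desk.close(1, Verdict.MALICIOUS, t0 + timedelta(hours=2))
    return {
        "messages": [(m.to, m.text) for m in desk.outbox()],
        "overdue_after_30h": desk.overdue(t0 + timedelta(hours=30)),
        "median_hours": desk.median_time_to_close().total_seconds() / 3600,
        "stats": desk.reporter_stats(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of `overdue()` is that an unanswered report is a broken feedback loop, not just a backlog item: the reporter who never hears back is the one who stops reporting. `reporter_stats()` gives the security team the numbers it needs to recognize consistent reporters, which the session names as the driver of sustained engagement.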

Chapters

0:00 - Introduction and Speaker Backgrounds
1:30 - Mistake 1: Awareness vs Behavior
4:30 - Behavioral Science and Peer Pressure
7:00 - Mistake 2: Understanding Security Roles
10:30 - Mistake 3: Punishment Damages Trust
14:30 - Just Culture Framework
19:00 - Mistake 4: Bulk Learning Failures
23:00 - Role-Based Content Design
27:00 - Mistake 5: Missing Feedback Loops
31:00 - Bonus: Rename Your Program
34:00 - Audience Q&A Session

Key Quotes

1:46 "More awareness does not change behavior."
9:06 "It does work. And people do change their behavior because of the peril of having disciplinary on you. The problem is it's not sustainable."
12:21 "If you make a mistake, it's my fault. If you've made a mistake, I haven't given you the right tools. I haven't given you the right processes."
18:57 "... 77% of employees would work harder if they knew they were being appreciated and recognized."
21:54 "You don't want to build awareness. That's not what you're trying to do. You're trying to change behavior, trying to change culture."
Categories:
  • Data Protection
Tags:
  • Security Operations
  • Best Practices
  • Technical Deep Dive
  • Compliance & Governance
  • Webinar
  • Security Awareness Training
  • Behavioral Science
  • Security Culture
  • Just Culture
  • Phishing Simulations
  • Employee Training
  • Incident Reporting
  • Human Risk Management
