Cyber Matters: Building A Culture of Cyber Awareness in Your Business

Episode 16 August 17, 2023 00:30:19
Kassouf Podcast Network

Hosted By

Tara Arrington

Show Notes

This is Cyber Matters, part of the Kassouf Podcast Network, with host Russ Dorsey, Principal and Chief Information Officer at Kassouf. Cyber Matters discusses issues that truly matter - to us, our clients, their families, and their businesses. 

In this episode, we chat with Joshua Crumbaugh, CEO of PhishFirewall, about his career in cybersecurity as an ethical hacker, and how his study of human behavior and psychology made him very effective.

We talk about how lessons learned as an ethical hacker led him to found PhishFirewall. PhishFirewall is a phishing attack simulation platform that employs adaptive AI, as well as fundamental principles of psychology, such as positive reinforcement, varied repetition, and adaptive learning, to quickly build phishing awareness at a subconscious level. Joshua refers to this as building "human virus definitions."

In our discussion, Joshua shares insightful tactics on how these foundational psychological principles, when applied correctly, can serve as powerful tools in creating comprehensive cybersecurity awareness for any company seeking to improve its cybersecurity posture. He emphasizes that these methodologies are not exclusive to large corporations; they can be effectively employed by organizations of any size. By doing so, companies can fortify their defenses against an extensive array of cyber threats, ensuring the digital safety of their operations. Tune in to gain valuable knowledge and tips from one of the industry's leading experts.

To learn more about building an effective cyber awareness program, or to suggest a topic or guest, please contact Russ Dorsey, [email protected].

https://www.linkedin.com/in/joshuacrumbaugh/ 

https://www.phishfirewall.com/ 


Episode Transcript

Russ Dorsey 00:00:01 Hello, and welcome to another episode of Cyber Matters. I'm your host, Russ Dorsey, Principal and CIO at Kassouf and Company. Cyber Matters is part of the Kassouf Podcast Network. On Cyber Matters, we talk about the cyber that matters to us, our clients, their families, their businesses. This is a personal, human look at cyber, the impact of technology and how we're deploying it to enrich business and to enrich our lives. But also how to stay safe, you know, how to protect those things that are important to you. Today, we are very excited to welcome our guest, Joshua Crumbaugh. He's the CEO of PhishFirewall. I guess full disclosure would be appropriate. First, PhishFirewall is a company we use, but also we are using them and working with them with some of our clients.

Russ Dorsey 00:00:44 But Joshua, I wanna welcome you. I appreciate you taking time outta your day. I just told Joshua in the pre-show, we're gonna skip over the bio 'cause it is very long. I'd be here for 20 minutes just reading everything you've done, but 17 jobs in 23 years, man. I mean, if I was interviewing you, I'd be like, well, what's up? But now a lot of those are concurrent. So I guess my question for you is, do you buy your lin in bulk? I mean, how do you keep all these things up in the air that you've been doing <laugh> through your career?

Joshua Crumbaugh 00:01:11 No, I mean, I've just always been a very driven person. And in my career it was often, you know, stepping up, taking the next opportunity, and really just progressing my career, and progressing often within these organizations as well. So yeah, it's been a crazy run of things. I got into ethical hacking because I was looking for a challenge. And when that challenge wasn't hard enough, I guess I opened up a company because I was really looking for a challenge.

Russ Dorsey 00:01:51 Yeah, you'll definitely find it there. Now, your background, as far as your education, was in marketing, right? At Oral Roberts University, is that correct? I was just thinking about the marketing, and the psychology behind that has gotta be an edge, because when you get into that side of things and understanding... I'm sure that's been something that has given you an edge when it comes to the hacking and the ethical hacking that you're doing, right?

Joshua Crumbaugh 00:02:17 Yeah, it's funny, my career took an unexpected turn when I got to college. The marketing dean sort of took me under his wing, and by took me under his wing, I mean it might be more accurate if I said recruited me to marketing. I spent a good decade there, very much heavily into studying the psychology behind how people make decisions and how we influence those decision-making processes. And so that naturally led me to being very good at the social engineering part later in my career when I got into ethical hacking, because quite literally the day I learned that ethical hacking was a thing, I quit my job and said, this is what I'm gonna do for a career.

Russ Dorsey 00:03:11 I mean, you were, I think, a senior pen tester with the FDIC, is that correct? And then also with the SEC, the Securities and Exchange Commission. So I mean, you've definitely jumped in with both feet and went in that direction. So, to talk about PhishFirewall specifically, and again, you know, you came, I guess, to this... explain PeopleSec. Was that your first company?

Joshua Crumbaugh 00:03:37 So, well, first company, we could go a long ways back. I mean, do we count mowing lawns when I was 10? <laugh> But no, I guess PeopleSec was my first cybersecurity company, and I founded that with the idea of we're gonna do consulting to build this really cool technology. And so we got most of the way there, probably 80% of the way there, on building that technology under PeopleSec. And then at that point we said, okay, we really want to take this to market, and we wanna go at an accelerated rate. And so we decided, instead of continuing bootstrapping, to spin out PhishFirewall as its own product, go out and get investors, and really shut down PeopleSec. We do still do a little bit of consulting, but it's very high end, very exclusive. The primary core of our business is the PhishFirewall product.

Russ Dorsey 00:04:46 Okay. So what you're doing with PhishFirewall came out of the experience and the products you were developing with PeopleSec. So then that brings us to PhishFirewall, which is a phish testing company. But you came into this market where there's already some pretty big players. So I mean, what did you see as the opportunity here, and what drove what you're developing as far as what is your differentiator? What's separating you from this?

Joshua Crumbaugh 00:05:16 Yeah. Well, yes, a lot there. So, to start, the thing that sort of got me into this, or sparked me to start PhishFirewall, was in my consulting career, I was breaking into all of the most secure locations in the world. It was almost like a gotcha game. And I didn't see a lot of anything actually get fixed as a result of my testing efforts. And so the worst case of this ever was this major financial institution that I was able to tailgate into their corporate headquarters and into their executive offices four years in a row, off of the exact same person. The problem was that there was zero education, there was nothing that came as a result. And so my testing, no matter what I did, really didn't provide any real value.

Joshua Crumbaugh 00:06:16 Now, on occasion, some customers would want us to test for more than compliance, and those were my favorite customers because they would fix everything that we told them needed to be fixed. But the large majority weren't. And especially when it came to the human findings, because when I would talk to them about being vulnerable, they'd say, well, you can't patch stupid. And so that sort of became my pet peeve. And out of that pet peeve, I developed a passion. I looked at the industry and all of the tools that were in it, things like KnowBe4 or Proofpoint or Cofense, to name a few. And I looked at those tools, and, well, I guess it became my passion that, you know, we hand out these tools with no training, no guidance on how to build an effective or proper system.

Joshua Crumbaugh 00:07:12 And often the very features of the tools are counterproductive if we're trying to keep a positive and non-punitive approach in our methodology. And so, you know, I set out to create something better, something that was friendly to the users, something that the users would actually enjoy, something that would engage the users and actually help them learn these topics instead of just, you know, parroting something during a test that they take once a year to prove that they could remember it for 10 seconds. We don't need them to remember it for 10 seconds. We need them to remember it all year long. And so PhishFirewall is sort of the culmination of that. And at our core, there's two things that make us different. A, we're not a tool; we are a completely AI-driven solution that has psychology at its core. And so those best practices are built into everything that we do, and the AI does all of it for you so that you don't have to do anything. And that means we're able to get better results, results that no one else can think of.

Russ Dorsey 00:08:32 Yeah. I think you touched on several points. Now, when you were talking about tailgating, and I don't wanna get back to that, but just to clarify for the listeners, you were actually doing physical penetration testing. So you would wind up physically in a space, take pictures that you were there and show them their vulnerabilities. The same psychological principles, though, apply no matter how you're breaking into a system, right? It's finding the bad habits, it's exploiting people's trust and this normalcy bias that people have of, well, this is the way stuff is. And so you do have to find ways to shake that up. And you're right. I think one of the things that I liked about your approach is that... when we implemented phish testing here in 2015, we were early, but it was very important to us that it be... I didn't like the word gamified, but that was the approach.

Russ Dorsey 00:09:32 It had to be non-threatening. It had to be something that the staff and everybody was excited about doing and participating in the process. And I think you're right, there was a lot of early bad implementations of phish testing, right? I mean, we heard, well, we do it once a quarter and it's this standard, you know, and we check that box and we're done. And there's no customization around behaviors, those things. So really, your system, and any good system that anybody would be looking for, should really be adaptive, right? It should be something that the users respond back to in the system, and then it gives them a different set of training. Is that something that it advocates?

Joshua Crumbaugh 00:10:11 Yeah. Yeah, absolutely. Not only does it adapt to the individual on the training, but also the phishing simulations. In addition to that, we have role-based training baked in. So it's not just your generic security awareness training that everyone in the company gets, that's sort of this one-size-fits-all. This is adaptive. So your IT team gets training about common mistakes they make that lead to a compromise. Your developers get training on what's called the OWASP Top 10, but it's just secure development practices. We have training for the C-suite on cyber risk management and just understanding basic cybersecurity topics in general. We've got training for your defenders on what's called the MITRE ATT&CK framework. And this is basically an inventory of all of the different tactics that we've seen the bad guys use, and how they're exploited.

Joshua Crumbaugh 00:11:08 And it's important that defenders know that, so that they can look for them within the network. And we've got training for your finance teams, your marketing departments, your sales teams, and so much more. And so all of this is because different people have different vulnerabilities that they present to the organization. And it's very important that people understand how their job and their role could impact cybersecurity. And I think a great example of this is HR. They tend to be very susceptible to phishing attacks. Not on purpose. No, it's never or rarely on purpose. But nevertheless, they're very susceptible, yet they have access to all of our most sensitive information. When you start telling HR these things and connecting the dots in a very simple way, it clicks and they're like, oh, wow. I do have access to this. I do have to be more careful. And it may seem like a, you know, duh type of thing, but you'd be amazed at how just connecting the dots and creating that human connection can help change people's behavior and get them to start thinking in a different way. I don't mean to pick on HR. I actually like HR. They're one of our biggest allies.

Russ Dorsey 00:12:24 Yeah, no, it is the guys in sales you have to watch for. But your point is very good that people... I always say that everybody aspires to be part of something bigger. Everybody wants to be on a winning team. And you're right, that sense of ownership when you do take the time, and even in a small organization, which is where I think this gets overlooked a lot, is it seems like, well, we got to implement this program. It's going to be such a huge undertaking. But it really just starts with talking to the employees and getting them ownership that they're going to help the company survive a cyber attack. As we say on the IT side, we have a lot of, I won't say derogatory things to say about users, but we have a lot of little, you know, idioms and things we use to describe user behavior, but we're all human, right?

Russ Dorsey 00:13:15 And so everybody has to understand that, hey, I'm here, and the fact that I'm the person sitting in this chair makes me the target. It's not because it's me or because I'm gonna do something stupid. And I hate it when a user feels bad about, you know, having done something that was really beyond their control. 'Cause the guys that are doing this are spending a lot of time, you know, if there was an R&D department somewhere in Eastern Europe or Asia or wherever, where they're doing all the psychological profiling, they're spending a lot of time figuring out what we're going to click on. And so you've got to get that ownership, right?

Joshua Crumbaugh 00:13:49 Absolutely. And it's not just that, there's other elements at play here. It's because security is very prevalent in our workplaces nowadays. And what that means is that for a lay user that knows nothing about cybersecurity, really nothing about computers, you know, enough to go to work and use Office to get their job done, whatever it happens to be, but past that, they don't know computers. And so the average person often believes that it's so secure at their work that they couldn't possibly get hacked. And there was this study that found that there's this group of people, I want to say it's like 6 out of 100, we're somewhere around 6% total, that will forward a suspicious email from their personal account to their work account so that they can click on it at work, because it's too shady to click on on their personal computer <laugh>. But their work computer is so secure it couldn't get hacked. So it's not too shady to click over here. That is, you know, it's one of those things that just simply educating users about the fact that there is no such thing as too secure to be hacked makes a big difference and eliminates that group of people from your workforce.

Russ Dorsey 00:15:22 Yeah. And I think to that point, the cloud platforms, G Suite and Office 365, I think also give that false sense of security. And a lot of businesses, I mean, clearly for years have fallen prey to that. Well, if we go to Microsoft's cloud, then, you know, we'll be fine. And they don't realize you've got to go to Microsoft's cloud and you've got to implement all the security that's off by default. Yeah. MFA being one of the big ones. I mean, it took Microsoft years to enforce MFA to any degree where they really push it now. But for years, you know, you were able to run without that. But the training side doesn't go away with that. I mean, you've got to train people. No matter where your email's coming from, you've still gotta have that training, because if you click the malicious email while you're checking your email at home, or even on your mobile device, you can still get that malware. And then if you're then using that device, as we all were from COVID, to then come back into the organization, you can bring the malware with you that way after getting infected at home.

Joshua Crumbaugh 00:16:29 Absolutely. It's all interconnected. And to that regard, that's the reason it has to become a subconscious reaction. I always talk about what I like to call human virus definitions. But all it means is that when we run a phishing simulation and we provide that just-in-time education to help them understand, you know, where the red flags were, and we do it in a healthy way so that they don't feel abused, but they feel empowered, what happens is it creates, well, what I like to call a human virus definition. So that user now becomes 70% less likely to fall for any similar attacks in the wild. And they begin, after just a short period of time and getting just a handful of these simulations under their belt, moving on without even realizing it. So sort of an autopilot, if you will. And so you'll go back to the user and you'll say, well, you deleted that. Why didn't you report it? And they say, oh, I didn't even see it. I don't know, I guess I just clicked delete. I don't have any recollection of that. But it sits in their deleted inbox. And that's because, when we're doing this right, it's happening at a subconscious level even more than it's ever happening at a conscious level.

Russ Dorsey 00:17:49 Yeah. And that's getting the users there again. Like I said, we started in 2015, so we've been at this now eight years. And we'll talk a little bit about why we changed products, but what we did see was it didn't take long. I mean, we got our click rates down, and if you're doing phish testing, it's all about that. Or, well, it shouldn't be all about that, but that's really the metric that you follow, the trailing indicator to say, hey, yeah, it's working. But what we did see was just this higher and higher suspicion of things. Even things that, I mean, the types of things we get sent to our help desk now, 'cause we set up a phishing mailbox, was this, you know, is this attachment safe to open?

Russ Dorsey 00:18:35 Which is a legitimate question, but they're doing that on the tail end of a thread with somebody where they're expecting the attachment. It's coming through Proofpoint security. It is, by all stretches of the imagination, a good email to click. And so I talk to my team sometimes and go, well, have we driven it too far? And the answer's no <laugh>, because everything will change. And all of a sudden that Proofpoint will look a little different or something will be a little weird about it. So that's really where we found it too, with the users. Like you said, this virus definition concept, they get that normalcy bias I referred to earlier. They get used to seeing the things that are right and the things that are wrong. And so when there's something just a little off, now they catch it, which is just amazing, that you can get a workforce there.

Joshua Crumbaugh 00:19:20 Absolutely. Yep. And that's part of the reason that we make sure to start training your users right outta the gate about those little details. 'Cause you don't wanna get people so scared that they won't click on anything. So now it has to be this happy middle ground, this balancing act, if you will. All of security is balancing business operations with security. And so we start training people to look for that external sender notification banner right outta the gate, to look at the email address that's sending it, to look at the context of the email, to look at how they greet you. Those little details that, like you said, are the things... it's the tiny little things that are off that's gonna make the difference between catching it and not catching it on those ones that have already gotten through what, 10 layers of security to get to their inbox in the first place.

Russ Dorsey 00:20:13 That's the other thing that you see when you hit a user base. And again, I want to stress, for anybody listening, we're talking about five employees or 500. You're right, you have to find that sweet spot in there, as far as what is safe to open and not, and pairing this with a smart filtering process on the back end. Because the things that we saw coming through that our users started catching were the things that our malware protection was not able to catch, like business email compromise, when the attackers would inject themselves in the middle of a thread through somebody else's breached mailbox, and all of a sudden we're getting requests to move money. And if we hadn't had that training, they wouldn't have spotted the odd, you know, things that were happening, like this email address changing and whatnot.

Russ Dorsey 00:21:02 So we've had years and years of really good success, but then you look at, well, we're hiring people. 'Cause during COVID <laugh>, we've had more people, more turnover, in the last two years in the firm than probably it had in the previous five. And how do you get those people ramped up to that same level? 'Cause I'm fine with the people that started in 2014 with me, right? But I'm scared to death of the guy that started this month. So that again is an interesting approach you guys take in the way you scale through that. And that was a truly unique thing. You want to describe that or talk about that for a minute?

Joshua Crumbaugh 00:21:33 Okay, so our new workforce. We've got the big workforce trained, they're conditioned, they do a good job. What do we do about the new workforce? So what we do is it's adaptive. That's the reason that we brought AI to this, because the one-size-fits-all just doesn't work, and it's not efficient. So we want to be able to increase the frequency of the phishing simulations that we're running against each individual, and not just increase the frequency, but find out what you are most likely to click on and then begin targeting you with that type of attack until you're no longer susceptible. And so we do that rapid triage just by simply: the more you click on, the more of that type of phishing simulation you are going to get. And so it helps to train you on that type of attack in a very quick and safe environment.

Russ Dorsey 00:22:30 So, just to recap this for our listeners, it doesn't matter the size of your organization, it doesn't matter if you're cloud-based or not, as far as phishing. And I think the other thing is, the things that people learn from this, hopefully they're taking home and they're teaching their family to be safer about things. I mean, we can get into a whole other conversation about the email phishing that goes on with individuals and specifically the elderly, which is just insidious, but they're the largest victims of this by far. The other thing, though, is the fatigue factor. Again, it has to be fun. I've told the story before that, for reasons I won't get into, I finally bet our staff that if they could ever have a month with zero clicks, we'd have a pizza party.

Russ Dorsey 00:23:23 And that was the incentive. It took us five years to get there, but we finally bought pizza for the firm. And it was a fun thing, but it was always that kind of positive reinforcement. You never, you know, shame, you know, put up the old, you just clicked, here's the ugly email and here's the three days of adaptive training you're gonna have to be subjected to, right? I mean, that's not the way to do this. It's got to be positive. But where I was headed with the fatigue factor is, and you know, at some point it may happen with your product, it may not, and so far it's been adaptive, but your users do get used to how they're being tested. And I think that's something to look at. If you're using a system now and you're happy with it, great. And if you've got the results you want, great. But how much of that is the users going, oh yeah, that's, you know, I'm not gonna name names, oh yeah, that's our monthly phish test from X, Y, and Z company. You can ignore that. How much of that goes on?

Joshua Crumbaugh 00:24:20 Well, hopefully not much. We make them very realistic. Well, I didn't...

Russ Dorsey 00:24:25 I didn't mean with you specifically. I just mean in the industry, I think that's a problem because...

Joshua Crumbaugh 00:24:29 Oh, a lot <laugh>. Yeah.

Russ Dorsey 00:24:30 I mean, some of the other products I've seen, I guess I should have been more specific, just seem to collect a pool of current event emails, and then they push 'em to you on a schedule, and the users do get used to that. They're gonna recognize those patterns, right? So you want to... yeah, you wanna highly randomize it. And, I'm sorry.

Joshua Crumbaugh 00:24:54 Oh, go for it. No, I agree. It absolutely needs to be heavily randomized and adaptive, because otherwise they will get that fatigue. You can't just keep running the same simulations over and over and over again. We battle that by, really, everything's in buckets, so we just make sure that we're constantly adding to our buckets and keeping them full, so that our AI has plenty of content to work with. The other thing we do to battle that, though, is advanced spear phishing. So our clients can set up a few things like giving us a logo, giving us email signatures, giving us even the names of people within their organization we can phish as. And so it can really take the spear phishing up a notch when your HR phish comes from a legitimate-looking domain and a legitimate person inside the company with a legitimate signature.

Joshua Crumbaugh 00:25:52 So, you know, while we make it very non-punitive, very friendly, and we even gamify it, especially for the ones that would cause somebody to be upset if they weren't, so that we tell people we're gonna phish ahead of time. And then when we're sending a sensitive phishing simulation, our AI reaches out ahead of time and says, hey, this is the specific type of attack, now be on the lookout for it. I'm gonna phish you. And it will come either six minutes or six weeks later. And so they will now be on the lookout and it creates a sort of hypervigilance. But regardless of any of that, you definitely want to avoid that same sort of cyclical, overly used content, because people need variety.

Joshua Crumbaugh 00:26:44 And that variety is what helps to keep them engaged. An example of that is, there's this thing called spaced learning theory, and it says that people digest content better in bite-sized chunks of information. But there's these sub-laws with it. One of them is that if you say the same thing in three different ways, you're gonna get higher retention. And so we have, especially for the really critical things like a USB thumb drive being dropped, or phishing email clicks, we take those topics and that's exactly how our content works. You may see very similar content multiple times, but it changes, and it's slightly different, and it takes a slightly different approach, and there's a little bit different story in there, all to keep it fresh, keep it relevant, and also help each person hear it from multiple perspectives and hopefully gain a better insight on it.

Russ Dorsey 00:27:52 Yeah. And I think, to get back to what a business owner does with this, I mean, again, if I'm running a small 10-person service organization with Outlook, you know, Office 365, and I know I need this, I'm going to look for a product that's pretty zero-config. And so, if you're selecting, I'm speaking to our audience now, if you're selecting one of these products, you look for something that's going to be an easy ramp-up, easy setup. But then, again, the trailing indicators, what is your measure of success? And as I mentioned earlier, it's usually click rates. And so you wanna see, you know, the industry standard, anytime I get into any of these, is 30% click rates.

Russ Dorsey 00:28:35 The first time you run one of these, or even higher. We were happy when we got down to one or two or 3%. But you're looking through this adaptive approach to get down into the sub-ones, right, into point-something. And then, you know, so again, for the business owner, you're looking for something that's got a good dashboard on it that you can look and see, and then also see maybe who your problem users are. And you know, at some point you do have to take that into consideration. If you've got somebody, I always pick on the salesman, but you've got somebody that just will not stop clicking on the bad email, at some point Laura's got to step aside and HR's gonna come in and impose some kind of harder training and maybe even sanctions before that person gets you in trouble.

Russ Dorsey 00:29:25 We're kind of up against a break point here, so I'm going to just take a quick pause and thank everybody for joining this first segment. We're gonna break this into two, 'cause it's running an hour. And then we're gonna come back and talk. I wanna get deep into the current threats and the things that are going on, I think, to focus on that. So I've been speaking with Joshua Crumbaugh, CEO of PhishFirewall, www.phishfirewall.com. And we're gonna come back in just a moment and talk about current threats. So that'll be in the next episode. But I wanna thank you for your time today, and thank you for listening to Cyber Matters, with your host, Russ Dorsey. That's me, and part of the Kassouf Podcast Network. And we'll be back soon.
