
Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st Century.

Jodi Daniels 0:21

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women-owned privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hi. I am Justin Daniels. I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk, and when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:58

This episode is brought to you by... Hello. That’s where you ding or something. No silence. Silence, no ding. Boop. Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there is greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. It is fall here.

Justin Daniels 1:40

It’s not quite cool yet.

Jodi Daniels 1:43

It’s cool this morning. Okay? And Fall means October, best month ever, just saying, and October is Cybersecurity Awareness Month.

Justin Daniels 1:56

Yes, October is birthday month too.

Jodi Daniels 1:59

Oh, that might be one of the many reasons why October is the best month ever. It’s also Cybersecurity Awareness Month, which is why we brought today Dan Thornton, who is the co-founder and CEO of Goldphish. And if you don’t know who Goldphish is, don’t worry. You will. He is a former Royal Marine Commando who channeled his operational expertise into cybersecurity. Today, Dan... I can’t speak. I need more coffee today. Dan leads a security awareness training company helping organizations turn their people into their strongest defense, with over 2.1 million learners trained worldwide. Dan, we are so excited that you are here with us today. And fun fact, Red Clover Advisors is a customer, and a happy customer, of Goldphish. We are so excited that you are here with us today to share more about why companies need to understand cybersecurity awareness training.

Dan Thornton 2:57

Thank you very much for having me great to be with you.

Justin Daniels 3:03

So Dan, why don’t you tell us a little bit about your career journey and what led you to focus on cybersecurity for the Red Clovers of the world and other small businesses?

Dan Thornton 3:15

Well, long story short, I started my career in the Royal Marines Commandos over in the UK, served with them all over the world, and later transitioned into the glamorous world of security risk management: think on convoys, emergency evacuations, crisis planning for oil companies around the world. I discovered cybersecurity when one of the companies I was working for got smashed by the NotPetya attack back in 2017. I had a bit of a light bulb moment, realized cybersecurity is the way forward, and definitely the future of all things risk management, and Goldphish, and the idea for it, was born from that. I didn’t really know how I was going to get into the cybersecurity space, being a non-tech guy, but, you know, I realized I had a whole history and career of training people and keeping people out of trouble and trying to advise on the human side of things. You know, that’s what we went into, and Goldphish was born.

Jodi Daniels 4:16

Well, I talk to a lot of companies, from small to big, and especially in the SMB market, they often say we’re too small to be a target, who cares about what we have. And yet, cyber attacks continue to hit small and mid-sized companies hard. Why do you think this is a dangerous mindset, and how did we get here, given the reality of what happens today?

Dan Thornton 4:45

It’s a very, very common take for a lot of small businesses, whether they genuinely believe that or whether they just want to put their head in the sand and hope it doesn’t hit them. You know, it’s true, a lot of small businesses, and a lot of individual people outside of businesses as well, are in the same space. You know, I’m not famous, I’m not a celebrity, they’re not going to come after me. It’s exactly the same thing. But the reality is that attackers don’t discriminate. They automate, and a lot of these attacks, a lot of these social engineering attacks, are huge, big campaigns that they send out to tens of thousands of potential victims, casting a huge net. And you know, as we’re seeing AI being brought in and leveraged for social engineering attacks nowadays, whether it’s going into your mailbox, whether it’s by text message or SMS, or whether it’s voice calling, a lot of this is highly automated. It’s very, very customized and very convincing, and they’re sending it out to a massive net of people, so nobody’s really being individually targeted. It’s just a highly customizable, very efficient way of scamming people nowadays, and everyone’s being hit.

Jodi Daniels 6:01

A lot of times I talk to people, and they’ll say, without saying, well, who cares? I’m so small. And then they say, well, what will happen if they are able to get into my system? So I’m curious, just as a follow-up to that, maybe to help remind people, even on the individual side: when they are creating these campaigns, what is it that they’re after? What are the attackers trying to get? And so maybe that will help some of these small and medium-sized businesses.

Dan Thornton 6:31

So they’re trying to get mainly two things, two main things, or three things, let’s cover three things. Either they’re trying to get you to click on something or open something that is a malicious attachment. When I say malicious, it’s a virus or it’s malicious software. And by getting you to open that attachment or click on that link that’s going to download it, they’ll then infect your system with that malware, and that malware will then be able to do, depending on what it is, it could maybe lock up your system, hold your system to ransom. It could spy on your system, be able to send back information to the attackers on whatever you’re doing on your system, whether it’s logging into your banking or emailing your clients. It’s going to be able to spy on all of that. So that’s the malware side of it. The other side of the attacks is they try and convince you to give them your password. Everyone protects their passwords, and it’s the gate into the kingdom, whether it’s into your banking systems, into your email systems, into your social media, and they will convince you to hand it over. And you think that you’d never do that, you’re not stupid enough to do it, but they can be very convincing and redirect you to a login page for your bank, and it looks identical to your banking login page, and you will put in your password and your username and fire that off, and it’s actually going to them. They’ll receive that, they’ll be able to immediately log into that account and lock you out of it, you know, get access to that. So that’s the second place that they’ll go into. And then finally, they can just try and convince you to send them money. And again, you know, most of us think, I’d never fall for that.
But in businesses of all sizes these days, we’re seeing stories every single day of this happening, where an accounts department, a finance team, is being emailed by a vendor, you know, letting them know our bank account details have changed, please pay this latest invoice. And the next thing you know, a small business has transferred tens of thousands of dollars over to some vendor, and it’s a complete fake account, and they never see that money again. And you know, for large organizations that we’re seeing in the news now, you know, Jaguar Land Rover losing millions of dollars every single week in lost revenue and shut-down operations, it’s making the big news. But it’s the smaller businesses where, you know, $10,000 could close their doors forever, and it’s these small attacks and these small amounts that we’re not seeing in the media so much, but it’s so impactful on the smaller businesses out there.

Justin Daniels 9:23

So Dan, I wanted to ask you a different question, particularly given your military background. Even if you’re a small business, people know enough to have voice, maybe video, authentication, and now you have the deepfake. And in my personal opinion, from a cyber perspective, it’s the number one thing that really worries me, because they look very authentic. And I’d love to get your perspective: does the deepfake kind of training make it in for small businesses, and if so, what does that look like from a training perspective?

Dan Thornton 10:10

We’re raising awareness about the threat of deepfakes and the fact that they’re out there, and whether it’s deepfake video or deepfake voice, people need to realize and become aware that this is really a thing. This is actually reality. It’s not something from some science fiction horror story. This is very real. And there are multiple stories and cases and case studies of this actually happening for real, and it’s changing, and it’s improving on a regular basis. The scams are getting way more convincing. People are being scammed by live video, being scammed by live voice. It’s a very, very real thing. How to spot it is getting more and more difficult. But I would say your best advice really nowadays, and it’s unfortunate we’re at this stage, but it’s zero trust. And this is a term we hear in the cybersecurity world, and they’re using zero trust in a bunch of different senses, on the technology side of things and the data side of things, but I mean it from a human element. When it comes to social engineering and scams and avoiding them, it is really: do not trust what you see or hear anymore. The evidence is out there that there are a lot of fakes, there are a lot of scams going on that people cannot see anymore. And so it is just, do not take anything at face value. If it sounds too good to be true, if you know something is off, if it is against normal procedures or protocols, question it, go back. You know, find another way to confirm.

Justin Daniels 11:55

Well, you bring up my next question when you say to confirm, which is that a lot of companies in the banking industry and the insurance industry have set up all kinds of identity and access management now tied to your voice. And so if I’m a company, and you know, let’s say I’m a small business, I’m a title company, but I wire money out a lot, what should you do nowadays when picking up the phone to do that second factor of authentication of the person that you’re going to send the money to, in this era of deepfakes? What does that second level of authentication look like now? Is it like a passcode or some kind of token or something? I don’t know what to tell clients.

Dan Thornton 12:45

Yeah, it’s definitely a tough one, and I think the authentication space is evolving massively right now, and with these deepfakes, it is an issue that I think companies are trying to solve. I think the banks are under a lot of pressure right now to try and solve this very thing, because they are now being held accountable for this going wrong. In the UK, some really interesting legislation was actually passed earlier this year, where if somebody is defrauded of their money now with a UK bank, the bank sending that money and the bank receiving that money are both liable to pay that individual back, and that hasn’t happened anywhere else in the world. So what the UK Government is basically doing is putting the liability on the banks to sort this type of problem out, because they haven’t done so in the past. And this is a technical issue right now, that, you know, the voice verification stuff is falling apart. I mean, a lot of your top banks now, it’s all multi-factor authentication, or it’s passkeys, and that’s fine for the individual doing it. But when you’re trying to transfer between companies and getting, like you say, that verification that this invoice was sent correctly from this company, and I want to check that you guys have sent this, I think it all really comes down to having that key point of contact in the vendor organization that you can confirm, that you can find, that you can contact away from the email chain that’s been happening. Whether it’s an individual that you need to transfer money to, it’s being able to contact them on a separate number that’s not on the invoice, that’s not on the email, that you know you’ve confirmed. And you can do that when you’re setting up these accounts or you’re setting up these deals. So there has to be another way to confirm the legitimacy of the recipient.

Jodi Daniels 12:45

Well, we talked about deepfakes, certainly an area that small businesses need to be paying attention to. What would you say are some of the other blind spots for small businesses?

Dan Thornton 13:37

Trusting tech too much. Tech is great. Tech is absolutely necessary. And there is, you know, a base level of great security tech every business should have in place, but just because you bought antivirus doesn’t mean you’re just safe. It’s a lot more than that. It’s not blindly trusting the technology. It’s needing all of the other elements of a good security plan around that. Secondly, I’d say forgetting the humans. You know, I’m always promoting employee training, but most breaches will start with somebody clicking the wrong link or giving away a password. If your people aren’t trained in even just the basic awareness levels, your tools don’t matter. I’d say fourth, no plan: no incident response plan, no backups, no clue what to do when something breaks. If people are not planning for the worst, they’re going to get a hell of a shock when it inevitably does happen, and unfortunately, you know, 80%, 90% of organizations, especially small businesses, will experience some type of attack during their time. So they need a plan for when it does: who to call, what to do. You know, have you got backups? Super, super important, and just planning, planning for the worst. And then finally, one of the biggest blind spots, issues that we see, is a culture of silence. Now again, it comes down to the humans, comes down to culture within organizations. But a lot of times, people are too scared to admit mistakes. Everybody makes mistakes, whether, you know, it’s I’ve given away my password, or I clicked on something in an email, or I gave over information over the phone, or I lost my cell phone, you know, in an Uber. People don’t want to admit these mistakes. They feel like they’re going to get in trouble. There’s, you know, drama ahead of it, and when people are silent, then breaches get a hell of a lot worse. And I think that’s a really big problem as well.

Jodi Daniels 17:19

A really good point.

Justin Daniels 17:22

Don’t you think, at the end of the day, though, Dan, a lot of the excuses around lack of preparedness in cybersecurity are that small businesses just don’t want to spend the money on it, and use whatever justification to avoid that, because they don’t feel it generates revenue, and don’t see the value in mitigating that risk? And I think the stat is what, 60 to 70% of small businesses who have some type of significant cyber event simply go out of business.

Dan Thornton 17:52

Exactly, exactly. Your big losses, your huge stories that are making the news, you know, the multinationals and the big hacks and the million-dollar ransoms and all of that, we hear about that, and they can recover from it. They’re big drama stories, and they make good news, but they can recover. They’ve got the money to recover. They’ve got the cash to recover. These small businesses, one attack, and they’re done. They close their doors, they won’t recover from that. And it is sad that a lot of small businesses don’t see the importance in this, and they don’t realize that, yes, this does cost. You have to budget for this. You’re not going to be able to do this for free; all of the elements of a security plan are going to cost, but they don’t have to break the bank. You really can get the basics in place. You can get your policies and procedures in place. You can get your basic technical systems set up. You can do your backups. You can do some basic employee training. You can get some cyber insurance to then cover the rest. All of this can be done, really, on minimal budgets, but a lot of companies believe that it’s going to cost them millions, and it’s some black art, some Jedi art out there that they don’t understand, and it’s way too much, going to be way too expensive, and it really isn’t.

Jodi Daniels 19:21

that’s your turn.

Justin Daniels 19:25

Oh, it’s my turn.

Jodi Daniels 19:26

It’s your turn.

Justin Daniels 19:27

So Dan, to kind of bolster the point you just made, is, let’s say I am a small business, and I’m starting out, and I do want to do something, if I’m just getting started, what are the top two or three steps you’d recommend to immediately reduce risk without breaking the bank, in addition to getting the services of Goldphish?

Dan Thornton 19:56

Yeah, I would say the number one thing is turn on multi-factor authentication, or MFA. We’ve spoken about authentication, we’ve spoken about identification. Getting into accounts is the number one and most important thing, and protecting the keys to those accounts. Multi-factor authentication is the number one thing, really, to do that, and every single company can do that on every account that they’re using: every business account, email account, social media account, banking, whatever it is. If it’s even half important and you don’t want a random person to get into that account, turn on multi-factor authentication. It’s extremely easy. Most businesses make it absolutely effortless these days, a couple of clicks of a button and you’re in. Google it, YouTube it, and in two seconds of searching you’ll find how to turn MFA on for any single account. I’d say that’s the most important thing. Secondly, security awareness training. Employees need to know this stuff. If you’re trying to make security a thing and you want to take security seriously as an organization, one of the best places you can start is making all of your people aware of the threats. It’s not expensive, it’s not going to break the bank. It’s really good for your organization to reduce that human risk element, and it’s great for your people as well. Businesses are getting scammed every single day, they’re making losses, but individuals, on an individual basis, are getting scammed every single day of the year, and we hear horror stories about individual scams. If we can educate people to take that message home and create secure cultures in their families, with their kids and their friends, it’s a great thing to be able to do as well. So that’s really important. And then I’d say finally, and maybe it’s a double-up cheat, I’d say regular updates and backups.
If you know all of the apps that a company is using, whether it’s security apps, whether it’s SaaS apps, anything that you’ve got on your device, it needs to be updated. Set regular updates. Automate updates. Make sure, when your operating system says that it’s got an update ready, don’t delay it. Don’t keep putting it off. Just update that thing. Every single time software is updated, a lot of the time with that patching it’s got new security protocols, new security features; it’s keeping your device, it’s keeping that app a lot more secure to keep bad actors out. So updates are super important, whether it’s your laptop, your desktop or your phone: update everything. And then finally, backups, backups, backups, backups. If you’re a small business, your data is so important, it doesn’t matter what you do. If you’ve got a list of customers, if you’ve got super important business information, whatever you need to run your business on the day to day, that information needs to be backed up, because when the day comes and the bad guys get in and they either encrypt all of your data, take it offline, steal it from you, threaten, you know, not to give it back unless you pay them a million dollars, you can just, you know, load your backups and be back up and running in no time. So it’s super important to have those backups and to test them.

Jodi Daniels 23:27

Dan, I’m curious if you can share. Phishing is obviously one of the biggest threats that is out there. What’s the latest trick that people are using these days with phishing?

Dan Thornton 23:44

It’s a type of social engineering, and, yeah, you could say it really comes under the phishing banner, but it’s been around for a while, and it’s probably still having the most success: business email compromise, or BEC. It’s a type of scam where, and it’s super convincing, everybody looks out for phishing. They look for a link: I don’t click on the link. They look for an attachment: don’t click on the attachment. These emails are coming in, and there’s nothing malicious-looking about them. There are no attachments. There are no funny links in them. They’re coming in looking extremely convincing, similar to the business that you’re in and the company that you’re in, and maybe it’s got the CEO’s signature. And they’ll come in, send an email to the finance department from the company CEO and say, I need this money transferred immediately. And, you know, they’ll give details of the account that it needs to be transferred to. Or they’ll need gift vouchers for this amount, or they’ll need crypto transferred for this amount, whatever it is. So that’s one element of business email compromise, where it’ll come from the CEO to the finance department. The other way that we see is from fake vendors coming in, and they will be emailing your company’s finance department and accounts department, saying, here’s our outstanding invoice, you know, please get this paid as soon as possible. And they’ll chase and make it super urgent, and they’ll change banking details in there. So these scammers will do a ton of research on the business. They’ll know who your CEO is. They’ll know what his signature looks like. They’ll have customized language in there so it’ll sound like him. And they’ll do the same research on the vendor company. They know that you work with this company, and they’ll then customize an email to look like it’s coming from that vendor.
It’ll have their logos, it’ll have their invoice style, it’ll have that type of language, and that’s all coming in, and there’s nothing malicious-looking about these emails. It’s just that they’re completely fake, and departments and companies are blindly firing off those wire transfers and making those payments, and once they’re sent, the banks are turning around and going, well, you legitimately authorized the payment of this. The fact that it was sent to a fake account is not our problem. You know, it is a clear scam, and a lot of companies never see that money again, unfortunately. So that’s business email compromise.

Jodi Daniels 26:26

I appreciate you sharing always, always helpful to know what’s the latest and greatest threat.

Justin Daniels 26:31

Well, the phishing emails are so much better now, because AI can write them for these threat actors.

Dan Thornton 26:36

For sure. And I mean, we’re seeing that now a lot. I mean, there are marketing platforms out there now that are leveraging AI where, if you want to do outbound email, cold email marketing, you can scrape a list of 10,000 potential customer targets from the Internet, from LinkedIn. It’ll have all of the details of your marketing targets, including their name, the company they work at, the role that they’re in, their email address, sometimes their phone number, and put all of that together into a target pack. And then you’ll have an email marketing platform that will customize an email perfectly targeted for that individual based on their company, their role, based on their most recent LinkedIn post that you’ll comment on, and then fire off a marketing sort of cold sales call or cold email to that individual. Now, if marketing teams are legitimately doing this for marketing purposes and sales purposes using this type of technology, that’s exactly what the bad actors are using. And where phishing used to be a very, very obvious thing, you know, it was always very generic. You would receive that phishing email, and it was like, you know, dear customer, or to whom it may concern, and you could spot them a mile away. They were super generic. Nowadays, the emails landing in your mailbox are highly customized, and they are addressing you by name. They are talking about a recent post, maybe on Instagram, that you posted, or some comments you made on LinkedIn, and they’ll reference that, or they’ll reference the recent promotion that you’ve had, and it’ll be the most convincing sort of scam email that you’ve received. And the bad actors are able to do this now en masse, at scale, to tens of thousands of potential victims at the same time. And so the results and the success that they’re having are unprecedented.

Jodi Daniels 28:57

We’ve talked a lot about protecting companies. We always ask our guests, what is your best personal privacy or security tip? And I would love if you could share it. What would you offer to your friends when you’re hanging out at a party?

Dan Thornton 29:12

I think my number one personal tip, and something that I’ve actually changed in the past maybe 18 months, is using single sign-on for as many different accounts as I can. So when you get to a login page, and again, we’re back to authentication, yeah, again, all of the different scams and all the different ways to get hacked, again, it all comes down to protecting your accounts and authentication. But my number one tip that I would use, and that I do use personally myself, is when you get to a login page for any account and it asks you to log in with your username or password or create a new account, I always will create my account using my Google account, or my Gmail account. That way I have one very, very strong, complex, unique password for my Google account, and I can remember that, and I never have to then create more complex passwords for all my other accounts, because I can just create a new account or log into those accounts using my Google authentication. And with my Google account, I’m able to have a strong password, and I’m also able to set up a Google passkey on that as well. So a passkey is a new type of multi-factor authentication, but it’s even stronger, and it can’t be phished. It can’t be social engineered, because it’s based on my device. So I can use my Face ID, I can use my fingerprint to get through the passkey, and then I’m into any account. And whatever account that is, it basically just asks Google if I’m legit and whether it must let me in, and it does. It’s a lot cleaner, it’s a lot easier, it’s a lot safer. I don’t have to worry about 400 different passwords, and this company doesn’t have MFA, and this company doesn’t do passkeys. I just rely on Google to do my authentication for me, and that’s something I’ve really been using a lot, and it’s a very, very easy way to do it. Most, 90% of companies nowadays, will allow you to do single sign-on using Google.

Jodi Daniels 31:34

That is a good tip. We haven’t had that one indeed.

Justin Daniels 31:38

So Dan, when you’re not helping protect companies with great employee training, what do you like to do for fun?

Dan Thornton 31:46

I live in South Africa, and I spend all of my time when I’m not on the laptop. I surf, I hunt, I spear fish, and I love to run long distances out in the mountain. So anything that involves the ocean or the mountains and keeps me away from my laptop, keeps me happy.

Jodi Daniels 32:08

Well, Dan, we are so glad that you were able to join us. If people would like to connect and learn more, where should they go?

Dan Thornton 32:15

They can go to goldphish.com, Goldphish with a ph, and we’re on LinkedIn as well, so hit me up on LinkedIn: Dan Thornton, I’m at Goldphish. I don’t think anyone else is using that name right now, so yeah, easy to find on LinkedIn and on our website.

Jodi Daniels 32:32

Amazing. And we’ll also have a link to the training in the show notes. So thank you so much for sharing all these really helpful tips to be able to prevent cybersecurity attacks for small businesses and individuals.

Outro 32:50

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.