
How To Turn Your Weakest Links Into Your Strongest Defenses

Do your employees know how to spot a phishing email? Are your employees using strong passwords? If your answer is no or unsure, your organization is left vulnerable to cyber criminals. 90% of breaches are caused by human error, which means it is critical that your employees are knowledgeable about the current cyber threats and risks they are facing.

Transcription

TOM: Welcome, everybody. You’ll see what I’m talking about as we go through some of these things, but I’m going to share some of my experience over the past 30 years when it comes to getting your organization to do things.

The way it all started off is Kindsey said, “Let’s do one on how to turn your weakest links into your strongest defenses.” If you’ve listened to any of my webinars, you know that the weakest link in your organization is the humans, from a security standpoint. It actually could be the weakest link for anything. There are people that work at companies that, for whatever reasons, they should no longer be working there, whether it’s a necessary evil or they’re indispensable, supposedly.

But my goal here is not to do the hiring and firing for you. My goal here is we’re going to talk about how you can make better security a part of your culture. Like I said, the weakest links are the humans. How do we know that? Well, we can prove it. There’s a number of studies that have been done over the past decade or longer, and this one from Google discovered – and this is a real recent one; it was just last year – 26% of the users in Google’s study – and it was statistically valid. It was like 100,000, 800,000 people. Whatever. They ignored prompts to change their credentials even if they knew those credentials had been stolen or compromised.

The browsers have the ability to store your credentials for like Facebook, and there’s a million places on the internet where you can go and see if those credentials have been stolen. Some of them will even show you the password. So even though Google told them, they looked in the Chrome browser and they told them that these credentials have been stolen, they just ignored it. They clicked on “ignore, ignore, ignore.” 26% of the people in the study did that.

Another one that was kind of surprising – and actually, it’s only surprising because it’s too low – 61% of users reuse credentials even if they know they have been compromised. So even if you use the same credentials on Facebook as you do on Twitter as you do on your bank account, 61% of the users in this study continued to use those same credentials without making any changes, even though they knew they’d been compromised.

This one’s another one when I talk about ransomware and phishing attacks – in fact, this one does surprise me that it’s not any higher than this – but almost 38% of untrained users fail phishing tests. And we know what that looks like because we even see the data on that for some of our users that get our training.

94% of malware is delivered via email, or through phishing emails or spear phishing emails. And then it takes a human to fire it off.

And like I’ve said many, many times, over 90% of breaches are, if not directly caused by an insider, they have allowed it to occur. They’ve clicked on a link in a phishing email or opened an attachment from somebody they don’t know or even they may have known. They didn’t know what to look for. They’re untrained. So over 90% of the breaches that occur, of any type, had to have an insider to help them fire it off. Now, they’re non-malicious. 99.9% – or five 9s, I don’t know – but they’re non-malicious.

This is why we know that the humans are the weakest link. You guys have heard me talk about the NIST Cybersecurity Framework. Identify, protect, detect, respond, and recover. Of those 5 things, at least 4 of them, properly trained and properly led, everyone in your organization can help you identify. They can help protect the organization. They can help detect because they may see something weird happen. They might even respond just by simply reporting it, and you want to encourage that behavior, right?

And they might even be able to help recover by just unplugging their computer. That actually happens three or four times a year in our company. Somebody will call up and say, “Oh my gosh, I think I just let loose a virus.” First thing, pull the network cable out. Pull the power cord out. We’ll deal with any damaged files or anything like that secondary, but we know we only have a certain amount of time to stop the encryption of the ransomware. Sometimes it may be seconds, sometimes it might be minutes. Could even be days if you have a lot of files shared out on the network to everybody on the network. The sooner we stop that, the better.

Anyway, you’re helping follow the Cybersecurity Framework by doing better training and education of your staff – which leads me to the discussion of management versus leadership.

Over the past 30+ years, I guess – yeah, it’s over 30 years – I’ve dealt with small businesses of all types. Small- to medium-size businesses. A handful of Fortune 100 companies, but for the most part SMBs. They very often do the management stuff pretty good, sometimes excellent, things like that. They’re planning, they’re organizing, they’re controlling the company’s destiny, and they’re directing people to get and execute tasks. Let’s get the job done, right? Let’s work towards getting the job done.

But what management doesn’t do, or doesn’t do it as much as good leadership would – it doesn’t bake things into the culture. It’s very easy not to lead by example because a manager has managerial duties that are outside the scope of setting the types of examples that a good leader can.

So over this last 30 years or so, one of the key things I would always talk about when I’m consulting with the small businesses is, “Here’s how you budget for this vertical software application.” Whether it’s logistics or a point-of-sales system or whatever it is, I say, “Here’s what you do. You budget 70% for the software” – and this is point-of-sale; it varies depending on what the vertical is. 70% for the software, 30% for the hardware.

Now, that 70% budget, you divide that 70/30, and 70% should be the licensing of the software itself – and this was before everybody did monthly subscriptions, so just bear this with a little grain of salt. The other 30% you should invest in training. More often than not, they would buy more software options than invest in training. They thought, “Let’s go ahead and add on another $3,000 to $5,000,” or $10 grand, whatever the whole thing was, $100 grand, “and let’s get these other extras just in case we need them. If we get them all now, they’re cheaper. We’ll just cut the training budget.”

That’s a managerial decision. That’s not good leadership. And I see it even today, not only from the lack of interest in getting security training or implementing a password manager, but in various other aspects. A manager will say, “I’m going to buy this security, and I want to buy everybody a password manager and just tell them all to use it.” And that’s where it stops. They might even go and grumble about using a password manager – because it takes a while to get over the hump and get over the hassle.

Once you get into them and you really start using them, you love them. I can’t imagine living life without a password manager now. That’d be crazy, crazy. The average person has got – I don’t even know what it is. It’s somewhere around 50 to 100 sets of credentials, on average. I’ve got 1,200 in my password manager. Of course, that’s different. But anyway, everybody’s got at least 20. You think about all your investments and bank accounts and all these other things you’ve got to keep private, your email and things like that, you’ve got a lot of passwords to keep up with, and they all have to be unique.

But what a good leader will do is go ahead and buy the training, knowing that he may pay more for these other optional things, but he’s got to get the adoption of the software. He’s got to make sure they concentrate on the training and fully understand what the implications are to the organization as a whole. It will not make the company more efficient to buy the software that’s going to make your company more efficient if you don’t train your people. It’s that simple. So why would it be any different to make your company more secure? You can substitute that “productivity” or “efficiency” or whatever it may be. It’s bottom-line influence.

And we’re talking bottom-line influence with security, in some ways the bottom line. It could be the difference between staying in business or not by protecting your company, whereas with productivity software, you’ll only be showing 5-10% gains in productivity, or 2% gains in productivity. Security software is even more important than that. I’d rather see people use spreadsheets or, good grief, use the green ledger for your financials and hand-write it to make sure you’ve got good security and you’ve got passwords in there. I know I’m exaggerating a little bit.

But that’s where it comes down to the difference between management and leadership. A good leader is going to be positive about implementing these. They’re not going to say, “This is a real hassle, but we’ve got to do it” because you’re setting the wrong tone. You want to inspire them to get over that hump by using a password manager, and you want to inspire them to score better on their security training than their colleague, or you, even.

You’ve got to be a part of this. You’ve got to have the whole buy-in, and then your duties – whatever your management or leadership style may be, when you’re dropping in, checking on people, asking them about their family, doing these things that are non-managerial, it’s to say, “Hey, what do you think about the security training? What’s your score? Are you staying up to date?” That’s the manager’s job to make sure they’re staying up to date on it. A good leader reinforces that shared vision, and they want to inspire their people to do the training and understand that this is a part of the culture. It’s not an annoying task that has to be done. It is something that is positively reinforced that you’ve got to do this. It’s every bit as critical as it is to lock the office door when you leave, to lock the filing cabinets for sensitive information. Human resource records, things like that. That’s not in the manager’s wheelhouse.

Now, there’s some overlap, and I know many of you may be wearing both hats. That’s fine. If you’re wearing both hats, understand and really think about, “If I’m going to do something, is this a managerial thing or is this a leadership thing?” And I’m telling you that sparing no expense on training and sparing no expense on security is more leadership than it is management. I can’t promise you that if you buy security training from us or you buy our password managers from us – if you don’t do a good job leading your organization to use those tools, not only did you waste your money, but you might as well have not even bought it because all it takes is a breach.

If you have a breach and all you did is just buy the stuff and tell them to use it, and you have a breach, you’re going to look back and say, “If only we had done the training that takes a couple of hours total a year. If we’d only spent those 2 to 3 days to get over the hump of getting used to using a password manager, this would’ve never happened.” And that’s what a good leader will do when they buy these tools. They’ll do it from every other aspect, because everybody’s got to be vigilant on security.

And I’m not saying you’ve got to be as vigilant as we are. That’s not practical. You guys have got a job. You’ve got clients and customers and critical infrastructure. They’ve got to have their water. It’s got to be clean. There’s no two ways about it. You’ve got court cases that are non-negotiable and you’ve got to be there, and your client is counting on you to win the case or to get the judgment in their favor or to do their tax returns and save them as much money as legally possible on their taxes. Those are managerial tasks.

A leadership task is inspiring that client or that customer to believe in you and believe in your organization, and to believe in your people. And one of the ways they can believe in your people and your organization is proving to them that you take security seriously. You want to stay in business so you can support them and provide them services and protect their information and make sure their water is safe and not polluting the environment, if you’re in wastewater. That’s leadership communicating that to every stakeholder in the organization. Your board of directors, your mayor, or maybe you guys have a city administrator form of government, whoever. A good leader answers to everyone. A manager is usually just the head honcho.

If you’re truly a good leader, you work for each and every person, not only in the organization but all the clients. You want to work with vendors, not against them. You’ve got a vendor that’s got a really good product; you want to have a good relationship. If you’ve got a vendor whose product has got shortcomings, but you want to maintain the relationship – maybe there’s nothing better, maybe you’re stuck with them for financial reasons – there’s nothing wrong with trying to help them get better too.

We do that as a company. We’ll have a vendor that’s like 90% there, but 10% is just annoying as hell. I will frequently have a discussion with vendors and say, “Look, guys, we want you to succeed. You guys have got to fix this. We’re not the only ones with this problem. If we are the only ones with the problem, then tell us. Then we know it’s environmental and we’ll fix our side of it.” But we want our vendors to succeed, we want our clients and our customers to succeed. And I know that every single person on this webinar feels the same way.

But just understand that if you’re doing nothing more than buying the tools and telling everybody to use them, that’s not good leadership, and it’s going to fail. We do everything we can to help you get off the road, get over the humps and make sure that you understand how to – give you the tools to be not only a good manager, but a good leader.

Some of you may have said, “I got all that stuff licked, Tom.” Then buy the stuff and let’s get going, okay? Let’s get moving on it because you need it. If you don’t already have it, you need it. You’ve got to have it if you want to stay in business. You don’t want to lose the trust of your customers. You don’t want to have heavy-duty fines by whatever agency you have to report to. You don’t want the embarrassment of the 6 o’clock news showing up on your doorstep. You’ve got to get this stuff going, and you’ve got to do it the leadership way. The manager can write the check for it, approve the purchase order, or whatever your buying process is, your procurement process. The leadership is what’s going to make it successful. And we want you guys to be successful, not just buy the product. We’ve got people in place to help that go along.

So, what do you need? This is the most important part of leadership for all of the security stack we have. Of the, jeez, 30-40 things in our security stack – you guys have probably seen the slide; it’s got a whole slew of things. VPNs and all these other different things, EDR and SIEM tools and all these security products. We can do that without a whole lot of leadership. Actually, without a whole lot of management. But we can’t do these two things. That’s up to you to buy and make it a part of your culture and don’t talk bad about it. The stuff we use, as you well know, is best of breed. You won’t be sorry you did it. That’s what you need. Managers will buy; leaders will implement it and bake it into your culture. Can I get an “amen”?

KINDSEY: Amen! [laughs]

TOM: [laughs] Okay. I feel very passionate about this, and I think we’re going to expand on that a little bit more. It’s a subject that I’ve been thinking a lot about the last few years, and I think it’s reflected in our company. We’re bringing our leaders up – everybody in your organization can be a leader. This isn’t title-based. It’s not even responsibility-based. If you do your security training right, each and every person in there will be good leaders because they’ll understand what the common objective, the common goal is.

At any rate, sometime this month – we were hoping to be a little farther along, but we are going to have an IronTech Foundation Bundle that will consist of password management, security awareness training, and an EDR, which we’re going to rip out your antivirus because, as you know, I’ve said 100 times, it’s useless. Or practically useless, I think is my exact phrase. One notch above useless, I’ve said a few times.

We don’t know what the price is going to be. We’re still negotiating with our partner vendors – and they are truly partners. If we buy into them, we’re partners with them and they’re partners with us. Mainly because of the orchestration side of it. But hopefully by the end of the month we’ll have that nailed down. If you want to wait – actually, I think we’ve got all of this ready to go except for one thing. If you want to go ahead and do that, that’s fine. We can go ahead and do it. I don’t think it’ll cause a problem.

But anyway, we’ll know a lot more this week, actually. The end of this week, we’ll know a lot more where we are. So maybe on the next Deeper Dive we’ll have the pricing and the exact products we’re going to use here. We’re still evaluating some stuff. We might even have a couple of different offerings on a couple of those. But anyway, just stay tuned on that.

Security assessment, only $495. It’s really easy to do. Get on the calendar. If you attend some of our other webinars, we commonly give out codes, so if you want to get it for free – I don’t think we’ve ever done that on Deeper Dive, have we, Kindsey?

KINDSEY: I think we have with a code once on the Deeper Dive.

TOM: Well, we don’t today. But anyway, some of you may be receiving a letter in the mail that will have a code on it. Typically we do them with whatever state association you belong to; you’ll see us on those. That’s where we’ll put the codes in there to get it done for free. It’s worth every bit of $500. Maybe more. And it’s no obligation or anything. You can take that. If you do pay the $500, it does go towards any products and services you buy from IronTech, though. Don’t forget that. Kindsey.haynes@irontechsecurity.com if you want to get signed up for a 30-day trial on the security training.

We have any questions? Comments?

KINDSEY: I’m not seeing anything in chat.

TOM: Was this useful for everyone?

KINDSEY: I hope it was.

TOM: Type in the chat if you found this useful. Or if you didn’t find it. I’m a big boy. I can handle it. Bring it on. Or even if you’ve got any suggestions for some topics you’d like to talk about on a Deeper Dive. We’re battling the bad guys, so – thank you, Jan – so sometimes we can’t see the most obvious things in front of our face. We depend on you guys to help guide us on giving you better information. Think of us as your partner, even though you’re not a client, or may not be a client.

If you want to hear more stuff, and even if you haven’t bought from us, feel free to drop an email to Kindsey or fill out the contact form on the website, whatever you want to do. We’re here for you. Even these deeper dives will make your company safer, and you’ll learn a lot of stuff in them.

I can’t believe Mary doesn’t have a question.

All right, guys, that’s it. Thanks for joining us. We’ll see you next week. Every Tuesday at 2 p.m. Central. Bye.

KINDSEY: Bye.