ALPS In Brief – Episode 38: Empower Your Employees to Make Smart Security Decisions

As an organization or law firm of any size looking to build a cybersecurity plan, your first step should be training your staff — making everyone aware of cybersecurity threats and how to spot them. Mark Bassingthwaighte sits down with Erich Kron of KnowBe4: Security Awareness Training to talk cyber risks threatening your firm and approachable steps to combat them.

Transcript:

MARK BASSINGTHWAIGHTE:

We’re going to break here for a second. Hello, and good morning, podcast listeners. This is Mark Bassingthwaighte, the Risk Manager with ALPS, and welcome to another episode of ALPS In Brief, the podcast that comes to you from the historic Florence building in beautiful Missoula, Montana, and what a gorgeous day it is. I am so pleased to have as my guest today, Erich Kron, and he is a security awareness advocate with a company called KnowBe4 and I have been a fan of KnowBe4 for many years and really am just excited to have the opportunity to talk with Erich.

Let me share just a little bit of information about Erich. Erich is a veteran information security professional with over 20 years experience in the medical, aerospace manufacturing, and defense fields. He is a former security manager for the US Army’s second regional cyber center, Western hemisphere and holds … I’m just telling you, folks. There’s a long list of certifications here that, I got to tell you, Erich. That’s pretty impressive. Eric has worked with information security professionals around the world to provide the tools, training, and educational opportunities to succeed in information security. So Erich, it is such a pleasure. Welcome to the podcast.

ERICH KRON:

I’m thrilled to be here. Always happy to be on things like this where we can share a little bit of information. It’s funny, you mentioned the certifications but what’s more important is just all of that experience and being around the different areas. It’s something that I love to share with other people.

MARK:

Well before we jump into the topic at hand, I think it would be helpful if you could share with our audience a little bit about just sort of who and what KnowBe4 is about.

ERICH:

Right, okay.

MARK:

Can you fill us in sort of on the mission?

ERICH:

Yeah. So KnowBe4, what we really are, we provide a security awareness training and simulated phishing platform, right? So what that means is we really focus on the user problem in security these days. And we do that by helping to train the employees or give organizations an easy way to train their employees on cybersecurity issues and things like password hygiene, all of that kind of stuff that’s important to do these days that oftentimes gets neglected in normal training. But then we also give the organization a chance to follow up on that training with some simulated phishing exercises. And what that really, that’s kind of the idea is, if you’ve ever taken a course where you’ve gone in, watched an instructor teach or seen something online, you’ve learned a little bit from that, right?

MARK:

Right.

ERICH:

But when you do some lab sort of things afterwards like you actually do some hands-on work, it really sticks more and that’s part of the simulated phishing. You get a chance to actually learn to spot these.

MARK:

Right.

ERICH:

Simulated emails.

MARK:

Right.

ERICH:

That’s the idea there.

MARK:

Okay, I love it. As you’re aware, we’re an insurance company and exclusively in the legal malpractice space, although we in addition to writing legal malpractice insurance policies we do write cyber insurance, again exclusively for law firms. Our space is primarily, we are nationwide, but primarily the solo small firm market. We branch out of that a little bit, but that’s sort of the core business for us. And when I visit with lawyers all over the country, one of the things that I often hear is, “You know, Mark. We’re just a small law firm here on Poughkeepsie or Ames, Iowa,” or whatever it might be. “We’re not going to be on anybody’s radar, and we really just don’t need to worried about becoming a victim. Who’s going to be interested in us?” Is there anything to that?

ERICH:

Yeah, you know it’s interesting. It’s not just from your industry. I hear that a bit in other industries as well, but here’s the thing. We got to understand that they may not necessarily always be after you specifically when it comes to trying to breach information, but there’s a couple things to consider. Number one, who are your customers?

MARK:

Yes.

ERICH:

Many times they’ve attacked organizations to get to their customers. Look at Target and the HVAC vendor-

MARK:

Right.

ERICH:

That got them in trouble there. Hancock Health was, they got hit with ransomware recently based on, the bad guys went after the vendor, got into the vendor and used the vendor portal then to get into Hancock Health and cost them a lot of issues. And the other thing is, we have stuff out there called ransomware, right?

MARK:

Yes.

ERICH:

And the thing about ransomware is, it doesn’t really matter if your information is important to anyone else, it’s important to you, so there’s value to that, right? They lock it down. They keep you from getting to it. You can’t continue doing what you’re doing. It’s valuable to you, and really that doesn’t matter whether you’re a single person practice or even at home, right? People at home have had their photographs and kids’ pictures and all that kind of stuff encrypted by ransomware. It doesn’t matter what size you are. If you have data, it’s important to you and you’re willing to pay for it. That’s all they care about.

MARK:

Yeah. And am I correct in saying that a significant percent of the, for lack of a better description, attack factors are automated are being pushed out to hit anybody that sort of happens to fall victim, as opposed to very specific targeting? Is that accurate?

ERICH:

Yeah I mean the bulk of it is definitely just kind of a spray and pray if you will sort of will.

MARK:

Yes.

ERICH:

I mean it’s phishing. You put the line in the water and you hope somebody comes by and catches it. They do this in bulk. I mean, just tons of emails a day, it’s mind-boggling. However what’s happening is, as things are getting more advanced, and they are getting more advanced, right? You got to understand, these are kids in their mom’s basement drinking Mountain Dew, eating pizza, all right? This is organized groups and in some cases organized crime, even up to nation-states and things like that, that are automating the processes. So imagine this, right? There’s a breach that gives you some of your information is out there and it seems like no big deal now; but they take automated methods to pull that together, put that information in there, and actually make it much more targeted without a lot of work because they’re employing automation just like we are. So although the bulk of it is very, very generalized, what we’re seeing is definitely an improved trend and at least some customization towards the individuals, just because your information’s out there.

MARK:

Right.

ERICH:

I mean, let’s face it.

MARK:

Right. I like that. What it makes me think about, not only do we have this increase in automation but lawyers will also say, “I’m a smart guy. I wouldn’t be fooled by these things,” and they’re thinking the sort of old, early Nigerian prince kind of scams, you now, that are so just crazy and obvious, pouring on and on. Did the scams today, are they as easily identifiable? Are we getting to be more sophisticated there as well? Do you see where I’m going in terms of proper English, that kind of thing? Can you affirm or deny for me as to where we’re going with that?

ERICH:

Yeah. This honestly certainly has nothing to do with intelligence. These groups have gotten very, very good at their trade. We see physicians, we see all kinds of very educated people get hit by these because they are so good at what they’re doing. And it’s interesting, we have this dark web, kind of the underbelly markets that are out there, right, that support some of the cybercrime. There’s actually services that will take what these people want to do as phishing emails. They will correct the grammar, they’ll correct the spelling. They’ll improve them for a fee and guarantee increased click rates, okay? So there’s a whole market behind this, right. And that’s what I think people a lot of times, they underestimate just how good they are. And again, this isn’t about being intelligent. It’s not about how smart you are. It’s about being aware of the attacks that are coming and having a focus on watching for them. Because really, you’re not too small and they’re just so good at what they’re doing these days, they really are.

MARK:

Right. And sort of what that underscores for me, with the exception of possibly the true solo who even has no staff, one of the other things we need to think about is that if I was … I practice at a small firm. Let’s say there’s three or four lawyers and we have four or five staff, maybe even hire a high school kid during the summer, do a little running, a little filing or something. We are exposed in terms of all these users. So even though I may, as a guy that’s very interested in security and I keep on all of this stuff, I may not fall prey but I do have to understand others in my employ, others that access to these systems, also represent a very real risk. In light of that, what kinds of steps can I take as a small business owner to try to limit becoming the next victim?

ERICH:

Yeah, it’s tough. It’s not easy.

MARK:

Yes.

ERICH:

There’s no denying that, right?

MARK:

Right.

ERICH:

It is something that is difficult to do. However, when it comes to being a small organization the first thing that I say, and I mean this sincerely, not just because it’s what we do, but training people, getting people aware of what’s going on. At least if you make them aware of the threats that are out there, that’s very, very helpful, right? Because we see all of these different types that are all very slick. Some are after gift cards.

MARK:

Right.

ERICH:

We’ve seen ones where they’re redirecting payroll, you know? All of these things are very, very slick, how they’re doing this. And making sure that people are at least paying attention to what’s coming in is really, really important. What I find is a lot of people, it just slips their mind to even think about these as attacks. Now, generally speaking, email systems, watch for those flags that say, “This may be spam.” Make sure that when you get something that has a link in it, you actually hover that link and make sure, put your mouse over it for a second, and make sure it’s going where it says it’s going. Whenever you’re in a place where you’re logging in, this is a trick that they use, they’ll send you to a link that looks like you’re logging into the email, but it’s actually their own website and so they’re pulling your username and password out of that. Look up in the URL bar up there and make sure it’s actually going to Microsoft or Google or, you know, not something else because those are the tricks that they use, is when people don’t look for those it makes them very susceptible to that. So that’s some of the key things that you can do to, just the small things that you can do, when you’re doing this. But again, we need to let people know to do that.

MARK:

Right. You mentioned earlier in our conversation here about ransomware, and maybe we should take a quick moment and just make sure everybody even understands what that is. What are we seeing in our cybercrime? What are lawyers becoming victims of sort of most frequently? One, it’s just device theft. You either are good about handling your equipment, you know, your smartphone or whatever it might be. But the other two biggies, really we are seeing a lot of ransomware and we are seeing a lot of wire fraud and business email compromise. I mean there’s all sort of different acronyms for how we get to wire fraud. Can you just sort of underscore, for businesses that become victims of these kinds of crimes, can you just underscore. What is the number one attack vector, for lack of a better term. How is it most likely? Is it really going to be email or are there other types of things? Could I get in trouble with a text message? Could I get in trouble with a voicemail? I kind of what to explore the lead vectors, but can you just confirm for the audience again, what is the number one vector? Do you have any idea sort of how, I mean is it 90 percent, 50 percent? You know, that kind of thing.

ERICH:

Yeah. So what we know is that 91 percent of successful data breaches start with spear phishing, okay?

MARK:

Okay.

ERICH:

That’s the key thing. And 98 percent of attacks have some sort of a social engineering angle to it, which is tricking people. Basically the scams, the tricking people into doing something, right?

MARK:

Right. Right.

ERICH:

Text messages are absolutely something that’s big out there. We all know somebody that’s gotten a text message from the IRS saying, “If you don’t send us a bunch of iTunes gift cards right away you’re going to jail,” right, okay?

MARK:

Yeah.

ERICH:

And it’s funny because we see that and we kind of laugh about that, but we can do that from the outside. When they’re putting the pressure on the person a lot of times, it kind of messes our thinking up, right? So those are actually still pretty successful. We see phone calls. And what’s even more dangerous is I’ve seen cases of hybrid attacks. And what that means is, you may get an email in your inbox and a few minutes later you may get a text message that says, “I just sent you a very important email,” and it looks like it’s from somebody you know. “Please go check this email.” Well now they’ve validated the email through text and the email’s really a very targeted phishing email.

MARK:

Right. Right. Got it.

ERICH:

So, very dangerous. It puts your guard down because you think, “Oh they obviously know who I am.” But really, it’s not that hard.

MARK:

Yeah, yeah. Oh, wow. There are days when I heard stuff like this. I want to go some remote island, go off-grid, and just sell juice or something. Just completely disconnect.

ERICH:

My plans are to come up there in Montana with you and I’m going to have a little place and dig a moat around it. I’m going to retire back there. No electricity, no nothing, man. I just, yeah.

MARK:

Okay. You and I are absolute in agreement on a lot of this stuff. You’ve been at this far longer than I have, but I really do believe that awareness and training is key. Regardless of what IT can do in terms of firewalls and patches, the user can circumvent those defenses and we can still be attacked and become a victim in ways that can be really devastating. So with that in mind, how often do you feel some type, have there been any studies? How often do we need to kind of put these reminders, this training, out there? Is there some guidance in that? Is it the kind of thing, oh we talk about this once a year at a firm meeting, a get a little pizza? “Please, everybody. Don’t click here!” Do you have any thoughts on that?

ERICH:

Yeah, I mean that’s obviously very successful, right? No. If you think about it just think about it from that standpoint. Yeah, you give somebody training in January and you expect December they’re still thinking about it. That just doesn’t happen, so what’s really important is that you get some training out there. Now what I really advocate for is yes, once a year you do a big training. And especially if you’re in a organization that’s large enough, you got to deal with compliance, you do have to check those boxes. But you do the big training once a year, okay? Make a big hub bub about it, longer stuff. And then at least quarterly put out four to five minutes of training. And what I like to see people do is make it something that’s relevant, especially to that time of year or what’s coming up, right? We know first quarter’s always going to be tax fraud. It’s tax, tax, tax.

MARK:

Yes, right.

ERICH:

So why not start reminding people, maybe in December that, hey this is coming up. Or maybe in early January, hey, just keep an eye on these things. We know that the tax attacks are higher this year. Or during the holidays we see that kind of thing going on, so remind people going into that with relevant training to what’s happening there, you know? And then it’s also important to do spot stuff, right? So any time there’s a natural disaster, any time there’s something major news breaking, you know the bad guys are going to turn around and turn this into an attack because they rely on emotions. They really do rely on emotions to make these successful, so if there’s something that has you emotionally wound up they’re going to use it to get you to click on things. They’re going to use it to get you to donate to fake charities. They’re going to do all of that kind of stuff, so if you see something like that put something out about it.

MARK:

Yeah. And what I like about that, and thanks for that comment, that’s great. We at times think about these emotional responses as fear. A judge is going to send somebody out because you missed your jury duty or you’re late on the IRS or behind. But there’s this other side, too, playing on our generosity. “Oh, these poor kids in Haiti.” And I think even political kinds of things. “I am so upset with the Democrats or the Republicans or whatever,” so I just want to underscore. Don’t fall victim to scams. It’s not just about fear. There are all kinds of emotions people can play on and we just need to keep that in mind. This has been great, Erich. I really love what you’re telling us. I would like to give you a little time, if you have a closing thought or two. But I’d also like you to share, because I so believe in the value of what KnowBe4 is doing. I mean, I really, really feel that this is an essential kind of an investment that businesses of all size should be making. So I would love if you’d like to take just a little bit of time and share with our listeners, if they have any interest how they can additional information? What kinds of services can you provide the solo small firm kind of market? And so I’ll just turn it over to you.

ERICH:

Yeah, so you and I do share in that definitely. I’m a security guy. I’m where I’m at right now because I’m super passionate about this part and I’ve seen, for so many years technologists have really, or IT people have really focused on technology not on the human side.

MARK:

Right.

ERICH:

And I totally get that because honestly, most of us technical people, we don’t want to have to train people. We don’t want to, that’s not why we got into technology, right?

MARK:

Right, right.

ERICH:

And so it’s not easy for us to do that. And frankly we’re not always effective at it. If you’ve ever been trained by a technical person and you’re not necessarily [crosstalk 00:20:26]

MARK:

Maybe from one or two.

ERICH:

Yeah it can be painful, right?

MARK:

Yes.

ERICH:

So that’s really where we kind of bridge that gap. We come in there and we provide the training. We make it easy to do, that’s what I really love about it. The platform for the people on the backend, really really easy to do. It doesn’t take a lot of time and it’s just very, very effective, right? When it comes to the smaller markets, one or two-person shops, we generally don’t start out that low. We usually start, I think it’s around 25 seats. However, what we do have is we have a great channel program or MSP, manage service providers, right?

MARK:

Yes.

ERICH:

Some of the people that are already doing your IT work, a lot of them resell us or offer us an option, and that is where you can really turn to when it comes to the one or two-person shops is go to those folks and they can definitely get it out there for you as well.

MARK:

Okay. Good to know.

ERICH:

Yeah. It’s a great thing to look at and ask the folks that already providing your IT services. “Hey, what do you know about this?” Because they can buy those blocks and then turn around and take care of it all for you, it makes it nice and easy.

MARK:

Yeah.

ERICH:

But again, regardless of your size, you really do need to be doing some sort of training with your folks. We put on a lot of webinars, and you go to KnowBe4.com and then there’s a resource, oh no there’s an events are there I think that does the webinars. We also have a resources place where you can learn a lot of this stuff if you want. If you feel like you want to learn and you want to put one or two people through it, that’s all free. And it’s good information.

MARK:

Yeah.

ERICH:

I talk about the scams. We have, Roger Grimes here talks about things, so we try to give a lot of information like that that we can, even if you’re in a position that you can’t necessarily or aren’t in a position to afford it or have somebody to get it to you, we really do try to give you some stuff.

MARK:

Perfect. And for folks listening, I want to underscore, KnowBe4.com is K-N-O-W-B-E-and then the number four. The number four, so KnowBe4. And we’ll put a link up on our site. Erich, thank you so much. It has indeed been a pleasure. I really appreciate your taking the time to visit with me a little bit today. To those of you in the listening … I’m getting tongue tied, it’s Monday. To those of you in the listening audience, I hope you found something of value today. I strongly encourage you to reach out and take a look at this website. This company, I have been very, very impressed and I’ve personally taken some of their training and it is good stuff. But in addition, if you have any thoughts or ideas about other topics or guests that you’d like us to visit with, please don’t hesitate to reach out to me. You may reach me at mbass@alpsnet.com. Thanks, folks. I hope you found something of value. Have a good one, bye-bye.

 

ALPS In Brief Podcast Intro/Outro Music: Walk In The Park by Audionautix is licensed under a Creative Commons Attribution 4.0 license. https://creativecommons.org/licenses/by/4.0/

Artist: http://audionautix.com/