Some Workgroups Deserve More Protection Against Malware

EP 108: Some Workgroups Deserve More Protection Against Malware


About this episode

June 21, 2022

Due to the way some workgroups must work, they deserve more protection against malware. But how can you do that in a minimum viable way? Let’s find out with your hosts Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.

EP 63: Quick look at the “Essential Eight” mitigations

“Implementing the NIST Cybersecurity Framework”


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at and

Jake: So Kip, what are we going to talk about today in episode 108 of the Cyber Risk Management Podcast?

Kip: Hey there, Jake, I thought we should talk about the fact that some work groups in our organizations actually deserve more protection against malware, and also thought we could talk about how to do that in a minimum viable way.

Jake: And when we say work groups in our organization. And so we're actually, you know, we're talking generically about groups of workers throughout, you know, we're going to the organization's not, you know, in the world and I'm thinking here, okay, the first thing I think of is, is a business email compromise and that's Accounts Payable. But what other work groups are you thinking of? There must be more.

Kip: Yeah, I think that's a, I think that's a really astute thing for you to think. Yeah, because we talk about business email compromise and and it's all about money and yes, Accounts Payable, people seem to be the ones that are getting attacked there, but that's only one workgroup. Alright, so Accounts Payable is a work group and you know, there could be many Accounts Payable functions depending on how large your organization is, how many divisions you have or, you know so you know we could be talking about a lot of people situated in a lot of different places but there are also other work groups like Sales, Customer Service and Human Resources.

There's probably more but I just want to focus on those four today and and the reason why I want to focus on them is because the nature of their work requires them to take greater risk every single day because they have to open up many emails from unknown senders. I mean it's just it's just endemic to to the nature of their work and because of that and it's no secret cybercriminals are very well aware of this and they design attacks around this fact and and I thought we could look at one specific attack today and then discuss just use it as an example but then but then kind of pull the camera back out and then discuss about how to deal with the whole problem.

Jake: Oh this sounds good. Okay, and I'm thinking okay Accounts Payable, Sales, Customer Service and HR. Ah So let's let's start by being clear about why these four work groups are doing something that many of us are told over and over again not to do.

Kip: Exactly, isn't it? Isn't it strange? I mean if you work in one of these groups and you're going to the mandatory right annual training or maybe it's more frequent than that and and and the conversation about phishing comes up, right. And I'm sure they're rolling their eyes.

Either you can see it or they're doing it in their heads and they're thinking, yeah, right? Like I can ignore all of these unexpected emails from unknown people. They're like, that's never gonna happen, Right? And so that really gets to the, to the heart of it. And so yeah, so let's, let's look at why that is for each one of these work groups.

Jake: Yeah, I'm thinking about how most of the time, you know, particularly these days you get an email forwarded from someone and it's like this email originated from outside your organization. And these groups, like that's, that just fades into the background so rapidly because all of most of the emails they receive are from outside their organization.

Kip: That's right, That's right. And so probably that little warning just becomes, you know, the din of their work environment, right? That the brain automatically tunes out. And that's exactly why I think they need more protection. I think, I think, you know, as we spread protection around, I think we need to spread extra protection onto these work groups. But let's unpack each one just for a little bit.

Okay, Accounts Payable. And, and I'm glad you mentioned that first because I think it's probably the easiest ones to understand. So they're getting invoices by email from new suppliers all the time. And my observation is that they're not even told when new suppliers are contracted with, I can tell you as the owner of a small business, right Cyber Risk Opportunities, it happens all the time. We get a new customer, I ask them, where shall we send our invoice? They give me the information. And one of the first things I get back from submitting the invoice is, "Who the hell are you? Where's your W9?" So I know this is happening all the time. And, and, and I'm I'm sending a legit invoice in. Right. But you gotta think that even though most of those emails are probably authentic, we know that some of them aren't. And, and even though business email compromise is sort of the first thing that comes up because it's phishing, I'm also concerned about malware and I really want to focus on malware that is designed to silently sneak into their workstations and to give criminals a foothold in their in their target.

Jake: Yeah, and I think that's probably one of the most concerning aspects of phishing emails these days is, you know, business email compromise. It does have to get the defenses against that are oftentimes less technical right. Don't wire money without several people, you know, authorizing it.

Kip: Some two person rule.

Jake: Probably don't go buy a bunch of gift cards for your boss who has never asked for that in their entire life. But malware particularly of the sort that is silently installed. That is frightening. And I think that I think that's worth defending against. For sure.

Kip: Absolutely. Because by its very nature there really is no opportunity for the person who opened up that message to do anything. It's going to slither in a Remote Access Trojan or something like that. I mean these things are designed to not be noticed and so I mean if you, so if you think you know what in retrospect, you know sometimes can appear to be a very obvious phish. Well you know, if that can be overlooked because somebody's hustling along and trying to get work done, you know, there's no chance that they're going to see a Remote Access Trojan landing on their on their machine under typical circumstances.

Okay, so that's Human Resource. Sorry that's Accounts Payable. Now, what I want to talk about is I'd like to turn to Sales and I'll let you I'll let you take this one Jake. What do you think is going on over in the Sales department that's causing them to open up a lot of unexpected email from unknown senders?

Jake: Well, I mean I think there could always be inbound inquiries. Their, you know, their system is likely set up to allow a contact us page. There might be emails to contact.

I mean, you know, I'm sure Sales guys love it when they get inbound emails. Right. I mean if you were a Sales guy ah or gal and you are and you get an unsolicited email inquiry from a potential customer man, there's nothing better than that.

Kip: That's a hot lead.

Jake: That's a hot lead. It's you know, frankly it's it's probably a more exciting lead than all the replies to your own emails that you have sent out and there's a, there's a certain charge of excitement that I think the Sales department is particularly vulnerable to and I'm just really thinking through this in real time because you know, Kip your script says respond slash discuss which is not not the hugest amount of detail that you could have provided me.

Kip: I know, but I want your authentic reaction.

Jake: Early morning, you're you're getting it. But now that I think through it, I mean that's that's a that's a potential insidious target, right? Because you're really, you're really playing ah you know, I think so a lot of phishing emails are, you know, they're based on fear, right? Or or anxiety, right? I want to make sure that I don't get in trouble.

Kip: It's designed to provoke strong emotion.

Jake: Yeah, exactly. And this is this type of positive excitement is perhaps one of the, you know, every no Sales guy wants to believe that a lead hot lead like that coming in is fake, like they just don't want to believe it,

Kip: That's right and I want to add because I think I agree with the things that you've said so far and I want to pile on a little bit. Not only is a hot lead exciting, but it's exciting for a particular reason, Sales people typically have a quota that they need to make and, and, and those quotas come at, you know, one quarter at a time typically, right? So around the end of March and in the end of, you know, every third month there is intense pressure not only to make quota but to exceed quota.

And the reason that you want to exceed quota is because there's typically an accelerant or a kicker. In other words, when somebody, let's say they're making 10% commission, once they hit their quota, that percentage rate goes up typically. So it could become 15%, 20%. And if they get even further along, there could be some other incentive in there. Like, you know, the lease for a new car or a trip to Hawaii or something like that. So there's a lot on the line, you know, when a Sales person receives hot lead, right? That's what's running through their mind is is, you know, oh my gosh, you look at all the great rewards, you know, that that are available to me if if I can convert this into a Sale. So, it's amazing.

Jake: And I would bet that the criminals know that end of quarter is the best time to send these emails. So it's, it's timing, it's context, it's the content, it's, you know, a whole whole mix of mostly positive emotions going through the Sales guy. Yeah, that's a sneaky one.

Kip: Yep. How about Customer Service? You wanna take a stab at that you want to respond slash discuss?

Jake: I will respond, I will, I will yes. Open bracket respond slash discuss. I think Customer Service, it isn't going to be the same as for the Sales department, right? In a Customer Service department, by definition, you're receiving inquiries and emails from alleged customers who need, who need support. And you know, it's your job to respond to that and keep people happy. And now that I say that and this is talk about your real time, you know, exploration of the, of the question here, if your job is to receive emails from unknown parties who are probably customers and to keep them happy.

You're probably very much thinking about how to do that as opposed to not responding or not opening. In fact not opening an email and not, therefore not responding. Probably going to it's probably the exact opposite of what you want to be doing as a Customer Service person.

Kip: Yeah, that's right. Not only that, but they're getting measured. There are when you work in like a call center or Customer Service function in a large organization, there are metrics, you know, how many requests do you handle? How, you know, and then you get a satisfaction rating, right?

So you you help somebody and then they get queried like you know how happy are you with the service that you received. So they have every incentive in terms of the metrics to to to to really lean in to these messages and really find out what's what's going on and and and not only that but but but they have to work fast because that's another metric right? Is how how like what's the average time to close a ticket or a request? And Customer Service could be anything from you know like a consumer facing sort of thing.

But it could also be the IT help desk, right? The IT help desk also provides Customer Service and they are part of this. And I could easily see a phish come in that would say something like hey I just bought your product and and it fell apart. Please see attached picture, well.

Jake: That's that's I mean yeah well you do win. And you know I've often thought I know we're not gonna this is not a specific specific work group but you know lawyers send a lot of attachments around to each other and you know you want to know really actually maybe I shouldn't even I'm not gonna I'm not gonna even give the idea although I suspect that hackers have already thought of this. But you know the yeah there's a lot of ways there's a lot of professions where there are by necessity emails coming from unknown parties with attachments that you may not that you may be required to look at under normal circumstances.

Kip: Yeah, that's that's right. And so this is just.

Jake: Speaking of that Human Resources, right?

Kip: Yes. Human resources. Okay. So what do you think is going on over in HR that's causing them to open up messages from unknown people?

Jake: Well, this one is, this one is perhaps one of the starkest examples yet. Your job is to review and you know, hire people which requires you to accept resumes and applications which are going to be rolling into your your organization probably via email. I mean, unless you're a really really really big organization and you have some kind of super special online recruitment tool. And you know, those exist, I you're probably still going to be receiving emails with, you know, attachments, resumes, cover letters. They may be in PDF I think, I think an awful lot of people probably send their resume as a Word file even though I shouldn't do that. So yeah, this all happens.

Kip: Yep. It does a regular stream of unsolicited email from unknown people at unknown times submitting resumes in response to job postings. Can you see that? It's just endemic, right? It's like they can't do their job without exposing themselves to this sort of thing. The kind of system that you talked about. A recruitment system is actually called an Applicant Tracking System or an ATS. If your job it has.

Jake: Of course it has a three letter acronym.

Kip: Of course it does. And if you're a job hunter, you hate ATS. Because it's an awfully difficult thing to to to squeeze through. And I've got a whole rant on that, but I won't I won't go there. But but even if you have an ATS, you generally don't control what people push into that ATS. Right? Because I can open up the web page on your website that you know, lets me submit a resume and I can upload an attachment and your ATS. You're just going to slurp it right in and I I don't know do ATS.

Jake: That seems problematic.

Kip: Yeah. Does it have, you know, malware detection in it? And then that and then it's going to sit in the ATS until somebody until a recruiter opens it up. And at that point, I mean it might as well be an email attachment, right? You're just going through there clicking on everything. So I don't know that ATS is providing you with much cover. In fact, it might even give you a false sense of security because at least in an email client you've got some vague awareness that that some of this stuff could be a phish.

But in an ATS you probably don't even have a context clue that you know that that something's going on. So yeah, so the HR team I think, Yeah that's our fourth really I think good example of why some work groups really deserve more protection.

Jake: Okay so you know this is all very very interesting but how theoretical is this threat?

Kip: Yes, that's a that's a great question. Right? Hey Kip is an install. Just a bunch of theory. I mean sounds good but you know, so what? Well here's the so what there was a report that came out recently from a Managed Security Services Provider or you know an MSSP. Because there's not enough three letter acronyms in the world.

We need four letter four. Sometimes we do. Alright, so an MSSP published a report and they do this, right, let's be serious. Any vendor out there is motivated to you know do a little research and publish a report. It's just it's marketing. Okay. So no surprise. I mean we've looked look at Verizon, right? We we on this podcast, love as we have glee when we receive the latest issue of the Verizon, you know, data breach incident report and and and we devour it and we take it seriously.

And yeah so this is a known pattern. So I grabbed this report from an MSSP. And I started going through it and and I thought it was a very good report. I thought was reasonable. They didn't publish their research methods. So I was a little concerned about that anytime, I don't see sample size and exactly who did the research? You know I think it's a little suspicious. But what they talked about in there was a phishing campaign where attackers were posing as job applicants and luring corporate hiring managers into downloading what they thought were resumes from job applicants. But the resumes were bogus and they contained a piece of malware called More_Eggs. I have no idea.

Jake: You know More_Eggs, makes as much sense as anything else.

Kip: Yeah I'm thinking of omelets right I don't know but More_Eggs and you can go look this up. It's actually a Remote Access Trojan which is designed to steal user names, passwords for all kinds of accounts like bank accounts, emails, IT administrators. But it can do other things too. Like it can inject a system with malware whether that's ransomware or crypto mining you know utility or something like that.

I mean it's just you name it. Right. A remote access. Yeah and and and a RAT right? A Remote Access Trojan by definition is silent. It gets in there silent, it operates silently it allows somebody remotely to monitor the system and do and do stuff.

Jake: There's a three letter acronym that you just gotta love. I mean it's a it's a it's a RAT. It's a RAT you don't want RAT. Nobody wants rats.

Kip: Unless you're Chuck E Cheese you might want rats.

Jake: There you go. I think so.

Kip: Can you believe that a restaurant with a RAT as a mascot? Who would have thought? Yeah nobody ever would have thought that would have would have worked well. Okay so so I read this report and then I thought well this is really interesting. I, you know this isn't this is an example of a specific attack against one of these work groups. You know, they're thereby demonstrating that it's not just theory here. These are workers that really do need extra protection because they are in fact targeted. So there you go. So I I thought the report was good.

However as I mentioned, I'm always on the lookout for bias and for the lack of information about how the research was performed. So I kept reading and and I'm not going to name the vendor because I think I think that would be unfair. There's no point calling out one vendor when this this behavior is rampant. And and so I went to the recommendations section and they suggested three things: Security Awareness Training for All Employees. They also recommended Managed Detection and Response, which we call MDR. And they said don't forget you need to Monitor your Threat Landscape. Those were the three things that they suggested. And what do you think Jake? Does that sound? Okay? I mean what's your reaction to that list?

Jake: I mean I suspect that, yeah those are all three things. I guess my question is how much of those costs and who's going to supply them to me? Let me guess it will be it will be our friends. The unknown MSSP. Which is fine. But are they recommending are they recommending specific products? Because as a concept I agree with all of these security awareness training, good managed detection and response, good monitoring the threat landscape a wise thing to do. But if when you get into specific implementations of all of these I think you always have to always have to be careful.

Kip: Well, you know, so it turns out that this MSSP that published the report, those three things are what they sell and that's all they were recommending so and if you unpack it, I mean MDR is not cheap. If you're not doing MDR already then you may not know but it can cost $100,000 a year or more. Especially if your organization.

Yeah super expensive. And and you might wonder like really? I mean do I have to do MDR. If I'm not doing it right now and you know and just for this right just just to deal with More_Eggs or you know kind of you know, things like that. And I think that you that you should wonder about about recommendations like that. So if you're a cyber risk manager for your organization, it's not just enough to know who's at risk like these work groups. We talked about Accounts Payable, Human Resources, Customer Service and Sales but you have to carefully choose how you're going to deal with it.

Jake: Absolutely. So Okay $100,000 a year. I'm not sure that counts as minimum viable, MinVi mitigation Kip. So how would you deal with More_Eggs? Is there a way to deal with More_Eggs that does not require spending six figures or more on a regular basis?

Kip: I think so yeah there there is and and I and I and I wanted to use this as an opportunity to to really demonstrate to folks that okay. MDR sounds great. Sounds like an easy button quite frankly. Right? I'll throw some money at the problem.

And this outside service provider this MSSP people just handle it and I don't have to deal with it anymore. I can go off and do the other things that are that are actually much more interesting. Okay, well I mean if you can afford to throw $100,000 or more each year at MDR. And you're not doing it already, maybe that is the right answer for you. But if you're not ready to do that, I just want you to know that there are alternatives and one of those alternatives is called the Essential Eight and we've talked about the essential. In fact we did an entire episode about it. So it was episode 63 that published on September 29, 2020. And since I have been shamed shamed by my podcast, co host into doing show notes, I will put this link in the show notes.

Jake: Good, good. I just smiled. You know, I know it's not, I know that's not visible on this, on this medium, but yes, it's I did. I smiled large.

Kip: Okay, so let's recap you can go listen to the whole episode and I really think you should. But just to recap the Essential Eight is a collection of mitigations and they're designed and modified over time, which is really important. So the eight don't always stay the same and they don't always you don't always use them the same order and so forth. Right? And and so it's a really, really practical framework. But the Essential Eight is specifically designed to stop malware infections of all kinds and I'm just going to quickly read off what the Essential Eight are: Data backups, Application Control, Patching your Applications, Restricting Admin Privileges. That's number four, Patch Operating Systems, Configure or restrict Microsoft Office macro settings. That's number six, you want to harden your Web Browser Security.

Jake: Pause, pause pause time out.

Kip: Multi-Factor Authentication. Number eight.

Jake: But number six configure Microsoft Office macro settings, particularly relevant to this discussion given how, given what we're talking about, right? There's a lot of you may be getting in throughout all of these whole bunch of Word files or Excel files or who knows? Right. But man danger.

Kip: If you don't need macros.

Jake: If it's not set up properly absolute danger.

Kip: The only work group of the ones that we mentioned where I would think macros might be in active use would be Accounts Payable because they're the spreadsheet gurus and they constantly are in spreadsheets and they're trying to automate stuff so so they may have a legit need for macros but even still I would advocate that they need a setting that that pops up a dialog box every time macros try to run and say you know are you sure you want to enable macros?

And I think I think at the very least that is the setting you want. But if you're in a work group where macros are just not required then you just want to shut it down completely. Don't even let them run. And if it you know and if it becomes an issue let them request an exception from IT. Or or however supervisor whoever, whoever's responsible for that. But now More_Eggs in this particular example doesn't rely on macro settings. It's actually a JavaScript-based exploit and that's where number seven comes in which is the web browser security.

Jake: Yeah that's no good.

Kip: So okay so okay so now we've got this very practical framework. The Essential Eight. So Kip what would you do? Well I'm so glad you asked Jake.

Jake: What would you do Kip?

Kip: I would start by explaining the risk to the senior decision makers in the HR department. I would start there because because I can show them More_Eggs. Right? And where And maybe I can show that to the to the other decision makers and the other work groups. But it might not be that convincing compelling. Right? So, I'd start with HR and then I would go find other attacks or the other work groups.

But I would I would try to get their support to mitigate the risk. And I think I think that would not be too difficult if I had an exploit that I could that I could, you know, talk with them about. And then so the next thing I would do is make sure that nobody in HR is processing email or browsing the web using an administrator account of any kind because that just opens the door even wider to exploitation would take that away. And then I would harden their web browsers against More_Eggs. And that would be to restrict JavaScript. Now, this is difficult because a lot of websites use JavaScript in order to be able to actually present themselves.

Jake: That's a tough one. If you're turning it off, then there's going to be...

Kip: I would restrict it. I would and I don't know how I would restrict it exactly because I haven't actually gone in and done the analysis.

Jake: You would do something.

Kip: But I would I would do something to try to identify, how can I restrict this. Okay, that would be, again, it's not the one thing that's going to stop this, but it's another obstacle, right? Remember we need to become a small target. We need to make it expensive for criminals to exploit us because they generally don't want to, to go after people who are difficult targets. They want the easy targets. Okay. So I'd harden the web browser and then the last thing I would do in this first round of mitigation because you don't want to overwhelm people, but I would try to find a way to turn this person's computer into an appliance. So I would go to a recruiter, a tech savvy recruiter and I'd say, hey, I want to run an experiment.

Would you please help me? I want to reconfigure your computer so that it can only run the programs that you need to do your job and nothing more. Everything you need to do, your job will run, it'll be fine, but we just won't let anything else run. Well, I think so. And this is called Application Control and some people call it application whitelisting. It has different names, there's different technologies out there that, that you can do this with, it's a cutting edge mitigation. So it's, it's not the easiest thing in the world to do, but the idea, which is amazing, I think is to block all malware from running no matter where it came from or what it is, because if you can just take the whole like list of things, I don't want to run and flip it on its head and just say here's the list of things that I only want to run, then any piece of malware that lands on the computer, by definition will not execute, and I think that is so powerful, and it makes the consequences of it makes the consequences of opening a phishing message irrelevant.

I don't care if a RAT slithers into the machine, it cannot execute. And so who cares, right, It's irrelevant. And, and I think this is the future of malware defenses. I know that antivirus vendors are already integrating Application Control of one kind or another into their package. And I think that really, that really makes the case for me that, that I'm not the only one that thinks this, but I this is, this is where I would be trying to really go.

Jake: I think that makes sense. I think that there are, there are people for whom it's going to be hard to use that to the full extent, independent contractors, right? They may not like they may have one computer, they can't really, they can't really turn their computer into an appliance because they need it for all kinds of different things, but in a large organization, in particular it should be done.

Kip: Well, And I think if you look at it from a role based point of view where if you're wearing a lot of hats in an organization, it makes this difficult because the list gets longer and longer and longer. But in a large organization where you're highly specialized, right? Where the role is highly, highly specialized and and isn't it interesting that these four work groups all actually have that characteristic Customer Service, Sales, Accounts Payable and HR in large organizations are highly specialized and I think so it's it's great not only are they at extra risk, but I think they're also excellent profiles of the kinds of roles where turning a computer into an appliance is actually feasible. So, yay for us.

Jake: Yeah. And and you know a computer that's become an appliance, it's just going to be harder to make it do things that that it's not supposed to do. And that's really the name of the game when it comes to malware defense.

Kip: It really is and it's a very different idea from where we've been right when microcomputers first started coming onto the scene, you know, in the, in the mid to late 1980s, you know, they were called personal computers and people really took that to heart and you know, even though it was a computer that was purchased by my employer if I wanted to use it to listen to music or install, you know, a little utility that made my life easier. I mean nobody care.

Jake: I love some of those, those, those crazy MIDI tunes back in the 80s.

Kip: Yeah, or what was it? Was it LimeWire? What? No, what was the, all the peer to peer?

Jake: Napster, LimeWire.

Kip: There was all kinds of peer to peer, music sharing apps in the, in the aughts. And so this is a very different idea, isn't it? Like, like, no, you can't install something on your computer that makes your life a little easier or a little more fun without permission without actually going through a, some kind of a process to add it to a white list.

I realize this is a, this is a paradigm shift as they say. But you know, I was talking to somebody in the manufacturing space recently and I was discussing this and I got the, you know, the, the expected kind of like, look of, are you kidding? You know, like are you serious about this? And I was like, look, I go, you have other business assets that are appliances. Think about your warehouse, you have, you have forklifts in your warehouse. Now, if a forklift driver wanted to burn off a little steam and race the forklift around the warehouse because it would be a little, you know, would be fun and it would, it would, you know, sort of like make their day a little more interesting and relieve some stress.

You know, would you like, I mean, would you think that was reasonable? And he's like, no, it would be a disaster, you know, I mean look at the OSHA regulations and so forth, and I'm like, yeah, like this is how, you know, we need to be thinking about computers at work, the same way we think about other business equipment, you know, it has legit uses and even though the operators.

Jake: And potentially far more dangerous than you know.

Kip: Yeah, a forklift driver that causes a lot of damage in the warehouse or maybe even hurts or kills somebody is awful, but it probably isn't going to put you out of business, but a ransomware attack that, you know, blows up and and takes you offline for a month is so much more serious to the future of your business, so anyway.

Jake: So alright, Kip, I see one more thing in in this this script that that I think I think I'm gonna go ahead and give you permission to, this is not a sponsored episode, but it's starting to feel like one. So I know that you have done many courses, you know, on LinkedIn Learning and I think even its predecessor whose name is escaping.


Jake: That's right. But now you're you've expanded your your courses, this is this is a website or an app that I've heard of called Udemy and it looks to me like you've got one called "Implementing the NIST Cybersecurity Framework". Now, you know, anyone who knows me knows that I love the NIST Cybersecurity Framework. So what is this, what is this about? Why would someone want to go take this course? Who's it for?

Kip: I'm so glad you took the bait. I'm so glad I put this in the script and you and you rose to the occasion. I really appreciate that.

Jake: I just, I just, I just totally ate it.

Kip: Well, I've got this this course and I wanted to share it with everybody because it's been out there for two months now and I've been watching the reaction from, from students and and it's it's doing well. And so I thought, alright, now that I've got market data saying that it really is helping people, which is why I built the thing, I think I think it's reasonable to share it with our audience. Okay, so what happened was the other Jason that I podcast with, because yes, you're Jake to everybody. But you, you, you very clearly told me that that you're actually Jason and Jake is your your nickname. So it turns out I podcast with two Jasons, go figure. I didn't, I did not try to do that, but that's what happened.

Okay, so over at where we help people get into cybersecurity, so Jason over there and I were talking and he said, hey, I'm, I'm on Udemy and I got this message from them and they said, we're dying for a NIST Cybersecurity Framework course, Jason, do you want to do it, Jason Dion? And he said, and so, and so he came to me with it and he goes, well, you do this all the time, don't you Kip? And I'm like, I do, I go, my whole business is built on it.

Anyway, so, so we went ahead and, and we made a course about implementing it. And anyway, it's, it's doing really well. It's been out for two months. It's got a 4.6 out of five star rating and that's based on several hundred people who actually gave ratings. But we actually have almost 1600 paying customers from all over the world right now. So it's, the site has labeled it a best seller and I just think this is a phenomenal reaction and I'm really, really grateful that the course is resonating with people.

One of the reasons why it might is because we actually have a bonus when you finish the course, you can get an online Google Sheets workbook that we made that actually automates a large portion of the workflow that I teach in, in implementing the cybersecurity framework. So it's a nice little bonus.

Jake: People always like bonuses like that.

Kip: It's a bonus, it's a tool makes people's lives easier. So it's out there. It's, it's going, it's going well. Anyway, I'm really proud of this course. I really do think it makes a difference and I don't want to, I don't want to be promoting things that I don't believe actually help people. So I'm happy to mention this, you should check it out and, and thanks to Jake, who has shamed me into show notes, I'm going to put this URL in the show notes if you want to look at it.

Jake: There we go. We've got it. Okay, well, I think that is going to wrap up this episode and because I am not the one who can wrap up an episode, that would just be much too big of a change, Kip, why don't you go ahead and wrap up the episode?

Kip: Alright, well, maybe one day, maybe one day you can say that wraps up this episode of the Cyber Risk Management Podcast and today we saw why some work groups deserve more protection against malware. And we talked about how you can do that in a minimum viable way. We really appreciate you listening to our episodes and we'll see you next time.

Jake: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably. Then please visit us at Thanks for tuning in. See you next time

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).


Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.