EP 111: Ethical Phisheries
About this episode
August 2, 2022
How do you run a successful anti-phishing program that will actually reduce your risk without sacrificing employee goodwill? Our guest, Ean Meyer, knows how. Ean is Associate Director of Security Testing and Assurance at Marriott Vacations Worldwide. Your hosts are Kip Boyle, vCISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.
Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.
Jake Bernstein: So Kip, what are we going to talk about today on episode 111 of the Cyber Risk Management Podcast?
Kip Boyle: Hi Jake, it's good to be here with you and we have a guest today.
Let me tell you about that. But what are we going to talk about? Well, we're gonna talk about how to run a successful anti-phishing program. I have been talking to people like crazy about this for the past year and doing some deep dives, and I recently met somebody who I think is a thought leader in this space, because we want to actually reduce the risk of phishing attacks, but we want to do it without sacrificing employee goodwill. And Ean Meyer is our guest today, and he talks about this as having an “Ethical Phishery”.
I don't know if that's exactly the turn of phrase you use, Ean, but that's kind of how I've started thinking about it. And Ean is the Associate Director, let me get your title correct, of Testing and Assurance, right, at Marriott Vacations Worldwide.
Ean Meyer: That's me, yeah. Associate Director for Security Assurance at Marriott Vacations Worldwide. I run a small team of penetration testers, vulnerability managers, etcetera. We're a spinoff of Marriott International; we broke off in 2011 and are more the resorts and timeshare wing of that. It's a $4 billion business globally. So we see a lot of the problems that many of your audience might see, where it's like, I've got people all over the place. I've got people of all different ranks and whatnot.
Kip Boyle: Yeah, I'm sure phishing has got to be a big thing for you guys, I mean, given your industry and size and so on. So, Ean, welcome so much to our podcast. Thank you for being here.
Ean Meyer: Absolutely, yeah, thanks.
Jake Bernstein: You know, it's interesting, I think, the hospitality industry, you know, everyone who's heard this podcast is well aware of the FTC versus Wyndham Worldwide Corporation case from 2015, kind of the kickoff really of the court cases that cemented the FTC's ability to kind of do this. And so there's no question that your industry, and of course that was forever ago in internet time. Also, it was pre-pandemic, which makes it feel even longer ago than it was, before time, but you know, this is a huge deal, and I can't remember if phishing was an aspect of the Wyndham case.
But certainly, you know, I was just reviewing the 2022 State of the Phish report, which relatively just came out, I think in the last month or so, maybe even more recently, and it said that phishing has gone up, which I don't think surprises anyone. What did surprise me a little bit, in a kind of depressing sort of way, is that it's gotten more effective. And I would have thought that, you know, aren't people getting better at detecting phishing? And maybe let's just start with some of the basics, like, what are you seeing? And by the way, you see how I didn't even start on the script? Like I just went off the script immediately, couldn't even get three seconds in.
Kip Boyle: But stay in the shoulder of the road. Okay.
Jake Bernstein: Yeah, yeah, yeah. Hey, you know what, at least I'm saying phish, that's like we're, I'm close. But no, I mean, I just think this is, let's set the context for the rest of the discussion, which is really like, you know, it's still a problem, isn't it?
Ean Meyer: Yeah, absolutely. So, I mean, it doesn't surprise me at all that, one, it's increased, obviously, and it also doesn't surprise me, some of the other challenges that we're seeing, that it's becoming more effective, because take the criminality out of the phish, right, just take it away, and take any practice that anyone does. And when you start doing it more and more scalably and whatnot, you start seeing metrics and quantitative analysis. And we've seen this out of ransomware group playbooks, like the leaked Conti playbook and whatnot. They track these things; they do it like a QA A/B exercise.
Jake Bernstein: I was gonna say they do A/B testing, don't they?
Ean Meyer: Absolutely do. So, you know, when you start using those types of analytical practices to sharpen what you do, it doesn't surprise me at all. And I think many organizations that do phishing training or do simulated phishing relied far too long on, oh well, these are people for whom maybe English is not their native language, and so look for spelling errors, look for grammar errors. Some of these look like they were written by New York advertising firms; they're incredibly well written, they're pixel perfect. So of course it's gotten better. You know, they've sharpened what they do because it is an effective strategy with more people working from home, and they've got quantitative data to see what works. It's a business to them.
Jake Bernstein: So getting to the first of our discussion points here, you say that phishing simulation as it's done now is more about budget than protection.
And I think the question there is, you know, why is that true? And then my last piece of off-script commentary on this is, this might be..
Kip Boyle: Nice try.
Jake Bernstein: yeah, my last piece.
Kip Boyle: That's a False Claims Act violation.
Jake Bernstein: My last piece for the next five minutes is, I read, and Kip and I have talked about this, but even in the best case scenario, you know, phishing training of people, you still end up with something like a 3% click rate. So we know that it's probably impossible to get to a 0% click rate. So having said that, maybe explain this idea of, you know, this is more about budget than protection, which I agree with fundamentally.
Ean Meyer: So I mean there's a couple of ways to take that, and I'll start with one and we'll see where it goes. But the reason I say it's more about budget than protection is because often it's a very easy win. And when I say win, I don't necessarily mean win like in a, yay, we beat cancer. It's more like, yay, we crushed a village and took their land. It's not a real great victory.
So the reason I say that is you can go to one of these phishing simulation companies and say we want to send a phish and we want to see who clicks on it, and then get a metric back of how many people clicked on it. They get some training, and then later we show the click rate went down, okay. But really it's this false metric. And the thing I always think about, and I guess it applies when you think about a Remote Access Toolkit, but rats, and I think it was in France or it was in Louisiana, there was a rat problem, and this was, you know, maybe 100 years ago.
Kip Boyle: Like a real rat, not a Remote Access Trojan.
Ean Meyer: Yeah, a real rat. And what they did was they put a bounty on rat tails. They said, don't bring us all the rat carcasses, we don't want them, just bring us the tails. So a bunch of very smart, you know, criminal entrepreneurs said, cool, we'll just raise a bunch of rats and cut their tails off because that's easier than hunting them, and they would turn them in, and the rat problem didn't go down. But the metrics show we've killed all these rats. What happened?
Jake Bernstein: That's an amazing story. I love that.
Ean Meyer: Yeah, it's a false incentive, right? Because you've trained them to spot this one very specific thing, but you haven't trained them to partner correctly. So unless that very specific thing happens, or in the case of the rats, if somebody shows up with a rat tail, you assume, oh well, I guess the rats are gone. No, there's just a bunch of tailless rats running around. So yeah, it's all about budget, because you can easily go and say I spent this money, this happened and this bad incident went down, give me more money and I'll do more of this. I'll find ways to do it.
Jake Bernstein: So it's fair to say, I think what I was thinking was, this is also about show, like what Kip and I have called, you know, security theater, things like that. And I think that what you're saying seems to fit that very well. And I think it's dangerous because it creates a false sense of security in those who are doing the budget. They're like, what do you mean? This is fine. Look, the number went down. But I think that's a great idea, so..
Kip Boyle: It's just, it's just a bunch of rat tails.
Jake Bernstein: Just a bunch of rat tails.
Ean Meyer: We killed all these rats. But the rats, why are the rats tailless? Oh..
Kip Boyle: It's a new exotic breed. Do you want to buy one? You know when you, Oh I want to ask you a question Jake.
Jake Bernstein: Go ahead, Go ahead Kip. Go ahead. I promise I'll be quiet.
Kip Boyle: All right. So there's a very well known vendor that you can purchase phishing testing services from, and when I get their promotional emails, they talk a lot about budget. They're like, hey, if you need more budget for your program, show them this, right? So when you were talking, you know, when we were prepping for the show and this bullet came up, I was like, well, I don't know if he has anything else to say about that, but I know I could point to at least one vendor that's actively promoting this as the way to go.
Ean Meyer: So.
Kip Boyle: And you smiled knowingly.
Ean Meyer: Oh, very knowingly. I mean, one might say that I've known about this vendor long before we had this podcast, and you can read that sentence however you'd like. So with that said, yeah, it very much is that. It's there. They know they're selling this. And any time you find an organization selling something where they found what works, I mean, why would they change it? If I can send this thing that says do this and I'll get you more budget, and our thing costs this much and I can give you an ROI of this because you spend 50 grand with us and you know that turns..
Kip Boyle: It's Marketing 101, right? Sell people what they want, not what they need. And people want more budget. So you figure out how to sell it to them in a way where they can get what they want. So, I mean, I totally get that, but that comes with the caveat, and that's this first point, right?
That you're making, which I think is a good one, which is like, don't fall for that so completely that you're actually not moving the needle at all in terms of protecting your organization from phishing, but rather you're playing this funny little game here. So,
Ean Meyer: Okay, you gotta take that even a step further, right? Because whenever you deal with any sort of budgetary thing, whenever you deal with any sort of new controls, I always warn my students and others and people I'm advising: what are the downstream impacts? Right? Sure, you're going to get this now. But what is the causation, and what happens from that? Well, somehow metrics have to be generated that show this uptick and then downtick.
But what action is actually generating those metrics? And it's your people, your people clicking on things, spending their time getting these emails that they think maybe are a really great thing. Like, oh, maybe the gas, this is a really good example. Gas prices are up. That's universal, right? And maybe they're struggling to get back and forth to work. And then they see a thing saying, oh, you know, you're getting a free gift card. I've actually seen a couple of these where they're using..
Jake Bernstein: I just saw an article about this too, yeah.
Ean Meyer: Oh do not do that.
Kip Boyle: Yeah, that's awful.
Ean Meyer: It's awful. Ed Miro was in the talk that I did at Wild West Hackin' Fest, and he was great, in the back, and we're talking about this here, because it's not just wrong, it's cruel. For a moment I'm like, it is, you're absolutely right. It is cruel. And the downstream impact of that is you go get your budget and you're like, hey everybody, we're here to help, we're here to secure you, and they're like, we hate you, go away. Like, you know.
Kip Boyle: Yeah, exactly. So let's talk about that now, because this really resonated with me, Ean, when I heard you talking. By the way, everybody, I met Ean at Wild West Hackin' Fest, which I started attending a couple of years ago. And so I've been in a couple of Ean's presentations, and that's kind of how we met and how I began to understand Ean's approach, which was great, because I didn't have words before I heard Ean to describe some of the things that I was feeling as a Chief Information Security Officer and why I felt that the way we do phishing testing is dirty.
And shame, right? I mean, Ean, that's really what you're talking about, is you're shaming people. We're exploiting them just as much as the real criminals are, but even worse, because they have to continue to interact with us. Right? And so there's a whole relationship dimension here. You're way more interested in partnering with employees. Would you talk a little bit about why shaming doesn't make partnership happen and what does make partnership happen?
Ean Meyer: Yeah, I mean, that's probably my favorite topic from all of this, because whether you use a big platform that you purchase or whether you build something yourself, no matter what, empathy, shame, and how you target the people that you're trying to protect are by far your biggest contributors to success or failure. And essentially my thoughts on this are with shame, right? So if you have not watched anything, well, what I should say is, watch or listen to anything Brené Brown does. She does research in shame, in all types of shame and how it impacts what we do. And she's got a great Netflix special. She's funny. Please go watch it. You'll learn a ton about shame cycles and how to avoid them.
So in this particular aspect, what we're doing is we're saying, hey, I sent you this pixel perfect email, sometimes one that just speaks to you in a way that's like, oh, gas is rising. This is a gas gift card. Oh my gosh, how wonderful. Right? Or it's set up as a company internal email saying that there's been some change to pay or that there's been bonuses or whatever it is, and they click on it, they get their hopes up, and then immediately get some terrible phishing.
Like, you caught a phish, take this 15 minute training, dum, dum. And that's terrible, because as you said, in the end, you've got to protect these people, and they have to trust you so that they can come to you and say, hey, I found something weird and I don't know what it is and I think I did something bad. Guess what, we all do. We all do. We need to make those people feel comfortable as a partner saying, I think I did something really bad, and cool.
Like, how do we fix it? And I always go back to the child kind of methodology, and I kind of vacillate between using it or not using it, because I hate talking about professionals as children, but I'm using it more as a metaphor with my children. So I have four kids, and I feel very confident that if they ever found themselves in a situation that was just overwhelming, very adult, didn't know what to do, that they would feel comfortable coming to me and telling me, knowing that I'm going to help them, right?
That's the relationship that you need to foster with these folks. If their first phone call, or their reaction to hearing the security team's calling, is, oh man, I don't know what I did wrong, but I don't know why they're calling, it should be no different than them getting a call from anyone else in the organization saying, hey, what's going on? How can I help?
Kip Boyle: And preferably from a friend.
Ean Meyer: Right. Yeah, exactly. Like, if you're not building, the phrase I use a lot is within incident response, but it's here too. The first time you meet your security team, or the people that you're charged with protecting if you are the security team, shouldn't be when you're exchanging business cards during an incident response, like, alright, everything's gone crazy, my name is Ean, nice to meet you. You're not Winston Wolf. You're not showing up in the NSX going, I'm Winston Wolf, I'm here to fix problems. You may feel like it some days, but I guarantee you it's much better to be the friend that shows up and says, hey, what's going on?
Kip Boyle: Oh my gosh, I could talk so much about this. I mean, I think that's one of the issues here that kind of cuts to the core of people who have a long history of working in information technology. So much of the atmosphere in IT, I've noticed, is really dominated by sarcasm and contempt. It's not relationship oriented at all. And really that's what we're talking about here, right? We're talking about building good working relationships with people, right?
Ean Meyer: Oh, 100%. Yeah, any good security is built on relationships, and outside of information security, you know, you have a problem, you go to your trusted advisors, maybe your spouse, maybe your parents, maybe an old friend, people that know you well that will tell you the truth that you need to hear, and you go to them because you know you can trust them, that they're not trying to hurt you. They're not going to try and willfully give you bad information, etcetera. And you take that information and you take actions on that outcome. Now some random stranger shows up from security and says you did this bad thing and you got to do this, you gotta do this.
It's very overwhelming. Whereas, taking even phishing out of the conversation, I feel that most security awareness, and that's part of this, the training bits in the end, but I feel that where most security awareness falls on its face is trying to teach people how to do our jobs. Like, I kind of fundamentally get a little itchy when people say, well, security is all of our jobs. Hmm, is it? Like, it is in that you have a responsibility to try and follow the rules, to try and behave safely, so that the people that design those rules and create those protections for things that you might not be aware of can do their job.
But trying to train all your employees to, like, deep read MX records and headers and whatnot, because that's the level you really need to get at this point.
Kip Boyle: Yeah, it's unrealistic.
Ean Meyer: It's completely unrealistic. However, training them to trust and communicate well and partner with the security team, so that when they call the security team, one, they know how to get ahold of them. Two, they feel comfortable doing it. And three, the security team knows how to communicate with them in a way that lets them know, hey, you're a victim here.
You received a phishing email, you clicked on something. Someone spent an inordinate amount of time targeting you, figuring out how to target you, or technically millions of other people, but making a phish that would work. They spent all this time doing this, and you're just trying to do your job, and your job is opening email. Like, try and tell a recruiter that they can't open PDFs in email.
Kip Boyle: Yes, or salespeople or accounts payable people.
Jake Bernstein: Or lawyers.
Ean Meyer: Lawyers, oh lawyers, like I'm actually, I'm one of those weird people that like lawyers. I really do.
Jake Bernstein: That's good. We like you too.
Kip Boyle: Welcome to the show.
Jake Bernstein: So, you know, one of the things I've been thinking here, being silent as I promised, and it's been more than five minutes now. Yeah, exactly, chess timer. This really reminds me of the culture change episodes that we did, Kip, right? And how so much of this is, you know, you talk about budget, right? And spending money on unethical phishing exercises versus money that could be spent improving the company's cybersecurity culture is really an interesting component. And Ean, you said something that is kind of a paradigm shift for me, in a way, and the way you said it makes it seem incredibly obvious.
At least it was very convincing to me. Of course everybody's job can't be security, and I'm saying that as, you know, Kip and I have said that we're all frontline soldiers in the cyber wars, right? That is true. But to say that security is everyone's job is an unrealistic and frankly unfair statement to make to people, right? It just can't be. And I'm thinking through the ramifications of this realization here.
And I'm starting to wonder, okay, we've talked about phishing simulation, we've talked about the budget, we've talked about how the metrics are real, but the interpretation of them as some kind of effective security mechanism is incorrect. So what's the best way to do this? Like, what is an “Ethical Phishery”? And what can we test? And let's assume that we were all in extreme agreement about this notion of creating a culture and being able to have trust in the security team, but at the same time, that can't happen overnight.
So, what should people be doing, what should security folks be doing? What should lawyers like me be advising clients to do about phishing? You know, I still tell people, are you doing phishing testing? And it's not because I really so much believe in it. To be honest, I've been skeptical for a while now. Not forever, just for a while. But at the same time it kind of feels like that's the standard of care still, like if you do it, you won't get in trouble, and maybe this is kind of what I was thinking too.
Ean Meyer: It's falling back to due diligence and due care. Well, if I did this, I have a modicum to defend myself with, and that's not a wrong answer. It really isn't, because I think I've got over here, I'm gonna..
Jake Bernstein: I love those hats by the way, I see those.
Kip Boyle: Everybody who's listening to the podcast, we can actually see Ean; we're doing a video conference right now as we're doing our recording. And Ean's just retrieved a whole bunch of really cool ball caps from his wall.
Ean Meyer: So I got my red team hat on, right. And that's the hat, that's..
Jake Bernstein: literally, literally, literally folks, he has a hat that says red team.
Kip Boyle: And it's red.
Jake Bernstein: And it's red.
Ean Meyer: Right, but then the executives, they want something different. They want to know that security is done right. Right? But the business, they just want to be able to do their job and open the PDFs. You've got to wear all the hats when thinking about how you do this stuff.
Kip Boyle: Oh, there's more than that.
Jake Bernstein: I need a collection of those hats, yeah.
Ean Meyer: Not only way more hats, but I mean, I've got on my little wall, let me put my hat on, I've got legal, purple team, management, security, compliance, and on, IT engineering, blue team, and user development, and the end user one. That's the one I really should have grabbed, because..
Kip Boyle: You need an influencer one too, by the way. And a sales one, because we influence and sell all the time.
Ean Meyer: Yeah, absolutely. You know, you bring up a really good point there, because one of the positive things that you can do is, instead of sending people to security training when they spot a phish, give them a reward, and it doesn't have to be the best. It was the most recent Wild West Hackin' Fest out in San Diego.
Someone told me their company got those color changing mugs, right? And when you spotted a phish, like the aquarium would fill or something, and it was like, I caught a phish, or something like that, and they were really cool and people coveted them. They ran out of them, and people were starting to get irritated, like, why didn't I get my mug? I spotted a phish. And it was such a great thing because, for folks who are in the office, they're in the break room, they see this mug, they're like, what's that? Oh, I spotted a phish. The security team does this thing, and if you spot it, you get a mug. And like, oh, at my last company I had to do like 15 minutes of training, and they said no, they just ask you.
Jake Bernstein: You know, it's funny. I think we really sometimes underestimate the value and the little kind of cultural significance of some of these things, and it doesn't have to be as expensive as a mug. I mean, it can be; any reward seems to be effective.
Ean Meyer: Yeah. Well, there is no shortage of academic evidence that positive reinforcement is always better than negative. It's harder and it takes longer. You know, you get punched in the face and you go, well, I don't want that again, but you're not happy with the person that punched you in the face. You don't want that again. Yeah, yeah.
Kip Boyle: Fear and shame are rewarded by the person doing the shaming and promoting the fear, because they get instant feedback by the looks on people's faces and the fact that they scurry away, but it's not sustainable and it's not relationship, it's not partnership, and so it's great.
But listen, as we come to the end of the episode, I really want to ask you, what is an “Ethical Phishery”? We've dropped that term a few times, but in our typical fashion, right, we haven't actually gotten to the point yet.
Ean Meyer: It's just good conversation. So somebody's gonna be listening to this driving in their car going, oh man, I got to work and I don't even know what this thing is yet, so.
Kip Boyle: I have to sit in the parking lot. Come on guys.
Ean Meyer: The NPR moment, right? Where it's like, oh, I gotta hear, you know, how that, yeah. So, “Ethical Phishery”. It's a series of talks I've been doing for Wild West Hackin' Fest. If you want to hear it in significantly more detail, the talk Ethical Phisheries from Wild West Hackin' Fest Deadwood, which is virtual, is up. You can search for that. It's a GoToStage webinar; you just sign into it and you watch it. So I go into immense detail.
But the summary of it is really this: a while back, it dawned on me that what we do with phishing exercises and overfishing of sea creatures, if you will, you know, tuna, all this other stuff, are very much related, right? You take these big trawlers and these nets, and they had to put regulations on them because they were just scooping up dolphins and everything and depleting the ocean. And I said, man, there's a metaphor here, because you can do these phishing exercises and you'll get people to click on lots of links.
But in the end, later, when you want to go back to them and say, oh, now help us out, they're not going to be anywhere to be found, just like the fish are gone. Right? So building the idea of an “Ethical Phishery”: what rules, what kind of constraints can we put in place to get similar results without doing this? And the crux of it is really this: your phishing emails can't use any sort of FUD, fear, uncertainty, doubt. Right? So things that would be 100% off limits are layoffs, changes to salary, emergency phone calls from family, things like that. 100% no..
Jake Bernstein: God, do people do that?
Ean Meyer: Do people? Oh yeah.
Kip Boyle: You mean part of their anti-phishing training they do that?
Ean Meyer: Oh yeah. Well, so some of them. Yeah. So the phone calls from family, I haven't seen that, but the criminals absolutely do. There's a whole series of..
Jake Bernstein: Criminals I can see doing that. The criminals, for sure. But as part of the phishing training, like..
Ean Meyer: No, but the other ones I mentioned, absolutely. So layoffs, and I'll be perfectly honest, early in my career I was that person, fully, like sending an email saying your direct deposit has changed, on payday, at like three o'clock, when you're expecting that and you gotta pay your mortgage and whatnot. That had a 100% click rate, period, right? But it's unfair.
Kip Boyle: All those rat tails, Ean.
Ean Meyer: Exactly. Exactly. So it's unfair. So in an “Ethical Phishery”, what you're doing is you're trying to sustainably raise these resources, the people you're trying to protect. The resource is the phish in this case, not the actual bait. So things that are much more applicable, like maybe a password reset, that might be okay. Other things like news and updates from the team, items where you can go through. One of my favorites, by the way, is you've been added to a SharePoint site, because that one often comes as an external, so that flag doesn't work. And it's innocuous. It's like, oh, I've been added to this team site. What is it?
Kip Boyle: Yeah, and that happens all the time, right? I mean, somebody added me to a SharePoint site. Somehow I got assigned to a new project I didn't even know about. That's how I found out.
Ean Meyer: Exactly. Yeah. And so it's very normal. And that's the thing, you want to send them things that test stuff that they do every day. So if you're focusing on a specific group, like if it was HR, or if it was finance and billing, yeah, finance and billing, I might send them an invoice that says, hey, I'm a vendor, and here's the thing for 1000 bucks, right? That's just part of their day to day job. That's not going to freak them out. Oh, I get an invoice, I open it, I look at it, does it need to get paid, what project does it get billed to?
Jake Bernstein: So keeping an eye on the time here. One of the things that you said as well is you suggested that rather than testing people, we should test anti-phishing controls. What do you mean by that? And then why would that be the case? And one thing I want to point out is that, you know, “Ethical Phishing” and “Ethical Phishery”, and even despite the early comments in the episode about budget versus protection, I don't think you're saying we shouldn't do phishing exercises.
Ean Meyer: Correct, we absolutely should. It's just the way you do them. Right? So that's the second part, and I'm glad you led into that, because I love talking about this. So the second part there is testing the controls. So you send the phish that isn't going to really affect someone's psyche, their day, their mental health really. And you send them that and they click on it, and instead of getting a, hey, go take this training, I've literally put in things like, hey, you clicked on a phish and that's okay. We all do it. Help us understand what you were doing at the time that made you think this was okay, and I'll ask them a series of questions, not, you know, hey, go take the same training.
I'll say, hey, what were you doing? Were you multitasking? Do you feel like you have enough time in your day to answer all your emails? Was this phish like something you do every day? And during the text of the questions it asks them, what did you check? Did you look at the headers, did you check these things? And now we're having a conversation, even though it's asymmetric, we're having a conversation. We're saying, hey, I know you're not stupid, I know you've received this training, what did you check? And then I let them know that the reason I'm asking these questions is so we can sharpen our controls.
I teach at a school that's primarily known for movies and gaming and whatnot, but they have a college of IT and a college of information security. And I tell the students there all the time, listen, I can go through and I can try and train everyone how to do things, or, and since it's a gaming school, I ask you guys, what do we call it when a developer makes a weapon too powerful and they do something about it in the game? You know?
Jake Bernstein: They nerf it.
Ean Meyer: Yes, they nerf it. You think about the old Nerf toys, right? You wrap it in foam and now it's a foam sword and now you can beat your brother with it. You take it and beat him with it and you get in trouble. Right? So I tell them, you need to nerf their email. You need to go through and build controls based on their feedback that says, yeah, I checked this, this and this, but nothing looked amiss. And you say, okay, what else could we do when an attacker does this that allows the control system to keep it from getting to you? Because you've got to open emails; these people have to. So that's really the...
Jake Bernstein: Yeah, that's great, because I think what it's saying is, we know that the bad guys are deploying A/B testing, resources, research and development, psychological tools, research. That is understood. So rather than just trying to shame our people, why don't we also conduct our own defensive R&D, use our own A/B testing, and use it for good instead of evil? I think that makes a lot of sense.
Ean Meyer: Yeah, you just described it pretty much to a T. We're sending the emails that the attackers might send, in the same way that they might send them, in the context that they might send them. And then we're getting feedback from the users saying, well, this got to you, it got through our controls, what could we do to make it easier?
Kip Boyle: And without partnership you can't. They won't tell you if they don't trust you. They won't tell you.
Jake Bernstein: And it seems almost painfully obvious that this methodology is better than slapping people in the face every time they click a phish.
Kip Boyle: Yup, and we know from research, because I've actually been reading research on these types of training programs, we know now, based on really rigorous research, that sending somebody to mandatory online training after they click on a phishing test is counterproductive. We know that now for sure. So we have to stop doing that, now that we know.
Ean Meyer: Yeah, yeah. I saw that you sent me that article and I loved it. I had the same thought. I'm like, all right, this is great, because it's an academic study with real rigor behind it. But practitioners in the field have either known or at least felt this for some time. Now, like you said, there's the academic research behind it to say, no, this is quantitative. We can say this is...
Jake Bernstein: The reason that's important, and I'm going to have to wrap up here myself, but the reason that's so important is that ultimately leadership and the lawyers that advise them are going to say stuff about due diligence and due care. You almost need this kind of firepower, academic backup, to start to convince people to change.
Kip Boyle: Because it's not intuitive, it's not intuitive.
Jake Bernstein: It's not intuitive. Let's wrap it up, otherwise I'll keep going.
Kip Boyle: We could keep talking for another hour Jake. I know that for sure.
Jake Bernstein: It would be easy.
Ean Meyer: Hold up, Jake's a lawyer. You're telling someone who's been formally trained in, you know, argument that he wants to hold on?
Kip Boyle: Yeah, I know. Sisyphus, right? I'm just rolling the rock up the hill and it just rolls back down again. I get it.
Ean Meyer: I was a hopeful lawyer. So, I understand.
Kip Boyle: So, okay, we're going to wrap up the episode. Before we do, I want to let people know that if you want to listen to the episodes we did last year about "How to Make Sure that Cybersecurity Really is Everyone's Job", we did two episodes, episodes 88 and 89. They were released on September 14th and September 28th, 2021. I'll put them in the show notes.
Ean, I'm so glad you came to talk to us. Thank you so much. If listeners want to know more, they're going to be able to go to Wild West Hackin' Fest and watch your presentation on "Ethical Phishery". What else? How else can they reach you?
Ean Meyer: Sure, yeah, feel free to link with me on Twitter. I hide myself on the internet. I'm @EanMeyer, E A N M E Y E R, pretty much on every social platform, but where I'm most active is Twitter. So, you know, everything from your humorous posts to the serious infosec stuff. But yeah, Wild West Hackin' Fest has the talks that I've done on this up. And also we are beginning to work on a two-day Ethical Phishing course through Antisyphon Training. So if anything has sparked your interest on how to do it, we're starting to put together a two-day course on it to help people understand and give them ideas and templates around it.
Kip Boyle: Are you going to be in Deadwood this year?
Ean Meyer: I'm going, absolutely. Well, I know this is going to publish later, so I'll just say it. I don't think it's right... I will actually be one of the MCs, like a full-time MC there. So yeah, Velda's putting me up on stage to pump people up and do the MC stuff. So I'll be out there all week.
Kip Boyle: We've got the haircut and the personality for it, and that's fantastic. Okay, well, that wraps up this episode of the Cyber Risk Management Podcast, before Ean can come back at me for that cheap shot that I just took at him. Today we learned how to run a successful anti-phishing program that will actually reduce your risk without sacrificing your relationships and your employee goodwill. Thanks for being here, everybody. We'll see you next time.
Jake Bernstein: See you next time.
Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.