
How to Think About Security Awareness for Your Organization

In Converge TechTalk by Shelly Kramer


Today’s guest for Converge TechTalk is Kyle Metcalf, CEO of Inspired eLearning, a security awareness and HR compliance training firm. Kyle spent 12 years at Rackspace before taking the helm as CEO at Inspired eLearning, and is focused on helping the company become a leader in the highly competitive and growing market of cybersecurity training.

Why cybersecurity training? Internet security is perhaps the biggest threat businesses of all sizes face today. Employees play a significant role when it comes to protecting against cyber-attacks, as they are, quite literally, on the front lines of defense. Keeping them aware and knowledgeable about security risks, and trained on protecting themselves and the company, is mission critical for business today.

Our discussion centered on the following touchpoints—

  • Trends in security that make security awareness and training important.
  • Why your board needs to be involved in and committed to security.
  • What does a robust security awareness program look like?
  • How to justify budget for security awareness.
  • How to drive knowledge retention within your organization.


Transcript: 

Shelly Kramer: Hi everybody. This is Shelly Kramer. Welcome to this week’s episode of Converge TechTalk. I’m your host and I’m joined today by Kyle Metcalf who’s the CEO of Inspired eLearning. Hi Kyle. How are you today?

Kyle Metcalf: I’m good. Thanks.

Shelly Kramer: Great. Well, let me tell you all a little bit about Kyle. He spent 12 years at Rackspace before taking the helm at Inspired eLearning as the CEO. Inspired eLearning is a San Antonio based security awareness training company. They do HR training as well but these days they focus a lot on security awareness training. Why? Well, security awareness is probably one of the biggest risks to businesses today, businesses of all sizes. So, if you think this is a small thing, I want to throw out a stat here that I saw just the other day. The Internet Crime Complaint Center, which is a division of the FBI that focuses solely on reports of internet crime, complaints, investigating internet crime and trying to recover funds, reported that it received 351,936 complaints in 2018. Okay? So it received 350,000 plus complaints about internet crimes in 2018. That’s an average of more than 900 complaints a day, responsible for some $2.7 billion in losses in 2018.

Some of the things that happen are things that you hear about on the news. Some of the things that happen are things like ransomware attacks, some of the things are phishing schemes. Some of the things, I was reading something in a local newspaper the other day, actually I think I might have gotten an email from our church, a relatively small Catholic parish in the neighborhood, warning people that there had been an email scam that had come reportedly from the priest asking for donations. Some parishioners had fallen for that scam.

So these things happen. That’s a personal scam but from a business standpoint, scams happen all the time. So we’re going to talk a little bit about that today, we’re going to talk about how to think about security awareness for your organization and again, this really applies regardless of the size of your company but also I think the thing that’s important to know is that from an enterprise level, the bigger your company is, the bigger the risk is because there’s really only one thing protecting you and your company from a hack and that’s those people on the frontline, really.

So, Kyle, let’s talk about this a little bit. Let’s talk about some trends in security that make this conversation today so important.

Kyle Metcalf: Sure. One of the biggest things that we’re seeing right now is ransomware, which is basically the bad guys will get into your system somehow and they will grab a lot of information and they’ll encrypt it and that way you can’t get to it. This could be hospitals getting targeted so they can steal patient records. It could be a business; they could lock you out of your customer system. It could be a number of things. Then they’ll say pay us X number of Bitcoin or whatever the dollar amount is and we’ll release the info. Often times, companies are in such a bad spot that they’ll go ahead and pay it and the info will get released. Sometimes you pay it and nothing happens.

The FBI’s stance on this is don’t pay it. However, if you’re a business owner or business operator and you can’t get to your clients or you run a hospital and you have to be able to figure out, you know, what your patient records are, because everything’s online or stored electronically, it’s a tough spot. The way that ransomware typically gets delivered is through a phishing email. So, phishing is, you see different stats everywhere, but phishing is definitely one of the top threats to an organization. It’s really hard for bad actors, bad guys, hackers, to get into a system through the old method where you see someone typing away at the keyboard in a dark room with a hoodie on and they punch through. It’s much, much easier to send a thousand emails to a thousand employees and say hey, this is your IT department, I need you to reset your password. Please enter your username/password into this link or into this email. When someone does that, then the hacker gets into the system through appropriate means.

So there’s no trigger, there’s no alarm, nothing goes off. They’re in and they can run that. So, we see companies spend millions, tens of millions of dollars on software that hardens their systems and makes it harder for the hackers to get in, but what’s often neglected, because I’d say it’s the least sexy part of security and cybersecurity, is training the employees who really are your, in some cases, your first line of defense and in some cases your last line. It’s often neglected within organizations, is what we see.

Shelly Kramer: Well, and you know, we work with you guys, disclosure, Inspired eLearning is one of our clients. We are, so we know a lot about the security space. You and your team know a lot about the security space, but the reality of it is, this happens to, this can happen to anyone at any time, any day.

Case in point. One day a couple of months ago, I got an email and I think the reason I got it was maybe because we use G Suite for business. So, if we have somebody, we have a team of about 30 and if somebody leaves our organization, their email is shut down, but any emails that are sent to them end up in my sort of general email box. So I got this message and I looked at it, because I thought it was kind of interesting, but it was an email that had been sent to somebody on my team that looked like it had come from me that was talking, that was asking to please grab the company credit card and send this information to me.

So I looked at it and I knew immediately what it was. But it had, and actually, you know what, it hadn’t come to me by accident, it had gone to an active member of our team and I don’t know why I ended up with a copy of it. The language on it was just weird enough that I knew immediately what it was and I reached out to everyone on our team as a result and I said, this is an example of CEO phishing. So what happens is that this email looks like it’s coming from the most important person in our company, me, ha-ha, and it’s asking you to do something that I normally really wouldn’t ask you to do and I certainly wouldn’t ask you to do by way of email.

The reality was this person to whom this email was directed, she was kind of like you know, I got it and I thought it seemed a little weird but I kind of put it on my list of things to do because you asked me to do it. So, that’s the thing that’s so important. Teaching those people on the frontline to really look at what it is that ends up in their email box and to understand that if there’s something that looks a teeny, tiny bit off, that they need to dig deeper and take a look because it really does happen to everybody.

Kyle Metcalf: We call that a security first mindset. Everyone’s familiar with safety first and if you’ve worked in OSHA job sites and all that stuff, that it is part of the culture. That’s what we’ve tried to instill here because we get targeted as much as everyone. I’ve gotten multiple phishing emails today, alone, according to our IT group. But really, it’s all about just taking an extra few seconds, we’re not trying to kill efficiency and organization, but just take a little bit of extra time to look at the email, hover over the links, make sure it really is what it is and what, we get those emails, folks on my team get emails from me asking them to do other tasks and we’ve gotten really good with they’ll just come directly and say hey, is this you? No it’s not. Usually they’ll be able to tell it’s not me because it’s not from my real email address. That’s something that we’re really passionate about internally and so passionate about it that we actually labeled one of our product lines around it.

Shelly Kramer: So, I’m going to deviate from some of the things that I originally planned to talk about. But that’s the thing I think that is so important when we talk about security awareness because security awareness is not, it’s not a one and done thing. It’s not a hey Shelly, welcome to our team. Here’s our employee manual. Or here’s your online training. Oh, security awareness, well you’ve had that module, check that and go on. Truly, security awareness has to happen, it has to be part of a conversation every day, every week, every month and you can’t just assume that your employees on the frontline understand that or understand the importance of password management or sharing things by way of email or anything like that. I think based on my interaction with clients and with businesses in the field on this, is that people don’t really understand how important this ongoing training and conversation is and it really is a critical part of business security.

I think that’s the thing. Security awareness is one part of it. Security awareness that never ends is the important part of it and like you said, it’s not a knock on productivity, it doesn’t have to get in people’s way, but when we’re talking about client critical information, employee critical information, that’s really a pretty big deal. So, because that’s such a big deal, I think that it’s tremendously important that, especially at a board level, organizations understand how important security is. I know you feel the same. Tell us a little bit about what conversations you have with board members of companies that you work with and what conversations you’re out there in the field having. I think that’ll be interesting.

Kyle Metcalf: Sure. So, board members by default and executives by default, are looking for return on investment for anything that’s done. They’re looking for it to be very specific and very measurable. So, it’s a difficult conversation for us to have, it’s difficult for employees to have to justify the return on investment. It’s almost, what’s the ROI on insurance because this is somewhat an insurance policy and when we talk to executives and board level folks, and they say what’s the ROI? We commissioned studies that show ridiculous numbers on ROI but really it comes down to you need to invest the time and you need to invest the dollars to make sure that your employees are trained to prevent something extremely preventable. It’s very easy to take a few extra seconds, look at an email, look for suspicious activity, someone’s calling in asking for odd stuff. If you train folks on that, then they’re not going to screw up and that could potentially save your company millions and millions and millions of dollars.

Also, egg on the face. If it’s a public breach, you read about these things almost weekly where people are, companies get their brands tarnished but where it really hits home is in the CIO or the CISO or the whatever the acronym is at the company, the person responsible for security, cybersecurity infrastructure. Their job is on the line. Their reputation as an individual is on the line. So, really once that resonates, oh I spent 50 million dollars on all these systems and we have this fancy room with monitors everywhere or we can see everything going on all over the place, again, all it takes is for someone in Accounts Payable to give up their access and all that is useless.

For all companies, not just ours in the security awareness space, the price of it is not a huge lift. It’s nowhere near these technical solutions that are out there and it’d be an awful spot to say we decided not to do that, it sounded like a little bit too much time and someone slips up and that’s it. It can absolutely kill a company.

Shelly Kramer: Well, and I’m going back to this IC3 report from the FBI division, the most financially costly complaints that they receive, hands down, business email. Business email compromise is also the most, so it’s the most common and it’s the most financially damaging and their report showed that these attacks resulted in $1.3 billion in losses across more than 20,000 incidents.

So when you’re on a board and you’re asking what the ROI is, what’s the risk? What’s the risk if we don’t do this and by the way, establishing a security awareness mindset and investing in security awareness training on an ongoing basis is not a tremendously expensive thing. I mean in the big scheme of what’s the ROI, who can afford to lose millions of data records or millions of dollars or anything else. It just kind of seems like a no-brainer.

One other data point here is that phishing, vishing and smishing claims, and these are social engineers, these are called social engineering things, and what this is is that people try to trick people into doing something whether, and that’s social engineering. They approach you in sort of a non-threatening way, your friends, your whatever. Their request makes sense. They approach through email. They approach you through text message. They approach you through social channels, voicemail messages, you know you get calls all the time. This is the IRS. We need you to stop right now. That happens all the time.

So these scams snagged 72 victims every day. Okay? That number may not sound like a lot, but when you extrapolate it out, 72 victims every day in 2018, by the way I can promise you that number’s higher already now, that cost about $48 million. So it really is a very, very huge thing and the financial toll on businesses can be tremendous.

So tell us what, okay, so we’ve set the stage. You all need to be doing this. What does it, tell us what your vision of a robust security awareness program is.

Kyle Metcalf: Sure. So, there’s two types of what we would say customers out there. Someone who is just trying to check a box. They’re seeking a means to an end. And then you have someone who is actually very serious about the program. This company historically catered exclusively to the folks that were very serious about the program. We were targeting a very enterprise class customer who was very savvy, which I will say is rare. Most folks are not savvy in this space and we would build very, very high quality content and we would work with the customer to customize it and put in their speed limit policy or their dress code or their password policy or whatever it may be.

We were incredible for the enterprise market. We were overkill or we were perceived overkill for everyone else. That could be an enterprise customer who just says I don’t want to deal with all of that, just get me something that works. So, what we’ve done is we’ve mirrored what our policy is internally and we have a very, very tight security policy. I’ve said it many times, I would be absolutely devastated if this company had some sort of bad incident or breach and I talk to the employees about it all the time.

So, there’s really three tenets of it to answer your question. You want to do an upfront assessment and ongoing assessments. So, testing is a big piece of it. We typically will run what we call a CyQ assessment up front, which is cyber security quotient. 10 questions sent out to everyone. It’s going to show where you’re strong, where you’re weak.

Shelly Kramer: Only makes sense, right?

Kyle Metcalf: Yes. That’s your baseline. Okay, here’s where we are today. We then will do, then comes the education part. We’ll run a fundamentals course and those are available in 15, 30, 45 and even longer courses based on the customer’s time budget. Time budget’s something we battle against as well because you don’t want all of your employees in hours and hours of training every single week. It does start to hurt productivity. So the efficiency of the training is important as well.

You run the baseline fundamentals then you test again. At the end of the course there’s a test. 100 times out of 100, the scores from the frontline, the very first assessment to the assessment after the training, will get better. However, you’re still going to have areas where people are weak and need more education. That’s where the reinforcement part of it comes in.

You can’t do a 30 minute training in January and then expect everyone to retain all of that knowledge throughout the rest of the year. There needs to be ongoing reinforcement. That could be a three minute micro video that covers one topic, malware or USB baiting or whatever it may be. It could be, we just got a picture from a client who, they have our posters up, we provide posters for folks to put up around the workplace. It could be screensavers. It could be a lot of things but reinforcement is incredibly important.

Then the other part of it that I’d say is the most easy to prove the ROI on and also I’d say the IT departments and the CSOs enjoy the most, is our phishing simulation tool. You can use our tool to send fake phishing emails to your employees to see who is more susceptible to click on that. Then, if they do click on it, then it can automatically enroll them in training; it definitely reports back and then you can follow whatever your internal security policy is. This is ongoing.

We released a report recently that showed you’re 80-some-odd percent less likely to have employees click on a phishing email if you run a simulation every month. They’re expecting it. They’re looking for it. They’re more aware; they’re more diligent. You’ve done, you’ve spent almost none of their time. It takes me no time to look at an email and report it along and you’ve saved the company potentially millions of dollars. So that ongoing program of assessment and training and reinforcement is what we’re all about.

So, we still have products for the very savvy customer who has super specific needs and wants to customize everything and needs it in Swahili and these other crazy languages,

Shelly Kramer: Which is fine.

Kyle Metcalf: Yes, which is fine. We took all of that knowledge and we packaged it up into what we call our Security First Solutions where everything is prebuilt by our team of experts and we have a panel of experts as well that we work with. It is completely foolproof. You upload your users and set the hierarchy however you want to and then it runs and that’s it. So we tried to take all of the complexity and decision making out of running an effective security awareness program and using our years of knowledge with the enterprise and giving everyone access to that high quality material.

Shelly Kramer: Right. I spent some time talking with Misona Riggins from your team. Didn’t she tell me once about how you add a gaming aspect into it and is that something that you do internally or do you do that for your clients as well, because I think that, everybody, we’re all competitive; we all want to win. Tell me a little bit about that. How do you make it fun?

Kyle Metcalf: Gamification. Everyone wants gamification. What gamification really boils down to is some sort of interactivity or competitive scenario. So, scoreboard. Right? I love in my staff meeting with my leadership team saying, you know, man engineering did really well on this last assessment whereas sales, you guys are stinking it up. Then that gets, the competitive spirit’s there. Everyone wants to be top of the scoreboard. So that’s one area of gamification.

Another one is where you compete against a hacker or you compete against other folks, but really what it’s, the purpose of it is to one, make sure that people don’t just run this stuff in the background and start checking their emails, so you need to have some sort of interactivity to check in and have them engage. It is all about retention of information. If you’re engaging with the platform and engaging with the information, your rate of retention is going to be higher.

We take a, we do have gamification built into just about everything. It’s not games like Angry Birds or something like that, because if you go too far into it, you’re wasting people’s time. It’s too much. You have to build story lines, all this stuff that no one has time for. It’s all about interactivity which leads to higher retention of whatever it is that we’re training on.

Shelly Kramer: Which is super important as we talked about in the beginning. We can do all the training up front, but the reality of it is, we’re busy. We have lots of things going on. We’re distracted, everything else. It’s that putting that stuff in front of us, all of us, on a regular basis. It’s like my CEO phishing email. It’s like holy crap, this happens to me too. Oh my gosh. Let me show this to everybody. I think it’s also simple things like if you do, if you have a Slack group that you communicate in or you have an intranet or you do any kind of a little enewsletter, anything, however it is you communicate with your people. My team and I jump on Zoom and do video chats every now and then. So sometimes it’s just touching base on some of that. Hey, this happened or hey I want to tell you about this or whatever. I think it’s really important.

So all this is really good. I don’t see, again I’ll admit to bias because I’m so immersed in this space as are you, but to me, this is, it’s just a no-brainer. I don’t know how this can’t be mission critical for your business, every business no matter what size. So how do we pay for this? How do we justify a budget for this and obviously I think the answer is simple. What, give me, what does a budget look like? What kind of money do we have to spend on something like this?

Kyle Metcalf: It really boils down to how many employees or what we would call learners you have in the organization and then how many courses you want those learners to consume in a given year. So, pricing, our pricing, everyone’s pricing in this space is by the learner and then there are going to be different packages of content. Some companies go for volume, that’s not us. No one eats the whole buffet. If I offer you 15,000 different courses to choose from, I think that’s just more of a daunting task to pick the right one and you’re never going to watch all that stuff.

With us, there’s three packages. It’s good, better, best, right? The most basic package is for someone who really is, almost admittedly, just trying to check a box. It is the minimum that you can do but it’s still high quality, very effective content. Middle package is where most people go and then of course, you have the high end package for the folks that want the absolute best of the best.

Shelly Kramer: Who wants more customization.

Kyle Metcalf: Right. All of that. Pricing is again by the user. Volume discounts are in place, so I’ll say the per user cost can range anywhere from $5 a user to $20 a user. The justification on that is again, it’s simple. It’s insurance, peace of mind, being able to sleep at night but you also have our testing and our phishing simulation tools that can give you real time, in the field results. We show you the graph that shows your results over time and I will assure everyone, if you’re doing this on a regular cadence, you will see your risk decline in these graphs and in the results themselves.

Shelly Kramer: You know, I have a rule, I spent 10 years of my life as a paralegal, I have a rule that I rarely ask a question I don’t already know the answer to but I don’t know the answer to this question and it’s really kind of random. I think we are seeing more, I think we’re seeing insurance companies get involved, offering cybersecurity insurance policies and that sort of thing. I feel like even though we’re still in the early days of that, which surprises me, again I’ve been immersed in this space for a long time. Do you think, are we seeing, do you know, or do you think we will be seeing cybersecurity insurance policies requiring security awareness training and proof of that? Do you think that’s something? To me, that is kind of a no-brainer as well.

Kyle Metcalf: Yes. Yes is the answer and we do work with some insurance companies who provide our training as an option to their folks. It’s a religious debate within insurance companies whether or not they mandate this and it’s a whole, insurance companies are typically 100 years old and they don’t move very quickly.

Shelly Kramer: But, if you’re an insurance company and you want to mitigate your risk and exposure, it only makes sense that this is a requirement of your policyholder. Brilliant idea there, I guess I need to go sell it to insurance companies. It just makes sense.

Kyle Metcalf: The early adopter insurance companies who are heavy in cyber are already having these types of discussions.

Shelly Kramer: Totally makes sense. Well Kyle, I think that is, wraps up our time here today. Thanks so much for taking time as always to talk with me about this. I know that you talk about this all the time. I talk about this all the time and I just feel like, I know that you have something to sell so you’re motivated, but to me I do really feel like this is the business gospel and it is so, so important to understand this, to make sure your employees understand it and to really understand that everyone from the board members to the senior leaders, the IT team to the department managers to your employees on the frontline, this affects everybody.

Again, I know that you know that but hopefully this has been of value to our audience and again, Kyle is the CEO of Inspired eLearning and I’ll share his information when I make this video live. Thanks everybody for hanging out with us today and thanks Kyle for sharing your expertise on this topic. I really appreciate it.

Kyle Metcalf: Yeah. It’s my pleasure. Thank you.

Shelly Kramer: All right. Well we’ll talk to you next time.

Kyle Metcalf: Sounds good.

Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”