Everyone is at risk when they’re online. But there are simple security measures that you can implement that will make it more difficult to be hacked. Today’s guest is Lisa Plaggemier. Lisa is the Interim Executive Director for the National Cybersecurity Alliance. She has held executive roles with Ford Motor Company, InfoSec, and Media Pro. She is also a frequent speaker at major events and is a thought leader for innovative security trainings and awareness programs.
“Our mission is to translate what’s happening in cyberspace to people who are not technologists.” - Lisa Plaggemier
Show Notes:
- [1:05] – The National Cybersecurity Alliance has a mission to enable a more secure interconnected world.
- [1:45] – Lisa was working in sales and marketing with Ford Motor Company, but shares an experience that changed her career trajectory.
- [4:27] – Lisa created a series of videos that became popular with viewers.
- [5:58] – Security professionals are well intentioned, but when educating people who are not technologists, you want to give just enough to stay interested.
- [7:21] – People use technology to enhance their lives. The internet was never built to be secure.
- [9:30] – Doing things securely doesn’t always mean that the user should be frustrated.
- [11:04] – On keeping track of passwords, Lisa discusses a common misconception about password managers.
- [12:28] – Another problem is with business accounts and corporations where employees think the company handles security.
- [14:23] – Unfortunately, there are some sites that don’t make using a password manager easy.
- [15:31] – It is no longer necessary to change your password every 90 days, as was previously recommended.
- [16:46] – It is important for people to research a company and their possible security breaches before doing business.
- [17:57] – Many sites now require two-factor authentication as part of the setup process.
- [19:27] – What if everyone did two factor authentication?
- [21:46] – Lisa shares some stereotypes of hackers and phishing emails. But they aren’t like that anymore. Hacking has become very sophisticated.
- [24:42] – Advertising and stock images feed this stereotype.
- [26:24] – Organized crime is structured just like a professional organization.
- [28:40] – People involved with organized crime look at what they are doing as just their job.
- [30:04] – Lisa predicts that cybersecurity will get worse before it gets better.
- [31:54] – In the security world, security professionals are improving their ability to educate the populace.
- [33:52] – If we don’t report things, trends will not be noticed.
- [35:31] – Always keep your software and apps updated. Updates are usually security driven.
- [36:47] – The language barrier between employees of a company and the IT department is something that needs to be bridged.
- [39:31] – There are a lot of free resources available on the National Cybersecurity Alliance’s website.
Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.
Links and Resources:
- Podcast Web Page
- Facebook Page
- whatismyipaddress.com
- Easy Prey on Instagram
- Easy Prey on Twitter
- Easy Prey on LinkedIn
- Easy Prey on YouTube
- Easy Prey on Pinterest
- Lisa Plaggemier on LinkedIn
- National Cybersecurity Alliance Website
Transcript:
Lisa, thank you so much for coming on the Easy Prey Podcast today.
Thanks for having me, Chris.
You're welcome. Can you give me and the audience a little bit about your background, what you do, and why you do it?
Hi, I'm Lisa Plaggemier. I'm the Executive Director of the National Cyber Security Alliance, and we're on a mission to enable a more secure, interconnected world. We're all connected these days and that has risks to it, right?
Our mission is to educate people, not just security professionals, but the general public. People like my mom, my kids, and people who are just trying to get through their day without getting scammed in some way or getting a malware infection on their computer or on their phone. We're really there to help people navigate technology in a way that keeps them safe and secure.
That's awesome. Was there a precipitating event in your life which got you interested in cybersecurity?
Oh, yeah. It chose me. I didn't choose it. I was happily working in the marketing department of an automotive technology provider. I started my career in sales and marketing with Ford Motor Company and just really liked working and managing a big global and iconic brand like that, and doing advertising, fun stuff like that. I love cars. That turned into a career in the technology space but still in automotive.
I worked for a company that had half a billion consumer records to protect. When you go to a car dealership and you sit in the finance office, you give me your Social Security number, your driver's license, your co-signer’s information, your address, and all this personal information that was in our system. The chief security officer wanted to start doing some thought leadership around security about the time that the Jeep hack happened. Nissan had a data breach and we were seeing car dealers have their bank accounts wiped out.
All these terrible things were happening. We thought we'd go out and do workshops for dealers on how to protect their businesses and talk to some of the manufacturers about what they were doing. A connected car was a new thing. Then the company got spun off from our corporate parent. I was asked to join the security team. I said, “Well, I'm a marketing person, what are you going to do with me on the security team?”
He said, “We need somebody to run a training and awareness program.” I said, “What's that?” He said, “You know that stuff that our corporate parent made us do once a year?” He said, “I want your name to be on it. We're going to humanize ourselves in the security team. It's nothing. It's going to say, like, ‘From the security department who spies on you in the background.’ We're going to be, like, human beings. Everything that comes from our department is going to have a name on it as well.” “My name is going to be on it. I don't want to do that stuff. People hate that stuff.”
He was fantastic. He gave me enough budget to work with a creative agency out of Portland, which I was used to working with ad agencies in the past. We just did some really crazy, funky stuff that went viral through the company. I'll never forget one of the campaigns I did was a series of short videos. It was a game show. The game show host was Pablo Draganov […]. He couldn't decide if he was charming or furious, depending on what answers the game show contestants gave him, but the game show was called Do Yes or Do No.
I had people in the company who—a couple of times this happened—pinged me on instant messaging and said, “I missed an episode. Can you tell me where to go to find those?” They're all about security, but they were entertaining. So just to have somebody ask you to—”I want to watch more security videos,” said nobody ever, right? We had a ton of fun.
I did communications on incident response, which was fascinating to me and very fast-paced. If you're kind of ADHD, it's great, because it's like this adrenaline rush. It’s like, over here, over here, we have to work on this. Oh, wait, this is happening over here. It gives you an excuse to follow the squirrels all day, and it is pretty fascinating. My role is really to translate. I think we still do that. That's our mission at the National Cyber Security Alliance is to translate what's happening in cyberspace; translate that to normal humans that aren't technologists.
I think it makes a difference when you're approaching cybersecurity from a marketing perspective versus a compliance perspective. The compliance is going to be this really cold, “Well, don't, don't, don't, don't, don't, don’t.” Marketing is, “How do I make this interesting?”
Yeah, I had a VP of Marketing once who said something that I live by this adage every day: Don't feed them lunch, just make them hungry. You only have to make them want more. I think a lot of security professionals are very well-intentioned. They'll write an article for a company newsletter and they'll put all their security advice in there. “We're going to tell you these 20 things that you need to know to stay safe.”
The reality is, you should really only just give them some breadcrumbs to get them to click through to read more content on your company intranet site, or in our case, our website, staysafeonline.org. People rarely change their behavior because you dumped a bunch of information on them. Human beings don't work that way. What you're trying to do is motivate behavior change. You just have to be a little more sophisticated about it.
Is there a reason that you see, or that you came up with, for why people kind of don't do the right thing security-wise or don't move in that direction?
Why does my mom click on everything? If I knew that, Chris, I'd be living on the North Shore, on the big island right now, retired. We have a lot of optimists in the world. The reason that they use technology is because it enhances their lives. They don't realize that the internet was never intended to be secure. We're trying to back our way into this really, cure something that was never built to be secure.
I think people just look at the promise of technology. They look at, “How the heck did we communicate with our family across the country before FaceTime, before Zoom?” I guess I talked to my parents maybe once a week or something on the phone for 10 minutes when I lived 1500 miles away in my first job out of college. Technology has really enhanced our lives in so many ways. I think people just see the upside. They just see, “Well, I can do great stuff here.”
The technologists have done a really good job at making things frictionless and easy to use. UI/UX design is all about, “How do we pull you in and how do we make things easy?” I think because the security folks are kind of chasing after all of the advancements saying, “Hey, wait a minute.” Then to just get our […] to slow down and say, “Wait, before you do that, think about this.” We're going against the tide, really.
Any security person will tell you this, and it's really, really important to be involved upstream. It's really important—security by design, privacy by design—those are real things. I think anybody in any business, whether you're working in a customer service organization or whatever it is, everybody is at risk of being scammed or defrauded in some way.
Having a security person at the table in your business to talk about not just technology, but people and processes and designing those things upstream. It just makes a lot more sense. It can lead to a better customer experience that's also secure. Doing things securely doesn't always have to mean that the user is incredibly frustrated.
Troy Hunt likes to post these on his Twitter feed of weird password issues that he runs across, a bank saying, “Oh, your password has to be 16 digits.” “Oh no, you can't have an uppercase.” Or it has to be this, it has to be that. All these rules just make people not want to participate in security.
Yeah. It's interesting because we tell people, “Don't use the same password on multiple accounts.” We have all these real weird rules for length and complexity that you just talked about. The average person says, “Well, how the heck do you expect me to remember all those?” The obvious answer is a password manager.
When we did research last year, it was our first year to do something we call the Oh, Behave! report. We surveyed 1000 people in the US and 1000 people in the UK about their behaviors. It was funded by the Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security in the US. We had a partner in the UK, and we're trying to expand that survey in 2022.
In last year's report, we asked people how you keep track of your passwords, and the vast majority of people said, “I write them down in a notebook.” I think the second-to-last, most-popular answer was, “I use a password manager.” Then we dug a little deeper on that. We said, “If you don't use a password manager, why is it?” The most popular answer by far was, “I don't trust the password management company.”
That was a tearjerker for people like me because I think there were some breaches in the early days of that technology when it was maturing and being pressure-tested on the market. That stuck in people's minds and it's unfortunate. We're actually working with all the leading password management companies now to drive some more attention to the reasons why you can trust them and using multi-factor authentication for the main password that gets you into your vault.
People don't understand things like zero-knowledge architecture. They kind of think, “Well, every software developer at that company is going to be able to see my password,” things like that, and we tell ourselves that just isn't true. We fill in the blanks with things we don't know. We make assumptions. We want to dispel some of those myths.
The other thing I hear from IT professionals is, “We don't need a password manager for corporate use because we have everything handled through SSO.” If you think you have everything handled by your SSO, then go spend the day in your marketing department and see how many accounts and things they're using—SaaS applications or whatever—that you didn't know about that aren't part of your SSO.
I'm a big fan of password managers. I think the other misnomer out there is people think that, “I may have to spend my whole Saturday afternoon setting this thing up. I'm going to pick one, which is hard enough, but I'm going to have to install it on my browser, and then I have to sit there and load all these accounts in there.”
Well, guess what? Do one or two. Then as you visit other accounts, it'll pop up and ask you, “Do you want to add this?” You just click “Yes.” It's not as big a task I think as people make it out to be. Then when it comes to those rules that you mentioned, when you're setting up a new account somewhere, a password manager can configure a password that's going to meet all those rules a whole lot faster than I can.
Yeah, a password with a capital P. Well, it's got to have a number. So it's Password1, oh, and an exclamation point.
You can have special characters but not a dash or not a dot or a period, right? Yeah.
That’s what I never understood. You have to choose from these four special characters and only these four special characters. Why can't I use a different one?
Yeah, the other gripe I've seen lately, and this has shown up on—there are just a few angry security people on Twitter that like to rant and rave, and I'm never one of them. But websites that won't let you paste—the password managers essentially pasting that password in there—until you actually type it yourself. I'm just like, “Why? I'm trying to use a password manager, which is the gold standard, and you're not making it easy for me to use a password manager.” So I paste it into Notepad and then type it in myself, and it's extra work.
That hits home because sometime in the last week or two, that exact same thing happened to me. “What's wrong with my computer? Why is it not pasting? I can type in that field but I can't. Well, let me paste it into Notepad. OK, it's pasted on. It's not pasted. What's going on?” It was one of those things where my password was 30-40 characters with uppercase, lowercase, and multiple special characters. Then, of course, it puts stars in there so I can't even see if I'm typing the right one. After four attempts, I got it. I'm not using your service anymore. It was the system that every 90 days, “We're going to force you to change your password.”
Which is another thing. NIST tells you you don't need to do anymore.
One of those things that I like about what Troy is doing with Have I Been Pwned, with some of the password managers that they probably all do it now is they're now starting to integrate with Have I Been Pwned. I'm not saying it happened to Amazon, but let's just use Amazon because everyone knows what that is. If there was a data breach in Amazon, the password manager now tells me, “Hey, there was a data breach. You need to change this password.”
Oh, that's, that's nice and convenient. I don't have to be watching the news every three days and listening to every data breach after every day and trying to figure out, “Was I impacted by that one or not?”
The company that I used to work for—a technology company—belongs to ADP, the payroll processor, human capital management company. A long time ago, they started that practice of looking for credentials on the dark web and reaching out to customers proactively and saying, “You might want to change your password.”
That, to me, is the nice, positive thing about technology—is I don't have to be watching for everything that goes wrong. You'll now tell me when things are going wrong.
Yeah. That's an interesting point because when are we going to get to the point where customers don't just appreciate that when it happens, but actually seek it out before they choose to do business with a company. We're not there yet. We're probably there in the financial services realm. But I'd like to see us get there beyond just, “I care about the security of my bank because they have my money.” People need to start seeking things like that out.
Well, I think part of that comes back to what's default in that user onboarding experience and how much friction does that cost? I know there was a study back probably 10 years ago when companies were looking at 401(k) enrollments. They found that, “If we just auto-enrolled people, they're quite happy to contribute to their 401(k)s.” If they weren't enrolled on the day that they started to work for the employer company, only half of them would ever actually start participating in the 401(k) program.
I know that was one of those things that Google just recently changed, I think, with Gmail is it used to be if you wanted to enable two-factor authentication, you could dig through the menus and figure out how to turn it on. Now they've actually started to, as part of setting up a Gmail account, it just says, “We're going to enable two-factor authentication. You can disable it later if you want to, but we're going to enable it,” and they found out the adoption rate was really high and almost no one turned it off.
Exactly. Yeah. MFA is one of those things that makes a huge, huge, huge difference. Especially now with push notifications like Duo, Microsoft Authenticator, and all those kinds of things. It doesn't even have to be a text sent to your phone or an email that you have to go fish out. Those authenticator apps are really quick and easy. I'm a big fan of forcing MFA on people without them realizing it.
I think that's because it's proven to be, aside from some SIM swapping that happens occasionally, if you choose the text method and have a cell phone provider that hasn't trained their customer support on how to avoid being social engineered. I think it really does make a huge, huge difference. I saw an interview, I don't remember who it was. One of the major technology companies came out and said that since they enforced MFA, they hadn't had a single account, credential-based, compromised since. That's huge, right? That's enormous. Think if everybody did it, what kind of dent can we make in global cybercrime?
Yeah, and I imagine the vast majority of it is, yes, if you're a billionaire and someone's specifically targeting you, SMS authentication is probably not what you want to be doing. But if you're not being specifically targeted, I don't know that people are going to go through the hassle of, “Hey, let’s SIM swap Lisa's mom and see if we can get $80 out of her bank account.”
Have you met my mom?
No. They're not going to go after random people. Not that they won't, but to me, there's this mentality of, “If you're not using the hardest, most sophisticated security, you just shouldn't use anything.”
You asked earlier about security folks with this laundry list of things that people need to do. You touched on one of them. One of them is it doesn't always have to be like Fort Knox-style security. We have to be happy when people take any stuff […] at all.
The other thing is all the discussion around multi-factor authentication, it's a very big priority for […] right now. They would love to see more of the American public and more companies using MFA. When I think about the average company newsletter on security or whatever, what if all you focused on was MFA?
What if you just focused on one or two behaviors that you wanted to influence, as opposed to trying to influence 20 different behaviors? Oh, you got to report phish and you got to that. Before you know it, the reader just goes, “I'm out. I have other things on my mind. This is not my first job today. My job is something else. My job is not security. If you overload me, I'm just going to tune out.” It's the same with using fear, uncertainty, and doubt (FUD). And pictures of hackers and hoodies.
I remember seeing a training module once that the phishing emails were depicted. He saw people working in an office in this video and the phishing emails were depicted as they had little bat wings flying around people. I thought, “You know what? Phishing emails don't look bad. They used to look bad, they used to have really bad English, really poor graphics, were just laughable, and everybody in the office got them at the same time.” We'll be like, “Hahaha, did you get this thing too?”
It's not that way anymore. It's targeted and it's sophisticated. It's well-written and well-crafted. It goes to a website that looks real. If we teach people that these things look bad, if we teach people that hackers really do wear hoodies, they're out to get you, and we use all that fear—fear, in most people, creates a fight or flight response. That's not what we want. We want people to engage. If fear was a great motivator and it sold a lot of products, every ad we'd see on TV would be scary.
Have you seen a really scary ad during the Super Bowl? People don't use fear. People don't wag their finger at you. People don't tell you you're being attacked. “You need to defend yourself and defend our company.” People don't generally respond to that. Maybe security professionals respond to that or veterans, but for the rest of us, that's not motivating.
You're not trying to feed them lunch, you're just trying to make them hungry. What do you need to tell them that pulls them in, gets them interested, and gets them to eventually change their behavior?
Before we were recording, we were talking about how it also sets up this false impression of, “If you see someone walk through the front door in a hoodie, you know he's a hacker.”
Yeah or he's got a sweatshirt with a skull and crossbones. He's wearing a […]. Trench coat with a hat on like, “Don't let this person tailgate behind you into the office.” Guess what? The person who's trying to tailgate behind you into the office, who's maybe there for nefarious purposes, is just going to look like everybody else.
I was working with a graphic artist a couple of years ago, a designer who's a really, really, really smart designer. We dreamt up this idea for a campaign that I think might actually come true this year. We were joking around with it, but I think it's something we really need to do.
I want to start #nomorehackersinhoodies. I would love the media to stop using this or stop using close-ups of motherboards, fiber optic networks, close-ups of keyboards, hands reaching through the screen to come take your credit card out of your wallet, and things like that, all these images that are just very funny.
Anyway, his idea was to have a picture of a girl on a beach just walking on the beach with totally serene pictures of somebody enjoying their vacation. The caption would be something like, “I paid for this vacation by phishing your grandmother.”
You could do a million different things, like just a guy walking down the street and then some caption. “Today, I have my day job, but last night, I did blah blah blah. I sent ransomware to your company,” or whatever it is. The reality is that these are everyday people in criminal organizations. They're other human beings just like us. I think there's something out right now on the internet called the Conti leaks. Conti is a ransomware organization in Eastern Europe.
Somebody has leaked their internal communications or instant messages to each other. It's really been quite entertaining to read because they complain about, “[…] got promoted. How come I didn't get promoted?” They complain about the same things. Their office gossip sounds just like us. Guess what? Just because they are just like us, they just happened to be cybercriminals. That's the whole point of organized crime. It's an organization, just like we work in organizations.
It's divided into departments and people with different skill sets, just like we have in our organizations. I think when you show that picture of a hacker in a hoodie, that gives the general public the impression that there's some guy in a basement somewhere or in a warehouse by himself in the dark just trying to guess your password.
It's so much more sophisticated than that. We're up against a machine. That's when you realize, “OK, then just changing that one digit at the end of my password for every new password, that's not going to cut it anymore.”
To me, that was the interesting thing in talking with a couple of guys like Jim Browning who does scam-baiting on YouTube. I don't necessarily approve of the tactics that some of these guys use. But to me, it was really interesting that these organizations are run like a call center that it's, “Oh, you're not bringing in enough revenue, so we're going to put you on a performance enhancement program. You sit with Bob here and figure out how he's getting so much money from people. But if you don't improve, you're out.”
This is not some lone guy in the basement in a hoodie in the dark. This is an organization that has training books. They've got someone who tries to figure out, “How do we make our business run smoother? How do we get people to steal more effectively?”
Probably more efficient now.
To me, that set off the epiphany of like, “Oh my gosh. I don't even like to use “organized crime” because when I think of organized crime, I think of the mafia. Six guys walking up with baseball bats with lots of jewelry on.” These are guys in office buildings. They don't have to be halfway across the world or in a third-world country. They could be down the street. They don't necessarily look at it as a crime like you would think the mafia with baseball bats, “Hey, we're going to shake your hand.”
You think of it as their job. “This is my job.”
It's a job and it's just like, “Well, these people have lots of money,” and they figured out a way to justify it, that they're OK with it. But to them, it's just a job. It's like, “Oh, that really changes the dynamic of who these people are.”
Right. A lot of them are really gifted technologists. One of the conversations in the leak is a supervisor who's unhappy with the coding skills of one of the […]. They operate on sprints like any other […].
Agile development. They've hired some business coaches, apparently.
It's frightening. When you really think about it and just how sophisticated it is, it's frightening. I go back to the days of the mafia dons sitting in the corner of the restaurant at any time. At least you knew who it was.
You at least saw it coming. Do you see things getting worse before it gets better?
Yeah.
Like much worse?
It's interesting what the current events have done. As we're recording this, there's war in Ukraine. I think cybersecurity has gained some attention through this. Those of us who work in the field know that this is a war that's been going on for quite some time. Anybody who watched the pipeline attack happen or stood in line for gas in the Northeast, anybody who's been paying attention to the stories, knows that this is a war that's been going on for quite some time.
Now we have a physical war that's just another facet of the aggression that's been coming out of Russia from a cyber perspective for a really long time. I think in a way, it sort of highlighted what's happening in cyberspace that most people don't really think about every day.
Maybe there will be a couple of months down the road where we'll see that people are thinking a little bit more about how to protect themselves online and the role that we all play. Not that that's any kind of silver lining. I don't want to communicate it in that way. But I do think it's going to get a little bit worse before it gets better, before people take a more active role.
We have a lot to do in the security community to be better communicators about it, to be more helpful, more welcoming, and more empathetic to folks like my mom. What we try to do at the National Cybersecurity Alliance is express empathy and keep things really simple. Use everyday terms to explain very complex technology. I would love to rename multi-factor authentication. I just can't think of a better word, but why do we choose these things?
That's why I always say two-factor authentication, because if someone hears multi, it's, “Wait, how many things do I have to do?”
I think I'll change to your word, Chris. I like that better.
“I have to have a password, then you have to send me a code, and then you want a retinal scan and a voiceprint.” At some point, we're just going to have slides of our blood that we're going to put on scanners before we go indoors. Hopefully, it doesn't come to that.
Yeah, I hope not too.
Earlier, you talked about if we could just get people to focus on one or two behaviors. We talked about password managers or two-factor authentication. If we get people to do one, two, or three things over the next six months, what else would it be?
The other two biggest for me are reporting phishing. If you've been defrauded or scammed in any way, report it. I've had this conversation with folks at the FBI and the Secret Service many times; they really want people to report things.
I think people have this impression that if something happened and either there's a shame factor, like, “I was a victim of a romance scam or something.” Or they feel like if they go to those websites and they report, nothing's going to happen. It's just going off into cyberspace and nobody's ever going to be brought to justice. Nobody's even going to look into this.
The reality is that if we don't report those things, just like any other organization, they're looking at data and they're looking at trends. When they start to see—maybe it's money being wired to a particular bank account that's attached to multiple victim stories. Then they say like, “OK, this is something we really need to look at. There's a lot of volume happening here. There are so many dollar amounts, there are a lot of victims,” whatever it is.
If we don't report and they don't get that data, you might not get a friendly call from your local Secret Service agent the next day after you report something. You should know that that does make its way into a database that can eventually be a part of a larger investigation because guess what? They're not just scamming you, they're not just reporting you, they're not just stealing from you. They're stealing from a lot of people.
Federal law enforcement needs that reporting. The SOC and your company needs to know that that was a phish in your inbox. It could be reporting phish, reporting something that doesn't look right, doesn't sound right. My aunt, who's a widow, got her bank account wiped out by some guy on Facebook, whatever it is. Those things need to be reported.
The other one that's near and dear to my heart is keeping your software updated, keeping your OS updated, and all those things. Things happen and most people don't realize that those updates are usually security-driven. You kind of think, “Oh, I'm in the middle of something, it's going to shut down my machine, I'm going to lose whatever I'm doing, and I'm going to get off track.” It's a distraction, but it's really, really important. Patches and updates are incredibly important.
Yeah, I agree. I'm not necessarily one to install the next major version on the day it comes out. But security patches, I'm grabbing every device I can get my hands on in the house. I'm going to install that, install that, install that. That's when it's going to be used the most.
There are education programs for small businesses. One of the gaps we try to bridge is that lack of communication. Maybe I'm a small business. I have one or two locations or whatever kind of business, and I have one IT guy for these couple of stores or whatever it is. They don't really speak the same language, the business owner and the IT professional. We have some training that tries to bridge that.
I was in the car business, so I talked to a number of car dealers who don't really understand what their IT guy is saying. All they know is he, or she, wants money every time they come to me. They don't know what questions to ask to know if their IT person is on the right track and is efficient and effective.
One of those things is patching. I've told many car dealers, “It's OK to ask like, ‘OK, so how do we patch? What's the process?’” If you get an answer that sounds kind of squishy, like, “Oh, whenever they're available.” “How do you know?” Even though you don't even understand what patching is, you can ask about the process.
If you hear an answer like, “Oh, it's every Tuesday and it's this and it's that,” that's different. I think business owners need to educate themselves enough that they can tell the difference between, “Yeah, I feel like we're on solid footing here. This sounds like a legit answer. I'm going to Google a little bit so I can understand a little bit more. I'm just going to ask enough questions until this person can explain things to me in a way that I can understand.”
You're the business owner. You have the right to ask those questions. When something sounds squishy, you probably need to probe a little bit more.
Yeah. If you ask your accountant how much money is in the bank account and they get squishy, you bet as a business owner, you're asking, “What do you mean there might be this amount of money in the bank? No, no, no, how much money is in the bank? You're the accountant, you should know this stuff.”
Right.
I do think even small business owners with their IT people, I don't know, maybe he's a good IT guy and maybe he's not. It's kind of one of those, I don't know anything about this, and I don't want to know about it. That's the thing that always kind of concerns me.
You may not know how to do accounting, but you want to know that you have money in your bank account. In the same way, you may not know how to do the patches on the router. You just want to know that someone has a plan for it and they're executing on that plan.
Exactly.
That's always my wildcard thing. “When was the last time you updated the firmware on your router?” “You can do that?” See, but now we're getting into number 21 on the list of things that you should do on your security. Are there some resources that people can get on the NCA website?
Yes. Our URL and our name are two different things. We're the National Cybersecurity Alliance, but our URL is staysafeonline.org, the world's best URL. We have a ton of information on there. We have all kinds of tip sheets.
Hopefully, by the time this airs, our brand new website will be out there that makes it even easier to find things. We try to be timely and topical. We see things like a big uptick in Twitter followers when the pipeline thing happened. People are looking for really plain-spoken information.
We did some metrics lately and the most popular article we have on our website is, “How Do I Know if My Computer Has a Virus?” People are looking for just really, really simple, like, “Help me out here. This stuff is confusing.” For example, we have information for, as I mentioned, small businesses but also parents trying to keep their kids safe with all the technology that kids are using these days.
We have a page. There must be 50 different links on there. We have a page with links to all the different popular applications and where to tweak your privacy and security settings.
I wish there was a standard. I wish when you clicked on settings on any app, it would say the same stuff and you'd know exactly what to turn on and turn off. Unfortunately, every different application, including all popular social media apps and everything, puts those things in a different place and even interprets some of them differently.
And then they change the menu structures every few months.
Yes. We have made it easy for people. We have a page, Security and Privacy Settings. If you google “stay safe online security and privacy settings,” you'll find this page that has all these links. We keep up with that so that it makes it easier for people to figure out, like, “OK, I really don't want to share my location with every single application that I'm using. How do I do that?”
Information for romance scams, online dating, cyberbullying, you name it. Any kind of topic about staying safe and secure, we've covered it on our website. If we haven't, you can send us an email or fill out the Contact Us form on the website and we'll make sure we address it.
That is awesome. Thank you so much for coming on the podcast today.
No, thanks for having me. This was a ton of fun.