
Practical Analysis of Awareness

BSides NYC · 2018 · 45:04 · Published 2023-04
About this talk
A security awareness program is only effective if it genuinely engages employees and measures success through meaningful metrics, not vanity KPIs. This talk challenges the obsession with low phishing click rates and argues for building security culture through education, critical thinking, and positive reinforcement rather than fear or paranoia.
Transcript

Cooley, as my lovely introducer said already. I'm 4n6 Kendra on Twitter, which is "forensics", not, like, I don't know, I've had people ask me if it's like IPv4 or 6. No, it's forensics. All right, so yes, the name of this talk is Practical Analysis of Awareness, but what I really wanted to call this talk was "Your six percent click rate doesn't mean..." How many of us have, like, security awareness programs where we work or go to school? How many of you guys have heard the touting of the low click rate on those? Oh, it annoys me, drives me absolutely insane. All right, so let's talk a little bit about me, because I

know that's what you guys are here to learn about, me. So I got my bachelor's degree in digital forensics from a very small school in Michigan called Davenport University. Did not even know that we were the Panthers; that's how much I didn't give a crap when I was in school, but apparently we are, so now, fun fact, you guys all know that as well. I have my CISSP, so you guys can trust me. I specialize in incident response on a day-to-day basis, the detection side, the incident response side of it. This is my favorite meme ever, of the cute little guy from Minions. And also a big part of what I do is security awareness training,

so, shocker, that's what we're going to talk about today. Now the non-technical side of who I am: I'm an animal lover. I have three lovely dogs that are actually still in Michigan; I don't live there anymore, but they're there. And then I have three ducks and a goose, which goose is clearly missing from the photo, but they are surviving the long winter in Michigan while I am enjoying lovely Atlanta. I'm a wine drinker, do-it-yourselfer. Pinterest has literally been the death of me. I can't even tell you how many projects I've attempted, and if you ever go online and you look at, like, Pinterest fails, where you see, you know, what it should look like versus what it

actually looks like, oh God, I should probably have every single one of my projects posted on there. And I also like to tell stories, so I'm sure we'll probably get into that a little bit. But here's a map of the United States, in case you guys didn't know. I used to live there in good old Michigan, and I most recently worked for a company called Duo Security. Everybody know Duo? Yeah, pretty great company, right? Yeah. But in October I made the giant leap of moving to Atlanta, Georgia, to become a Southerner. Oh, it's a different breed of people down there. Anybody from the South in here? You just work six months down there, so

you've got, like, a Southern drawl now. Are you saying y'all? Oh, I've already started picking that crap up. All right, so now I work for a company called MailChimp. Everybody heard of MailChimp before? All right, perfect. So it's been a lot of fun. The company is a lot larger than I expected; we're about 750 people, hiring rapidly if anybody is on the hunt for a job. But it's been a really fun last couple of months and a very interesting transition, to see a company that was so focused from a security perspective, such as Duo, and move to MailChimp, where their focus has been very focused on the security of their application, which makes sense, but unfortunately when that happens you

kind of leave your actual employees out a little bit. So that's kind of where I've been targeting a lot of my focus for the last few months. All right, now who are you guys? I'm gonna pass the mic around, y'all introduce yourselves. I'm just kidding, just kidding. But by a show of hands, how many of you guys are, like, brand new in infosec? Awesome, that's really cool. How many of you guys have been in infosec for, like, the five to ten year mark? All right, cool. And then ten and above? Awesome. Now by another show of hands, how many of you guys in here would consider yourselves more defensive, or blue teamers?

Okay, a good number of you. And what about red team, offensive side? All right, so you guys are in here to learn all our secrets, I see. I see what's up. All right, so why are you guys here? I ask this question of my employees, or the people that I give security education trainings to, every time that I start a class: why are you here? What motivated you to come here? Was it organic, did you come on your own, or was it mandated? Did you have a genuine interest in coming here, you came to learn, or was it obligatory? Did somebody say, oh, by the way, we have this once-a-year training you guys have to come to, and

you have to be here, right? We probably all have heard that spiel and we've all ended up in those types of trainings, which means you came to check a box. Hopefully none of you are here to check a box; hopefully you're here because of that genuine interest. All right, so the bulk of what I want to talk about for this presentation is the fact that we have to take education more seriously when it comes to security. And Dr. Lovely, earlier this morning, if you guys were here during opening remarks, he mentioned the human element of security and why that's so important, because at the end of the day, we've all heard, you can't patch the humans, right?

And it only takes one mistake to potentially bring down a company, so education is extremely important. So today we're going to talk about the current state of security awareness, what we're getting wrong, whether or not your program is successful, and then how we can improve our efforts. All right, so currently security awareness is broken down into a few different types of, like, training modules. One other thing that we probably all just got bombarded with in October: National Cyber Security Awareness Month, right? Did everybody participate in something for NCSAM? Yes, it's like, shove it down your throat for one month and then we're gonna forget completely about it. And then the fake phishing campaigns, which, if you guys

have listened to the first couple of keynotes this morning, we've heard a ton about phishing already, because phishing is effective. It's one of the easiest ways for an attacker to get into a company and to get the information that they need, on top of regular social engineering. But the problem is, we're over-phishing our users. So at the end of these, you know, these few things that we're doing to kind of put together security awareness training, we end up with users, especially at the end of October, like this: they're like, no, I'm done, I don't want to do this anymore, I don't care, it's security awareness, I just check the box, let's move on, guys, I've got other

stuff that I need to worry about, right? And at the end of the day, security really fits in various parts of our organization. How many of you guys actually work for, like, a security team in your organization? That's great, right? And you probably recognize the rest of these teams: there's compliance teams, there's human resources, legal, training, our IT department. In some companies the security responsibilities don't even fall within the security team itself, and that's actually something that I am working to combat right now at MailChimp. A lot of our security functions live within our IT department, which is scary, to say the least. So I'm working to pull that back into the security company, or into the security team, where we actually

care a lot about security and the things that people are clicking on, and we're actually working with them to educate, versus just saying, yep, thanks for sending that phish, you know, we'll do our best to remove it from servers, things like that. And depending on where that fits in your organization, you see differences in your training programs. Obviously, if the security awareness portion fits within your compliance team, you're going to get a lot of, what, compliance-focused training. You're going to get a lot of information about, like, data privacy and what types of things you can share and what types of things you can't share. If it fits within, like, the training and development team, it's

going to be the widest cast net over as many things as they can possibly train you on; it's going to be, like, an inch deep. All right, and at the end of the day we're all trying to avoid what? Being the next big news story, right? None of us want to wake up in the morning and look on Slack or whatever messaging app, or get an email, or see in the news, company X, Y and Z's next or latest breach. That feels awful, right? Well, it would; I don't know for sure. But we have options when it comes to security awareness training as well: we can either build our programs or we can buy it.

And because I'm such a do-it-yourselfer, I prefer the build-it-yourself approach. I think I'm going to put together a security awareness Pinterest page. [laughs] Totally kidding, I don't have that kind of time. But I think, you know, it could be fun, right, to kind of get more of, like, a collaborative approach on security awareness, because there's no really good one way to approach security awareness. We all have different types of users, we all have different types of problems that we're facing, and at the end of the day we need to meet our compliance needs, we obviously have to stick within a budget, darn budgets, we need to educate our employees, and it

needs to be relevant to the things that we personally deal with. You know, if it's news related, obviously we want to be able to protect our reporters and things like that. If it's the financial services industry, there's different things that we want to protect there as well. If you have a large customer base, you want to make sure that you're protecting the data that your customers have trusted you with, such as credit card information. And unfortunately, if any of you guys have recently Googled security awareness programs, has anybody done that recently, like, to see what kind of vendors are out there? Holy crap. I'm going to show you a few. Full disclaimer: I do not support or

suggest using any of these; I'm just trying to show you a few that are out there. PhishMe, Wombat, I mean, we have a ton of different programs out there that we can pick from that all specialize in, what, securing the humans, making sure that they're educated when it comes to security. And you look at these and you're like, how do I even pick? Well, each one of them seems to offer really similar things, you know, phishing modules and training modules and things like that, but how do I know if it's really going to connect with my users and my audience? The fact of the matter is, you really don't until you get in there, right? You

don't know how successful that program is going to be until you actually start to use it. Now from a do-it-yourself perspective, you can still meet those security compliance requirements. In fact, you can meet them better, because you actually have the opportunity to meet with your compliance team and your legal teams and ask them: what's important to us, to our customers, to our users, to our employees? What types of things do we need to protect for them? And you can really start to kind of fine-tune the types of training. It can be more cost effective, right? Usually you can educate the employee just the same as you would with a bought program, hopefully, if you're doing it right. And it can be

more relevant to your industry; again, you can fine-tune it to the things that you actually care about. And it can be challenging and completely personalizable, which is great. And if something doesn't work, if you find that something isn't working in your program, you can tweak it, ship it out the next day. It's that simple; you don't have to deal with customer support. Oh, and if not you, then who is going to do it? How many of you guys, by a show of hands, are actually responsible for running any type of security awareness, and that can be as simple as sending phishing tests to your employees? So there's a good group of you in here. That's awesome.

One of the biggest changes that I think we need to make when it comes to security education is building a security culture based on education instead of fear. There's nothing I hate more than walking into an organization and having them shout paranoia and fear and making people afraid of clicking on things, because that is not a good way to create a security culture. All you're doing is creating a fear-based culture, which at the end of the day is just making your employees paranoid. They don't want to click on anything, and if they do, they think that, like, people are going to come out of the ceiling and come down on them and, like, snatch their laptops, and

they're going to get fired, because you haven't built that rapport with them just to let them know that, hey, things happen, it's okay, we are all human, but this is how we prevent it going forward. So what are we getting wrong? Now this is where I want to open it up to you guys to see what types of things you guys think we're getting wrong from a security awareness perspective. Where are we failing? Go ahead. Once a year, check that damn box, compliance training. Yep, terrible. What else? Where else are we failing? Go ahead. Same training. Oh yeah, so same video modules you just click through. Terrible. Anything else you guys think we're failing on?

Understanding what's relevant. Okay,

exactly. So not paying attention to the ways that people actually take in content. Some people are very hands-on, right? We learn at a young age that we all have different learning styles and mechanisms in which we absorb information. Some of you that are sitting in this room right now listening to me talk, it's like, whatever, I'll catch it on the replay. Maybe some of you are reading the content on the slides and you're like, okay, I'm getting that, I don't really give a crap about what she's saying. Some of you, if I had an actual activity up here that we could do, you would learn from that, right? So why, when we're doing security education, are we doing it one way?

We're saying, here's your online training module, or go sit and watch Kendra talk for an hour. Not everybody learns like that. Sure, go ahead.

Oh, we don't relate to the human aspect of security at all. At the end of the day, what we're looking to do is make sure that we're fulfilling those compliance requirements and making sure that in the event we get breached and somebody says, hey, were you doing X, Y and Z, we can say, yep, box checked, good to go. But did our users get anything from that? Sure, go ahead.

Yeah, so not taking into account the different technological skills that your user base has as well. Not every user that walks into your door on day one really has much knowledge about a computer, and then you have those other folks that are like, yeah, I know everything about computers, but yet they're still missing some stuff when it comes to security, right? So the other thing that we're really messing up on is the special snowflakes. Who knows who those special snowflakes are? Anybody? I'm sorry, but developers are definitely special snowflakes. What about that C-level? Don't phish them, they get angry. I don't care, phish them, they need to learn too. But those are your special snowflakes

that you're dealing with, right? And again, we mentioned check the box. It's hit or miss with your employees. There's no transparency when it comes to security. Oftentimes, if an incident occurs at a company, a lot of times we keep it, like, really hush-hush. We're like, oh, that wasn't something we needed to disclose, we'll just keep it right here. But the more aware our users are of the threats that we're actually facing, the more vigilant they become, and able to actually detect these things. We're using the same tactics. You guys did great, did you guys look at my slides ahead of time? I don't trust any of you hackers. All right, and employees are getting so

good at spotting the fakes, so good. I actually had a friend a couple of days ago who messaged me, and he was like, I got a question for you. So I've been using the same phishing tool over and over again on my employees bi-weekly and my click rate is zero percent. They must be doing really well, right? I'm like, that's so cute, you need to come and listen when I talk. But really, your users are getting good at spotting the fakes; they're learning the types of things that you're targeting them with, and we're not using the types of tactics that a normal attacker is going to use. If an attacker is really focused on getting into your company specifically,

they're going to do what? Spear phish. They're going to do that OSINT ahead of time; they're going to look for what types of things your users are going to fall for, right? Not just sending out one mass email across the entire company saying, hey, your credit card was charged for upcoming travel. Okay, what percentage of your company even travels? Maybe like 10%? So that leaves about 90% of your company that's like, well, I'm not traveling, delete, this is not relevant to me. So they're getting really good at spotting the fakes. And then again, highlighting security education only once per year. Every single day that you go into the office, or every single time that you

interact with a user, a customer, an employee, guess what? You have the opportunity to educate them every single time, and if you engage them in conversation, you'll surprisingly find how interested they actually are. I'll tell you one of the best ways to get people to start talking about security and letting their guards down. How many of us love to lockpick? Lock picking is so much fun. Get a bunch of locks, set them down in, like, a common area at your work, and invite people to come pick locks with you. Oh, the questions you get from people who are just not really thinking and they're just tinkering with the stuff, it's amazing. And it's such a good way to

start to build that rapport with the rest of your company and let them know that the security team really isn't as scary as we look. I mean, I have to wear a lot of makeup just, you know, so people don't get scared by me, but it helps, so if you have to do that, do that too. So now what we want to talk about is: is our program successful? What do you guys think? What types of things are you guys using currently to determine whether or not you think your security culture is strong? Go ahead, don't be shy. What types of metrics are you guys using, or what types of things are you seeing when you're walking around the

office that indicate, yeah, it's all right? Anything? Days since last breach. Whoa, all right, yeah, that's a good indicator, wow. All right, anything else? I was gonna say everyone's afraid to mention that six percent click rate now. Sorry, ruined that for you. All right, what about, like, training module participation levels? Does that really matter? Doesn't matter, honestly, no. Why? They had to take them anyway; they don't give a damn, they're just clicking through them. Now how many of you guys have training modules with, like, a quiz at the end, and the user has to score, like, I don't know, what's the general, like, 80? Let's say 80 percent. How many times are you guys re-letting

them try those five questions? How many times? Unlimited, yes. Which means I can click through that content and then just look at the questions as many times as I want, or ask my neighbor, hey, what was the answer to that one? And I got nothing from it. And if you have honest conversations with your users, they'll tell you, yep, that's what I do. It happens; we're all human, right? Same thing with when, like, the sexual harassment one comes out every year. I'm like, I mean, it sucks, like, I'll admit it, but we all do it. We haven't been breached yet, or days since last breach, sure, hopefully that's a very big number. But I actually had a meeting one time

in a large company, and we were trying to get some new software. We were talking to the C-levels, you know, talking to them about budget and things like that, and I'm not kidding you, the person said, why do we need that? We haven't even been breached yet. I was like, if my head could have spun around, it would have, for sure. So how do we know if we're getting things right, then, if those really aren't that good of indicators? What types of things should we be looking at? Any idea? Go ahead.

Okay, about security. So how many people are they actually engaging with about security, kind of, like, outside of their regular day-to-day job routine? I love that, that's really great. You know, like, and it can be kind of weird to, like, approach someone in the hallway and have a random conversation about security, right? Oh, they come to you, that's great too. Yeah, so, and again, you can encourage people to come to you. You can have security office hours, get people to come and approach you. Do that lock picking thing, throw out other random challenges, show them giant password databases and have them search for theirs in it, that can be fun. Different

things to just engage your users, because at the end of the day they're not attending conferences like these. They are getting their news about security from what you tell them, the types of things that they need to be aware of, and then the news, which is terrifying. Holy crap, stay off the news. Yeah, that's not the best place to get your security education sometimes, is it? But that's where our users are getting a lot of their information, and then they come to us and they're like, oh my God, I heard about this thing, is my computer infected, what are you guys doing to protect us? And it's great to be armed with responses on what we're actually

doing and how they can protect themselves at home, right? Because we want to relate it back to the person, not just the employee. So five things that I always, always, always preach in my security awareness are these five things here. Everybody has seen these, right? Everybody is doing these in this room? You better be. No, I'm just kidding. Updating your devices as soon as those updates are pushed; like, let users know why that's important. Why is that important? Well, because there are these little exploit kits out there, and the longer you let your machine go un-updated, the easier it becomes for attackers to exploit it, right? Let them know that. Using strong passwords: why is that important? And even more so,

why is it important to never reuse your password on another site or on multiple sites? Using a password manager: this is probably the bulk of the conversations that I have with users, because they constantly are forgetting their passwords and having us reset them. I'm like, well, you know, if you used the password manager you wouldn't have this problem, right? Password managers have personally saved my life a million times, and if we can get users to relate to why that's important, it makes our jobs a lot easier. And then using two-factor authentication, whatever that is, really hope it catches on. All right, so relating the why to them personally, instead of to a policy.

How many of us really care about policy? Yeah, good, so there's a few of us in here who do, and a few of us who answered honestly that we don't give a crap. Policy, at the end of the day, is extremely important; we all know that. It helps us to tune our procedures, it helps us to know what kinds of things we can and cannot do. But at the end of the day we need the why. Why can't I use an eight-character password with no uppercase, lowercase, or special characters? Why does that put me at risk? Why does that put the company at risk? And if we can have these conversations and let them know directly why it's

important to them, and what types of things they can even bring home to their family, it helps to make our security efforts that much more successful. One thing that I also like to do is to encourage our employees to take these special tips home, so everybody gets, like, a printout that has those top five things for security, and I encourage them to put it on their fridge at home. If they have kids, talk to their kids about it. It's never too early to start with security education, right? So that can be fun. You know, most of the employees that sit through my security education, I'm sure they are the life of the party at New Year's and

whatever else. So how can we improve, how do we make this better, how can we improve the security culture? I love this; I always have to find a way to work this in. Summer... no, we're not perfect. None of us are perfect. Security education is never going to be perfect. Why? Because every single one of you sitting in this room, myself included, have different things that we care about. I have ducks and a goose that I care about. Does anybody else in here have ducks and a goose that they care about? No? Okay, probably because I'm weird. But the fact is, we all have different things that matter to us, we all have

information that we don't want to get out there, which makes us all extremely unique. So in order to fix this, what we need to do is educate everyone, including those special snowflakes. If you get pushback from, like, the head of your security department or IT or something like that, that says, last time we tried to phish those C-level guys they got a little antsy about it: good, do it again, and let them know why that's important. Your C-level, or even the folks that are just below them, are the most known in your company, right? They're the most targeted, they're the easiest to target, and they click on everything, literally everything. So we need to educate everyone. We need

to make sure that even the brand new guy that comes in the door is getting that basic level of security awareness training, right on up to that C-level. And then we need to specialize that training. Role-based training is extremely important. If you have folks that are sitting on the phone all day talking to customers, what types of things do you think you need to educate them about? Social engineering, right? Falling for people calling and trying to get customer data, or trying to scam any type of information out of them. That's super important. We need to switch it up. That same training every single year: boring. It's boring, it's boring for us, right? We put it out there; we don't even

want to take it. So switch it up. We have so many different avenues. The news: pick up a newspaper, pick a new news story and educate your users on that. Like, what happened, what could have prevented it, what types of things are we doing to prevent that, how can you protect yourselves at home? Relate it back to the person, not the employee, not necessarily the policy. And transparency: so again, real examples. If you have things that you can share, which, granted, there will be things that come across you as, like, a security analyst that you can't necessarily share widespread with the entire company, but share as much as you can. For instance, if a user loses their

laptop, that one hurts, right? It happens a lot, though, sadly. You get a report of a user that's like, hey guys, just so you know, last night I went to the bar and I was drinking a little bit and then I forgot my backpack there, which, how do you do that, I don't know. Forgot my backpack there; I know exactly where my laptop is, though, so it's fine, like, I'll call them when it opens and I'll get it back. We're still treating that exactly the same as we would a lost or stolen, right? We want to make sure that the data is secure on there. And those learning opportunities, make it kind of funny for your users, you

know, let them know, like, without calling someone out specifically, but say, hey, this type of thing does happen, and guess what, we want to know about it. We're not going to shame you, but we want to know about it, because these are potential security incidents. Be an ally. One of the worst things that we can do is make a list of people who repeatedly fall for our phishing exercises, or if you do USB drops around the office, which is really fun by the way, highly encourage those, if you do a USB drop around the office, don't publish the names of the people who plugged in those salary-spreadsheet-labeled USBs. That's not nice, makes people feel bad. We don't want

people to feel bad when it comes to security, because when you feel bad you do less of what? Speaking up. If you think you're going to get in trouble, just like when you're a kid, we learn to say, it was my brother. You know, you point the finger, you blame others. That's what we do, we're humans, and we're still doing that even though we're not five anymore. Know what's important to your employees. Have those conversations. In those five-minute conversations that you're having with those employees, find out what types of things they care about, ask them about their families, you know, get to know them on a little bit more of a personal level, to figure out how you can relate

security back to them in a way that isn't just, we really only want you to be secure when you're here at the company. Because we all know that mistakes that we can make in our personal lives also could ultimately affect the company. The information that we're posting online makes us more susceptible to a spear phishing attack that we could get at home or at work. So educating those users to make sure that they know why that's important. Nurture curiosity: oh, if somebody has a question related to security, take the time and answer it, and if you don't know the answer, get back to them; tell them that you will figure out the answer and get back to them.

Nurturing that curious mind is extremely important when it comes to security, because if that ball drops with you and they had a question, it could be gone forever, right? And then they don't have their answer and they never think about it again, and then, whoops, I accidentally clicked on something, or, oops, I downloaded that thing that I probably shouldn't have. And then encourage and reward good behavior. MailChimp does a really awesome thing where if somebody does something good from a security perspective, we give them these little chimp coins, which they can then go and turn in at this really awesome rainbow room where they can pick out cool swag and stuff. So finding ways to reward

employees for the things that they've done, even if it's, I'm not kidding you, the simplest thing. If you use, like, a Slack or something, give them karma. Say, hey, thanks, Tom, for spotting that phish, or turning it in to security. Give them those karma points; people love that stuff, it's absolutely amazing, and you can't turn it in for crap, but it means something to them, right? And this is something that is causing a little bit of stress for me right now: create a security culture based on vigilance, not on paranoia. Because unfortunately, an organization that I may or may not be with now has preached paranoia for their security education since the beginning of time,

which has worked well for them, I must say. The phishing exercise that I sent out a few weeks ago, I was absolutely astounded at how well they did, and they had their little tinfoil hats on and they were like, yes, I caught this, like, really good about, you know, transferring the information from other employees. But at the same time, like, if we're preaching paranoia, we're not encouraging curiosity, for one, which is a bad thing, and then we're taking away critical thinking skills. If we're just teaching everybody to be afraid of everything, and then they're turning in every single thing that has a link or an attachment to us, we're not teaching them critical thinking skills,

we're not teaching them the things that they can look for in order to be more vigilant, which in turn helps analysts. Proactive versus reactive: this is so important when it comes to security. Has anybody here suffered any type of, like, break-in of their house or their car or anything like that? Terrible feeling, right? And then once it's done, you're like, I better get a security system. Yeah, because now we're being reactive versus proactive. We can do the exact same thing when it comes to security. Those five things that I listed a few minutes ago, about, you know, having strong passwords and unique passwords and 2FA and using a password manager and then also installing your updates,

those five things help to make you more proactive when it comes to security, and if we can get our users engaged and following those five things alone we're going to end up doing a lot less on the reactive side. This is something that always gets weird looks, especially from upper management, because I encourage criminals. So encouraging a criminal mindset is exactly what it sounds like: I want employees to walk around the office and identify things that they could do harm with. If they see someone's badge just laying on a table, pick it up, but turn it in please, because we don't want that to get into the wrong hands, but think about things critically when you see them. If you see

a USB laying around, think about the harm that that could potentially cause. One, could it have sensitive data on it? Yes. Could it have data on it that you might want to see? Maybe, but we're not going to plug that in. Letting people know why, why these things are important. But if you're encouraging them to think like a criminal, it also helps them to alert you to the things that they see that are weird, like "oh by the way, that back door when I came in this morning, the lock wasn't working." Well, if you're thinking about it from a criminal perspective, that's awesome, I can just get right in, but if they're

actually actively thinking about these things, then they can alert the proper people to it. All right, so where should we be looking? What types of things can we look at to let us know whether or not we have a strong security culture? Reports from employees tell amazing stories, absolutely amazing stories. Oftentimes some of the things they report, especially when it comes to like a phishing campaign, first of all are just hilarious. Like one of my favorite ones recently was "WTF is this?" Like, yeah, that's correct. And then "hey, I didn't have enough coffee this morning before I just blindly clicked on that." All right, so these are telling us good stories about our users and our

culture and the types of things that we need to be educating them on. We need to make sure that they have a cup of coffee the second they walk in the door, okay, perfect, we know that we can change our culture based on that. Employee behaviors: one of the greatest things that I witnessed while sending that phishing campaign a couple of weeks ago was just kind of monitoring the chatter around the office. I wasn't really like that covert when I sent out this phish; the entire company got it at the exact same time, so if anybody was paying attention and accidentally entered their creds and got that "whoopsie, been phished," then they told the 10 people around them,

and it drastically starts to plummet your click rate, right? So employee behaviors are really important to monitor and watch, because I always encourage people to act even with a fake phishing campaign that they've identified as being like "yeah, Kendra sent this crap." Treat it exactly as you would any normal phishing campaign: send it to security, tell everyone around you not to click on it. I don't care, make my click rate suck, it's not what I'm there for. I'm there to educate you guys and I want to see not only how my team responds, I want to see how you guys respond as well, so it's very important. Other things that we can look at: oh, admin rights overuse,

hole. Having 15 or more G Suite admins, or admins to any other system that you might use, probably not best practice, right? Super admins, I might add. Oh, that's smart. Looking at like the types of roles that your users have and doing those regular audits, those types of things tell a really good story about your security culture, not even from the employee perspective but like how your security team or your IT team is doing in general. Hold each other accountable. And your tools are actually a lot more valuable than you think, so our tools can tell us, you know, when users have updated their devices. Sometimes we might just push a mass update across the entire organization,

but other times we might actually have to like have users go out and update those. See how quickly they're updating those devices, and if you've got some stragglers, pull them aside and let them know why it's important. And here's another fun thing to do: have them pull up what current version their phone is on and then help them learn how to update them. All right, so updating those devices, using strong and unique passwords. If you're using any type of like enterprise password suite or password manager you can get a lot of really great valuable data out of that. You can tell, you know, if people are reusing their master password across

multiple sites, if they're reusing passwords in general, and then help to encourage better behavior. I know LastPass, for instance, will just send automated annoying emails to users, which is very helpful. That password manager, encouraging people to use those not only for work but also for personal lives. Again, LastPass has the ability to link your enterprise account to your personal account; that's good data for us to have, lets us know what types of things people are taking seriously. And then two-factor authentication: are our users using two-factor authentication? You can do a lot of really quick searches in different tools that you use to see whether or not people have turned that on, and pro tip, enforce it if it's a

possibility. That's a really great thing that you can do. So those are, I guess, my main tips for you guys, things that we can do to help build our security culture. Do we have any questions? I unfortunately don't have a lot of time to hang out afterwards, I've got to catch a plane, so if you guys have any questions I've got like 10 minutes or so. Sure, go ahead. [Audience question:] so they're already knowledgeable, but news work clients finding ways around security burnout, as far as like they're just too inundated with news and stuff like that. All right, yeah, um, so I guess the best thing that I would say to encourage that, something

that could be really effective would be sending out like a quick newsletter of "hey, here's a couple of things that we've seen in the news recently," encouraging them to follow like specific Twitter feeds that don't inundate them with like too much information. I know a lot of developers and things like that will spend a lot of time during the day just combing through different security articles, which that can be too much. Like even for me personally, that's too much information; I want a concise format that I can just get information from. One thing that's also really effective is if you do have some type of communication channel, so like a Slack or something like that, posting,

limiting who can post in a specific channel, for instance, and then just putting like top headlines or things like that that they should be looking out for. That can be a really effective way to make it so they're not just getting inundated with things that don't necessarily affect their day-to-day life from a development perspective. Anything else? Sure.

Yeah, so our security department is trying to be more and more transparent. At the company I worked for previously we did a really good job about being transparent. The thing that we wanted to obviously always be careful of is getting that like pointed fingers, or like making that person feel bad or shameful, so something that you can also do in those instances is like collect a few stories and share them like once a month or once a quarter, or turn it into something funny, like make it seem like it's not even something that actually happened, put like a random character in it. Or something that I've done many times is make myself the butt of the

joke. Put your own name in it. I don't give a crap if you think I lost my laptop; this is what we did to handle it. And then people aren't thinking like "oh, was it really Bobby in accounting?" No, it was Kendra in Security because she's stupid, so it kind of like takes that aspect out of it. But at the end of the day the biggest message to encourage is like we're all humans, we're all going to make mistakes, we are all susceptible to falling for a phishing campaign, we can all have a couple too many drinks and leave our backpack somewhere or drop our ID card. You know, just kind of making sure that

you are aware of that human element, I think, is really important. Any other questions? No? All right, well thank you guys. [Applause]

remember I do not work for the security
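The signals the talk says to pull out of your tools (admin and super-admin counts, who is lagging on device updates, password reuse from a manager export, 2FA coverage, and the report rate alongside the click rate of a phishing exercise) can be computed from a plain user export. The script below is an added example written for this page, not code from the talk or from the speaker's team; the record fields, the thresholds and all eight sample accounts are constructed assumptions standing in for whatever your directory, MDM, password manager and phishing-simulation tool actually export.

```python
"""Security-culture metrics from a constructed user/device export (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    user: str
    role: str            # "user", "admin" or "super_admin" (assumed field)
    mfa_enabled: bool    # 2FA turned on for this account
    last_update: date    # when the device last took an OS update
    pw_fingerprint: str  # opaque reuse id from the password manager, never a password


@dataclass(frozen=True)
class PhishEvent:
    user: str
    clicked: bool        # entered creds / clicked the simulated phish
    reported: bool       # forwarded it to security


# Constructed sample export, not real data.
TODAY = date(2018, 10, 15)
ACCOUNTS = [
    Account("alice", "super_admin", True, date(2018, 10, 10), "fp-1"),
    Account("bob", "admin", False, date(2018, 8, 1), "fp-2"),
    Account("carol", "admin", True, date(2018, 10, 12), "fp-3"),
    Account("dave", "admin", True, date(2018, 10, 1), "fp-2"),
    Account("erin", "user", False, date(2018, 7, 20), "fp-4"),
    Account("frank", "user", True, date(2018, 10, 14), "fp-5"),
    Account("grace", "user", True, date(2018, 10, 13), "fp-2"),
    Account("heidi", "admin", True, date(2018, 10, 11), "fp-6"),
]
PHISH_EVENTS = [
    PhishEvent("alice", False, True), PhishEvent("bob", True, False),
    PhishEvent("carol", False, True), PhishEvent("dave", False, False),
    PhishEvent("erin", True, True), PhishEvent("frank", False, True),
    PhishEvent("grace", False, False), PhishEvent("heidi", False, True),
]


def privileged_summary(accounts, max_privileged=15):
    """Count admins and super admins; the talk treats 15+ admins as a smell."""
    admins = sum(a.role == "admin" for a in accounts)
    supers = sum(a.role == "super_admin" for a in accounts)
    return {
        "admins": admins,
        "super_admins": supers,
        "privileged_share": (admins + supers) / len(accounts),
        "over_limit": (admins + supers) > max_privileged,
    }


def mfa_coverage(accounts):
    """Fraction of accounts with 2FA on, plus the list still missing it."""
    missing = sorted(a.user for a in accounts if not a.mfa_enabled)
    return (len(accounts) - len(missing)) / len(accounts), missing


def update_stragglers(accounts, today, max_age_days=30):
    """Users whose device has not taken an update within max_age_days."""
    return sorted(a.user for a in accounts
                  if (today - a.last_update).days > max_age_days)


def password_reuse(accounts):
    """Group users sharing a vault fingerprint; only groups of two or more count."""
    groups = defaultdict(list)
    for a in accounts:
        groups[a.pw_fingerprint].append(a.user)
    return {fp: sorted(users) for fp, users in groups.items() if len(users) > 1}


def phish_metrics(events):
    """Click rate next to report rate; the report rate is the number worth watching."""
    total = len(events)
    clicked = [e.user for e in events if e.clicked]
    reported = [e.user for e in events if e.reported]
    # Clicked but never reported: these people need a quiet follow-up, not shaming.
    unreported = sorted(e.user for e in events if e.clicked and not e.reported)
    return {"click_rate": len(clicked) / total,
            "report_rate": len(reported) / total,
            "unreported_clicks": unreported}


def culture_report(accounts=ACCOUNTS, events=PHISH_EVENTS, today=TODAY):
    """One dict a security team can review each month or quarter."""
    coverage, missing = mfa_coverage(accounts)
    return {
        "privileged": privileged_summary(accounts, max_privileged=3),
        "mfa_coverage": coverage,
        "mfa_missing": missing,
        "update_stragglers": update_stragglers(accounts, today),
        "password_reuse": password_reuse(accounts),
        "phish": phish_metrics(events),
    }


if __name__ == "__main__":
    for key, value in culture_report().items():
        print(f"{key}: {value}")
```

The report deliberately puts the report rate beside the click rate and lists clicks that were never reported, since the talk's point is that the people who clicked and then told security are the success story, and the quiet clicker is the one who needs a conversation. Thresholds such as the 30-day update window and the admin limit are placeholders to tune to your own environment.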