
We have Holly Story and Ian McMillan on how layers mitigate risk and contain threats. Here you go.
Hi everyone. Hi Ken. Welcome to our presentation. Super nice to be here again in person this year. I was actually at the last BSides in 2019, but that seems like forever ago now. So we're here to talk about ogres and onions mostly, and a little bit about cyber security. My name is Holly Story. I work with CIRA; I've been with CIRA about five years now. And then I have Ian here as well; he works at Beauceron. We have a whole introduction slide, one each, but just to say that we have a partnership with Beauceron to deliver the cyber security awareness training solution to Canadian organizations. So we're co-presenting here today.

So cyber security loves to use metaphors. The castle defense is often seen in cyber security strategy. The Swiss cheese model, meaning that there's holes in each individual slice of cheese, but when you stack them together it creates different layers of security, defense in depth: fewer threats can come through the cheese layers. As Shrek said, much like onions, ogres have layers too. So in the next 40 minutes we're going to be talking about how layers can work together to protect your organization, how standards and frameworks are designed with layers in mind, and the human layer of defense. So, a little bit about me and
CIRA. I'm from St. John's, which is actually not true. I'm actually from Portugal Cove, so it's not St. John's. And I just realized just then that that was on the slide. I guess I was like, "Oh yeah, I'm from Newfoundland," and then my marketing person, she's awesome, was just like, "Oh, she must be from St. John's," and put it on the slide. But whatever, close enough. We manage the .ca registry. So we're a not-for-profit managing three million .ca domains. In 2014 we diversified into the cyber security space, based on the infrastructure that was already in place for the .ca and our expertise in the DNS. So some of our services are at the DNS layer, and then we have the cyber security awareness training in partnership with Beauceron. And as I mentioned, we're a not-for-profit mandated by the government to run the .ca. And we have our community investment program, which is pretty cool; I thought it would be a good thing to put in here. Every year we give $1.25 million to help fund projects aimed at creating a better online Canada. So it could be cyber security based projects or digital literacy, and there's a grant process that happens every year in February. To date we've funded 185 projects worth $9.2 million, and I certainly encourage anyone to apply if you have a good project. We have funded quite a few here in Newfoundland as well. About the cyber security services: obviously aimed at decreasing risk, in conjunction with Beauceron since 2019, over 250 current customers. And now I'm going to pass it off to Ian. I will come back for a brief talk later. And I'll also say, please think about questions during the presentation, because we have so many mugs to give out that shipping them back to Ottawa might be a thing. So yeah, thank you for the demonstration. This is a presentation about mugs. So great.

Okay, thanks Holly. Just before I get started, I just want to
make a point today to thank Holly for being here with me as the only female speaker today at BSides St. John's. [Applause]

Okay, so a little bit about me. My name is Ian McMillan. I'm the chief evangelist and a co-founder at Beauceron Security. I have a technical background, so I was a software developer. I've been introducing myself as a former software developer; it's been kind of weird. I've made a transition over the last five years into security professional. I'm a Certified Information Security Manager through ISACA. Small plug: I'll actually be speaking at ISACA in October, so you can come and see me there if you want. My background is in product experience, interface design and architecture, and that's what I did originally when we co-founded Beauceron Security. I'm passionate about making cyber security tools more usable for people, and I bring that same experience from my software development background into my security experience. I really think that the things that we do for people to make them more secure need to keep in mind the things that they're trying to do every day, which is their job, right? So I've worked with national banks, with telecom companies, with energy utilities, with higher education institutions, with governments in municipal, provincial and federal capacities, helping them design security awareness programs that engage their population and protect their organization.

A little bit about us at Beauceron Security. We're a Canadian firm, proudly Canadian. We're headquartered on the East Coast in Fredericton; that's where I'm from. I'm not from Portugal Cove. We build, we're really more of a software company, truthfully; we build a cloud-based software as a service that does security awareness program management. So your good old-fashioned phishing simulations, which I know everybody in this room loves. We automate security awareness training. We do employee engagement, user engagement, to get them involved with the awareness program. And gamification is one of the big things that we do, and I'm going to talk a little bit about that today as one of those security layers. We've got over 600,000 users across 650 customers. And we have a proven relationship with CIRA. Our partnership with CIRA just makes sense: it's two proudly Canadian brands coming together to make Canadians more secure, delivering Canadian content with a Canadian focus. So yeah, it just makes sense for us.

So let's talk about security, now that we've gone through all the introduction stuff. How layers protect: a good security strategy is designed with layers in mind. We apply and implement controls and measures to reduce risks and prevent incidents, and these often overlap in a lot of different ways. So this is the onion diagram. It's not the prettiest diagram in the world. I tried to make it
prettier, but you just can't make something like this pretty. But this talks about all the different layers that we see in security. The outer layer is people, because people proliferate through all of the assets and controls that we put in place. Everything that your organization does, inside and outside, involves the people within. The second layer there is our secure perimeter, of course, so that keeps malicious actors out. Our third layer is network security, which allows for monitoring of traffic, detection of anomalies, things that are happening within the environment. Endpoint security can prevent the spread of malware and ransomware. Application security keeps our transactions of data safe. And then finally, the data security layer keeps storage environments protected from data exfiltration. We often think of these as stacked layers that land one on top of the other. But the reality is they are more round, like this, because the impact of people has an impact on all the other layers, not just the subsequent layer below it. So we have to keep that in mind when we're applying strategies to try and protect the organization from threats on the outside.

In terms of frameworks, I want to talk a little bit about standards and frameworks, how they incorporate layers. This is one of my favorite XKCD comics, which talks about frameworks. You know, there's 14 competing standards. Ridiculous. We need to have one standard that covers all use cases, and now there's 15 competing standards, right? So as security professionals, I think we deal with this fairly regularly. I put a couple up here: NIST CSF and SP 800, CIS version 8, CyberSecure Canada. These are all designed to cover us in a lot of different ways, but I think they all have a consistent theme of the layered approach to protection and defense. This is an example, a copy of the 13 controls from CyberSecure Canada. It's one of the smallest, so it's the easiest
to fit on one slide. And as you can see, if you compared this to that onion diagram that I showed, you would find a clear delineation between any one of these controls and several of those layers. So I just kind of wanted to change your perspective a little bit about these protective measures we put in place based on these frameworks, and how they actually fit into the layered approach. More specifically, I want to talk a little bit about this one: providing employee awareness training. Super specific control, I know. In recent years I think we've seen an emphasis on how individuals can help protect our organization, and we're seeing awareness as now one of the controls in a lot of these frameworks, which is really great. I'm really happy to see that. At one time there was no awareness training component to these frameworks or these standards or these compliance requirements. It was just: do you have the technical controls? The people are stupid; you'll never make them smart enough to protect the organization. But fortunately for us, we're starting to see this stuff. And fortunately for me, as the co-founder of a company that develops a tool to do this that's, you know, really good.

So the human layer. Let's talk about the human layer. I want to talk about how we can improve that layer of security, what kinds of things you can do to do that, and hopefully give you a little bit of inspiration as we come into cyber security awareness month next month. So typically this is the standard approach that we see: surveying users, phishing simulations, courses, reporting. And although skill-focused education is really where we've put a lot of our resources, teaching someone what a phishing email looks like, teaching someone what malware might look like, it's really an evolution in security behavior that our layer of people should be. So it's not necessarily about just saying don't click on links. The skill is not to click on links. It should be developing
behaviors and competencies that users know they should use every day. I was just talking to somebody a couple of minutes ago about this: I heard a CIO of a fairly large, global organization say to me recently that they've started adding security awareness moments into IT meetings. So just like how people on the shop floor have a safety moment where they talk about, "I saw something on the floor and I picked it up and moved it out of the way before someone hurt themselves," we now have people saying, "Hey, I got this phish. This is what it looked like," or, "Hey, I got this USB drive in the mail and this is who I went and reported it to." These sorts of things are at the cultural level of the organization, not just don't click on that link or you're going to get in trouble.

So engagement in particular: how does that help the organization? I'm just going to display all these points here. Training and engagement helps reduce the likelihood of an incident. Engaging individuals in the awareness program builds a culture of security. And using metrics like education completion, click rate and report rate can help your IT teams make sound decisions in the way that you're going to implement further controls. When I say engagement and culture, these two words can be interpreted by people in a lot of different ways, so I wanted to give some examples. "Cyber security is not my job, not my problem." None of you have ever heard that before, right? We want to try and change that to "I have a role in protecting the organization. My job is part of the security strategy." That's what we want to try and create. "IT is making me do mandatory training." I know nobody's heard this one before. We need to change that to "I need to learn how to protect these assets that are in my care. I'm a steward of this information, and when I'm handling it, I have to do it in a way that's secure." "I clicked on a phishing link and I'm worried I'll get in trouble." This is probably the biggest downfall of negative reinforcement: when the security team becomes the department of no, we get in trouble if we do something. "I clicked on a phish by mistake and now I have to take remedial training." We need to change this to "I made a mistake and I need to report it right away."

Each layer in that onion diagram that I showed you has strengths and weaknesses. So I want to talk about some of the things related to that human layer, to security awareness. Getting people motivated to complete training is not easy. Motivators like rewards,
both intrinsic and extrinsic, can be really good drivers to drive your program forward. Negative reinforcement does have a place if you're looking to drive instant change. (I was curious if it was going to pick up my snap like that.) If you're looking to drive instant behavior change in the organization, a negative reinforcement technique can definitely create an instant behavior change, but it's not good for sustained, long-term maintenance of that behavior. On average, about 79% of users will complete their first cyber security awareness course the same day that it's assigned. We found this through our experiences with CIRA; this is actually a stat out of the customers that CIRA has had. The challenge is getting that other 21%; that takes some time to do. So you have to generate that buy-in, create that behavior change, get people excited about that, and you have to make your training relevant and engaging. We published a white paper not long ago about how it's not all about having 1,500 pieces of content in your library. It's about having the right content that triggers people in the right way to do the right thing at the right time.

Best practices for launching your training. Communicate, set expectations, generate buy-in. If you want to generate tickets at the help desk, send out blind training to the whole organization. I guarantee that will happen. Get an executive sponsor or a member of your leadership to communicate about the importance of your program. Don't just pay it lip service; show the importance of getting people involved in security awareness and protecting the organization. Choose metrics to track success, like completion, like education score, like click rate. A lot of the time what I find is organizations will select a tool or an application or a series of content to deploy, and they have no way of tracking if it's working or not. The only thing they're looking at is that compliance requirement: have we delivered training and have people completed it? But the reality is, if you're not actually measuring the success of the impact of that training, what are you actually doing? I had somebody tell me one time that compliance should be a byproduct of good security. So you should apply that same theory when you're doing your security awareness program. Don't just roll out training for the sake of compliance. Deliver training that's actually going to teach people and change their behavior, and the compliance will come as second nature as a result.

This is a really good example: sensitive topics. So stay away from sensitive topics that can frustrate users and make them feel disengaged. This is a real tweet from this year: "My university sent me an email about providing $7,500 in assistance to those experiencing financial hardship due to the pandemic. And it turns out it was
a phishing exercise. Is this a joke?" I can tell you from experience, when I worked at the university, that if you do this about vacation time being suspended, you get the same result. So stay away from those sensitive topics. Focus on things that you typically are seeing. Get in touch with your threat intel teams, your CTI teams; if they have stuff that's coming into the organization that they're picking up, use that in your phishing simulations. It's a great way to expose people to the things that they might actually get in their inbox.

Some best practices for phishing. So, a really good segue there. Blind phishing seems like a good idea, but in reality it's only a really good way to trick people, which we're not trying to do. We're trying to get their buy-in; we're trying to generate awareness. So we're not trying to get the highest click rate possible. The best approach is to say, "We're going to be conducting these exercises because we want to make sure that you're prepared for when these threats come." And then you send out your phishing exercises, and I can guarantee that you will have people click on them even if you've warned them. I promise. Progressive difficulty is also a great way to improve the effectiveness of that program. So if you're sending your IT admins that have been in the organization for 20 years phishes about the iPhone they just ordered on Amazon, with spelling mistakes, chances are that they're not going to click. You're not actually doing anything but annoying them, and I've had them tell me that personally, believe me. So increase that difficulty a little bit over time. I've had a couple of folks say to me, "Hey Ian, that phish you sent me, that was actually a pretty tough one." And it's like, "What phish?" And that's how we know that the program is working: people are actually seeing things, thinking that we're sending phishing simulations, and they're actually real phishing emails.

Timely, relevant remedial training. This is a really big one. When our CEO, David Shipley, was the
security manager at the University of New Brunswick, he was having a really hard time following up with staff and faculty, getting them to complete remedial training in a timely manner. So what ended up happening is someone clicks on something and then, like six months later, they're in a room learning about phishing and they have no idea why. So timely is important, and relevant to the material that they clicked on in the phish, for example, or the incident that happened. I'm using phishing, but anything really, any incident you have. That remedial training is critical to changing that behavior. And then give users or individuals the opportunity to redeem themselves as well. It doesn't have to all be doom and gloom. They already feel bad about clicking on a phishing simulation, and they already probably feel pretty ashamed about it. So when they complete that remedial training, give them a thumbs up, give them that little bit of dopamine, that serotonin hit that we all crave, to make them feel good about the fact that they've remediated themselves.

Finally, some best practices for training here. Make your training relevant; I already mentioned that about remedial training. Customize it where possible. Use local examples. Relate it back to organizational practices. Brand your awareness program: be cyber savvy, be cyber smart, get cyber smart, however you want to do that. Make it a relatable brand. Make it easy for them. So make sure that it's easy for them to take, easy for them to understand. We've got a copy of the "report a phish" button that we deploy; this is CIRA's version. Make it easy for them to report emails. A simple workflow to identify indicators in a phish and report it is a really great example of that. And then make it engaging as well. This is probably one of the biggest pieces of feedback that we get. Some folks want a video, and some folks want a choose-your-own-adventure, and some folks want death by PowerPoint. It sort of depends on your organizational culture, but whatever works for your organization, make it engaging, and then incentivize it with that positive reinforcement that I mentioned. So I'll give an example from security awareness month. I'm our security awareness manager in addition to all the other things I do at Beauceron Security. And I tell people, anybody that completes supplemental education during security awareness month, you're going to be put into a hat for a draw; you could be drawn for a $50 gift card. Simple as that. So with just that small incentive, we see a substantial uptake in the number of people that go in and voluntarily take
security education. Are they doing it to get a gift card? Probably. Are they learning something as a byproduct? Definitely. So that's something to think about. All right, so I'm going to turn it over to Holly again. She's going to finish up our presentation. Thanks very much.

Thanks, Ian. We had a discussion earlier about this presentation. Ian's like, "Okay, Holly, we're the last presentation. You know that we're standing in between a whole bunch of, you know, maybe 50% Newfoundlanders, and drinks and prizes." I was like, "Yeah, that's fair enough." So I won't take too much more of your time, but: cyber security insurance. So Ian was talking a lot about the difference between just checking a box for a requirement, such as cyber security insurance, or proactively changing the culture of an organization so that everyone feels like they're part of a solution. And that's definitely what we're seeing now: with cyber security insurance, there's definitely an increase in the requirement for cyber security awareness training. 59% of Canadian organizations now have cyber security insurance. It's true that the rise in applicants due to the pandemic has undergone a 29% increase, especially with the rise of cyber attacks and COVID-related cyber attacks as well.

Is there any breakdown?

Oh, that would be a very... Yeah. So we actually publish a cyber security survey every year at CIRA, so if you look on the website we have the latest one out now, and normally there's a whole bunch of information on it, like the breakdown and graphs and all that. I don't have it off the top of my head, but certainly if you're interested in that. Yeah, there you go, Ian. The mug. Now everyone's gonna have a question, hopefully. Yeah, they're good travel mugs for picnics or whatnot. 35% increase in premiums from 2020 to 2021 as well.

So the last subject of the day is the DNS layer, the domain name system. I'm not sure how many of
you are familiar with that, but it's basically like an address book to look up websites on the internet, and where CIRA, my organization, runs the .ca, that's kind of our expertise. So as cyber aware as your employees may be, with all the training that you put them through, all the phishing simulations, there still will be employees that click on those malicious links at that point in time. Speaking to the layers, cyber security awareness training reduces the number of clicks; we actually see a three times reduction in the number of clicks after the first six months of starting with training. But the CIRA DNS firewall, or any DNS firewall, will also help to better protect the organization as an additional layer in the onion, the ugly onion diagram that Ian was mentioning earlier. So it's a defense in depth kind of approach that makes the difference, and the goal with the DNS firewall would be to block what is currently being missed by your other layers of security. I have some statistics here that I thought were pretty interesting: threats blocked in Eastern Canada with the CIRA DNS firewall. We have web filtering, malware and phishing, and a breakdown of all of it. So in terms of the Atlantic provinces versus the rest of Canada, almost 9% of the blocks came from the Atlantic provinces in terms of malware, which is quite a lot of blocks if you're thinking about it compared to other really large provinces in Canada. The Atlantic provinces themselves are up to 9% there. But we have a whole bunch of statistics and a whole bunch of breakdowns in terms of what we're blocking with the service, because with the DNS firewall you're essentially sending all of your traffic to the service and then we're blocking what is malicious via our partnerships for our threat feeds. So we have partnerships with Akamai, who are adding an additional 100,000 new threats daily, the Canadian Centre for Cyber Security, and the Canadian Centre for Child Protection.

Off-network protection is definitely an extension to the DNS firewall, protecting mobile devices, laptops and so forth. So basically offering device-level reporting, full deployment in minutes, and network management. Those are the supported systems up there. Oh, it's cut off a little bit, but you can see Android, iOS, Windows, Chrome and Mac. And we're going to be launching that on Monday. So I was like, "coming soon"; it's like coming very soon. My development team have been working on this forever. And with the increase of working from home, I just gave a presentation in Tua River and the title of it was like
"working from home, wherever," something else, and it was like "or the beach." It's like literally working from the beach. I don't know, it's going a bit far with it. I don't know if any of you guys work from the beach very much, but basically if you did, then the off-network protection would be super valuable, because you're sometimes bypassing your network, your VPN and other layers of security that you might have. And that's it. So this is basically my email, and if you have any questions, feel free to ask them now. Does anyone have any questions? I know that it's been a long day. Yeah.

Yeah. So we have the Canadian Shield. That's the at-home protection equivalent of the DNS firewall. So if you're using it for personal reasons, like if you're using an iOS device for personal reasons, then maybe the Canadian Shield is the better fit. But if it's a work-owned device, then obviously you want to protect your own network in your own organization. So at that point, it works with a client being installed at the device layer, and it could be pushed out through an MDM or by an activation link. So if you have a couple of users, maybe the activation link, but if not, Intune or... Yeah, for sure. And that would be the deployment in minutes, but obviously anything that you can take out of the end user's hands would be the way to go. Yeah. Any other? Yeah.
Is there a difference in demographics?
Yeah. Great question. So the question was, is there demographics in terms of age, or demographics otherwise, of people that click on phishing emails? I'll see if I can do this. "Nan, don't click on that phishing email," I think is what you said. So not really, to be honest. I would say 25% of our users that have fallen victim to phishing emails, for simulations at Beauceron Security in particular, have all been not during working hours. I'd say that's probably one of the biggest things. So it becomes more about the situation a user's in, how much workload they have, things of that nature. All things being equal, if we teach people the same things about phishing emails (look for the sender address, look for the URL that you may not recognize, is it something you were expecting, look for a suspicious attachment, sort of the four key things), provided they have a knowledge of that based on the awareness that you've given them, it's more about what they are doing right now when they get that phishing email. I'll give you a great example. We did an engagement with an organization, sub-100 people, not long ago, a technology-based organization. Their CTO fell victim because I sent a coverage email the Thursday before a long weekend; it was in the evening, he was in the supermarket on his phone, and he fell victim. So in that case, that's a technology-oriented individual falling victim because of the circumstance. Another really good example: we went into a regional telco in the US, about 3,500 people, deployed our first phishing simulation, a blanket phishing simulation, so everybody got the same one, which we don't typically do. It was a package delivery in November, a missed package delivery: 28% click rate in a telco, right? In a fairly technology-oriented organization like a telco. So yeah, it's a long-winded answer, but my answer to your question is no, there's not really any demographics. Those things that we assume, "oh, a senior is more likely," in the context of an organization where we're giving that baseline training, after they've taken their training and learned, there's no demographics in that term. Everybody is susceptible. Good question, though. Great question. Okay. Yep.

Are we getting better or worse?

Well, I can tell you that the criminals are getting better at what they're doing. So I left IBM five and a half years ago; I've been with Beauceron through the whole thing, I was the third guy through the door. And I can tell you that
the average kind of phishing is going away. Nigerian prince scams still bring in about $700,000 US a year. But callback phishing is up 625% this year. Callback phishing is where they're going to send you an email that says, "Hey, there's a problem with your account. Call us at this 1-800 number and use this four-digit code." And then when you call, they say, "Hey, can you give us the two-factor authentication code we just sent you?" And they're like, "Sure." So that's the kind of thing that's happening. We're seeing a decrease in the complexity of these and an increase in the sophistication. So it's no longer Nigerian prince scams or the oil company of Qatar trying to get you to hold $100 million in trust. It's "here's a job opportunity; a colleague of yours thought that you might be a good fit for this; here's a link to look at it, and the description is in the attachment." That's what people are getting in their inbox. They're sending them from Amazon SES, Outlook or Live.ca, live.com and Gmail, because all of those services have SPF, DMARC and DKIM. They can almost guarantee deliverability. So my answer would be that anybody that's a Beauceron customer is getting better at not clicking phishes, but the criminals are upping the ante in terms of what we're receiving and seeing organizations receive. Yeah. Does that answer your question? Want a mug? Oh, I got one. You got one. Okay.

So, how can you break employees who otherwise can identify a phish email in a test environment, but in the moment, when they're distracted, they'll still follow it?

Yeah. Great question. So the question was, how do we tell people, you know, in the test this is one scenario, and then when you're actually distracted and you get this email, how do you not fall victim? So, great question. I think it's really, really important to break down the barriers for entry in your simulations. I get so many organizations when we
first go in that say, "We can't use anything that uses a real brand. We can't send them outside of office hours. We can't send them things that relate to projects that they're working on. We can't send them things that are referring to colleagues of theirs, you know?" So, what ends up happening is we send them, "Hey, thanks for your $1,200 purchase on Amazon." And they're like, "Come on." Right? Like, I'm not going to click on this. So break down those barriers for entry. Try and make your simulation program simulatory, like it's as real as it gets. So send them stuff leading into a long weekend, for example. Uh, send them stuff that's branded. I mean, cyber criminals don't
care about branding. Like, they'll find out what payroll system you use and send you a payroll phish from that brand. Right? So now, like I said, within reason. We're not going to send people payroll phishes from our payroll system; that might be a little bit too sensitive. Uh, but you know, break down those barriers and then make people aware of that. So a lot of what I'm doing now when we're working with customers to develop education, for example, is it's not just here are the indicators that it's a phish, but also here's when you might be more susceptible. First thing in the morning, after hours, when you start a
new role, that's a big one. You know, you come into a new role and you're being swamped with a bunch of new information. That's a time that you might be more susceptible. So again, this is about raising awareness, not teaching skills. We want to raise their awareness that they are more susceptible at those times. Answer your question? Good. Sorry, I'm a little long-winded today, guys. I just get really excited about phishing and awareness. Other questions? Yeah. Say that again. Sorry. Yep, that's you. Um, the DNS blacklist, block list. So, are they open source? So, um, the Canadian Shield is actually an open recursive service. The DNS firewall for organizations is a closed recursive service, meaning that it's not like
open to everybody to use. Um, but in terms of our block lists, we have a partnership with Akamai. They're adding an additional 100,000 new threats daily. Um, and you know, they've also purchased 20 additional block lists from other providers. So a huge amount of blocks within their partnership, and also we're partnered with, as I said, Cybertip, the Canadian Centre for Child Protection, and the Canadian Centre for Cyber Security. Um, so some of the threat feeds in the service are and some are not. That's probably the... Yeah.
Yeah, good question. So to summarize, are people clicking on less stuff during awareness month than any other month, or more? Yeah, great question. Uh, so I would say that depends on the organization, because a lot of folks don't do anything for security awareness month. Um, I would say organizations that are doing things are seeing a lower click rate, and what I would say is that, um, we believe that the best practice for phishing simulations is monthly. So any more frequently than once a month, people just get pissed off and they're like, I don't want to get this stuff anymore, I'm trying to do my job, and it actually doesn't have any
positive impact on the click rate. Any less frequently than once a month, you get diminishing returns until about once a quarter, and then at once a quarter you're actually getting no benefit. You're just sending people phishing emails and they're not actually improving the click rate. So assuming an organization is phishing every month, uh, we do see a reduction around security awareness month. I can tell you that's true for us at Beauceron Security in particular. Like I said, I run our security awareness program and I actually just did a webinar on this like last week. So what you want to try and do is build momentum and then carry that momentum forward from awareness month.
So you're going to see an ebb and flow that spans about five months or so, six months typically, where the click rate goes like careening downwards October, November, and then gradually climbs through Christmas, New Year's, so on and so forth. So the idea is shorter engagements with your population more frequently, rather than a month of awareness activities and then nothing for 11. Make sense? Excellent. Other questions? It's 5:05. I actually sped through the presentation, so we got... Yes.
Okay, give you a second. We'll come back. Yeah, no problem. Yeah. Any other questions? Yes. In terms of
Okay, good question. What are the most effective incentives to get people involved in your program? Yeah, excellent question. So, uh, I like to think of security awareness as like those cereal commercials you saw when you were a kid, right? They show you like Tony the Tiger playing hockey and it's like super fun, but then at the end they flash orange juice, milk, toast, bacon, eggs, and then Frosted Flakes, right? So, the idea is your awareness program should be a balanced breakfast of a number of things. Positive reinforcement is a great example. So I mentioned negative reinforcement is a really good way to change immediate behaviors, right? So that, and falling victim to a phish is negative
reinforcement. People feel bad about that. In terms of incentivizing behaviors, there's two key types of incentives. Uh, intrinsic rewards, which are personal. So these are kind of like a pacemaker. They introduce rhythm and pace and they have a long-term impact, because dopamine is an interesting drug. It has a really powerful impact. Um, the second type is extrinsic rewards. So these are external. This is more like a defibrillator to a stopped heart. So it's high impact but not long-term effectiveness. So what I usually recommend is once every quarter, for example, at a regular interval, you introduce an extrinsic reward. Bof, here's a contest. Uh, caption this meme with a cyber security
caption. Create a phishing simulation and submit it to be entered for a draw. You know, these sorts of things that get people thinking about security without having to sit in front of a slide deck and look. And then otherwise, you're introducing those constant intrinsic rewards that are just making people feel good about what they're doing. So, you complete a course, you get recognized; you know, you report a phishing simulation, you get recognized. Not-so-little plug: that's literally exactly what we do. So, we give every user a risk score that they own. It's made up of how they do on their training, any external exposures they've been involved in, and then how
they interact with phishing simulations, whether they click or fall victim, and then any other things that you want to introduce in terms of reward and incident. And the idea is that every time they're reporting that phishing simulation, we're emailing them back, or showing them in the button when they report: excellent job, you reported this, it was a simulation, you've received a reward, your risk score has gone down. Yeah. To answer your question. Yeah. So, like, the short version, I guess, because I am a little long-winded today, I apologize, is that there's a number of things. It's better to do all of them a little bit than one of them a
lot. Make sense? How are you doing? Yeah. Phishing campaigns. Okay.
Yep.
Excellent question. Yep. Yeah. Yeah. Great question. Yeah. So, the question was, uh, click rates are great, but we also want users to report effectively. So, what if users aren't clicking, but they're also not doing what you asked? Great question. Um, so any of the good tools that do phishing out there have a reporting capability that will track based on what you send out. So you send out a campaign, let's say we have 100 users, 100 phishes go out in the span of a month and we get, you know, 15 people that click on them. So we got a 15% click rate. Um, our tool specifically, and again I'm not trying to make this a
plug, but our tool specifically does a forwarding mechanism and a reporting mechanism. The reporting mechanism is a button that can go in Outlook or G Suite, and you're not telling users, report your simulations here. You're telling them, report anything here. So the idea is now you've created an easy way for the user to report a suspected phishing email, and you're able to record how many of them actually reported a simulation in the way that you expected. Right? So then we also measure how much stuff comes through that's not simulations. So, for example, in my 100-person organization, let's say we have an 80% click rate, or excuse me, an 80% report rate. So, 80% of the simulations
I send out, people report properly using the button or the forward. Let's say, okay, for hypothetical purposes. And then I say, well, we had a thousand, uh, real emails that were not simulations that were reported by the same button. And with a little bit of quick math, I can assume that that thousand is probably actually only about 80% of what actually came in, because we're only reporting 80% of the simulations that we send out. Does that make sense? So we do that. Uh, we also measure ignore rate, which is the delta. So you take the number of people that reported and the number of people that have clicked, and then whatever ones weren't reported or clicked, that's the ignores.
So that kind of gives you a focus group of people that you can zero in on and say these people are almost engaged. We just need to nudge them a little bit more to get them to use that reporting button. Answer your question? Excellent. Take a mug.
Yeah. Well, you get phish. Yeah. You have no idea how many people at conferences come up to me and say, "Ah, you're the phish guy. I'm not sending you phishes myself." Any other questions? Going once, going twice. I actually think your time is also wrong on this. So... Oh, is it really? Oh, yeah. Right. I'm a mainlander. It's so funny. I'm running on mainland time. Okay. Uh, if you've got follow-on questions about phishing or CIRA's offering and the DNS firewall or cyber awareness training, please come and reach out to us. We have a booth right inside there. Otherwise, enjoy your social and your prizes. Thank you very much. [Applause]