Episode #127

Russia Cyberwarfare & the Security Culture Maturity Model

With Jed Fearon
Solution Advisor at Integris
March 7, 2022

Anthony & Jed discuss the cybersecurity implications of the situation in Ukraine, and a Security Culture Maturity Model as described by KnowBe4.


Transcript

Introduction

Anthony DeGraw: Welcome to another episode of The Helpdesk. We’re back on Friday afternoon with Jed Fearon out of our Atlanta office. Jed, welcome, welcome back, man.

Jed Fearon: I’m glad to be back. Happy Friday to you.

Anthony DeGraw: Awesome. Today, Jed has a couple of interesting things he wants to run by me.

One of ’em is obviously, I think we’re a week and a day into the escalation of Russia and Ukraine and what that means from a cybersecurity perspective. So we’ll touch on that. He has some questions for me there. And then we’re going to get into an interesting thing that Jed found, which is called the Security Culture Maturity Model, which is very interesting and ties into a concept that we talk about called operational maturity.

So with that, Jed, I’ll let you take it away.

Jed Fearon: Fantastic. Well, I wanted to mention to everybody that’s tuning in that we don’t have any big reports about serious incidents that have erupted yet due to the Ukrainian-Russian standoff. But it’s moments like this that create a nice pause for people to be on the lookout for certain anomalies.

So at the same time that I’m processing this particular plot point, Anthony mentioned that he was speaking with a client who brought up some current concerns on the topic.

Anthony DeGraw: So yeah, this morning, on March 4th, we were talking to a firm out of Washington, DC. And they specifically brought up: Hey, what are you all doing to protect your clients from the cyberwarfare that’s going on with the Russia and Ukraine conflict? And they specifically brought up the group Anonymous. So the group Anonymous is a decentralized group, meaning they’re all over the world. It’s a group of individual hackers that get together and go after targets that are committing different types of acts or crimes or things that they would like to see undone.

So with Russia’s invasion of Ukraine, Anonymous got together and started going after Russia specifically. Hacking into their news systems and playing Ukraine-specific news, the Ukrainian vision of what’s going on over there. Specifically taking down government websites, all different types of things they’re doing to disrupt the overall Russian economy as Russia continues to push into Ukraine, obviously.

Before that, even before the Anonymous thing or the client bringing this up, there were a couple of different news articles. I think we found one on CNBC. We found one through a couple of our different vendors, in terms of what to expect in the US here, as these things go on from a cyberwar perspective.

And obviously, we are constantly under threats and attacks all the time. Our clients are. All businesses are, the governments are. They’re constantly going back and forth with this kind of stuff. And it most likely hangs out in the background unless a specific incident really blows up, like a target or a large name per se. But the prospect’s specific question was like, what are you guys doing in addition, blah, blah, blah, about cybersecurity?

And the answer is, unfortunately, it doesn’t change, like all the things that Jed and I have talked about for weeks past that we’ll talk about weeks going forward. It’s very simple, which is a layered security approach. And the layered security approach starts at the outside of the network and works all the way down to the endpoint, or the laptop/desktop that your users are working on every single day.

And if you’re putting in the right layers, using different vendors for each layer, the goal is that at that time you should be about 90 to 95% secure. We’re always going to live in a world where we’re humans interacting with technology. So there will always be a piece of human error that we can’t do anything about.

Like for instance, if I send Jed an email, and we work at the same company, for him to wire money somewhere, and it wasn’t supposed to go there. There’s no technology in place right now that will stop me from sending that email to him and him sending it in the wrong direction, based on the advice I gave him.

So there’ll always be the human component, but if you follow best practices, if you follow the different frameworks, you can do a really good job of making yourself become less of a target, because you’re harder to get into and they’re going to go focus their time and attention somewhere else, as well as, once they get to you, you’re going to have all these blocks or roadblocks in place that are going to prevent them from getting in.

The quick answer is these attacks are always going on. Yes, it’s a little bit elevated right now because of the current situation, but they’re not going away. If this situation ends tomorrow, which hopefully it does, they’ll be ready to go again the next day.

So at the end of the day, you should be following the best practices. You should be implementing the right policies, procedures, and you should be doing the human training, which is the cybersecurity awareness training, which flows perfectly into what Jed wanted to ask me about next.

Jed Fearon: Great set up there, Anthony.

So I received an email a little bit earlier today from KnowBe4. And their motto is “human error conquered,” and they had a five-piece framework, the five maturity levels of cybersecurity awareness. And I’m just going to mention each level and let Anthony, you know, pepper each level with some of his own commentary.

Basic compliance

Jed Fearon: So level one is basic compliance. And that’s a bare minimum of training. There’s limited metrics. And it’s basically a check the box mentality. Do you see this much, Anthony, when you’re out and about talking to businesses?

Anthony DeGraw: Yeah, I would say there’s probably a level zero, right? There’s a level zero of, I’m not doing any awareness training at all for my employees.

So you would start there and then you would get to this level one. And what I’m really going to talk about is the mindset. And I see with level one, the mindset is probably like, hey, my cyber insurance carrier is requiring I do this. So just let me buy it and let me check the box as they mentioned in there.

And obviously that’s not the purpose, right? The purpose is to get better and be more mature, which is why I love their language here of what they call this, which is the Security Culture Maturity Model. And we use a framework called operational maturity, and I love maturity models because everybody wants to be mature.

They want to be the more sophisticated business; they want to move up from where they are today to where they want to be tomorrow. So to put some framework around specifically just training your employees. And by the way, when I say just your employees, I also mean your executives. I think a lot of times we throw that out.

We don’t think about the executives or leadership teams or boards when we’re talking about employees, and those individuals, I’ll say those three groups, again, executives, leadership and boards, are usually the most vulnerable aspects of this because they don’t have to think about it or they don’t have to comply with the training that’s getting out to the other 300 employees. That’s not the case. They are some of the biggest targets.

Security awareness foundation

Jed Fearon: Excellent. So level two is security awareness foundation, and this is at least annual and onboarding training, occasional phishing simulations, and focus on a variety of different content. What say you about level two? It’s moving up the charts at least.

Anthony DeGraw: Yeah, level two, definitely moving up. You’re doing it annual. You’re doing it when people are coming on board to your organization, you’re doing some occasional simulations to see how people are responding to those emails that are being created. And you’re throwing a couple of different content varieties at them.

So definitely an improvement from what we call zero, and above one.

Programmatic security awareness and behavior

Jed Fearon: Yeah, it’s a process here. So level three is programmatic security awareness and behavior, and that features an intentional awareness program with integrated tools, quarterly training with simulated phishing, and a focus on security-aware behavior.

Anthony DeGraw: Absolutely. This is where you’re bringing in the awareness program and integrated tools, right? So you’re bringing these two concepts together. Programs, policies, procedures and jumping directly into the tool set and integrating those. You’re moving up from annual to quarterly trainings with simulated phishing every single quarter.

And you’re focusing on security-aware behaviors. You know, I think the move up there for me, at least, is around the quarterly, right? If we’re only doing it on an annual basis, how much is it really sinking in?

But if we start to do things on a quarterly basis, okay, now I’m getting this quarter over quarter, I’m getting used to it. I’m understanding it. I’m retaining the knowledge better. I’m retaining those different situations that I may be affected by better. And now I can make a better improvement.

Jed Fearon: Yeah. Well, I have an analogy for you. It’s a lot like people that might go to Weight Watchers once a year and after a while have to go back next year, versus someone that maybe gets a program, becomes an ongoing part of their behavior, as opposed to, I’m just going to go to Weight Watchers for a month.

Anthony DeGraw: Absolutely.

Security behavior management

Jed Fearon: So that’s a perfect lead in to level four, which is security behavior management. And this has three bullet points, continuous training across varied delivery methods and audiences, heavy use of integrated tools to inform training strategy, and a program focused on real behavioral change.

Anthony DeGraw: Yeah. So the number one point I’m going to touch on here is continuous training across varied delivery methods. So this is where you really start to cross the boundaries here. And I like how they put this in level four, is that you’re getting away from the software-based training to in-person training.

Maybe some live training. So I’ll give you a couple of examples. Obviously, software: I can go through the program as I want to, or as it’s assigned to me. In person: Hey, we’re going to get everybody in the room together. Maybe we’re going to do a lunch and learn, you know, this quarter. We’re going to do a lunch and learn on the active cyber threats and examples that are happening day in and day out.

Today, not from three to five years ago. Remember, because those training programs that are put out, remember they have to film that content at a certain point in time. And then, really, to be honest, the next day it could potentially be old content based on how quickly this world is changing.

So you have the software component, you have the trainings, and then other in-person trainings with real examples of what’s happening today or tomorrow or whatever. The next level of that, too, is you could do tabletop exercises. So like live data breach responses or incident response plans that actually are like, Hey, we’re going to run through an incident right now as if we were to go down tomorrow.

And what does that look like? Who’s involved, blah, blah, blah. But you’re really escalating it, bringing that from just an online training module into real life. And then the third was a program focused on real behavior change. Right. Hey, there is going to be maybe either a consequence or a reward based on how you do.

And what I like to say is I don’t like to tie consequences to it. Hey, if you fail a phishing attempt that we put on, then you go through the training. I think that’s fine. I wouldn’t negatively associate consequences with an employee around failing a phishing attempt. I would just have them do more training and focus on it more.

I would, however, positively influence or reward a reported incident. So for instance, an employee forwards over to their IT department or their outsourced provider: Hey, this looks like spam, or it doesn’t look good. Right? I would be rewarding that behavior of, instead of clicking on it or doing anything, they forwarded it. It’s been proven out that it was an issue, and we want to reward that employee in front of everybody for doing that.

So that’s what I see on that third bullet point there of real behavior change. How do you influence that real change versus just here’s another training?

Jed Fearon: What’s great about a program like this, and many others too, with this computer-based training, is they send different follow-ups to people based on what they’re clicking on, and different training suggestions.

So it modifies the behavior that way. And the other great thing is, with professional services automation and all the notes that our engineers and other MSPs take about their clients, you can develop little trends and little pie charts about whether the tickets are stacking up where they’re asking for an assist, which is definitely a step in the right direction. So that’d be a way to track it.

Anthony DeGraw: Absolutely.

Sustainable security culture

Jed Fearon: So number five, we call this sustainable security culture. There are three facets to this. It’s a program that intentionally measures, shapes, and reinforces a security culture. There are multiple methods of behavior-based encouragement, and security values are woven through the fabric of the organization.

Anthony DeGraw: Yeah. So this was really taking level four and moving it up a notch, right, to level five. So similar things in place, just taking it to the next level. So you’re really, it sounds like almost you have KPIs or Key Performance Indicators around these types of solutions. And you’re really reinforcing that security culture throughout your entire organization on a regular basis.

Once again, multiple methods of behavior-based encouragement, right? I like how they use that word encouragement. You’re positively encouraging folks to make sure that they’re reporting this, that they’re paying attention to it, and that they’re not going to get penalized, that they’re going to get rewarded by reporting these types of stuff, these types of incidents. And then number three, security values woven through the fabric of the entire organization.

Where I would end this conversation is right there. This starts at the top and it works its way down. If you want people to follow you, you have to lead from the front. So starting with, you know, the board to the C-suite. They have to be doing exactly what’s being educated out there. If there’s this mindset, which does exist in organizations, of, we don’t need to do that, they do, or I don’t want multifactor authentication because it’s a pain on my endpoint or my cell phone or whatever, because it’s one more step, but they all should have it.

That is a terrible mindset. And what level five is saying is that no, there is a unified security mindset across this entire organization, and that’s when you can reach the highest level of this maturity model.

Jed Fearon: Well, fantastic. I love the fact that they have a model here. ’Cause we talk about operating maturity when we’re assessing an IT environment, and security is certainly a big part of that. But if we were to peel back the layers and have conversations with folks, I think that they really appreciate trying to figure out where they fit in, and naturally motivated people that are in business to perform, I think, you know, move up the chart.

I know I would.

Anthony DeGraw: Yeah, absolutely. I almost wish we had coined this phrase, to be honest with you, because I think you could take this Security Culture Maturity Model and expand it well beyond just cybersecurity awareness training. And you could assess individuals or companies based on where they sit in that overall Security Culture Maturity Model.

Great work by KnowBe4, Jed, thanks for finding this. And I’ll see you next week. Take care of yourself.

Jed Fearon: Have a great weekend.

Anthony DeGraw: See ya.
