Why do people attend conferences and industry-specific events? Because they’re valuable opportunities for professionals to network, develop or learn new skills, and gain valuable insights from leading experts. That’s one reason why, instead of canceling or postponing their events this year, many event organizers have opted to take them online.  We’ve rounded up the best virtual events (including webinars!) over the next several months and have highlighted why you should attend, what to expect, and the cost (if any).  Note: While, yes, a lot of these events are targeted at security vendors or leaders, non-technical executives like CEOs, CFOs, and COOs also have a lot to gain by tuning in. Keep reading to find out why.  Virtual Cybersecurity Events for 2020 The following 20 events are going ahead virtually and are listed in date order.  For the most up-to-date and/or specific event information, including registration details, be sure to visit the event’s website. All information is correct at the time of writing. 1. [Webinar] Developing and Sustaining an Effective Security Culture Date: October 6 at 11am (BST)  Over the last several months, the Security Awareness Special Interest Group (SASIG) has been live streaming a webinar every. single. day. It’s fair to say they’ve mastered it. While you can check out their full calendar of events here, we wanted to highlight this one in particular. Martin Smith, Chairman and Founder of SASIG will be joined by Gaynore Rich, the Global Director of Cybersecurity Strategy & Transformation at Unilever, Zsuzsanna Berenyi, Head of Cybersecurity Awareness and Culture at London Stock Exchange Group, Vic Djondo, Director of Cyber Targeted Training and Awareness at Standard Chartered Bank, and Imogen Verret, Senior Behavioural Insights and Security Awareness Manager at Vodafone Group. They’ll all be discussing their strategies building a strong security culture while also offering tips to their peers.  Cost to Attend: Free, but you must be a member. Cybersecurity frontliners can become members by registering (for free) here. 2. [Panel] Security 101: Back to the Basics Date: October 6 at 10 am (PST)  As a part of their Remote Session series, SecureWorld – whose mission is to connect, inform, and develop leaders in cybersecurity – is hosting a panel to remind us all that we still need to do the little things.  Speakers include Roy Wattanasin, Information Security Leader at the Association for Computing Machinery, Advait Deodhar, Solutions Architect, CISSP, at ForgeRock, and Ryan Swimm,Senior Security Analyst, at BitSight Technologies Cost to Attend: Free 3. Cyber Security Digital Summit: EMEA 2020 Date:  October 13 This summit – which is being put on by The Cyber Security Hub – is focused on educating CISOs and other security professionals about how to handle today’s threats and tomorrow’s breaches. This 2-day EMEA event is coming after a deep dive into the APAC region and will feature speakers from around the world including Lucy Payne, Security Education and Training Manager at Aviva, Mohamad Mahjoub, CISO at Veolia, and many more. Bonus: Attendees will be able to download slides after the event to reference later on. Cost to Attend: Free 4. [email protected] Date: October 20-23 [email protected] is the only security conference powered by hackers brought to you by – you guessed it! – HackerOne. The theme? The critical role of hackers in your cybersecurity strategy.  This will be the fourth consecutive year the event has been held and attendees can once again expect to hear from thoughts leaders in the public and private sectors, security industry influencers, and – of course – some of the world’s most elite hackers.  While you can access the full agenda here, here are some highlights: Engaging Hackers to Help Secure Elections Beyond the Checkbox: Leveraging Compliance Frameworks to Improve Security Postures  How a Bug Becomes a Fix Cost to Attend: Free 5. [Panel] Social Engineering, BEC Attacks, and Other ‘Fun’ Scams Date: October 20 at 10 am (PST)  Yep, that’s right. Another one of SecureWorld’s remote sessions has made our list of must-attend events. Why attend? We’ll tell you. Business Email Compromise has increased by over 100% in the last two years and – as you may have noticed – social engineering has been making headlines more and more frequently. Looking for real-world examples of both? Check out this article. While panelists haven’t yet been announced, SecureWorld has said that guest speakers will be fielding questions live and that attendees will walk away with a better idea of how to keep their organization secure.   Cost to Attend: Free 6. [Webinar] Adapting Cybersecurity For a Hybrid Workforce  Date: October 21 Security strategies changed quickly with the move from office to home and now, as many organizations around the world are adopting hybrid remote working structures, they’ll have to change again. That’s why Tessian is hosting this webinar. More information including speakers and how to register coming soon! To be the first to get updates, sign-up for our newsletter. Cost to Attend: Free 7. Open Data Science Conference West Date: October 26-30 This is one to invite your larger security team to, including engineers. Why? There are over a dozen different topics and training areas, over 200 speakers, and it’s the only applied data science conference in the world. You can also sign-up for pre-conference training and a hackathon. Cost to Attend: $129-$859 (Click here to see which pass is right for you.) 8. FutureCon – London Date: October 27 FutureCon Events brings together security leaders to discuss new approaches to managing risk. Attendees can expect panels with C-level executives who have effectively mitigated risks associated with cyber attacks and several other learning opportunities that will help you build cyber resilient organizations. Can’t make it on October 27? That’s okay! FutureCon is hosting virtual events in several different cities, all spreading the same message: “Cybersecurity is no longer just an IT problem.” Cost to Attend: $100 9. InfoSec Connect Virtual Summit  Date: October 28-29 If you’re a security leader working in Financial Services, you don’t want to miss this. While it is a virtual event, the set-up will mirror what people have come to expect from Connet’s in-person events.  That means 1:1 meetings, in-depth discussions, exclusive networking, and content that’s been created and tailored specifically for the audience.  Note: This event is invite-only, so if you’re interested in attending, make sure you request an invitation ASAP.  Cost to Attend: Free 10. CISO Healthcare Exchange Date: October 28 This is another event targeted at a specific industry and, again, is invite-only. This time, though, it’s Healthcare. Attendees will discuss some of the most critical challenges CISOs are facing and how to make sure your security strategy is evolving in tandem with the changing threat landscape. While you can view the full agenda here, below is a sneak peek. Living on the Edge: Meeting Emerging Cybersecurity Challenges in Digital Health Healthcare 2.0: Securing the Brave New World of the IoMT Championing Cybersecurity as a Critical Component of the Consumerization of Healthcare If you’re interested, make sure you register for your invitation soon. Cost to Attend: Free 11.National HealthSec eForum  Date: November 5 A perfect follow-up to the above event, this National HealthSec eFourm (which is being put on by the Cybersecurity Collaboration Forum). While the agenda hasn’t been shared yet, we do know that board members recommend and vet topics, speakers and industry partners, ensuring each event will address the industry’s most significant concerns. Bonus: Sessions are interactive, peer driven, and limited in size for maximum learning and networking. Make sure you register now; space is limited and you must qualify to attend. A member of your local leadership board will reach out once you’ve been approved to attend with a confirmation. Cost to Attend: Free 12. Global Talent: What your Workplace & Workforce of the Future will Look Like Date: November 10 As we’ve already mentioned, the workplace is changing. Many organizations are adopting flexible, hybrid, and even fully remote structures which means cybersecurity leaders need to adapt and evolve their strategies. This event in particular is for security leaders in Financial Services. Here’s what you should expect: A panel session where experts will share advice, wisdom, and best practices on the evolving workplace and workforce A closer look at how emerging collaboration paradigms may affect strategies A deep dive into data privacy across geographical boundaries Members can sign-up here. And, if you’re not a member, you can register to become one now. Cost to Attend: Free 13. Cybersecurity Digital Summit – Fall 2020 Date: November 10-12 This three-day virtual event promises to help you chart the course for 2021 with the help of expert opinions and advice. And – spoiler alert – the speaker line-up is first-class and includes Ramy Housssaini, Chief Cyber and Technology Risk Officer at BNP Parabas, Brian Robinson, Senior Director of Product Marketing at Blackberry, and many (many) more.  Check out the full agenda here and decide which of the sessions you’re going to attend.  Cost to Attend: Free 14.ISF Digital Congress 2020  Date: November 15-19 This is the Information Security Forum’s flagship event which means it’s perfectly aligned with the organization’s overall mission, which is to”….[help] members overcome the wide-running information security challenges that impact business today.” ISF is promoting this as a sort of “live broadcast”, which means members (and non-members, so long as you register now!) from a variety of timezones can tune in. To learn more about what to expect and why you should attend, watch this video featuring Steve Durbin, Managing Director at ISF, and Nicholas Witchell, renowned journalist and Master of Ceremonies for Digital 2020. Cost to Attend: Free 15. PrivSec Global (Q4) Date: November 30-December 3 While we certainly will provide a bit more context about this event, this one-liner (in many ways) tells you everything you need to know. This is the largest data protection, privacy, and security event of 2020.  Spread across four days and sponsored by Microsoft and The Wall Street Journal, attendees can choose from one of four tracks including privacy, security, industry, and region. That means that the content will be highly curated. And, with over 200 speakers and 90 sessions, it won’t be hard to find a topic that’s relevant specifically to you.  Cost to Attend: Free 16. Chief Information Security Officer Exchange Date: December 8-9 CISO’s, here’s another one just for you. At this 2-day virtual event, attendees will learn how to empower their organization to navigate through the changing landscape. How? Through a variety of topics, including: How to use strategic storytelling to provide clear benchmarks and metrics How to dissolve the gender and workforce gap on cybersecurity leadership teams How to prioritize and revise the definition of your organization’s risk appetite For a full list of speakers, click here. And make sure you register now!  Cost to Attend: Free 17. 2020 HMG Live! Financial Services CIO Executive Leadership Summit  Date: December 10 Last but not least, HMG’s live virtual event – specifically designed for security leaders in Financial Services – top technology executives will share their advice on the roles that CIOs and tech leaders can play in driving innovation and reshaping the future of work. While there will no doubt be a focus on security, many of the topics will actually cover the more human aspect of being a leader, including how to keep employees inspired and how to strengthen employee engagement and motivation.  You can view the agenda, speaker line-up, and partners here. Cost to Attend: Free 18. Accounting & Finance Show When: October 20 – October 21, 2020 Cost to Attend: Free  The Accounting & Finance Show is the USA’s largest virtual accounting and finance exhibition. With over 150 speakers and 3,000 attendees, the exhibition features online networking, virtual workshops, and CPE education. Content tracks include HCM & Payroll, Tax, Technology, and Practice Management. Why attend? If you’re a security leader in Financial Services, this is a great opportunity to connect with your peers and understand what they’re doing to overcome current challenges.  19. Futurist Virtual Conference When: November 11 – 12, 2020 Cost to Attend: Free Futurist Virtual Conference is Canada’s largest blockchain and emerging tech conference. Over 100 world-class speakers are attending this year to discuss emerging industries and their trends, and attendees have the option to sit in on over 60 panel sessions, workshops, and roundtables.  20. NewStatesman Virtual Cyber Security in Financial Services Conference When: November 24, 2020 Cost to Attend: Free for senior-level delegates from financial institutions. At this year’s virtual conference, senior figures and thought leaders will lead presentations that examine current regulations and key trends. Some of the presentations include: How the COVID-19 pandemic has changed the cybersecurity landscape Building cyber resilience in the new decade How biometric innovation is shaping the future Are there any other events you think we should add to this list? Email [email protected]

We’re back with another monthly roundup of cybersecurity news. Cybercriminals have once again been busy, with several high-profile data breaches and ransomware attacks occurring throughout September. And – rather unsurprisingly – social media platforms Twitter and TikTok have made the cut for the third month running. Here are the top cybersecurity stories from September 2020, including links to further information. Need to catch-up? Check out headlines from July and top stories from August on our blog. Researchers Predict That CEOs Will Be Personally Liable for Cyber-Physical Attacks Research and advisory firm Gartner (who recently named Tessian a Cool Vendor) predicted this month that 75% of CEOs could hold personal liability for “cyber-physical” attacks by 2024. Cyber-physical attacks aim to impact the “real world,” including critical infrastructure, internet of things devices, and healthcare equipment. Such attacks can result in physical injury and death. Gartner predicts that that cyber-physical attacks will cause up to $50 billion of damage by 2023 So what if Gartner is right? It would mean that if a company suffers a cyberattack resulting in physical harm — and it turns out that the company has not implemented appropriate cybersecurity measures — the company’s CEO could have to pay fines with their own money. 

Gartner’s research tells us what every effective business leader already knows — an effective cybersecurity program is an essential requirement for every organization. If a cyberattack occurs, the buck stops with the company’s senior executives. Argentinian Government Faces $4 Million Ransom Following Cyberattack On September 6, Argentina temporarily stopped allowing people to cross its borders after the Netwalker ransomware hit the country. The attackers encrypted government migration data and demanded 355 Bitcoins (around $4 million) to unencrypt it. This cyberattack led to chaos across border checkpoints — but the Argentinian government told domestic news website Infobae that it had no intention of negotiating with the hackers. Ransomware continues to cause havoc worldwide, and it appears the problem is only getting worse. Research by SonicWall recorded approximately 121 million ransomware attacks in the first half of 2020. Personal Information of 46,000 US Military Veterans Breached The US Veterans Association (VA) announced this month that the personal information of around 46,000 military veterans had been “accessed by unauthorized users.” The cybercriminals aimed to “divert payments” intended for healthcare providers. The VA’s financial services team wrote to the affected individuals to advise on how to mitigate the effects of the breach and offer free access to credit monitoring services. The VA serves veterans all over the US. Strict new data breach laws in several jurisdictions — including New York, Washington DC, and Oregan — mean that the VA could face huge fines given the breach’s context. Want to know more about US data security laws? Read our guidance for security leaders. Thousands of COVID-19 Patients’ Data Leaked Due to “Human Error” A massive data breach occurred in Wales this month when the personal information of 18,105 coronavirus patients was leaked following an “individual human error.” The breach affected every Welsh resident who tested positive for COVID-19 between February 27 and August 30. Public Health Wales said that the data included the “initials, date of birth, geographical area, and sex” of the affected individuals. In nearly 11% of people, though, the data also included the name of the nursing home or other healthcare setting in which the individual lived. The data was uploaded onto a public server, where it was accessible and searchable for around 20 hours. It was viewed 56 times throughout this period.  Human error is a key cause of data breaches. Statistics show that around 88% of data breaches start with human error, and almost half of all employees believe they have made an error at work leading to security repercussions. Chinese Company Holds Data About 2.4 million Influential People An academic at Fulbright University, Vietnam, has uncovered a vast Chinese database containing personal information of around 2.4 million people and their families. It looks like these individuals are “people of interest” to the Chinese Communist Party (CCP). The company responsible for maintaining this huge database “provides big data analytics as well as other functionality to support Chinese military and intelligence analysts,” according to a research paper. The research also suggests that the CCP uses the data for “intelligence, military, security, and state operations in information warfare and influence targeting.”  The database is believed to provide a way for the CCP to influence people in target sectors. It may be one of many such databases maintained by Chinese companies. Much of the information in the database has been gleaned from publicly-available sources. The Chinese database is yet another important reason you should consider limiting the amount of personal information you put online. You can learn more about how hackers are using open-source recon for deepfakes and other social engineering attacks from Elvis M. Chan, Supervisory Special Agent at the FBI and Nina Schick, Author of “Deep Fakes and the Infocalypse: What You Urgently Need to Know”, who both joined us at Tessian Human Layer Security Summit. You can access their session “Safeguarding the 2020 Elections, Disarming Deepfakes via HLS On-Demand.  Twitter Provides Enhanced Security For US Election Following its spear phishing incident this July, Twitter has announced enhanced account security for certain “high-profile accounts” throughout the US election. Twitter said that various types of accounts, including those belonging to US politicians, campaign officials, and political journalists, would receive the security enhancements from September 17. So what’s changing? First, affected users must create “strong passwords,” of at least ten characters in length. They will need to confirm password reset requests via email. The affected users will also be “strongly encouraged” to enable two-factor authentication (2FA). But that’s not all. Recall that the July spear phishing incident involved “internal support tools” — it wasn’t primarily an issue with users’ account passwords. To address this, Twitter also states that it will improve internal monitoring of the affected accounts, including by using “more sophisticated detections and alerts,” “increased login defenses,” and “expedited account recovery” processes. Want to know how to avoid the issues Twitter faced this July? Read our guidance on “vishing” attacks. Energy Companies Advised to Create Cyberattack Response Plans The US Federal Energy Regulatory Commission (FERC) and the North American Electricity Reliability Corporation (NERC) have released a report advising energy providers on creating an Incident Response and Recovery (IRR) plan for cyberattacks. The report is based around an existing cybersecurity framework: the National Institute of Standards and Technology (NIST) Special Publication 800-61, also known as the Computer Security Incident Handling Guide.  Governments appear to be increasingly concerned about the cybersecurity of critical infrastructure. This concern is well-founded — in 2019, 90% of security professionals surveyed across the utilities, energy, health, and transport sectors reported that their organizations had faced at least one successful cyberattack. Much of the advice to energy providers is good practice across all sectors. FERC and NERC recommend a four-part framework, consisting of security controls relating to preparation, detection and analysis, containment and eradication, and post-incident activity.

UK Agency Warns Schools and Universities About Ransomware Attacks As students worldwide return to schools, colleges, and universities, education providers are most concerned with defending against a COVID-19 outbreak. But the UK’s National Cyber Security Centre (NCSC) gave a stark warning about a different type of threat: ransomware. The NCSC’s alert describes “recent trends observed in ransomware attacks” targeting the education sector, which the agency says are increasingly common. The guidance follows a series of ransomware attacks against universities in the UK, US, and Canada this July. The agency warns that cybercriminals are exploiting out-of-date software and are accessing remote desktop protocol (RDP) software using credentials stolen via phishing attacks. It also warns that phishing emails are being used to deploy ransomware. So how does the NCSC recommend education providers protect themselves? The same ways all cyber-secure organizations protect themselves — including ”disrupting ransomware attack vectors” by implementing phishing defenses, and “enabling effective recovery” by keeping backups of data. Implementing DMARC is also essential to prevent brand impersonation and successful spear phishing attacks. And, according to Tessian research, 40% of the top 20 US universities aren’t using DMARC records.  TikTok Ban Delayed Following ByteDance Sale On September 21, US President Trump said he had approved the sale of part of ByteDance, the parent company of video-sharing platform TikTok, to Oracle and Wal-Mart. The deal temporarily averts harsh restrictions on TikTok set out by the US Department of Commerce three days earlier. The sale results from an executive order issued by President Trump in August, stating that the TikTok app “captures vast swaths of information from its users, including… location data and browsing and search histories.” TikTok maintains that this activity is standard industry practice. The US companies could take a collective 20% stake in ByteDance, with Oracle hosting TikTok user data in Oracle Cloud. Some analyses suggest that security-conscious nations and businesses are increasingly likely to implement these sorts of “data localization” measures. Trump had previously assured the public that TikTok would be “totally controlled” by the US firms. However, the president assured a press conference that the companies would be using “separate clouds and very, very powerful security.” That’s all for this month. If we missed anything, please email [email protected] and stay tuned for the next roundup. Don’t forget: You can easily share this on social media via the buttons at the top right of this post. 

Tessian’s CEO and co-founder Tim Sadler joined Dave Bittner from the CyberWire and Joe Carrigan from the Johns Hopkins University Information Security Institute to talk about why people make mistakes and the importance of developing a strong security culture. While you can listen to the episode here, you can read a full transcript below. And, for more insights about The Psychology of Human Nature, read our report.

Dave Bittner: Joe, I recently had the pleasure of speaking with Tim Sadler. He’s been on our show before. He’s from an organization called Tessian, and they recently published a report called “The Psychology of Human Error.” Here’s my conversation with Tim Sadler. Tim Sadler: We commissioned this report because we believe that it’s human nature to make mistakes. The people control more sensitive data than ever before in the enterprise. So there’s customer data, financial information, employee information. And what this means is that even the smallest mistakes – like accidentally sending an email to the wrong person, clicking on a link in a phishing email – can cause significant damage to a company’s reputation and also cause major security issues for them. So we felt that businesses first need to understand why people make mistakes so that, in the future, they can prevent them from happening before these errors turn into things like data breaches. Dave Bittner: Well, let’s go through some of the findings together. I mean, it’s interesting to me that, you know, right out of the gate, the first thing that you emphasize here is that people do make mistakes. Tim Sadler: Absolutely, they do make mistakes, and I think that is human nature. We think about our daily lives and the things that we do; we factor in human error, and we factor in that we will make mistakes. And something I always come back to is if we think about something we do, you know, many of us do on a daily basis, which is, you know, driving a car, and we think about all of the assistive technology that we have in that car to protect us in the event that we do make a mistake because, of course, mistakes are expected. It’s kind of in our human nature. Dave Bittner: Well, let’s dig into some of the details here because there are some fascinating things that you all have presented. One of the things you dig into is the age factor. Now, this was interesting to me because I think we probably have some biases about who we think would be more likely to make mistakes, but you all uncovered some interesting numbers here. Tim Sadler: Yeah, completely. And, you know, just sharing some of those statistics that we found from this report, 65% of 18- to 30-year-olds admit to sending a misdirected email comparing to 34% who are over the age of 51. And we also found that younger workers were five times more likely to admit to errors that compromised their company’s cybersecurity than older generations, with 60% of 18- to 30-year-olds saying they’ve made such mistakes versus 10% of workers who are over 51. Dave Bittner: Now, what do you suppose is the disparity there? Do you have any insights as to what’s causing the spread? Tim Sadler: I think it is just speculation that I think there’s something interesting in just maybe thinking about the comfort level that younger workers might have with actually admitting mistakes or sharing that with others in the enterprise. You know, I think there’s something encouraging here, which is actually we’re seeing that if you were running a security team, you want your employees to come forward and tell you something has gone wrong, whether that’s a mistake that’s led to a bad thing or it’s a near miss. And I think that you also might find that, generally, younger people may tend to be less senior in the organization and, you know, may not have the same sense of stigma that maybe the older generations, who are more senior, may think there is. So if I tell my boss that, you know, I’ve just done something and there was a potentially bad outcome, they might feel like they may be in danger of compromising their position in the organization. Dave Bittner: Yeah, it’s a really interesting insight. I mean, that whole notion of the benefits of having a company culture that encourages the reporting of these sorts of things.

Tim Sadler: I think it’s so important. You know, I think – somebody, you know, correctly advised me, you almost need an everything’s-OK alarm in your business when you’re thinking about security. You know, if you have a risk register or if you are responsible for taking care of these incident reports, if you don’t see people reporting anything, it’s usually a more concerning sign than you have people coming forward who are openly admitting to the errors they’ve made that could lead to these security issues. It’s highly unlikely that you’ve got nothing on your risk register. That you’ve completely eliminated risk from your business. It’s more likely that actually you haven’t created the right culture that feels like it’s suitable or acceptable to actually come forward and admit mistakes. Tim Sadler: And I think this is really, really important. I think now more than ever, during this time where, you know, we have a global pandemic, a lot of people are working from home, and they’re kind of juggling the demands of their jobs with their personal lives – maybe they’re having to figure out childcare – there are lots of other things weighing in to an employee’s life right now. It’s really important to actually, I think, extend empathy and create an environment where your employees do feel comfortable actually sharing things, mistakes they’ve made or things that could pose security incidents. I think that’s how you make a stronger company, through that security culture. Dave Bittner: But let’s move on and talk about phishing, which your report digs into here. And then this was surprising to me as well. You found that 1 in 4 employees say that they’ve clicked on phishing emails. But interesting to me, there was a gap between men and women and, again, older folks and younger folks.  Tim Sadler: Yes, so we found in the report that men are twice as likely as women to click on links in a phishing email, which again I think is – I think we were as surprised as you are that that was something that came from the research that we conducted. Dave Bittner: And a much lower percentage of folks over 51 say that they’d clicked on phishing links. Tim Sadler: Yes. And, again, you know, because of the research, of course, we’re relying on people’s honesty about these kinds of things. Dave Bittner: Right. Tim Sadler: But it does seem that there are clear kind of demographic splits in terms of things like age and also gender in terms of, actually, the security outcomes that took place. Dave Bittner: I mean, that in particular seems counterintuitive to me, but when I read your report, I suppose it makes sense that, you know, people who have more life experience, they may be more wary than some of the folks who are just out of the gate. Tim Sadler: I think that does play into things. I think that younger generations who are coming into the workplace, who are maybe even used to – you know, they’ve had an email account maybe for most of their lives. In fact, I would say that they’re probably less used to using email because they’ve advanced to other communication platforms before they enter the workplace. But I do think that, you know, if you think about people who have had email accounts, you know, at school or at college, they’re going to be used to being faced with potential scams, potential phishing. They’ve maybe already been through many kind of forms of education training awareness, those kinds of things, before they’ve actually entered the world of work. Dave Bittner: Yeah, another thing that caught my eye here was that you found that tech companies were most fallible. And it seemed to be that the pace at which those companies run had something to do with it. Tim Sadler: Yeah, I think there’s something interesting here. And, again, just would say that this is speculation because we don’t have the specific data to dig further into this. But I think there’s something interesting with the concept that technology companies, as you say, if they’re, you know, high-growth startups, they tend to be maybe moving faster, where these kinds of things can slip off the radar in terms of the security focus or the security awareness culture they create. Tim Sadler: But the other thing – and I think something to be aware of – is sometimes technology companies have that kind of false sense of security that it’s all in check, right? ‘Cause they – you know, this is kind of their domain. They feel that it’s within their comfort zone, and then maybe they neglect, actually, how serious something like this could be, where they feel that, OK, we’ve actually – even if we’ve got an email system in place, in the instance of phishing – we’ve got an email system in place. We feel like it has the appropriate security controls. But then we miss out the elements of actually making sure that the person is aware or is trained, is provided with the assistive technology around them and then also feels that they’re part of a security culture where they can report these things. So I think that’s also an important factor, too. Dave Bittner: So one of the interesting results that came through your research here is the impact that stress and fatigue have on workers’ ability to kind of detect these things. Tim Sadler: Yeah, and this is a really, really important point. So 47% of employees cited distraction as the top reason for falling for a phishing scam. And 41% said that they sent an email to the wrong person because they were distracted. The interesting thing, I think, there is that – another stat that came out from this – 57% of people admitted that they were more distracted when working from home, which is, of course, a huge part of the population now. So this point about distraction seems to play a really important factor in actually the fallibility of people with regard to phishing. Tim Sadler: And then a further 93% of employees said that they were either tired or stressed at some point during the week. And 1 in 10 actually said that they feel tired every day. And then the sort of partner stat to that, which is important, is that 52% of employees said that they make more mistakes when they’re stressed. And of course, tiredness and being stressed play hand-in-hand. So these are really, really important things for companies to take note of, which is, you have to also think about the well-being of your employees with regard to how that impacts your security posture and your ability to actually prevent these kinds of human errors and mistakes from taking place. Dave Bittner: Right. Giving the employees the time they need to recharge and making sure that they’re properly tasked with things where they can meet those requirements that you have for them – I mean, that’s an investment in security as well. Tim Sadler: Completely. And I think what’s really difficult is that security is serious business. No one would doubt or question its importance. It is literally mission critical for companies to get right. Some companies take a draconian approach when it comes to security, and they penalize or they’re very heavy-handed with employees when they get things wrong. I think, again, it is really important to consider the security culture of an organization. And actually, creating a safe space for people to share their vulnerability from a security perspective – things that they may have done wrong – and actually then having a security team or security culture that helps that person with the error or the issue that may arise versus just creating a environment where if you do the wrong thing, then, you know, your job, your role might be in jeopardy. Tim Sadler: And again, it is a balance because you need to make sure that people are never being careless, and there is a responsibility that we all have in terms of the security posture of our organization. But what this report shows is that those elements are really important. You know, we don’t want to contribute to the distraction. We don’t want to contribute to the stress and tiredness of our employees. And even outside the security domain, if you do have an environment that doesn’t create a balance for your employees, you are at a higher risk of suffering from a security breach because of the likelihood of human error with your employees. Dave Bittner: All right, Joe, what do you think?

Joe Carrigan: I really liked that interview. Tim makes some really great points. The first thing he says is at Tessian, they believe that people are prone to mistakes, right? Of course we are, right? But why, in the real world, do we act like we’re not? That is what struck out to me immediately – the fact that Tim even needs to say this or that somebody needs to say this, that people are prone to mistakes. We act as if we’re not prone to mistakes. And then the driving analogy is a great analogy, right? If everybody does everything right in a car, nobody would ever have an accident. But as we all know, that is not the case. Dave Bittner: Accidents happen (laughter). Yeah. I think in public health, too – you know, I often use the example of, you can do everything right. You can wash your hands. You can, you know, be careful when you sneeze and clean surfaces and all that stuff. But still, no matter what, every now and then, you’re still going to get a cold. Joe Carrigan: Younger people are more likely to say that they’ve made mistakes than older people, and I agree with Tim’s speculation on the disparity of responses across age groups. Younger people have less to lose than an older person who might be more senior in the organization. I also think that an older person might be more experienced with what happens when you admit your mistakes. Joe Carrigan: And that comes to my next point, which is culture. And that is probably the single-most important thing in a company. And this is my opinion, of course – but this is so much more important when we get to security. It needs to be open and honest, and people need to absolutely not fear coming forward about their mistakes in security. This is something that I’ve dealt with throughout my career, even before I was doing security, with people making mistakes. If somebody tries to cover up a mistake, that makes the cleanup effort a lot more difficult. And it’s totally natural to try to do that. You’re like, oh, I made the mistake. I better correct it. If you don’t have the technical expertise to correct it, you’re actually making more work for the people who have to actually correct it. Dave Bittner: Yeah. I also – I think there’s that impulse to sort of try to ignore it and hope it goes away. Joe Carrigan: Right (laughter). That happens, too. I find this is interesting. Men are twice as likely to click on a link than women. Older users are less likely to click on a link. I think that comes from nothing but experience. You and I are older. We’ve had email addresses for years and years and years. I’ve been on the Internet longer than a lot of people have been alive. I know how this works. And younger people may not have that level of experience. Plus, I think younger people are just more trusting of other people. And as we get older, we, of course, become more jaded. Joe Carrigan: Tech companies have a false sense of security because this is their domain. That’s one of the things Tim said. I think that’s right. You know, that’s not going to happen to us; we’re a tech company. Things are still going to happen to you because, like Tim says very early in the interview, people make mistakes. Dave Bittner: All right. Well, again, our thanks to Tim Sadler from Tessian for joining us this week. We appreciate him taking the time. Again, the report is titled “The Psychology of Human Error.” And that is our show. Of course, we want to thank all of you for listening. Dave Bittner: We want to thank the Johns Hopkins University Information Security Institute for their participation. You can learn more at isi.jhu.edu. The “Hacking Humans” podcast is proudly produced in Maryland at the startup studios of DataTribe, where they’re co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I’m Dave Bittner. Joe Carrigan: And I’m Joe Carrigan. Dave Bittner: Thanks for listening.