Arming the Citizens: Awareness Strategies for Cyber War

About the Podcast: The CyberPHIx is a regular audio podcast series that reports and presents expert viewpoints on data security strategy for organizations handling patient health or personal information in the delivery of health-related services. These timely programs cover trends and data security management issues such as cybersecurity risk management, HIPAA and OCR compliance strategy and vendor risk management. Meditology Services, the healthcare industry's leading security and compliance firm, moderates the discussions with leaders in healthcare data security.

President Biden issued an alert recently that US companies must ramp up their readiness to anticipate potential cyberattacks from Russia stemming from the conflict in Ukraine.  

What role do end-users play in protecting healthcare organizations during this ongoing cyberwar? Is the workforce our best defense on the front lines of cyber combat? 

Listen in to this episode of The CyberPHIx as we hear from Eric Bielski, Director of Information Security for Benefit Resource. 

Eric provides insights into leading practices for cybersecurity awareness programs for healthcare entities. Topics covered in this session include: 
  • How to make cybersecurity important for the average workforce member 
  • Effective deployment vehicles for awareness training 
  • Maintaining cybersecurity awareness for hybrid and remote workforce 
  • Free resources for security awareness and HIPAA compliance content 
  • Top messages for the workforce to combat cyberwar attacks 
  • Measuring effectiveness of awareness programs via KPIs 
  • Phishing testing and training best practices 

PODCAST TRANSCRIPT

Brian Selfridge: [00:00:20] Hello. Welcome to The CyberPHIx, your audio resource for information security, privacy, risk, and compliance specifically for the healthcare industry. I'm your host, Brian Selfridge. In each episode, we bring you pertinent information from thought leaders in healthcare, cybersecurity, and privacy. In this episode, we'll be speaking with Eric Bielski. Eric is the Director of Information Security at Benefit Resource. This episode is titled Arming the Citizens: Awareness Strategies for Cyber War. Now, candidly, the awareness strategies for cyberwar are very similar, if not the same, to the usual cybersecurity awareness objectives we pursue day in and day out in our programs. They just matter a whole heck of a lot more than they ever did before. So I'm really excited about this conversation. Let's dive right into it with another great discussion, another amazing guest, Eric Bielski. 

Brian Selfridge: [00:01:14] Hello. Welcome to The CyberPHIx, the leading podcast for cybersecurity risk and compliance, specifically for the healthcare industry. I'd like to welcome my guest, Eric Bielski. Eric is the Director of Information Security at Benefit Resource. Benefit Resource provides dedicated pre-tax account administration and COBRA services nationwide to over 3,500 employers, ranging from small businesses to Fortune 100 companies. Prior to his time with Benefit Resource, Eric served as the Chief Information Security Officer for the Rochester RHIO and held network and IT roles with EarthLink Business and the United States Marine Corps. I'm excited to speak with Eric today about leading practices and emerging approaches for cybersecurity awareness. We're focusing on this topic specifically as threats have ramped up substantially for critical infrastructure organizations, including healthcare entities, stemming from Russian cyberattacks and other cyberwar-type activities. So we have a lot of ground to cover today and lots to learn from Eric on this topic. So with that, Eric, thank you so much for taking the time to join us on the CyberPHIx today. 

Eric Bielski: [00:02:10] Hey, Brian, thanks for having me. 

Brian Selfridge: [00:02:12] So Eric, I mentioned in the intro here that we're focused on awareness based on all this cyberwar, and these attacks that are going on just heightens the importance of what we do every day in cybersecurity. So to that end, the President issued an alert recently that US companies need to ramp up their readiness to anticipate these types of cyberattacks from Russia in particular stemming from the conflict in Ukraine. So what role do end-users play in protecting organizations and healthcare organizations in particular during this ongoing cyberwar? 

Eric Bielski: [00:02:43] I think the biggest role that end-users play right now is, I mean, you have your endpoint security like, yes, they're reading emails all the time. They're getting they're getting phished. But the end-users actually there, the physical security barrier as well. So they're watching for that suspicious activity around the office or I mean, around the healthcare facilities especially. So I think it's the physical attacks are few and far between, like the endpoints, getting the USB devices plugged into them. But watching for that type of activity is, is a large part of the end users' responsibility. 

Brian Selfridge: [00:03:21] So I know cybersecurity is important to us as professionals in this field, right? We do this day in and day out. But how do you make cybersecurity important for the average workforce member? What are some things you might say to end-users to make security relevant and matter to them? 

Eric Bielski: [00:03:39] So I feel like there's oftentimes like a pushback against security training or if you have someone who fails a phishing test, the remedial training. But I guess the point that I would make there is if I came up to your workstation and smashed it with a hammer or dumped water over it, it's not going to work for the rest of the day. So if you take the time to follow secure practices while you're working, that will help you to be productive throughout the day and allow the organization to keep working. 

Brian Selfridge: [00:04:13] I want to talk a little bit about just deployment vehicles for cybersecurity awareness training programs. You know, years ago it was always just this one-time annual training. And I have to imagine that doesn't quite cut it anymore. With the speed of threat changes and the evolution of attacks happening, I can hardly keep up with it, and I do this for a living. I can't imagine users keeping up. So what are some different ways in which you deploy training on an ongoing basis to help end users stay sharp on cybersecurity stuff? 

Eric Bielski: [00:04:43] Yeah, absolutely. Brian, So I like to think of it as a cybersecurity awareness campaign instead of that one time training the hour and the conference room or well now hour in front of your computer listening to some cartoon tell you about phishing emails, it's actually phishing simulations or role-based training to look to enhance the knowledge that your administrators might have when they're using their admin credentials, so, so on and so forth. 

Brian Selfridge: [00:05:15] So are you getting out to do you do physical in-person training as well? Do you get out to departments and show your face and let people know who you are? Or do they just know who you are because they know you're the security guy or whatever? 

Eric Bielski: [00:05:27] Yeah. So people might think that I'm a cop at the office because I walk around checking printers for printed materials that were just left behind or looking for unlocked workstations. But those types of walk-ups are always impromptu training in person. Trainings in a conference room haven't happened since COVID. 

Brian Selfridge: [00:05:50] That's a good point. You mentioned that sort of COVID shift, right? So we have so many people being hybrid or fully remote at this point. What's some of the guidance you might give to some of your peers out there on how to engage with a remote or hybrid workforce and help them stay secure in their own home network environments? I suppose, apart from just your usual teaching on how to stay safe on your own network. 

Eric Bielski: [00:06:16] So for my peers, I've got to ask, do you have your acceptable use policy up to date? Does it include anything like a remote working agreement? If you're the employee at home, did you sign a remote working agreement that says your wi-fi is secure? In some industries, you may even be required to inspect remote work, remote workstations, if that's the case. Are you looking at the surroundings? Like, are there windows around the workstation who has viewing angles and such? And then I guess paying attention to who's allowed to use your workstation when you're not at it. So that's going to be in your acceptable use policy, hopefully, and it's going to say, don't let your kids play games on your computer.

Brian Selfridge: [00:07:06] I've got several kids. And that's always a line of demarcation. They get the iPads and the tablets and dad keeps the laptop. So I don't know. Have you seen incidents have you had incidents reported to you where people are abusing that policy of device usage or any of those work from home type boundaries that should be drawn? 

Eric Bielski: [00:07:27] Yeah, it's been a couple of years, but I've, I've been at an organization that, that had someone hand their computer off to their grandson and, and they went onto a gaming website and, and then got themselves into a little bit of trouble there. So. 

Brian Selfridge: [00:07:44] Now teaching moments. Teachable moment. So just in terms of resources. So everybody seems to build their own security awareness program. And I'm sure it takes in a combination of experience and understanding of their own organization and all that good stuff. But at some point, we're kind of saying the same stuff over and over again. Are there any external resources that you're aware of that security leaders can use to find security awareness, training, and content? We can certainly talk about any sort of paid partnerships and those things. Those are good. But are you aware of any, any free ones too? I always like to ask for that first and then you can tell us about the expensive stuff that really works. 

Eric Bielski: [00:08:23] So the Department of Health and Human Services, HHS.gov, that is your go-to resource for free cybersecurity training. I believe they even have HIPAA privacy and security training on there. The only hangup there is if you need to audit, you're going to be chasing users down for printed certificates or PDFs of certificates or their transcripts that say they completed it. So that's where the paid platforms come in handy. 

Brian Selfridge: [00:08:52] Do you do any kind of tailoring of your content to your organization? What are some of the things that might be specific that may be the generic content just doesn't quite cover or can make it more real for your team members, your workforce members? 

Eric Bielski: [00:09:06] I would say that the tailored content comes with your role-based training, so your administrators are taught not to enter their admin credentials just because a user asked them to. Stuff like that. And the platform, the platforms that I'm used to using for the training include that type of training. So it won't be in your baseline training. 

Brian Selfridge: [00:09:28] Now, apart from free stuff, do you outsource any sort of key capabilities around content? I think phishing might be a key one. A lot of folks use a third-party platform or something. We don't have to name names. You're welcome to. I don't mind. But do you find value in any kind of third-party partnerships that really help you get the messaging done right and delivered in the right way? 

Eric Bielski: [00:09:48] Yeah, I've, I've used a few and nothing really stands or nothing really holds any ground against KnowBe4. So that's your training platform, your remediation training platform, your phishing simulation. You can do vishing too if you're that interested and really testing your users. But it's also great because you can audit who's completed what training and you can see, well, I won't get into too much detail, but also if you're looking for something that you want to just hand off to someone, maybe have a training department, or you want your HR to manage it during onboarding. You could ask them or you could ask your provider, your human resource information system. I think I got that right. If they have an LMS, you could use it. 

Brian Selfridge: [00:10:40] Excellent. I know one of the questions that I always used to get when I was a security officer many, many moons ago was around managing passwords. Right. They would sort of come to me rightfully and say, you make me have all these different passwords for all different kinds of stuff at home and here. How can I keep that safe? And of course, you would always run into the users that would be having a file on their desktop with all their passwords, and for pen testers and hackers, that's always a goldmine. I'm sure it is for the bad guys, too. So how do you advise end-users to manage their passwords both at work and at home? And do you recommend any password managers or what is safe these days to use? 

Eric Bielski: [00:11:19] I would use password managers. I obviously don't recommend files or writing them down, putting them under a keyboard. Some of the key things that I'd look for in a password manager are how do you share records and, like, does it help your helpdesk issue new passwords? I mean, that's more of an administrative point. But is there no reversible encryption? Like if an attacker compromises your password manager, are they going to be able to eventually crack the vault of your hundreds of passwords to get into your banks and such? And I think, I think an important thing is to write it into your policies at your organization, because if you don't policy it, then people, I think people are inclined to do what they want, what's easiest. But also if you teach the users how to use it, it may actually streamline what they do because a lot of people open a browser window and they search for the URL that they're going to go to. But if you open your password manager, you can just search for that URL there and click on a link inside of that password manager. It opens it up, logs you in, and all of a sudden you're more efficient. 

Brian Selfridge: [00:12:36] Yeah, that's always the key. If we can convince folks that we're helping and there's some value beyond just securing things. And I think that's a great recommendation to have that sort of launching-off point for your apps and those types of things. So but what you're saying is we shouldn't use the password booklets. One of my team members one time brought me from Walmart a little "write your passwords down" booklet that's like $2 that they had so regularly. It's like, I guess we should avoid that one, huh? 

Eric Bielski: [00:13:06] Yeah. My mom actually had one of those and I burned it, and then I taught her how to use the password manager that I use. 

Brian Selfridge: [00:13:14] So that's excellent. I hope she was, I hope she was able to transfer her passwords before you made that move. 

Eric Bielski: [00:13:22] I didn't verify at the end. 

Brian Selfridge: [00:13:23] But now I know you said earlier that annual security awareness training may not be the answer anymore, but we still have to do it right. So I want to dig into that a little bit. What does an effective annual training program look like? What kinds of content, how, how long and wide and deep should it be? Sometimes that's a pushback from the business, too, is it's too many slides. Can you tell us a little bit about what you think an optimal annual training looks like? 

Eric Bielski: [00:13:50] Yeah, so I think that the most amount of training that a user should have to go through per year when it comes to your baseline, training is about 2 hours. That's I mean, 2 hours is HIPAA privacy and security. So if you don't have to do it, but with privacy and security, then I've cut it down to just one hour, which is your cybersecurity awareness training that should include how to spot phishing emails, and how to spot suspicious activity around the office. Details on the insider threat. And I guess that's just about it. I mean, you don't want to bore them to death and make them like you click through it so they just check another box and they can move on to their job that you ought to make sure that it's meaningful to them and doesn't bore them. 

Brian Selfridge: [00:14:41] I was thinking that too. There's always this fine line. I think the spectrum is boring and scary, like you don't want to be super, super boring and you also don't want to be overly scary at the point where you want to get the message home, but you don't want to have everybody panicking. Maybe there's a happy place somewhere in between. 

Eric Bielski: [00:14:55] Yeah, I like to find training that has something interesting in it. For the like maybe have a hacker, show you how to how they crack into something and how easy it is, such as the calendar hijacking. So someone sends you an invite, but your calendar is set to accept auto-accept invites. You go and click on a link like, oh, I guess I'm supposed to be in a meeting right now and you go and click on the downloader and next thing you know, you've got the ransomware screen in front of you. 

Brian Selfridge: [00:15:26] I saw a thing last week where Microsoft Teams was is now a new vector for that type of thing, where there's they're sort of jumping into random Microsoft teams meetings. I think they have to compromise an end-user account first. I'm not sure, but they're dropping like an executable in the chat to like the whole group. And if somebody clicks on it, it sort of massively deploys the malware elsewhere. I don't know if you've seen that, but that one sounds kind of scary. 

Eric Bielski: [00:15:49] Yeah, all the different meeting platforms are scary for me. I mean, if, if you if you're not able to block the install, if you're not doing that from an administrative standpoint, then most of these are they don't even require admin credentials to install them. So tricking a user to download from a malicious website instead of the actual Zoom website or Google or for teams, etc., etc.. 

Brian Selfridge: [00:16:17] Let's get specific a little bit. We've been talking about the program a lot, but I just at this moment in time, 2022, maybe this guide will change two weeks from now or whatever. But are there what are the top maybe top three most important security awareness points that you think all workforce members, regardless of their position and stature, need to be aware of today to protect the organization. If you had three takeaways what are the must-haves? 

Eric Bielski: [00:16:43] If someone's pressing you to take an action, you have to really consider what that action is. So one of the mantras I learned in the Marines was slow is smooth and smooth is fast. If you make a mistake and it allows an attacker in, you're going to ruin the day for yourself and potentially hundreds or thousands of users, depending on the size of your organization and how the security team has implemented protections against that. So really pay attention to what someone is asking you to do. And then it's all that slow is smooth and smooth is fast. Like, hover over the links. If you weren't expecting a link from someone, just call and ask them. So if an external user sends email inbound into your organization, their email has been compromised. You don't know that. Right? So but they have a list, like if you look at an email quarantine, you might see dozens of emails show up that are from a single trusted person, but they've been flagged because they have that malicious URL that Microsoft or whoever your email quarantine is ran through. 

Brian Selfridge: [00:18:02] And I just had my, I got a text yesterday that looked like it came from my boss actually, and I only have one boss and he's a close friend, but it still got me thinking. It was like, hey, I need, I need your help. Showing this meeting is an important thing. Just text me back real quick. And it wasn't. And it said his name and I was like, wow, that is really good. I'm like, I'm 98% sure this is bogus, but I still texted him anyway. I was like, Man, did you send me this? And of course, he didn't. But it's funny how, with the right timing and the right sort of generic context, they can really kind of get you to scratch your head, even if you're as paranoid as I am. 

Eric Bielski: [00:18:39] Yeah. I got a message from myself the other day telling me that my cell phone bill was paid and I just got a reward for it. So I got to click a link if I wanted to, but I ignore messages from myself because I don't consider myself trustworthy. 

Brian Selfridge: [00:18:57] I think that's wise. So we've been talking about security awareness points and messages to get across. Are there any specific messages that pertain to this recent cyberwar and the attacks and the alerts that have been coming out from the federal government? Any sort of changes that you've made to your security awareness program or messaging to end-users that would be specific to this cyberwar stuff? 

Eric Bielski: [00:19:19] Without getting into too much detail? I would say that reiterating the basics, like ensuring users know that you won't ask for their passwords over the phone or any other way. They're in control of their passwords. They don't need to share those things and then making sure they know that that MFA should only be prompted by them. So when if they get that notice that someone's asking for a pin, they should report that to their organization. If they didn't ask for that, that MFA pin or MFA token. So and also that no administrator will ever ask for their MFA token, I should say, should never ask. 

Brian Selfridge: [00:19:57] Yeah. There's some training we need to do for the staff sometimes, right? Like, Hey, stop, don't ask people for passwords, don't ask them for MFA. I've done that, you know, over the course of the years as well. Like guys, just remember, we tell everybody that this is never going to happen. If you do that, you undermine everything that we've said all along. So we've talked a lot about some of the programmatic things that we do the behaviors, the activity, the messaging. So that's all great. We're doing stuff and we're getting messages out there. How do we know if it's working? How do we measure success of a security awareness program? And is there any way that you can tangibly sort of validate those investments are doing what they're supposed to? 

Eric Bielski: [00:20:37] Yeah, so I think that a KPI-driven cybersecurity program is important. So watching like your phish failure rates and then aligning those with how many, like how scared your users are, I say scared, how aware your users are that they're reporting the emails that they think are suspicious instead of just deleting them. So that way, you know that you've taught them how to report those emails and now your infosec analysts, they're seeing those emails and able to identify real threats versus just spam. 

Brian Selfridge: [00:21:17] I want to talk a little bit about phishing specifically. We've mentioned it a few times, and vishing, and we should probably define vishing. And I'll leave that up to you as we go here. But, you know, can you tell us your approach to sort of phishing training and testing at a high level? How frequent, how do you engage, and what types of messaging to use, those types of things? 

Eric Bielski: [00:21:36] Well, you start off with a baseline test to see where your users are at. This is if you don't have a program started, and then, like I said before, you're KPI driven. So you want to improve the failure rate from your baseline. So maybe you start out with a monthly test and then if your monthly failure rate gets down to a good number, you might decrease it to quarterly, but any less than that and I feel like you're not testing your users enough. And then you asked about vishing. That's just doing the same thing phishing is, but you're using a phone. I think it's much more difficult unless you have some automated system that can voice generate. 

Brian Selfridge: [00:22:20] Do you rotate? What kind of content and fake emails are you putting out there? Do you have a standard set of them or do you change them with the times? 

Eric Bielski: [00:22:28] So the first time I saw a phishing simulation happen, the same email went to every person in the organization and, at the exact same time. So it was a different, smaller organization. And, and someone just stood up and said, hey, don't click that. But now it's much more tricky because you're right, we have current events. We have it trying to or someone spoofing it, trying to get passwords. I think the current events ones are the trickiest because I think the users don't expect me to put those emails into play so quickly. But, but the platform we use really, really keeps up. 

Brian Selfridge: [00:23:13] So I've seen, I've, I know a friend, which always means I'm talking about myself, that has gotten criticism for making the phishing tests a little too hard and too tricky. And so there is a perception that, hey, we're tricking users rather than educating them. I didn't agree with that. I still kind of don't. But how do you know, what's the degree of difficulty you go into? Do you want to put obvious errors into your phishing messages? So it's not quite a template of the Nigerian Prince email from years ago, but how hard do you make it for folks to be able to spot this is bogus? 

Eric Bielski: [00:23:52] And it depends on how difficult you want it to be for an attacker to phish your team. So if you're filtering out those level five difficulties, then you're saying, well, an attacker will never try that hard to get into my infrastructure or compromise one of my accounts. But so that's how I would justify it. I've got to keep up with the attackers. 

Brian Selfridge: [00:24:19] Makes sense for sure. Now, we've talked a lot about what are best practices. You know, security awareness training, though, is not a new concept. We've been doing it for years. Are there any approaches that you've seen that just simply don't work well and not to? Maybe it's just we had to learn that as an industry. Or are there any mistakes or pitfalls that folks that may be standing up a new program, let's say, should avoid with their awareness program that you can think of? 

Eric Bielski: [00:24:45] Don't bore your users with hours of nonsense repetitive training. Keep it real, keep it short and keep it interesting. And then if you have things like June is Internet Safety Month and October is Cybersecurity Awareness Month, have little trainings or competitions where you can make it fun for people. 

Brian Selfridge: [00:25:14] That's a great point. I always like stories too, or just relating it to their job and sort of taking a very academic idea of phishing or other types of attacks and saying this is how it plays out. This is how it could play out. You're sitting at your desk. Here's what goes on. A little more conversational sometimes can help us get ourselves out of the techno weeds that we dig ourselves into occasionally. 

Eric Bielski: [00:25:36] I think one of the one of the most, one of the most I guess it hit home the hardest was I had a training video once where they were talking about insider threat and they had three people from this organization that were in tears in their interview because they thought this person was their best friend, but he was actually a spy. And I mean, the person got caught and went to jail. But that kind of deceit, it's interesting. And I guess it really hit home knowing that, yeah, Jim sits next to me. But do I trust Jim? How how much do I trust Jim? And I really took that too far. 

Brian Selfridge: [00:26:20] No, it's good. Actually, I am a spy. And this whole thing, we've been running the podcast for several years now and just stealing ideas from really smart people like yourself. So in that sense, you've been duped, you've been had, but. 

Eric Bielski: [00:26:33] Now you really sound like an attacker because you said I'm smart. 

Brian Selfridge: [00:26:35] So. Yeah, that's right. That's how you know. Well, so is there any other we've covered a lot of ground today, Eric. Anything that you'd like to sort of leave with some closing thoughts or any sort of summary takeaways that you'd like to share with our listeners on this topic before we wrap things up? 

Eric Bielski: [00:26:55] Yep. So if you're an administrator of an information security program or cybersecurity awareness training program, keep your users engaged with fun content competitions, stuff like that. And if you're an end-user, remember the mantra slow is smooth and smooth is fast. You might complain that the or you might be concerned that the training is going to take 2 hours out of your Monday. But it's better than taking two days out of your workweek because your workstation was locked down and your organization had to stop its business to fix whatever was broken by an attacker. 

Brian Selfridge: [00:27:32] Well, I am, in full disclosure, going to steal and use that phrase slow is smooth and smooth is fast, if that's okay. And then actually it's not okay. I'll cite you and, or the Marine Corps, if that's a Marine Corps thing. But I think that's excellent, excellent guidance. All right. Why don't we thank my guest, Eric Bielski, who is the Director of Information Security at Benefit Resource. Eric, thank you so much for taking the time to share your insights with us. It has been a great, great conversation. I learned a ton and I'm sure our listeners did as well. 

Eric Bielski: [00:27:58] Yeah, no problem. Brian, thanks for having me again. 

Brian Selfridge: [00:28:09] Again, I would like to thank my guest, Eric Bielski, who's the Director of Information Security at Benefit Resource. I really appreciated Eric's perspective on security awareness programs, and I will certainly steal his phrase about that slow and steady approach to help keep everyone secure. I also appreciated Eric's focus on nailing the basics of your awareness program and making the content as interactive, interesting, and relevant as possible to your workforce. Now, as always, we'd like to hear from you and hear your feedback. So feel free to drop us a note about any topic you'd like to hear about or a thought leader you'd like to hear from. Our email address is [email protected]. Thanks again for joining us for this episode of the CyberPHIx and we look forward to having you join us for another session coming up soon.