Arguably, one of the biggest threats to security is the people who wish to do no harm. These are the people in the hallway, your employees, your managers, who think they’re just doing their jobs. One wrong click and they’ve opened something they shouldn’t have, and it’s almost always not their fault. It’s for this reason that Michael Crandall views training and education as paramount in improving cyber risk management in companies. The good news is that people are starting to listen. At Digital Beachhead, Michael works mostly with small to mid-size companies in the defense industrial base. In this conversation, he talks about the value of gamification strategies in training employees to be hypervigilant of phishing and other cyber threats.
—
Watch the episode here
Listen to the podcast here
Improving Cyber Risk Management Through Education, Training, And Gamification With Michael Crandall
In this episode, our guest is Mike Crandall, President of Digital Beachhead and recognized keynote speaker, CISSP, MBA and many other acronyms that we’ll get to talk about here in the next few minutes. Mike, we like pizza and cybersecurity. Assume that the crust is a cybersecurity framework and the toppings are the company’s specific flavors, what’s the riskiest topping you’ve seen? What would you equate it to?
The riskiest topping is anchovies because you never know what you’re going to get. To me, that’s your users. That is the people at the end of the line who don’t want to do bad. I’ll have some kittens and I got to click on this beautiful kitten meme that came in from my mom, even though it came to my work mail.
Either that or PayPal, “You’ve got money.”
The biggest one is Amazon. “Your Amazon package is not going to be delivered today like expected.” Such first-world problems. I have to click this right away and solve this issue.
Being an anchovy, does that mean it’s salty? There are people that love anchovies. That’s why we’ve got Pineapple on Pizzas as the name of our show. Pineapple is one of those items that some people have strong feelings about. Anchovies are right there with it. The topic you brought up is much more like pepperoni. Everybody’s seeing that problem.
It’s the ever debate between technology and human resource. A lot of your IT folks like to put in the devices and the software. “I found this new gadget. This new widget will do this.” They forget that the stinky topping on top of their pizza is the person sitting down the hall.
The tools and automation are part of it. As engineers, a lot of engineers love to automate. They don’t think about human factors much anymore. That becomes part of the movement forward there. How many companies have you worked with that had some systems? What was the best way that you saw a company deal with that problem?
We like to say training. We’re always talking about training. The key is trying to make the training fun so that it isn’t that laborer’s chore like, “Here comes that email again.” Trying to gamify it and make it interesting amongst the company. As well as that little thing like, “You have to do the phishing tests.” We got to be testing out and seeing if that training is slumping in exactly.
We worked with a client. The first time through, they said, “We don’t necessarily want to send them and redirect them right to training. If they fail the phishing test, we’d rather see who fails, take the knowledge for ourselves and then we’ll move into the training afterward.” They had one poor individual who wanted their $25 off coupon for Starbucks. When they got the 404 page not available when they clicked the link file, they came back every day that week to try that link again to make sure they could get that coupon. I was like, “Your employees are dedicated to their tasks. Once they get their mind on something, they will work to completion.”
What’s the best way that you found to have that sink in? Any special tricks that you want to share with us?
The gamification and the phishing test to where instead of doing the go to 404 and we don’t know and we realize that you’re after that blank is to make it interesting so that people know the phishing tests are coming. I don’t want to say on edge but is hyper-aware. Advertising out like, “This training you’ve been doing for 2 to 3 months and this cute little gamification, we’re going to try to phish you. We will be this adversary so we want to see what you’ve learned.” Creating a phishing button or something that they can click. Offering something like, “If you get 75% of the phish we send out by clicking the phishing button, you can get that $25 gift card to Starbucks.”
Notify them that you’re going to send out the notification every month. That way, they’re hypervigilant for that entire month looking for your test.
We have clients that come through and say they’re clicking the phishing button and a lot of it is phishing. They don’t even realize that it’s not us. They’re like, “I hit at least 90 of those. I want my $25 gift card.” We’re like, “Yeah, but only three were the ones we sent.” Great job catching all the phish.
Humans are good at processing certain things.
You have to have that momentum or drive.
What’s the most challenging training that you’ve had to do where you’re like, “How’s this going to work?”
A lot of times the most challenging are those folks that think they may know more than they really know. It tends to be your C-Suite and/or engineers. Not to knock on either of those but I’ve had CEOs tell me, “I can’t believe my employees would click on this.” Their assistants will come up and go, “I read through all his emails because I know he clicks.” These things happen and it’s because phishing is more sophisticated. A lot of people still believe it’s the Nigerian prince offering you $4 million if you can only help him get it out of the bank. When they receive very well-crafted and well-designed phishing emails, they’re like, “That can’t possibly be a phish.”
There’s the craziest almost insurmountable training. There was an event that I went to where Dr. Christine Izuakor was presenting on how she did security awareness training. She was for United Airlines and all the pilots that are in the air. Not only do you have pilots who need rest but how do you figure out how to get all of them trained? That was the function and the focus of her challenge. It was an interesting journey to hear about it and how she dealt with it. She had to get on the road and go to their hubs and catch them when they were idle and work around their schedules.
Around their downtime too because you can’t task them when they’re on crew rest.
There’s collective bargaining. Getting them trained in the schedules, the work and the rest. I can’t even imagine but it’s been done. I don’t think there’s any excuse if you can train pilots in the air.
I immediately think of a heads-up display while they’re flying on autopilot and doing the training.
She was like, “We were not taking the course while we were flying the plane.”
That’s when I would put it in. I’ve also joked that the easiest way to train users is to be able to send an electrical shock to the chair or mouse should they click.
It’s always the chair keyboard interface.
It’s sad because the users are our greatest sensor. When we talk about deploying sensors on a network, to me, your users are your number one sensor. Making them feel that way is the key, through training, education and straight-up talking about cyber so that they know, “I’m not doing this to task you. I’m doing this because you are the most valuable resource when it comes to protecting our company.”
Cyber Risk Management: Your users are your number one sensors. Making them feel that way is the key, through training, education and straight-up talking about cybersecurity.
As a CEO or leader, you’re always concerned about what keeps you up at night. Making sure people are doing the right thing, especially when nobody’s watching is on the list when it comes to cyber awareness.
I like to walk the walk. I would never task anyone with something I wouldn’t do myself. I’ll take the training too. I’ll be on that leaderboard.
With that keeping you up at night concept, what keeps you up at night in your role as the leader?
We have a diversity of clients doing cyber risk management. As our clientele, we work a lot with the defense industrial base. We have a lot of threat actors that we worry about beyond the user and the poor person being clicked. It’s the, “What happens next?” Typically, if you can see an intrusion, they’re clumsy. A good intruder, you won’t know they’re there until long after they decide to take action on that intrusion. That’s what keeps me up at night. Coming from the military and the DOD background, we’ve seen some of that in my past life. If I see you, that means you aren’t that great. It’s the ones we don’t see that cause me to worry.
I’m with you on that one. Even more so working back at the things that have happened can make you step back and go, “This problem is bigger.” We want to admit to, even acknowledge or fathom.
It’s scary because we deal mostly with small to mid-size who aren’t expecting a nation-state hacker to come after them. My first response is, “Whom do you work with?” Almost always, they’re providing something to somebody. If that somebody is someone you think the nation-state would be interested in, do they want to pound on Fort Knox to try to get in or come into your little 7-Eleven and see if it can go through the back door to get in?
Jiggle the locks and try. Your IP address looks like their IP address. Your emails look like their emails. Welcome to the world.
If they have 100,000 employees and a major defense contractor, they probably have some defenses up. When it’s 50 people and your cousin Jim is the IT director because he spelled IT in a meeting, that makes it a little more interesting of a target for them to approach.
Organizations at scale are tricky, that’s for sure. There is scale happening there.
I like to refer everything to as the analogy of a house. If your doors and windows are wide open, they’re going to come through. If you’ve got an ADT sign, some lights and cameras, they may pass by.
At least from the perspective of the deterrents, there are a lot of interesting things happening in deterrence. Would we argue they’re effective? I would imagine no. There’s no question that our lawmakers, as well as industries, have figured out that they’ve got to do something. That’s tied to the issue of generally what we would describe as statutory, legal and regulatory requirements. What do you think is the biggest challenge in meeting the regulatory or statutory requirements?
The biggest one is the confusion about what is compliance. I jokingly talk when I’m with clients, at briefings or places like this, two-factor authentication. My wife comes in and says it’s me and then I log in. There was one factor and there was another factor. Did I secure anything any better by doing that two-factor authentication? No. What I did, according to a compliance standard where I can check a box that says, “Do I have two-factor,” yes. It’s that marrying together security and compliance so that your compliance provides you with what it’s intended to do, which is a higher level of security.
The biggest challenge always is making it relatable, regulatory or statutory. Let’s face it. There are very few considerably technical people out there. Globally, there are seven billion people in the world and so is the percentage of people that know in depth what to do. I do wonder often about that challenge of understanding what the comparison is. One thing that we’ve heard in the past is that compliance is like a seatbelt but instead of 1 harness and 1 click, there are 100 of them because there are 100 different controls for the user. Passing the seatbelt law and getting people to wear seatbelts was hard.
It’s the lack of understanding of small to mid-size businesses with their cousin Jim that’s the IT person. I often say the IT department is so busy keeping the lights on. The printer’s printing, the email flying. It’s not that they’re unaware of cybersecurity but do they have time to go, sit down and come up with a strategic plan for how they want to implement cybersecurity? When you’re saying, “How come I can’t get to this file every twenty minutes,” they’re never going to get around to, “How do I protect that file?”
The most aware person in terms of protection and security is not of the digital variety. It’s my wife and our child. I put the kid in the seatbelt in the back of the car. “It needs to be up on his shoulders. No, this is too tight. It’s supposed to be like this.” She’s the most compliant when it comes to how it’s supposed to be. Sometimes what you get with people and personalities is that some are going to be more diligent and others are not. That’s just people.
I find that our rule sets, compliance and regs are going at a snail’s pace when technology’s going at the speed of light. How do you keep up?
How have you found to keep up? Is there a way that you’ve found it works?
You can never get ahead of the curve, which is a blessing that we dream up new and better ways to fix things. The bad guys are dreaming up new and inventive ways to break things. I like to talk about the myth of cybersecurity. If you feel you’re going to get secure one day, you’re already behind the boat. It is about risk management, coming in and saying, “What steps can I take? What things can I afford? What things can I program for down the line?” You have to do the best you can with what you have but never think that’s it. You’re always progressing, growing and looking.
I do a lot of briefings on that where I talk about the myth. Everyone’s like, “I want to be cyber secure.” I’m like, “If our US government spends hundreds of millions on cybersecurity and they get breached, a small business that makes $10,000 a week is never going to be able to spend hundreds of millions on cybersecurity. What do they do? Give up? No.”
That takes us to the next question which is, what excites you about the future? What do you see happening in compliance, cybersecurity and cyber risk management?
For me, because it’s ever-growing, what’s exciting the most to me is that people are beginning to care and listen. A lot of the small businesses used to be like, “I’m too small. Who wants my data anyway?” I relate it to them. There’s the Ocean’s Eleven movie and The Big Heist. Everything has to move exactly right. If that happens, you’re going to get a big score.
That’s what you see on the news. Those are the big breaches. How many convenience stores were robbed? Hundreds of thousands across the world. That’s your small-time hack. That’s you, the small business owner that’s going to be breached. They’re not going to get the big score but they get enough of you. They’re going to be able to collect pieces of information together to do something with it. For me, the excitement is those small businesses finally going, “We need a little help here. Can we do anything,” instead of ignoring it because they feel it’s a bridge too far.
Tell us a little bit about yourself.
I’m an Air Force retiree. I did 20 years in the Air Force, 12 of that overseas. I designed with a team back in the early ’90s something called the Air Force Barrier Reef Project. The whole idea was to create a DMZ and have boundary, defense and depth. It later became utilized under a different name across the entire Department of Defense.
I was fortunate enough to be a kid in a room playing with computers. That was a great start. After I retired, I didn’t know what I wanted to do. I went to work with a big government contracting company. I learned how to do contracts and run a business on my own by trying to listen to everyone around me. When they got bought and I got let go, I said, “I’m going to jump in and figure this out on my own.”
I started Digital Beachhead to see if I can work for myself and be my own boss. I hadn’t been my own boss since I joined the military. It’s been an adventure. I like to joke that I came in with the retirement so my mortgage was covered. My overhead was depending on Starbucks in the morning. I could have a low overhead or a higher overhead depending on what I was drinking.
How long have you been a CEO at Digital Beachhead?
I started up in late November 2015. I started in federal contracts because that’s what I knew and then slowly branched out into small to mid-size businesses. The name comes from a performance report. We get annual performance reports from the military. I said, “I secured the Digital Beachhead for the Department of Defense.” To which my commander said, “I was full of it. How dare you write something so grandiose? “I’m like, “Who’s protecting this, that and the other?” I described what I thought the Digital Beachhead was, which was not a frontline but all around, anywhere there’s an IP.
That immediately went to, “You’re right. We are securing the Digital Beachhead.” It went from “I was securing it,” to, “We were securing it.” Two years after it was on my report, it made it to a speech by one of the undersecretaries of defense. He included Digital Beachhead. I bought the LLC even when I was in the military and said, “I need to own that one day and do something with it.” That was me. I decided one day to grow up. I don’t know.
Speaking of growing up, if you go back in time and give your younger self some advice, what would that be?
There was a quote I learned when I was training with the British, “Who dares win.” I wish I knew that when I was younger. I wish to not be afraid. If you’re not willing to stick it out there and put it all on the line, you’re never going to know what can be achieved. Failure isn’t a failure. Failure is a lesson to success. What I would’ve told myself is, “Don’t be afraid.” That would’ve been with dating, business, and life in general. Dare.
The famous cliché is from Thomas Edison. He found 1,000 ways not to build a light bulb.
Until it works, it doesn’t. You got to fail before you succeed.
What do you do outside of work?
I started a nonprofit. I’m an Afghan veteran, so I started Afghan Promise. We’re trying to get those at-risk Afghans out of the country that we made promises to. I’m feeding. We’re sending food to those Afghans while they wait for our government to do the paperwork to get them out. That takes up a bit of time. I like to golf, photograph, watch movies and hang out with my wife. If she’s reading, that’s the most important one.
How do we find you and this nonprofit?
You can always reach out via our website, www.DigitalBeachhead.com. I’m on LinkedIn, as well as Digital Beachhead on LinkedIn. Afghan Promise is AfghanPromise.com. It’s a 501(c)(3) so it’s tax-deductible. I’m always happy to have people give what they can or at least spread the word. I keep joking that all I need is one tweet from Kim Kardashian to say, “Give me $1,” to all of her followers and I’m good.
Also, Elon. Let’s see who gets first.
Anyone who’s got hundreds of millions of followers who are willing to say, “Just give $1.” That’s all I need. Just one tweet requesting $1. I am small.
It’s in your nature. I can tell by talking to you. Mike, thank you very much for being on our show. We appreciate it. It’s great to get to know you and hear some of these great ideas that you’ve got. We look forward to sharing those. Readers, thank you for reading. We hope you’ve learned something, laughed or told some jokes either about us or with us, and enjoyed the show. That’s it. This has been another great episode. We’ll see you next time. Thank you, everybody.
Important Links
- Digital Beachhead
- Afghan Promise
- LinkedIn – Mike Crandall
- Digital Beachhead – LinkedIn
About Michael Crandall
Mike is an internationally recognized cyber expert, speaker, consultant, and business owner. Mike is the founder and current CEO of Digital Beachhead, a Veterans Administration-certified Service-Disabled Veteran-Owned Small Business (SDVOSB) that provides Cyber Risk Management, Information Technology, Program Management, and Professional Services Headquartered in Colorado Springs, Colorado with offices in Virginia, Nevada, and London Ontario Canada.
Mike began his career in the United States Air Force (USAF) serving 12 years in Europe where he was a leader in designing, securing, and managing the emerging technology of networks. His ground-breaking team developed the USAF “Barrier Reef” defence-in-depth concept introducing the idea of creating Demilitarized Zones (DMZs) within a network.
Was named the 50th Space Wing Information Assurance Professional of the Year for a record 6 years in a row from 2005 until 2010 when he retired. He was the Air Force Space Command Information Assurance Professional of the Year for 2005 and the 14th Air Force Outstanding Information Assurance Program Manager of the Year for 2010.
The term Digital Beachhead was coined by Mike in 2005 on a Military Performance Report and later used in 2008 by United States Deputy Secretary of Defence William J. Lynn III in reference to an intrusion into the Department of Defence Information Systems.
(Education)
Western Governors University
Master of Business Administration (MBA), Information Technology
Western Governors University<
BS, Information Technology Security
