Why Do I Care About Cyber Security Awareness?
In this episode of Gone Phishing, Connor Swalm, CEO of Phin Security, shares his personal journey from house flipping to cybersecurity entrepreneurship, emphasizing the importance of human vulnerability in social engineering and explaining why he is passionate about raising security awareness through understanding unique individual risks and engaging directly with business owners to address real-world cybersecurity challenges.
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals. I'm Connor Swalm, CEO of Phin Security, and welcome to Gone Phishing.
Hey, everyone. Welcome back to another episode of Gone Phishing. I'm your host, Connor, the CEO at Phin Security. And today we're going to talk about why I care about security awareness.
This will include a bit of my background, Phin's background, and my thoughts on cybersecurity and why we decided to try and solve this problem.
My Background
In college, I was actually a house flipper. I flipped a bunch of homes in college to pay for my loans. Most people had jobs in college to pay for their loans. I taught myself to do that and learned how to flip houses and paid for most of my loans that way. After graduating, I lost all of my money buying a house I shouldn't have. That's a story for another day. I learned a lot from listening to advisors versus knowing when you're right, not letting your ego get in the way, and so on.
After losing everything, I moved back into my parents' house and lived in their basement. I had nothing to lose, so I started building security tools and coding, something I really enjoyed. I did that for quite a while without talking to anyone. If you ever talk to an entrepreneur and they say, "If I build this, people will come buy it," run the other direction. That's just not how the real world works. "Build it, and they will come" is a lie that only people who have not done it understand.
After getting frustrated with nobody wanting to buy anything I was working on, I decided to go talk with business owners. I ran across one MSP (Managed Service Provider) in that process and asked them a series of questions:
- What do you hate?
- Why do you hate it?
- What tool do you buy you wish you didn't have to buy?
- Which tool do you have budget for that you wish you could pull elsewhere?
- How much did you pay for that?
- How much did you want to pay for that?
- What tools do you buy and not use?
I wanted to know what problems they were already committed to paying for that I could help them with. One MSP mentioned security awareness. They said, "I have to educate my clients, but my clients don't like what's going on. A lot of them just ignore this. Then they keep making mistakes that cause problems." They also mentioned their own internal companies: "My employees also don't like this. My technicians don't like this."
As I asked more questions about how security awareness should work and what the end goal is, it became clear that MSPs wanted two things:
- 1.For people to understand their behavior and change it when it wasn't safe and secure.
- 2.To not spend any time managing dashboards—"stop babysitting a dashboard" is a statement a lot of MSPs make.
The MSP said, "If you just made me a tool that was easier to use, I know 100 people that will work with you tomorrow." That felt like an opportunity.
Understanding the Problem
I talked with many people in the industry: practitioners, people running security awareness training programs, owners of other companies, MSPs delivering it, and employees who had to be the recipients of the training programs. In college, I studied math and enjoyed talking about it. But whenever I talked to anyone about math, the conversation would be over before it started. The same thing happened when employees talked about their experience learning cybersecurity. They would say:
- I don't like this.
- It makes me feel unintelligent.
- It makes me feel uneducated.
- It makes me feel unprepared.
- I don't like the way security folks treat me.
- I don't feel like this is really valuable.
- I don't know why I have to do this.
- This takes a ton of time.
I started hearing it all. These are the people who need to understand basic definitions and examples of implementation, but they're completely turned off to the idea of learning cybersecurity because of the way they've been treated in the past—or feel they've been treated. This leads to them disengaging from the learning process and training altogether.
Changing the Approach
We need to change the way we're talking to people. We need to talk to people in such a way that they understand and don't feel like we're talking down to them. Don't use acronyms. Don't use industry-specific words. Just teach them basic principles and ways they can relate examples from their daily life, such as multifactor authentication and losing access to personal emails.
We also need to educate practitioners and people running these programs: if your end goal is to create additional security, the thing that creates additional security is not the program—it's the change in someone's understanding of their behavior and the actual change in their behavior. They need to know what risky behavior looks like from a personal point of view and recognize it when it happens in their business and around them.
For example, tailgating (following someone into a place of business): people who do this recognize that most people are more willing to be nice than to enforce boundaries. The gap is just explaining why it's important for people to understand why tailgating is a security risk and what their role is in preventing it.
The Bigger Picture
I believe cybercrime is just an inefficiency in capitalism. If someone can spend a dollar to steal ten versus spend a dollar to make two via traditional means, many will choose to steal. If we can shrink that gap, more people will realize the risk isn't worth the reward and will choose legitimate work instead.
Verizon releases a major security report every year—the Data Breach and Investigation Report (DBIR). A big section is dedicated to humans: what are people doing, how secure or insecure are they, and in which ways? In 2020, the report said something like 88% of breaches involved the human element. Some say 100% of breaches involve the human element, since even zero-day vulnerabilities are ultimately human errors in code.
If we got rid of all theft of credentials, loss of access, or clicking on phishing emails, most breaches would be gone. If we educate people to understand what theft of information, access, and money looks like before it gets to them, we'd be closer to reducing cybercrime.
The Goal of Cybersecurity Education
I want people to not feel judged for trying to understand cybersecurity. The two fastest growing industries in the world are healthcare and cybersecurity. Technology is becoming more integrated into our lives. People would find it incredibly hard to operate without a smartphone. Since technology is here to stay, we need to teach people who haven't grown up with it to understand and implement it properly—without feeling dumb, judged, or misunderstood, but instead feeling properly communicated to and supported.
I want to make a world where that happens, because technology and humans will always be here in some form, and they'll have to work together.
That's a bit of the background of Phin, a bit about me, and why we chose to solve this problem. If you have any thoughts or questions, feel free to reach out to me on LinkedIn. I'm very active there and would love to chat with you.
Thank you for listening to me talk about security and education. It was a blast, and I'll see you next time.