
Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
Why Washington’s CISO Says You’re Targeting the Wrong Risk
We discuss the evolving landscape of cybersecurity with Ralph Johnson, emphasizing the importance of collaboration, training, and the role of AI in addressing modern threats. Key topics include motivating teams, learning from past incidents, and the necessity of tailored, engaging security awareness programs.
• Ralph’s personal journey into cybersecurity
• Carrot vs. stick: motivation in teams
• Embracing AI in training and security protocols
• A real ransomware case study and its lessons
• The importance of security hygiene and basic practices
• Role-based training for diverse job functions
• Gamification techniques to engage employees
• The need for ongoing education and awareness
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
Joshua Crumbaugh:Hello and welcome to another episode of Phishing for Answers. Today I'm here with Ralph Johnson, the CISO for Washington Technology Solutions. Ralph, how are you today?
Ralph Johnson:I'm good, Joshua. How about you?
Joshua Crumbaugh:Doing pretty good. So maybe we can start. Why don't you tell us how you got into cybersecurity?
Ralph Johnson:Well, I got into it in a very unusual way. I've been a CISO for 19 years. This is my fourth organization as CISO, but I got into it just working my way up through IT. I did not go get a master's degree in information security or information assurance, although I did consider it at one point. I worked my way up from a network administrator to a desktop support supervisor, to network services manager for King County's Department of Public Health. I got interested in security when HIPAA came out. I remember reading HIPAA and saying, oh my God, this is crazy. And then I read it again and said, wait a minute, now this is going to get me some of the things that I've been talking about, because in the 90s I was very concerned with how we were protecting our information or, in some cases, not protecting that information. I didn't realize I was talking information security at the time, because we didn't even have a thing, right?
Ralph Johnson:Um, exactly. They didn't have a term for it. There was no such thing as a CISO in 1996.
Ralph Johnson:But I saw that as a way to start getting some of the things that I had been advocating for in the Department of Public Health, and so I went and took the CISSP course, took the exam, passed the exam in, I believe, 2002, I think. I'd have to look it up.
Ralph Johnson:I keep forgetting to do that. And since I was the only certified security practitioner, not that I was an expert at any point at that time, the county, King County, had just established the Office of the CIO, it's called the Office of Information Resource Management, and I was given on loan to them for nine months as the county's first security architect, and I created the Office of the CISO and the security program for the county at the time, which was very, very infantile, very rudimentary. And when the position was opened in 2005, I applied for it and got it, and I stayed there in that role for about 14 years.
Joshua Crumbaugh:Wow, that's a great story.
Ralph Johnson:I've been a CISO for 19 years, as I said, at four different organizations. I then moved to be the Chief Information Security Officer for Los Angeles County, a short stint at the Los Angeles Times, and then I came up here, and I've been with WaTech's Office of Cybersecurity as the director of the office for two years now.
Joshua Crumbaugh:Okay, that's a great story. It's funny. I mean, you're talking back in 2002, getting the CISSP. I was still a security threat back then, didn't know much about it. Well, I mean, I knew enough to get me in trouble, but it wasn't really my career yet, because I didn't realize there was a career around this until a little bit later in my life.
Ralph Johnson:Joshua, you're still a security threat.
Joshua Crumbaugh:I try to be. I try to be. Jokes aside, though, one of the topics that I like to bring up and sort of ask everybody that I bring on the show, and I think I know your answer because, you know, we've had an opportunity to work together, but regardless, I do want to oversimplify stuff for just a second here and say you had to choose one, carrot or stick, and you could only use that one. Would you go with carrot, or would you choose?
Ralph Johnson:That is a tough, tough choice because, in my view, it somewhat depends on who you're working with or, in some cases, not working with. But if I had to choose one as the primary methodology that I use, I try to go with carrot most of the time. I try to find out what's in it for them, convince them that it's the right thing to do, and cooperation goes much further than coercion.
Joshua Crumbaugh:Oh, absolutely. I couldn't agree more.
Joshua Crumbaugh:I don't suppose you have any stories or examples of where that's played out in real life?
Ralph Johnson:Well, I can, yeah. As a matter of fact, it's on a project that I'm working on right now, and it's in its early stages, but I'm starting to see a lot more cooperation based on the way I'm handling it.
Ralph Johnson:I don't want to go too deep into, you know, the dirty laundry of Washington State, but historically, agencies have not wanted to work together very closely. They like to maintain their autonomy, their independence, and I'm sure that that's the case with many other states. I know it's the case with the two counties that I worked for. But I've got a project that is massive, and I'm addressing it by reaching out to the different agencies and inviting them to participate in that project, and so far I have 43 subject matter experts across 22 different agencies that are poised to participate in this particular project, and they're very excited about it because it could change the paradigm of the way we do certain things here at the state. And I'm very excited about the fact that I've got that many people across that number of agencies that are willing to work with us.
Ralph Johnson:It's going to be hard to corral all 43 of them, you know, because normally when you have a committee you try to limit the membership to 10, 15 people at the most, but I think we're going to be able to handle it here. And, you know, many of these, some of them, are detractors. Their opinion is, we don't want to do this, we don't want you to do this. But my point to them is, well, if you don't participate, you won't have any input into what we're doing. So isn't it better for you to participate than to sit on the sidelines and then, once the decision is made, if you don't like the decision, fight us about it?
Joshua Crumbaugh:And, from a psychology standpoint, the more time they put into helping to shape it, the more they'll come around to it and like the idea too.
Ralph Johnson:Yes, I believe so.
Joshua Crumbaugh:Sunken cost fallacy, I believe, is the actual cognitive bias. Okay, so one of the topics that I think is required for buzzword bingo, but regardless of that, that I always like to talk about, is AI, and I like to start from the security awareness perspective. Artificial intelligence is really changing things, and very quickly. So what do you think that, you know, people or organizations really should be focusing on when it comes to training their team about AI?
Ralph Johnson:Well, first of all, organizations need to embrace artificial intelligence. It's been here for a long time. We just haven't been so enmeshed in it as we are now. Since ChatGPT4 was publicly announced, it has taken on a whole new meaning in the industry. But artificial intelligence in some form or another has been around, I believe, since the 1980s.
Joshua Crumbaugh:Yeah, and the 50s. Since the 50s.
Ralph Johnson:Okay, I'll take your word for that. I haven't done a great deal of research into the extensive history of it, but everything from assisted decision models to generative AI that can create unique original content. And we talk about artificial intelligence as a block, and there are a number of people, not just in IT, but most of your common citizens, they don't really know the difference between the different levels of artificial intelligence. They see AI and they think about Terminator. Right, they think about Terminator. We're not there yet. Although I did watch a really great movie called Subservience, I believe it was called, the other day, about, similar to Terminator, a robot that a guy buys and it takes over. It's kind of a melding of Terminator and The Hand That Rocks the Cradle. You should check it out, Joshua. It was pretty good.
Joshua Crumbaugh:I have to watch it. So the AI tries to kill him?
Ralph Johnson:Yep, ultimately she does. Yep, yep. Um, anyway, so, as I started to say, organizations have to embrace AI. It's here, it's here to stay. They need to have some level of training in artificial intelligence, not just at the IT level, but at the employee level, everywhere, everything from the janitor on up, anybody who touches a computer. And we need to start bringing artificial intelligence training into our citizens' awareness programs, because AI is changing the world.
Ralph Johnson:AI, and Joshua, I know you know this, AI is making big inroads into making it easier for the threat actors to do their job, which makes it harder for us to do our jobs. We have to now change the way we teach people to recognize phishing campaigns. For example, I was talking with somebody just the other day and they were talking about how they got this phishing email. They recognized it as phishing for various reasons, but they said the grammar in it was so good. One of the things that I've always looked for is poor English, and it wasn't there.
Joshua Crumbaugh:If anything, now it's really reversed, because poor grammar almost indicates that it's a legitimate phish, or, I mean, sorry, legitimate email. Yeah, perfect grammar almost indicates it's a phish, or at least ChatGPT, yeah. But yeah, no, you're absolutely right. It's really changing the threat landscape, and I think, you know, for us people in technology we may see that a lot more than, I think, the average, you know, more non-technical person does. I think for them, they probably don't realize just how much it's changed. I mean, heck, just in the last week, look at how much it's changed. I can't imagine that the average person is staying on top of it either.
Ralph Johnson:Yeah, exactly. On the other hand, artificial intelligence is not necessarily a threat. I can see the future of AI being able to help us in many ways in order to improve our security controls. Yeah, in order to better capture, and this is one form of AI that has existed for some time in some of our detection systems, AI looks for those anomalies that are crossing our network, those anomalous traffic packets that are crossing our network, and it says, wait a minute.
Ralph Johnson:I've never seen you try to do this before, and I'm going to look into this and wonder if you are a threat or if somebody really is, and then it can alert your security practitioners, who can actually look into it, contact the person to find out, you know, if there is actually a person on the other end of it, to find out if it is something that they're doing that's new, right? It can pick up an attempt to encrypt via ransomware a whole lot faster than we as a person can. We have to wait until those files start getting encrypted. AI can watch that traffic and start seeing the patterns to attempt to encrypt, and stop it.
Joshua Crumbaugh:You know, another thing that I'm excited about, and I think there's a lot of opportunity, is around DLP. Getting a handle on your unstructured data in and of itself could use AI, but beyond that, in my experience it's always been so lousy with false positives that it makes it very noisy. And that's where I feel like an AI could come in and really help out, is by, you know, helping to differentiate between just the noise and the actual threats.
Ralph Johnson:So yeah, I totally agree, and traditionally DLP is, you know, if you want to look for social security numbers, well, there are other numbers that might have a similar pattern to social security numbers, so you had to build other parameters around it that say if this data pattern looks like this and these other things surround that data pattern, that's likely to be a social security number, right, or a bank account number or something like that. With AI, it can do that more intuitively, and I think you're absolutely right. I think it'll cut down on the false positives or the negatives.
Joshua Crumbaugh:I completely agree, and I heard about a Blue Team co-pilot recently too. But, you know, we've already sort of, I would say, built, well, we didn't build anything. There's this tool out there called Open Interpreter, but we plugged it into Kali Linux and we started testing to see if GPT could actually hack, and our findings were really interesting. You had to know a thing or two about what you were doing to guide it. But if you knew how to guide it, it would take, like, a modest hacker and turn them into almost a genius, or upgrade their skill level just significantly.
Joshua Crumbaugh:And what I found interesting is that it knew how to use all the tools. The other interesting part was that it was all about that first prompt, where if in that first prompt we gave it instructions that would provide the foundation for it bypassing all of its security restraints later on, then it would continue to do that. But if we didn't tell it that in the very first prompt, it was almost impossible to convince it to do things later. Absolutely, it was interesting, and there have even been recent bypasses in generative AI where all you have to do is tell ChatGPT to replace one word with another one, and so, you know, like, I don't know what word might get censored, but we'll just say, you know, say it's trying to censor the word cat, tell it to replace it with orange. And all of a sudden the censorship's gone.
Ralph Johnson:Exactly, and you're absolutely right.
Joshua Crumbaugh:It's how you craft that first prompt. Yeah, so around AI there have been some really, I mean, it's not necessarily directly AI related, or it can be, but everything from quantum computing with Willow over to, like, photon-based processors, there's been some pretty crazy news lately. Anything that you've heard or seen about that has you saying wow?
Ralph Johnson:I haven't run across anything yet. The topics you just mentioned, I have not seen any articles on those. Don't know whether they've shown up in my inbox or I just have missed them, but I haven't seen anything on that. I just keep getting impressed with what I'm able to do in just ChatGPT and Copilot. It has improved my ability.
Ralph Johnson:I'm not a bad writer, to start with. I've been doing it a long time, but I'm not an English major either. As a matter of fact, I hated English when I was in school, but, you know, I can draft something, and, being a technology professional, my writing is technical, very technical. When I was in college I was trained as a scientist, so I'm very scientific about my writing as well. So I include all this technical stuff, I include all the data, and so I can take my document and I can give it to ChatGPT and I can ask it how to make it better, how to craft the writing so that it's written at an eighth grade level so that most people can read it. And sometimes it'll totally rewrite it for me and I can accept those changes. Sometimes it just gives me recommendations of how to do it and then I have to figure out how to incorporate that, but either way, I have become a much better writer than I was before and, as I said, people tell me I wasn't bad to begin with.
Joshua Crumbaugh:Same, and one of the things I like is their enhanced ability to understand what I say. So I can just turn on the voice recorder and just sort of do a stream of consciousness to it for a minute or two or three or 10. And when I get done, I've got a perfectly formatted document ready to go.
Joshua Crumbaugh:So, yeah, it's really exciting to me. It's changing things quickly. Um, they say that it's going to allow us to potentially live forever. Sometime in the 2030s, our medicine is supposed to get to that point, thanks to AI.
Ralph Johnson:Well, I don't know that I'll make it there, because by 2030, let's see, I'll be in my, well, I'll only be 70. So maybe I'll make it. See?
Joshua Crumbaugh:I mean, you just got to make it long enough and then they can print new organs. That's what I'm saying.
Ralph Johnson:There you go. Well, you know, I love using ChatGPT to craft emails for me. Oh yeah, because, you know, I'm not one of these touchy-feely kind of guys. You know, I don't like to start out with emails that say, hey, how are you? You know, I hope you're having a great day, kind of thing.
Ralph Johnson:So, and especially when it's a complicated email. The other day I had a very complicated email to write and I gave ChatGPT some parameters about it. I said, you know, I'm writing this to this group of people and I want to say this, and it gave me a draft email. I looked at it, I made a couple of changes to it, and then I said, okay, now take this with the changes I've just made, and I forgot to add this item, so incorporate that into the email. And then I read that one and I said, okay, there's something else now I want to say. And it just became iterative, and at the end, in five minutes, I had an email that would have taken me about an hour to write.
Joshua Crumbaugh:Yeah, yeah, and that's, I think, why we've got to embrace AI. I mean, it's a force multiplier that helps each and every one of us be more efficient, do more, and I see it being particularly useful in cybersecurity, because no team is ever big enough. They never have enough people, they never have enough hands to do the job. So the more you can help make them more efficient, the more they can do with the same amount of people. Absolutely. Okay, so let's jump over. We've talked about AI for a little bit. What's the scariest phishing attack you've seen recently, or just in general? It doesn't have to be that recent.
Ralph Johnson:Well, when I was at Los Angeles County, I have a ransomware story from Los Angeles County, and it all comes down to one misconfigured workstation that received a phishing email. So we had a policy, that a lot of other organizations do, that when you transfer a workstation from person A to person B, you must reimage it. Now, that didn't happen in this particular case, and so the workstation had been assigned to an administrator who had extra rights to that machine. It was configured in such a way that he or she was able to do their job, and when that person left, the machine was simply transferred to another employee who was less savvy about cybersecurity, less able to identify a phishing email, and so when one came in, they clicked on it. They got a dropper download. That download then attempted to go outside of the county to pick up the rest of its payload.
Ralph Johnson:I don't remember which variant of ransomware this was. I could probably find out if I wanted to, but I don't recall now, and fortunately we had outbound controls that prevented it from reaching that command and control server to get the remainder of its payload. So we didn't end up having any ransomware issues, because nothing got encrypted, because it couldn't get the part that said go out and encrypt. But what it was able to do is it then infected another server, which was also, I wouldn't say misconfigured, because it was configured in order to do what it needed to do, but that configuration made it vulnerable to this particular malware. Now again, the ransomware could not go out to command and control and get its payload, but both of these machines kept trying to infect other machines, and fortunately, in the end, those were the only two machines that got infected.
Ralph Johnson:But it still cost us tens of thousands of dollars, maybe even hundreds of thousands of dollars, and hundreds of man-hours to clean up the mess and make sure that that malware was no longer in our systems. We had three vendors on site. We had an entire team of IT professionals from across the county, multiple agencies, multiple departments, multiple groups, our central IT, my office was involved, and it took weeks of man-hours, a lot of dollars, to clean up. So that's the story that I tell a lot when I'm advising organizations to make sure they pay attention to the basics, because your prevention techniques, they're great, you've got to have them, but they're not always going to be successful. Had that workstation been re-imaged, it would not have been susceptible to that particular malware. Our malware detection would have caught it, would have stopped it, and only that machine would have had an impact, and it wouldn't have gone anywhere else. Yeah, so pay attention to your policies. Pay attention to the basics, simple hygiene. Security hygiene will help you every day.
Joshua Crumbaugh:I couldn't agree more. I mean, and it's free. Things like hardening that system, I mean, maybe not free, you still have the resources, or your people that have to do it, that you have to pay for, but it's not some added subscription or something like that to harden your systems and to reimage the machine and to follow that policy and to follow that procedure. And when I was a penetration tester, more often than not it was things like that that we exploited. I mean, we would go look for computers on the network that had domain users in the local admins group, which is that exact misconfiguration. And when we would get that, we would dump all of the credentials, and once we had those, we could always spread to other systems. And so, yeah, no, having seen that from that red team perspective, that's exactly what we would have done, and it was always those little mistakes. I remember this one time, it was this New York City retailer.
Joshua Crumbaugh:They knew we were coming to do a penetration test. A couple of days before we actually could do it, the day before we started the penetration test, their head of IT decides to try out this self-service password reset and he leaves default credentials on it, he exposes it to the admin, he connects it to their domain controller, and so we are able to log in using self-populating admin credentials, or default credentials. We didn't even have to look them up, they just self-populated, we clicked, and instantly when we got logged in, it asked whether or not we wanted to sync with a third-party database. So we spin up an Amazon Oracle database, pump all the credentials over there, and within, I don't know, 15 minutes of starting the assessment, we had full control of everything.
Ralph Johnson:Oh, my goodness.
Joshua Crumbaugh:Because of a simple mistake.
Ralph Johnson:Yeah, human error. I mean, it is the one thing that we don't have a technological control for.
Joshua Crumbaugh:Maybe not a technological control, but I do believe in what I like to call human virus definitions, and I believe that's why we phish more than anything else: to implant those virus definitions, or train the person's subconscious on how to better detect phishing attacks.
Ralph Johnson:Oh, I can't agree more.
Joshua Crumbaugh:There's a behavioral science principle called identical elements theory that talks about this, and it explains how, when you buy a new car, you start to see it everywhere on the road. But that exact same principle applies, and so, to me, our subconscious is the body's built-in defense mechanism. It's trained out of the gate to do some basic things, like blocking your face if something's flying at it. But we also have to train it to get better at detecting some newer threats. But I truly believe the more we simulate, and do it in a healthy, positive way for our users, the more we create those definitions and the more resilient that user becomes. Okay, so role-based training. Everyone's talking about it, nobody's doing it. Not a joke. What areas do you think are the most important? I know that's one of those things where you've got limited bandwidth and maybe ability to dive deep. So what are the most critical roles that should be getting trained uniquely for the threats that they face in their job?
Ralph Johnson:Well, obviously, IT. You know, seriously, all IT practitioners, whether they understand it or not, have an extensive responsibility to maintain security and privacy.
Joshua Crumbaugh:They do. You know how often I ask that question, and I almost never hear IT. So thank you for bringing up IT. They are one of the most critical departments. Absolutely. Continue, continue.
Ralph Johnson:You then need to start looking at your workforce base, and everyone has to have, in my view, a minimum baseline. They need to understand how and why we want them to create long and strong passwords, and why we change it on a regular basis, or allow it not to be changed on such a regular basis. You know, I keep telling people that, hey, if you let me increase your minimum password length to 20 characters, I will extend the expiration period to a year. You only have to change it once a year. But they don't want to come up with those characters. I remember once, when I first became a CISO, we only had six-character passwords. I wanted to increase them to eight. I could have sworn these people were going to come after me with pitchforks and torches, like I was Frankenstein's monster, for two extra characters. So they need to understand that. They need to understand that threat actors are out there, not necessarily everything that they're doing, but that they're there and they're trying to get to our information. They need to understand how to recognize phishing, and a number of other things. So that's the baseline for all of your workforce.
Ralph Johnson:Moving up from that, you need to start developing personas, if you will, characteristics about different work roles. Your people who work in finance, they probably need to learn about the security around PCI and why PCI exists. Your people in law enforcement obviously have to know about criminal justice information systems, CJIS. They need to understand that, because that's an additional set of requirements that they, as law enforcement, have to follow. They need to know why, and that's a key to people participating and following the rules: if they understand why we're doing it, they're more likely to follow it.
Ralph Johnson:If you simply say, ah, we're going to require you to use MFA, but we don't tell them why, they get really annoyed with the MFA controls. You need to look at your management, because management, especially upper management, are particularly prime targets for, especially, spear phishing and whaling. Yeah, I don't know if we still call it that in the industry, but that's what I call it, because that's what it's been called for a long time. But I don't know if the terminology has changed, because the industry is always inventing a new term and, of course, yeah, pushing it on everyone. And I love the one called pig butchering.
Ralph Johnson:I didn't know that it actually had a name until recently. I only learned pig butchering as a term. I knew the concept. I didn't know it had the name of pig butchering until about six months ago. That is something that everybody needs to know about, because that is a particularly insidious form of social engineering that bad guys are using that is robbing people of millions of dollars, not just millions of dollars, but their dignity.
Joshua Crumbaugh:That too, yeah, that too. To me all of these are bad, but that is one of the most sickening that there is out there. They use romance to hook the person, more often than not, in the first place, and then they steal every penny, all while, you know, and I guess, all the while, that person's not even real. The person that they fell in love with, that they have even had a video call with, is not real. It's a made-up, fictional person designed to steal their money.
Ralph Johnson:But yeah, I'm on the board of directors for the Cybercrime Support Network, and there's a video on our website about an individual. This wasn't a romance scam.
Ralph Johnson:It was more of a finance scheme, because the individual was interested in a particular topic. As I recall the story, he was interested in learning about cryptocurrency, and they took him for thousands of dollars by directing him to a crypto site, and he even did some research to find out that this crypto site actually existed, but didn't realize that the bad guy was sending him to a cloned site.
Joshua Crumbaugh:You know, one that I saw just the other day, and it's been hitting our YouTube videos just constantly, the comment sections, is this scam where they go and they say, hey, listen, I'm trying to move from this wallet to another wallet. Could you help? By the way, here's my wallet password. And so you log in. It's a legitimate, I wouldn't say legitimate, shady, but real, currency exchange. And so you log in there and you get access to the wallet and there's, like, eight. The scam is that if you try and move it, it'll tell you you have to have a minimum of $10,000 to move the money, and as soon as they put in that extra money to get it up to $10,000, they move the money out and it's gone. But I just thought that one was just.
Joshua Crumbaugh:Oh my gosh, I don't know. I mean, I'm almost a little impressed, because they're convincing the target that they're stealing money from them. All the while, when the target thinks they're stealing the money, they're getting the money stolen. Wow, I don't know, it's some evil genius stuff there, I guess. But I mean, that is social engineering. It's the offensive use of our own psychology against us.
Ralph Johnson:So we're all in it, yeah, and not just phishing, but smishing and vishing, all of those. Everybody needs to learn about those. I've been getting interesting SMS texts on my phone offering me opportunities for part-time work where I can earn up to $5,000 a day, and I'm like, yeah right, sure.
Joshua Crumbaugh:One I heard about today is they're actually shipping packages to people's houses and on that package there's a big qr code it says scan to learn more. Um, and so when they scan it it will hijack their computer, their phone and start, you know, stealing their their personal information off of the device, but they're actually mailing packages to people to get them to install this malware.
Joshua Crumbaugh:Wow, it's just. I mean the level of sophistication and effort that they put into it. I mean it's just, I don't know, it's insane, it is. So. That was really really great information about role-based training. One of the other topics that I always like to cover is making it fun. How do we make all of our efforts across security awareness a little bit more entertaining? I know it's a dry subject matter, but at the end of the day, the more entertaining we can make it, the more the users tend to appreciate it, as long as we don't go too far, to the point where it feels like we're wasting their time.
Ralph Johnson:Yeah, well, we try to do that here at Washington State in a number of ways. We have a set of video modules that we've contracted with a company for, and so we put them together as our annual training campaign, and we've interspersed them with one serious video of a guy standing there talking to you about something, and then the next one is a bunch of characters, and it makes it kind of fun, because there's a vampire, there's a zombie, there's a witch, and they're talking about the same concept, making little jokes about it, and it just turns it into fun. In the one about tailgating, the guy trying to tailgate is an axe murderer. He's holding a hatchet, but he's really nice. He's very, very congenial, you know, and he's just like, come on, I left my key card at home, can you just let me in? But he's standing there with a hatchet, you know, and it's just totally fun. So that's one.
Ralph Johnson:During Cybersecurity Awareness Month in October, though, we have an escape room, a cybersecurity escape room, where teams compete to see who can get through the escape room the fastest. We have cybersecurity-focused quizzes that, every Friday, one of my security engineers, or actually, she's a threat hunter, that's what she does, puts together. After each question, we see the responses that come up and how many got it right, so on and so forth, and she'll give them a little explanation of the proper answer and why that's the proper answer, why some of the other stuff is not a proper answer, and she allows back and forth with the participants. We had another game similar to Clue. You remember the old Clue game, you know, Colonel Mustard in the library. Well, you had to figure out who stole the data and how they stole it and what they stole it on. All these things were a big hit. Not only did we have presentations and workshops and things like that, but we had these games involved with it, and a lot of folks enjoyed those.
Ralph Johnson:I get a lot of feedback on how fun our Cybersecurity Awareness Month was, and you know, we give away prizes. Each week there was a drawing for participants to win a gift card and, as a matter of fact, there was a drawing for someone to have lunch with me, which I'm not sure is a real valuable prize, although he seemed to enjoy himself. He had a steak for lunch. So there you are.
Ralph Johnson:And then tomorrow is where I'm going to conclude it, and that is, we are granting an award to the one agency that has the highest per-employee participation. We track all participants in this stuff. We calculate which agencies' employees participated the most, and we do it on a per-employee basis, because the agency that won only has 30 employees. So if we did it on how many employees alone participated, those smaller agencies would never get to win. So it's on a per-employee participation basis, and amongst these 30 employees, on average each one of them participated in two and a half events during the month. So I'm going tomorrow to their staff meeting to give them a trophy, okay.
Joshua Crumbaugh:And on top of that we have these.
Ralph Johnson:We created challenge coins that we're giving to people who participated, our presenters. As a matter of fact, Joshua, next time I see you, and Crystal, I've got to give you one of these.
Joshua Crumbaugh:You know, I was going to ask you, now, do those challenge coins get them anything? Like, you know, I've got a bunch of challenge coins that, if I throw them down at the bar, does it have anything like that?
Ralph Johnson:Yeah, we can talk about that.
Joshua Crumbaugh:Next time you come to town we'll talk about it. I've got your drinks next time. OK, well, so that actually is a really great segue into gamification. It's one of those things that, again, a lot of people are talking about and some are implementing, but you're doing quite a bit around gamification and it sounds like it's going pretty well. Do you have any thoughts or opinions around gamification, and maybe some tactics that you might recommend?
Ralph Johnson:Not other than I've already mentioned. See, I'm not the one who comes up with these great ideas. I've got a great group of people working with me and they're the ones who come up with these wonderful ideas. This is not my baby. I'm just the head of the division. I personally am not one for games. I don't do video games. I don't play board games. It's not something that I personally think of. I'm probably a little too pragmatic and a little too serious. But I see the results of what my teams are putting together and how they're putting it together, and I can see how effective it is. So I don't really have any recommendations because, like I say, I'm not the one who conceives of these things. I know I've talked to a lot of companies, such as yours, Joshua, and some others that are doing that gamification, and it seems to be pretty popular.
Joshua Crumbaugh:Well, I know we get thank yous every day from your user base just as a result of it. Mostly it's around the kudos and stuff like that. But yeah, I mean, it sounds like you're doing quite a bit on gamification that goes well beyond that. I mean, going and giving a department a trophy, having leaderboards. To me, all of that is really built into that same gamification. It's making it more fun and a little bit less of that adversarial approach that we started phishing with way back in the day, where when all these IT teams first got the tools, it was all let's trick the users, and it ended up with a lot of users almost feeling like they were abused, if you will. And so I know, from my perspective, that's what I like the most about gamification: it's just the ability to reframe why we're doing phishing and, in the process, actually tell them why, which you've hit on a couple of times, and I think it's incredibly important to start with why on everything.
Joshua Crumbaugh:But then make a game out of it. I think it helps to just take or get rid of that negative connotation that can sometimes be associated with it.
Ralph Johnson:Well, absolutely. And you know, when someone does fall to a phishing campaign, don't treat them as if they were bad. Okay, they made a mistake. I don't know if I've told you this, but Laura caught me once. Did she? She did. Her email.
Ralph Johnson:It did all the things that you talk about. It related to a system that I actually use. I read it and it said that your password to this system has been compromised. And it was such a system, I'm not going to tell you which one it was, but it was such a system that I knew if my password had been compromised, I was in deep doo-doo.
Joshua Crumbaugh:That might've been the same one that I made to get people like me. That almost got me a month later. I don't know if it was, but I had one that I literally created myself almost get me.
Ralph Johnson:So I get it. Yeah, and because it just grabbed me so viscerally, I forgot to look at the rest of the signs, because I should have known that that system is not likely to have been compromised. But it just grabbed me. So I clicked the link and Laura said, I got you. So for that month I was considered a moderate risk of falling to a phishing campaign.
Joshua Crumbaugh:Yeah, my wife swore I would never get her. And we got her a couple of times. My favorite one was right after she had bought a new car. The system sent her the, hey, you've got a check engine light on and these three things wrong with your car. And she just got mad before she had a chance to think and clicked on it, and then immediately realized, and she's like, okay, you got me. But wow.
Joshua Crumbaugh:I do think it's important to make it very okay to admit that you clicked on a phish.
Joshua Crumbaugh:And part of the reason is that so many times when people fall for scams, even from the lightest, like they just clicked and nothing really happened, over to they actually lost a lot of money or caused a ransomware attack.
Joshua Crumbaugh:When these things happen, people are always embarrassed and there's this almost instinct to hide it. But the more we talk about it, the more we can share that knowledge and prevent other people from falling for these exact same scams. I think the one that stuck out to me was a student where she and all of her friend group had fallen for the same scam from the same person. Oh my. If any one of them had told each other, they would have maybe avoided it. And ever since, I've remembered that as a really great reason why particularly us people in cybersecurity need to admit it if we've clicked on it. We're not all perfect, and admitting that makes it a little bit easier, I think, for the average user to be like, okay, I made a mistake accidentally. Absolutely. Well, not only that, if you do click on that link, that does put malware onto your machine.
Ralph Johnson:Somebody's got to look at that machine and clean it up so that that malware does not continue to impact your organization.
Joshua Crumbaugh:The longer it's on there.
Ralph Johnson:The worse that breach gets. Exactly, and that's one of the things that I constantly tell my team. And my wife, as you know, is also a cybersecurity practitioner, and that's one of the things she actually has to deal with. Her job is dealing with those users who actually did click on the link, and I'm constantly reminding her, don't treat them as if they're stupid. They made a mistake. You're there to help them recover from that mistake, potentially, if that recovery is necessary. And that's the really important piece: we're all human. We make mistakes. I make mistakes on a daily basis. Just ask her, she'll tell you. Same, same.
Joshua Crumbaugh:I swear I'd forget my head if it wasn't tied on sometimes. Well, I just realized we are out of time. Are we? Before we end, yeah, we're down to just four minutes, but before we do end, do you have any last words of wisdom to leave with the guests?
Ralph Johnson:Words of wisdom. Well, at my age you'd probably think I was a wise man, but some days I'm not so sure about that. But again, don't forget the basics. We in cybersecurity, for those of you in the audience that are cybersecurity practitioners, get so caught up in the latest trends, the latest technology, the latest tools, all those blinky lights on the pretty servers and that kind of thing. Those aren't going to help you if you forget the basics. Forget to establish proper password rules, forget to re-image machines when they go from one person to another, forget to wipe your drives before you surplus your equipment. You can lose so much data that way, even in today's world, where so much information is actually stored in the cloud or on your servers. You never know what a user has left on that drive. Yeah, to the complexities of getting physical access to your data center, and educating your workforce in at least the basics of cybersecurity, and continuing to educate them.
Ralph Johnson:This once-a-year program of putting out a bunch of videos all at once, or a long video once a year. They sit down, they take it in January and then they don't see it again until January. One of the things I like about PhishFirewall is that, yeah, we do that too. We put out this set of videos and we expect people to take it at least, you know, once a year. It takes them about an hour to go through them, but Laura sends them little 30-second vignettes reminding them about little pieces that they probably learned in those videos, reminding them about tailgating, reminding them about making sure that when you get an email from somebody asking you to change their EFT, if you're a payroll clerk, you call the person, don't just do it. I can tell you stories about that too. Some real horror stories there. I've heard a few. Yeah, I can tell you a story about when it happened to a judge in Superior Court once, but that's another time, another place, Josh.
Joshua Crumbaugh:Right, I'll have to make a note to ask you about that. All right, thank you so much for joining us today. It's been an absolute pleasure, and for everyone viewing remotely, thank you for joining us for another episode of Phishing for Answers. Thanks, Josh.