 What's up everybody? My name is Makayla Flato, Unicorn Collector with Defense Unicorns. Hi, and I'm Cal Nandriaki. I'm a Cyber Defense Mission Manager at Defense Unicorns. Thanks for choosing to spend this time with us, and also for the five of you that connected to our pineapple Wi-Fi. No, I'm just kidding. Check your phone. Just making sure we're all right. It's right before lunch, so we really do appreciate you all coming in. And hopefully you're here to learn about cyber security education. If not, we're going to be closing the door soon, so we're sorry you're stuck with us until lunch. It's going to be locked, and they're getting out now. But we're going to go ahead and start with a quick video on a growing attack trend. All right, so this new trend, my Corgi definitely tried to phish me out of my Chewy credential logins. ChatGPT is changing the game. It's lowering the barriers for cyber attacks to the point that my Corgi almost succeeded. I almost fell for it. But I'm curious, when you think about some of the strategies that you all use when you go to look to see if you're getting phished, think about some of those strategies. For me personally, some of the quick checks that I do, right, are things spelt wrong? Or is there bad grammar? Capitalization in weird spots, right? Those are like the quick go-tos. Those are the typicals. Right? As you can see in this email that was sent to me, those don't work. And it took a little bit more effort for me to realize, like, this may not be a legitimate email. So with that in mind, it got me kind of thinking, like, dang, if they can do that with ChatGPT, what can they do with vishing and smishing? Like, when I get that phone call, are they going to have a better script than they used to? With text messages? Sometimes those can be harder if they get more advanced with their text messages. Am I going to be able to tell if it's actually like my bank talking to me or is it right? It's going to get a little bit harder. 
And finally is the social engineering aspect. They get you where it hurts. They do. And so with technologies like ChatGPT and things like that, it gets a little bit harder to think, all right, I love my Corgi. He got me where it hurt, right? Taking care of him, giving him his treats. But, Makayla, they're going to be calling you about things other than your extended car warranty. So, things that I actually care about. It's that social engineering and adding that emotional portion to it to hit you where, you know, you start to think maybe I should click on this because... So, all of this example, really to just kind of hit home, technologies are lowering the barriers for cyber attacks. It's changing very rapidly. It's really quick on how these things are changing. And it's expensive to keep up, right? So, it kind of leads us to the first part of our title, the pretty penny, right? Cyber security or just cyber in general is its own economy in itself. You have a cyber attack and you've run the headlines, right? Yeah. It can cost in the millions. It's getting more and more expensive. It is getting more and more expensive. To the point that a research group felt that they had enough evidence to write a report going ahead and saying that if you take all the cybersecurity damages and you put them together, that that amount is actually comparable to global economies. And it would rank third. That's crazy. This talk, luckily, is not to nitpick the validity of how they came up with their numbers or things of that, but just taking the quick acknowledgement that somebody felt that they had enough evidence to make that claim is kind of scary in and of itself. Normally, when you get attacked and things like that, you kind of think, what about insurance, right? There are insurances for cyber security attacks. That is becoming an area where some insurance companies are thinking, I don't know if I'm crunching the numbers and they're not in my favor. It's very unstable. 
 I'm not sure that there's going to continue to be insurance for cyber attacks. That's kind of scary. On the flip side of the economy where there maybe isn't as much reporting is kind of the idea and the drive of, well, why are these cyber attacks still happening? There is a whole other side of the market, like a black market, if you will, of selling of malware, zero days, access. Stolen credentials are really hot right now. And so they're selling these things. Actually, on my way here, Makayla, you said you're a recruiter. I'm sorry. They're cutting into your talent pool. I saw an article. I didn't go in and reading it as much as I should have. But it was stating that cyber criminals are recruiting six-figure jobs, PTO. Oh. Oh, you know, so I didn't read it. So I don't know if there's like health benefits or 401K investments. But the point is the pretty penny's not going anywhere. Cyber attacks aren't going anywhere. And it's kind of scary if the insurances begin pulling away from that area. Well, then the ownership really becomes on all of us and on our companies to how are you going to prevent cyber attacks? And that's why we continue to see cyber education to be such an important part and an important topic to share, like, what we're seeing works and what doesn't work. And the challenge is kind of daunting, right? The scope of how quickly it's changing, how much technology there is, how many topics there are. That's a lot. So what we would really like to spend most of our talk with you all today is to kind of talk about what we truly believe is going to help you manage cyber security education. And that's integrating it into your workplace culture. So how do you integrate cyber security into your culture? I feel like that's easier said than done. A lot of people think that culture is kind of like a fluffy thing, but it actually takes a lot of work. 
One of the biggest things, the most important thing, in my opinion, is making your culture a safe place to admit mistakes. I know, I don't know about y'all, but I know that if I thought my job was on the line, you know the way I make money, a.k.a. the way I put food on the table, I'm not going to go forward and say, oh, I clicked on that link, or yeah, I sent gift cards to that text message and I shared my password here. I'm not going to do it because I'm not going to put myself at risk and ruin this opportunity for myself. So I'm going to zip it. What would make me more comfortable with admitting to that mistake is having psychological safety. Are you guys all familiar with that term? I'm not going to do the whole like, raise your hands if you feel familiar with that term. If you're not familiar with that term, though, basically it means that you are providing an environment that makes people feel safe and they're not going to be humiliated and they're not going to be punished for sharing ideas, admitting mistakes, bringing up concerns or anything of that nature. So there is something that's very important to distinguish, though, is that are people genuinely making mistakes versus you do, there's a genuine, their lack of understanding, they're not following policies and procedures, and it is truly on them. So before we show you some good examples that Callan and I have put together strategies on how to integrate cybersecurity into your culture, I want to touch on what I consider a bad example. Okay. So cybersecurity should matter to everyone. It does not matter if you are a secretary or a cyber analyst or the CEO. If you're touching tech, then it matters to you. And I believe that this training didn't really do a good job of making people care enough to really invest time and energy into understanding it. 
I don't know how many of you have been integrated in the Department of Defense in any way, but if you have, then you have been subject to this god-awful training called Department of Defense Cyber Awareness Challenge. It was so bad that PewDiePie made a video of it. And if you want to subject yourself to that torture, you can go on YouTube and look it up. And myself and all the comments on that video agree that some of the ways that this training went wrong was that it was a yearly requirement, meaning that people were not thinking about this until the dreaded training came up and they clicked through it as fast as they possibly could because they didn't care. They just wanted to get it done and get it out of the way. I know since then the DOD has updated their training, but for years, for years, the training was always the same, even though cyber and these types of attacks were evolving, they were still teaching us like, hey, if Tina comes to you with this floppy disk and says, put it into your computer and you're still saying, no, that's a bad idea. You're like, okay, that's a little bit outdated. The point I want to touch on with this slide is the things that went wrong were that it was not frequent. It wasn't ingrained in daily habits. It was turned into this, you know, I don't want to say torture device, but people just hated doing it. They weren't thinking about it frequently. And something was that when you got that email saying, you're due for your training, there's a punishment attached. If you don't do this training, you are going to lose your access and you're not going to be able to do your job because we're cutting your access to your computer. Done. When you associate a punishment with the training, you're automatically making it not a safe environment and you're not making it fun or easily digestible or anything like that. 
 And obviously, I mean, I feel bad saying this because clearly we're using a PowerPoint here, but any trainings that are death by PowerPoint just don't hit the mark. They just don't. So I do want to transition to a strategy that we believe works. Man, what am I saying here? Strategy one, encourage open sharing. So something we do at Defense Unicorns is that most of our communication is in Slack. So let's integrate incident reporting into Slack. That's where everyone is anyways. It's easy to access. It's open. And when people report incidents, it's openly shared to all of us. This example right here might be our record holder for the quickest. Audrey has only been here for two weeks. She's a new employee. She barely started and she already received the text message from our CEO, Rob, saying, Audrey, available. And this happens so frequently to us that we consider it kind of a rite of passage. Once you get the text message, you are now an official employee of Defense Unicorns. But we are consistently updating that thread every day of, hey, I got this text message. I received this email. So Audrey was able to identify that and obviously avoid it because she knew that it was not legitimate. Now imagine you have a new employee who doesn't have access to this information and they get that text message and they're sitting there thinking to themselves, oh, crap. The CEO is reaching out to me like, I just started it. I don't want to mess up this opportunity. I should respond. And then bam, of course we joke about it because it typically follows up with a, I'm stuck in a conference room and I need you to go to the store and buy me a bunch of gift cards. Because that makes sense, right? Because it totally makes sense. But clearly you can see that open sharing, putting it in a forum where we all regularly access it and kind of turning it into a humorous situation. Everybody feels comfortable posting in there. Everybody feels comfortable reporting. 
And honestly there have been times where people have posted and said, hey, is this suspect? And people will look at it and be like, actually, no, that's legitimate. You can click on it. All good. So good and bad examples are both in there. Now, we like to joke and have a lot of fun, but in some scenarios it calls for a more serious tone, especially when there's been a bigger breach. So next slide. Leadership setting the tone and leading by example is huge in creating this culture. And if leadership is not bought into this and they don't follow it, the culture is not going to survive. Integrating that cybersecurity into the culture is not going to work. So leadership setting the tone. I have two examples from back in the day, previous workplaces, I won't name, but one bad example and one good example. Bad example being there was a breach handled behind closed doors, swept under the rug. Leadership was not transparent about it. And then when employees finally did find out about it, they were like, well, nobody told me. How can I trust my leadership when they're keeping these things from us, especially when it's leaking our personal data? So you're saying that you found out and it wasn't even anyone in your company that told you all. It was in the news. It was in the news. That's how employees found out about it. That's not a good feeling when you figure out something about your company through the news. Whereas a good example from prior work experiences is same scenario, breach happened, and leadership was upfront about it. They immediately came forward. They owned it. They said, we made a mistake here. We are owning it. And here is what we're doing to fix this problem. And here are paid resources to help you mitigate any risk associated with what happened. Another important part of the good example is that there's a two-way street on communication, meaning leadership didn't just go up there and say, we made a mistake. Okay, now nobody asked any questions about it. 
 Like, we're not going to respond. Employees could ask whatever they needed to to feel comfortable with the situation that happened. Now, I thought that was an amazing response. They were transparent. They were upfront. They provided solutions. There was no scapegoat. Like, oh, unnamed employee did it. I mean, we're solving it, but pointing fingers. Now, no pointing fingers. Let's just get to solutioning, because that's what's most important, right? So, wrapping it up, going to takeaways. These are the biggest things that we hope that you learned from our session is that, number one, cybersecurity should matter to everybody. And what is really important about that is making sure that you're putting it into a format that everybody can understand. Easy access to reporting. Easy access to show what has been reported so people know what examples to look for so that if it happens to them, they already know. And, you know, that yearly requirement, that yearly reminder, no. It just doesn't work. We want cybersecurity to be so ingrained in your culture that it's not a second thought. It's like looking both ways to cross the street. People automatically know. When I get that text message or when I get an e-mail, I'm going to screenshot it. I'm going to go drop it in the Slack channel, and then within 10 minutes, unicorns are going to answer my question and say, yeah, don't answer that. Or they're going to say, no, that's a legitimate one, and you're good to go proceed. Keeping it simple, too. If you put too many barriers in that procedure to report, it makes people not want to do it, because they're like, God, I don't have time for that. I don't have time to do all those steps, so I'm just going to let it simmer, and then a week later they're going to forget, and then, you know, it goes from there. Second step, I feel like it just honestly just incorporated into what I was just saying. I feel like I didn't do a good job of like separating those two. 
 That open sharing is so important, and everybody needs to be on the same page. Whether whatever role you play in the company, if you're touching tech, it matters to you, too. And then the last one, and honestly one of the most important ones, is that leadership needs, needs, needs to be there, and it applies to them, too. They admit mistakes, they own it, they report, and that provides a safe environment for employees to do the same, because they realize they're not going to be humiliated, or, you know, something happened to their job because of it. Yeah, and it's important to note, because some of these things you may be sitting and thinking, like, if I were sitting there, I'd be like, well, I'm not a leader, so I guess, like, you know, I'm not the CEO, or I'm not the CTO, right? You know, fancy C, and then letters, right? So, like, some of these don't apply to me, but that's, that's not the case. Right, that it should matter to everybody, because we're all touching things, but you have a personal investment, right, because if they're going through you, you know, your own personal data is important as well, right? Some of the breaches that Makayla talked about, right, that's your data. Identity theft does affect us all, and so, right, we're all touching technology. But the encouraging open sharing can be as simple as, even if you don't have a Slack channel, or you're a much larger organization, it can be as simple as asking your, your teammate, hey, I got this message, did you get one too, or do you know if this is something, like, is this legitimate or not? It can be as simple as having those conversations. Like Makayla said, we want it to be second nature, the reflex of crossing the street. You don't even think about it, it's just a simple double check that you do, right? You can do that today, you know, no extra effort, really, when you do things like that. But by doing that, it spreads, right? That idea that it spreads, and you can begin talking about it. 
 Well, if you're talking about it, chances are then other people are going to be feeling okay that they can come and they can begin asking those questions. And it's like, well, you know, Makayla's super smart on these things, and if Makayla's asking it, like, shoot, I can ask it, right? But that's how it starts, just little simple things like that that anybody can do. And then the setting the tone, when we think leaderships, there's a vast difference and there's been a lot of articles, gosh, LinkedIn's full of them, right? Leadership isn't a title, right? It also goes down to the role you're playing on your team. It doesn't require a title, right? There are those influential people that I'm sure everybody's worked with that you're like, dang, this person really leads the team and they make a difference and they do these things. And people just naturally kind of follow that person. You may be one of those people. And so everybody can set that tone where there can be leadership in different areas as well. Maybe you're going to be the leader in making the environment feel safe, right? You're openly admitting, hey, I made this mistake. I want to learn from it and making that environment okay to do those things. Those are other things where you can today be a leader without that title. So these are things that can apply to everybody that you can begin doing to slowly ingraining it into your culture. Doing a little bit is much better than doing nothing. And that's one of the big things and the idea of the hit home of integrating it into your culture. Do a little bit at a time versus it being something that you do. You think that you're eating all at once, taking it bite by bite. We realize that there are going to be people in your organization that are going to click on every link just because this one might be the one that's real. And creating that environment where they can come to and admit those mistakes is so important. Back to our title, The Pretty Penny. 
We understand that the first thing that people think about in cybersecurity attacks is that's going to cost a company a lot of money. But here's the deal. And I'm just going to read it straight off of here because the courier is saying it and I want it to solidify with all of you. Cyber security is more than just the pretty penny. Providing your employees the knowledge to identify cyber threats are going to save you millions on the back end. And that's a fact. All right. We are done. So we purposely kept it a little bit shorter. We are right before lunch. We wanted to be aware and empathetic of that. We'd love to hear if you guys have any questions or anybody has strategies that you guys have been seeing that do or don't work in the environments that I'm sure we all can think of good and bad examples. But we're here to talk. The QR code is legit to our website. It's legit. We should have Rick rolled you with it but we decided just it links to the defense unicorns website if you want to know more about like where we're from. Yeah. That's it. Y'all have any questions. OK. You can clap. Josh. Where are you guys going to go to lunch? Yeah. That's probably. OK. Yeah. No please. Yeah. Yeah. How do we deal with the fear of doing work and collaborating with external parties? We have collaborated and being able to reach out. No. That's really sad and I have seen that as a common tactic. Unfortunately of the to the point that you get so paranoid that you don't want to even there. There's a joke that with some of my colleagues that the more and more I learned about cybersecurity and breaches and attacks the less and less I want to be on my technology like that is that is a hundred percent real. But it's so ingrained in everything that you do today. The successes that I've seen in that area and if others have seen other strategies please feel free to share and I'll open it up in a second. But it does go with that safety of the idea of that you're going to make a mistake. 
 It's not a matter of if you're going to get breached, if there's going to be a cyber compromise. It's a matter of when, and then understanding and feeling comfortable that you will have resources, you know what to do afterwards, you know that you have a support network. It's hard when the culture unfortunately has been set into a fear mentality, but that's where I've seen successes, of you take care of your fellow coworkers, right, and you started on a very small scale of, let's talk about it, making it regular, you know. And just because that's the message coming up, there can be a lot of goodness that's happening at the lower levels of just being a good teammate for each other and having those conversations openly, and that slowly starts to make it feel safer, and then it slowly makes it, and it gets contagious and it kind of grows, so. There, no matter what, like, one of the biggest risks in cybersecurity is going to be humans, and if your leadership does not understand that and prepare for that, then they're failing their employees and they're failing their culture. That's, like, why we put this together and why we feel so passionate about this topic, is because it doesn't, it doesn't matter how much training, how much money you soak into training, if you're coming at it from a fear perspective. And like I said, if I think my job is on the line or I'm going to be humiliated or feel stupid, I'm not going to say anything. 
 I'm not sure what your role is at the company, if you have influence on that. I do believe that leadership has a huge part to play in that, and if you can have any influence on leadership or providing that feedback, like, hey, this needs to be different, whether it be this annual training needs to be broken out or we need to start this forum where we can all come together, even if it's, if it's physical and it's on a bulletin board, if that's where, you know, your office is, and you're posting things like, hey, this is the most recent one, this is what the text message looks like, this is what the email looks like, make sure. But having, having that information in heavily trafficked areas is extremely important, and being able to share that. I mean, it should, if people are having to share it anonymously to feel safe, whatever, but so long as it's being shared and the information is out there for others to, you know, identify and say, okay, if that happens to me, now I know. Yeah. Has anyone else seen success with that? I mean, awesome. I love it. Absolutely. Absolutely. Treating it as a learning opportunity as well, not only for the person who made the mistake but for everybody, in a non-humiliating way. You know, it's not like, everybody look at Makayla, she made the mistake, learn from her, because clearly she's not doing it. Any other questions? And you guys might be going to lunch early. Well, thank you all so much. We'll be roaming around and we are in our unicorn shirts, if you guys want to come up and talk later. We're happy to talk to you. Thank you so much for spending time with us. We, we do really appreciate it. Hopefully you guys took something away.