Welcome to another special episode of Door Hardware Nerds. Today, we have a very special guest in celebration of Cyber Security Awareness Month. We have our Director of Cyber and Information Security on with us.

Okay, next one. Yeah. I think there's this thought process that because corporations are big and their budgets are big, they can create these strong, incredible cyber programs that can't be defeated. And what we know from reality is our human beings are going to be the reason that all comes crumbling down, right? The human element is the most critical. And to be honest, if I was an attacker, I'm probably not going to try to defeat your firewalls. I'm probably going to send a phishing email or make a phone call and try to be really nice and persuasive and ask someone for their password, and they'll probably give it to me, which is frightening and what keeps me up at night. Because that's really what happens in real life. And there's so many YouTube videos of people calling an IT admin and actually getting them to fall for, oh yeah, sure, I'll give you that information. You're just like, oh no, please don't do that. But yeah, it's why user cyber security awareness training is so critical. The human beings everywhere in your organization are critical to your success in trying to actually defend your environment. Your corporation is only as strong as its weakest link, right? Absolutely. It's scary what these professional social engineer hackers can do. With just limited information, they can really warm up and build rapport really quickly or have enough urgency in those moments to make you want to give them the information, or a very well-worded or crafted email goes a long way to making people do things that they probably shouldn't do. So yes, that education is key, I think, Fred there. Yeah, it's funny to think about this because we don't think about ourselves as computer systems, right?
And we think about Microsoft or some of the other popular operating systems and they have vulnerabilities. And so an attacker tries to take advantage of those vulnerabilities. Well, human psyche has some vulnerabilities too. And social engineers are just taking advantage of that particular weakness in how we're wired to make us take actions that just don't help us. Exactly. Okay, be careful out there. Be careful out there. Absolutely.

Okay, the next one. That's just cruel. This particular one is just really, really cruel. It's like I already included a report phishing button, right? So you're going to click report phishing because, hey, your CISO told you to do that. You know, we've been training you guys and here you are trying to do the right thing and you click on it in the wrong section and then this happens. Goodness gracious, that is insidious. Funny but insidious, very, very alarming. If this is out there for real, that would be tough. Yeah, so just for clarification for people out there, the report phishing button is probably not in the email that it gets sent out with, right? Like it's the extra icon on your Outlook appointment or there's the flag button. Yeah, it's not inside the email. That's kind of a way to make sure that you never fall for this. It just isn't in the email itself. It will be in the mail browser that you're using to read the email. That's where you'll get that report phishing button. If there is a report phishing button inside the email, it's probably alarming in and of itself. That probably is an indicator that you got something going on there that's not right. There's a red flag there, right? Indeed, there is, yes, absolutely.

Okay, next one. That is one way to defeat phishing emails, right? By just not opening any emails at all. It's the greatest challenge in IT and security, right? Where perfect security is a system that's completely not usable at all, right? No one has access to it. They can't do any business at all.
And perfect business agility is no security at all. No passwords, no nothing, right? So you can get in and do whatever you want. So we're always trying to figure that out. And it's kind of funny to think about, well, if we just didn't read emails at all, then we'd never fall for a phishing email. But she probably wouldn't get a whole lot of work done either, so that's that incredible marriage between business and security there. It all played out though, that's really funny. I mean, what are some common phishing attacks, maybe that you could just like give a high level overview or I don't know, we've all gone through the cybersecurity trainings, right? But maybe there's some little tips that you can throw out there to like see phishing emails. Like what's the number one thing you look for, I guess? Yeah, and I think the first thing is the sender, right? In most cases, what I'm looking at is where did the email come from, right? And sometimes hovering over that button, you know, that name allows you to see the actual address. It's not really coming from Amazon, even though it says amazon.com, it's coming from a bad guy at mail.com or something, right? And you're just like, yeah, oh, that's not Amazon for the 500th time I've received this email saying that my Amazon account is frozen. Boy, if it's been frozen, it's been frozen for a while. The other thing I think that's really critical is just kind of assessing the body of the email, right? What are they asking for, right? And in many cases, a phishing email is going to always create this sense of urgency and they're always gonna want you to open something, write a payload of some sort, provide some information. Hey, there's this document you need to get access to. You just need to put in your username and password. Yeah, why is that, right? That username and password, they're just trying to steal it. I think the other thing to remember is tech support companies don't reach out to you. They just don't hire enough people.
For them to proactively call you or send you an email, it just does not happen ever. So Apple is not gonna email you and say, hey, FYI, I always noticed that your system's going slow and we want to come help. They do not. They certainly have call centers. You have to call into them. That's how you get the help that you need. So anything that's a tech support kind of reaching out to you, if you have not initiated that contact, that is almost 100% phishing. You can go ahead and delete that. Yeah, because nobody's got time for that, right? Who's got the mail? Yeah, nobody's got time for that. Yeah, there's just no scenario where Apple or Microsoft is reaching out even by phone. They're just not doing that. That service actually costs money. I mean, having an actual phone call with Microsoft costs money, so there's no scenario where they're calling you out of the goodness of their heart to fix your tech support problem. I wish it was that way, it just is not. There you go, that's helpful, thank you. Yeah, no worries.

All right, next one. Yeah, I love these things. So on Facebook and on these other social media platforms, it's everything except for them saying, so what's your mother's maiden name? I mean, it is so crazy, the amount of information people put into these. Oh yeah, I'm going to share all of the places I travel everywhere, what my high school was, and they're not making that connection between, hey, I'm sharing information that typically shows up in questions for password resets. That's not a great scenario, right? So be very cautious about what you share online. I know you're like, but I'm only sharing it with my friends, but your friends have friends and your friends' friends have friends and before you know it, it gets passed around and then an attacker has access to the information. I love sharing information with people that are close to me, especially in person.
So just be very mindful of what you put on social media because attackers use social media through a process called OSINT, or open source intelligence, and that's how they start their attacks. They really do search your social media in hopes of finding out information that they can use to do an attack. For example, if they know you're traveling at a particular time, they might call a loved one and say, hey, so-and-so's in Bermuda and they've been in an accident, you've got to send us money now, right? That kind of scenario. Well, how do they know that you were in Bermuda? Well, they were on your social media, right? So by sharing information, we could potentially give attackers the kind of things they need to take advantage of a loved one. So always be mindful of those kinds of things and keep your loved ones aware of things in person, not necessarily through social media. Yes, share all the information in the world with the people that you love in person. Yeah, that's right. Love them in person as much as possible. It is a great thing that we have social media so we can stay connected across great geographical boundaries and distances, but at the same time, personal information, things that could potentially be used by attackers, always share that information over the phone or talk to people that you love in person. That's kind of the best scenario to keep yourself cyber-secured. Yes, I agree. And that's coming from someone that does a lot of work on social media. So I have to be careful about what I post. Absolutely, right? Yeah, I love it. It's like, yeah, have you gone to a hospital and you're like, I don't think I should share that information with you. Have you had surgery? How many tattoos do you have? None of your business. Actually, I'm not going to share that with anyone. Yeah, so that's fair, right? There you go, appreciate your time. And I don't know, maybe we'll have to do another one of these.
If people like them, comment below and give us your top takeaway or something like that. Sounds good. And thank you so much for inviting me. And this is a pleasure and I'd be happy to do it again.