Perry Carpenter: “Don’t be Afraid of Simulated Attacks”

Perry Carpenter is Chief Evangelist and Strategy Officer at KnowBe4, one of the most popular platforms for phishing simulations and building cybersecurity awareness. Perry was previously Research Director for Security & Risk Management at Gartner, and is an expert on what can be called the “human side” of cybersecurity. We spoke with Perry about good password hygiene, conditioning ourselves to create good security habits, and the benefits of continual employee training with simulated attacks.

 What is your overall vision of the state of enterprise cybersecurity in 2017?

The thing that’s been most encouraging this year when it comes to cybersecurity is seeing some of the teamwork that has happened across the globe. So the threats, I think, will always increase — we’re always going to see new attack vectors, we’re going to see new financially motivated crimes, we’re going to see larger and larger data breaches, like the Equifax breach. I think we’re going to continue to see that, but what’s been encouraging for me is, in the wake of issues like WannaCry and NotPetya, or the GoogleDocs phishing event, we’ve seen a very strong international community of people coming together and sharing real-time research and progress on working through these problems. This seems very new to this year, whereas in past years we’ve seen people hold some of that information close and not share it, because they perhaps wanted to monetize it by building the patches, or selling the fixes to one of the major security vendors, and letting that vendor have an exclusive way for mediating the problem. But we’ve seen a lot of open-source, intelligent sharing between security researchers this year. It’s been great.

Do you believe employees are the weakest link in enterprise cybersecurity?

I believe that users in general can be the weakest link. The thing with users is that we’re all human, and we’re all vulnerable based on the way that our brains are wired. Attackers find ways to manipulate us and get us to perform actions that maybe we believe we’re not susceptible to performing, like clicking on a link or downloading an attachment, or violating a policy. And some of that happens in spite of a person’s better judgement. So we can be the weak links, and it’s because of behavior patterns and neurological factors in how we’re wired. The good news behind that, though, is that, like anything that we learn, and have that learning ingrained in us, good patterns can become habit. That’s the good news for us.

So while a user can be the weak link, we have to realize that they are the last line of defense in many organizations. But if we properly use some behavioral conditioning and some other psychological factors around how we train users, then we can channel them into the right behavior so that they can actually become a very strong part of our layered defense model. After a firewall hasn’t prevented something, or a secure email gateway hasn’t prevented something, or an Endpoint Detection and Response vendor hasn’t protected something, there is that last line of defense that is the human. And we would hope that some of the innate pattern matching abilities that humans have can be strengthened, and some of the muscle memory, and psychological habits that people can get in, can become very strong habits over time.

Do you have any employee protocol that you teach or follow to actually improve how they react to potential threats?

We do, specifically in the social engineering context. We are firm believers, and we are innovators in the market, of automated social engineering testing. And the way that works is, you can configure in the system the types of phishing emails, or voicemail phish, or even multi-pronged phish that span email and text messaging and invoice, all to try to drive somebody to take an unsecure action. By presenting those simulated situations to end users, hopefully without warning, and giving them the opportunity to see those, and giving them the training on how to detect the red flags — when you frequently expose people to that, and you tell them the best practices, and allow them to fail safely the first few times, they’re able to build the more secure reflexes that we would hope that end users have.

The key, for me, is doing that type of testing frequently. And where I see a lot of companies fail is that they will do a simulated social engineering test once a year, or once every three months, and that’s not going to train people. That’s just going to show you how bad the problem is. If you actually want to train people, then it’s like anything else in life. It’s like physical fitness, or a habit that you’re trying to create. You have to engage in that in a very deliberate routine pattern, and in frequent intervals. If you’re testing quarterly, then you’re taking a quarterly baseline. If you’re training every two weeks or every month, then you’re actually starting to develop some muscle memory. If we do that, then we’ll see the behavior improve, we’ll see what we call the person’s “phish-prone percentage” go down. Ultimately the attack surface has been lessened, because the habits are what you want them to be. The only way is to have continual testing, so that they’re continually training that muscle and not letting it atrophy.

How do you overcome cybersecurity fatigue? Even simple security steps, like using strong passwords for example, can frustrate employees. How do you communicate to them the importance of cybersecurity?

There is a behavioral researcher out of Stanford University in the US, BJ Fogg, and I love the way he phrases the behavior problem when it comes to people making healthy choices — and security is pretty much the same way. He says there are three fundamental things about humans. Number one is we’re lazy. Number two is we’re social. And number three is that we’re creatures of habit.

In your example, when it comes to creating a good password, you hit exactly on those three things that he mentions. One, we’re lazy: we want to choose the easy password. Two, we’re social: we’re going to have the same habits as the people around us, so if we’re in a group of people and we’re all complaining, then going with the group mindset is the easiest thing to do. And three, we’re creatures of habit: that definitely plays into password mentality. We’ll choose a password, and then whenever it comes time to create a new password, we’ll just put a number on the end of it. We’ll change it from “monkey1” to “monkey2”, and then “monkey3” and so on. So with passwords we see all three of those principles, and the way to effect change isn’t necessarily just to keep saying security is important. We need to reinforce the “why” behind the policy. The critical thing that we have to do is to facilitate the change we want. So that means pushing them in the right direction in friendly ways, ways that they won’t want to rebel against. You can show them that creating a new password is easy, by even looking at the new NIST password recommendations, where they’re talking about moving to passphrases that are easy to remember, rather than these huge complex passwords that nobody could ever grasp.

What are the key takeaways that an employee should get from cybersecurity training?

I’ll boil it down to the most important one, which is: think before you act. The reason why is because if we just go with our default reflex, that could be wrong. Somebody could be playing us based on emotion or urgency, and we might just react. But if we could slow down for a second and think logically, then we might have the result that the organization wants from a security perspective.

Number two would be to create and remember good passwords, and have good password hygiene. And the reason behind that is that it is one of the things that we can fix now. Even though the password management market has a bad rap, it is better than the system that we use mentally. So a product like LastPass or Dashlane or KeePass can help people have this vault for the 50-60 passwords that they have to remember.

Three would be to care as much about your customer’s data as you care about your personal data.

What advice would you give to a company that wishes to stay safe in the new cyber ecosystem, from both the technological and human side of security?

I would say that safety is relative. We live in the age of having to come to grips with the fact that everybody is compromised, every system is compromised, so when it comes to safety, the key is trying to determine how we handle compromise when we hear of it and what mitigating factors we put in place post-compromise so that the same thing doesn’t happen again. For organizations that are wanting to work on the human behavior side, my best advice is to not be afraid of simulated attacks. That’s the only way to know how your people are going to behave when the real thing comes, and it’s the only way to condition them to have the right behavior. When it comes to safety, we have to take the blinders off, know the situation that we’re in, and act accordingly.