Cyber Awareness Training that actually works, with Mike Ouwerkerk

Posted on July 26, 2023 in Podcast


In episode 33 of REDD’s Business and Technology Podcast, get ready for an insightful interview with cyber awareness expert, Mike Ouwerkerk. Hosted by Jackson Barnes and co-host Brad Ferris, the episode explores the crucial domain of cybersecurity awareness training.

With Mike’s wealth of knowledge at the forefront, the discussion delves into the importance of creating engaging and interactive training sessions. Emphasising the value of periodic refreshers, Mike underscores the need to keep employees well-informed and vigilant against evolving cyber threats.

On the challenges of remote training, Mike highlights how much having participants turn their cameras on improves the session. He also discusses the nuances of simulated phishing attacks, cautioning against reckless testing that could damage employee morale.

As the conversation continues, Mike addresses the current state of cybersecurity awareness, noting that there are no standards governing what awareness training must teach. He sheds light on often-overlooked fundamentals, such as how to read a link and work out where it actually goes.

Looking ahead, Mike shares his vision of extending enterprise training to foster profound cultural changes within organisations. Amidst the surging demand for cybersecurity awareness, his unwavering dedication to cultivating resilient security cultures emerges as a guiding light for businesses seeking fortification against malevolent cyber threats.

Join the conversation for Mike Ouwerkerk’s practical, engaging take on what makes cybersecurity awareness training work, and what businesses should expect from it.

#CybersecurityAwareness #TrainingInsights #DigitalSecurity #InfosecExpert #CyberThreats

00:00 – Opener
00:20 – Intro
00:48 – Mike’s career history background
03:19 – Why is Cyber Awareness important?
04:16 – What forms of Cyber Awareness training are currently available?
07:01 – How often does Mike do workshops?
09:19 – AI keeps getting clever, how does the training adapt to this change?
11:02 – How many businesses actually undergo Cyber Awareness training?
13:36 – Employees and staff engaging in Cyber Awareness training
16:11 – Other ways to engage people in Cyber Awareness training
18:21 – Mike’s best “Cyber Awareness dad joke”
19:17 – Thoughts on Password Managers
21:13 – Mike’s thoughts on the current Cybersecurity industry in AU
23:23 – Small businesses relying on MSPs
24:20 – Mike’s opinion on the state of Cybersecurity in AU
27:29 – Thoughts regarding Phishing attacks
29:31 – USB turned into a bomb
30:34 – What’s next for Mike Ouwerkerk?
33:01 – People not turning their cameras on during remote sessions
34:57 – How to reach Mike Ouwerkerk
35:29 – Outro

If you would like to discuss any of the topics discussed in this episode further with a REDD expert or if you would like to be a guest on the show, please get in touch either via our website, [email protected] or through any of the links below.



Show Transcript

(00:02):
Yeah.

(00:20):
Hello and welcome to REDD’s Business and Technology Podcast. I’m your host, Jackson Barnes. And I’m co-host Brad Ferris. And today we’re sitting down with Mike Ouwerkerk, who’s the director of Web Safe Staff, with over 20 years’ technology and cybersecurity experience helping mostly Australian companies massively reduce their cyber risk by empowering staff. Mike, thanks for coming in today mate.

(00:39):
Hey, thanks for having me.

(00:40):
No problems. Did you want to start with your background, from way back when you started in the tech space? What did you do then, and how did that transition to cybersecurity?

(00:48):
Yeah, we were kind of talking about this before. We both have a bit of background with Ton Young, me and Brad. Yeah. And I was telling him something that maybe I shouldn’t, but yeah, except that

(00:58):
It’s totally up to you mate. Do you want to disclose that?

(00:59):
No, I started in tech in London in 1990, geez, 96 or something. And I didn’t really get into tech, I more blagged my way into it, I guess. I borrowed my mate’s CV and put my name on it and sent it to his agency and then ended up sitting in front of the CIO of Stead Young UK. Yeah, well I hope she doesn’t listen to this. What have you been doing? Yeah, it looks great. Can you start? I’m like, yeah. So I start and I’ve got no idea what I’m doing. None. Wow. But I just learnt fast and did well and I enjoyed it. So I stayed in it and then came to Australia and kept in it. Did tech stuff, desktop support, systems admin, that sort of stuff, then IT consulting. And that was where I got into the awareness stuff, because my clients were getting hacked.

(01:51):
What’s going on? I’m having a look and people are just clicking on random things and I’m like, there’s a serious lack of knowledge here. So while I was doing that, I fired up Web Safe Staff, started putting together some courses and stuff and they were pretty ugly. I look back at them, I keep my versions and God, it’s embarrassing, but you were evolving there, and even so it still made a massive difference. So I’m like, well, I might keep doing that. And eventually I just transitioned fully over to Web Safe Staff, that was about seven years ago, and just focused on live training, right? Because it works quite well.

(02:25):
In person live, or video live?

(02:27):
Look, on site right in front of ’em, or Teams or Zoom, just whatever they want. But it just works quite well because they can ask questions, answer questions, share stories, that sort of stuff. So I quite enjoy it. I get to sort of muck around, be myself, crack bad jokes, be witty, be cheeky, have fun. Hopefully I don’t push the boundaries too much.

(02:53):
Yeah, sometimes you’ve got to, to keep people interested in talking about technology or cybersecurity for a long period of time. So that is a constant battle that has been, and is going to be, the forever challenge: getting people to actually listen to cyber awareness training, I think. So I’m keen to get some insights from you today, Mike, around (Sure.) what actually works and what forms there are out there and what that industry is doing. So look mate, let’s start by rolling it right back: why is cyber awareness important?

(03:22):
Stats: 82% of breaches are through people, according to a report last year. So most breaches are through staff. It’s that simple. They’re just massively targeted. So if they’re not prepared, if they don’t know how to spot scams, how to deal with it, they’re going to get tricked. And that’s just what we see, so much of it. And there’s so many ways they can be targeted now. So that’s why it’s important. I mean, you guys know the deal, people, process, technology, there’s three parts you’ve got to deal with, you’ve got to do them all. But really the quick wins are probably on the people side if you do it

(03:59):
Well. Yeah, I think you’re right there, that definitely the quick wins are on the people side. Some of the technology controls and processes you put in place definitely help you minimise the impact when someone gets through, but they’re a lot more costly than doing an annual workshop or that kind of thing. So let’s actually go into that. So what forms of cyber awareness training are out there currently?

(04:22):
There’s quite a lot. There’s obviously the prerecorded content. So you’ve got your providers that will do stuff, you know, sign up per person and you get to see all their videos and might get one a week. Or you can just work through the stuff at your own pace. And some of them have some good stuff. It’s quite engaging, they put some metrics around stuff as well. And you’ve got phishing testing. I think there’s a fine balance for me. So when I look at some of that online content, some of them are dead boring and you just go, oh my god. And I know I trained a company just the other day and they go, yeah, we got that and we just click next. I just go, yeah, okay. Some of it’s actually quite good, some of it’s quite entertaining. But I would just say there’s a bit of a problem in that sometimes you’ve watched a really good video on TV, like an ad on TV, and you watch it and you go, oh, it’s really good fun.

(05:21):
And then someone says, what was the product? You go, oh, I dunno, I’ve got no idea. So fun is good but it can’t be all fun. So striking a balance. Some companies do it quite well. And then moving into the live stuff. So some companies do live stuff, probably not many. There’s me in Brisbane, there’s a few others that do it. And that’s good because you can actually keep it quite engaging. You’re actually talking to people, you’ve got their attention, you’re telling stories, it’s all current, you know, you can have a mix of content and that works quite well for companies.

(05:58):
So how many people can you have in a room at once?

(06:00):
The most I’ve done is 50. Look, there’s no limit. It can be a hall of 400. It just kind of gets hard for people to ask questions. You sort of reserve that towards the end. Generally speaking, 15 is a good number, but look, if you’ve got to crank through the numbers, you’re going to have more. Right.

(06:18):
So if you’re doing a company-wide type thing and it’s a bigger company, would you just break it out into multiple sessions? Is that how it usually works?

(06:25):
Yeah, absolutely.

(06:25):
Over the course of...

(06:26):
Yeah. Often I give them options. Say, look, do you want to do it in five sessions or 10 sessions and spread it out over a month or something like that, or a couple of weeks? So yeah, there’s lots of options for how you do things.

(06:36):
So you do more like the in-person workshops. And how often would you recommend a business does the cyber workshop, once per year, or how often?

(06:45):
It depends on how good the training is, honestly. So if you’re doing really crappy training, you probably want to be doing it more, but then really what’s going to happen, people are just going to next through it anyway. So what’s the point?

(07:00):
What about the live workshops that you would do? How often do you go back?

(07:02):
Yeah, look, generally speaking once a year, but there’s more to it than that. So in my space there’s the ABCs, right? Awareness, behaviour, culture. You do awareness training and you want to change behaviours. And then you strive for a culture around cybersecurity awareness and that takes a bit of effort. So you can do awareness training, but what I find is companies that engage me, they might do awareness training, but they dunno this stuff. I come back a year later and they’ve forgotten stuff. So you’ve got to keep things going in the middle. And that’s where you keep doing these initiatives. And there are ways for companies to do that themselves.

(07:41):
Do you have a combination, in person and then follow up with one of the online-type courses?

(07:47):
Yeah, look, it’s whatever they want. For me, I can do in person, and then my refresher might be online a year later. And we’re currently putting together packages for big corporates around cultural change. So it’s quite structured. Generally speaking, you can go in and assess their current state. So look, what do your people know? What are you worried about? How are you targeted? And then you can start thinking about putting together some branding around your campaign and build ambassador programs internally and say, we’re going to use your people as the central point of questioning and they can stand up at meetings and things like that. And then you get into training and then you get into reminders, and you want to measure it and it wants to be repeatable and you want to improve it. So it’s quite a structured thing. So I’m currently looking at that for a bigger company in the next few weeks, but that’s really where the big companies get to. They want to build this culture around this stuff. Generally speaking, the smaller companies, no, they won’t do that stuff, but they should.

(08:46):
Yeah, there’s definitely a lot more to it these days. And to be honest, I’d argue that if you do cyber awareness training once per year, in 12 months’ time threat actors are so different to what they were 12 months ago. The threats are getting smarter and smarter and they’re doing scripts with AI these days and that kind of stuff for getting other people to call, and the way they get in, and the way that social engineering has changed over the last 12 months. Right? Yeah. You know, having MFA, you were fairly secure, I feel like, a couple of years ago. That’s just getting more and more clever with social engineering. So the training you do would have to be continually evolving as well to keep up with that.

(09:23):
Some of it. With good training, it should be based on simple rules. So the rules that I teach, so the examples I show, absolutely that changes and they’re doing different things every year and it is evolving, but it should come back to simple rules that cater for no matter what the crims are doing. And if you can get that across, that’s the key thing. And you show different examples and then you follow up with a rule going, just do this. Right? Simple thing. An example: not giving out confidential information unless it’s in person and you see the person. You go, cool, I can see you, I know you, I trust you, I can give you confidential info. But now with deep fakes, right? Deep fakes are turning up and that’s a real problem. Someone’s going to ring you, they forge the phone number and you say, hey, it’s your partner, I’m stuck at a checkout and they need the credit card. Well, the rule is don’t give out confidential information unless it’s in person, and if it’s not in person you don’t, because of deep fakes. So you’re going to have to get into: prove they are who they say they are, or even doing things these days like having a password, which is kind of like spy stuff. What’s the password? Okay, cool. Hey, so if you can keep the focus on the rules but get there with examples, lead into it, then often you don’t need to change the rules, you just need to change the examples.

(10:46):
It really does feel like when COVID hit, the world went to looking everywhere and spreading information everywhere. Now that cybersecurity is getting more and more important, it’s kind of: get face to face with someone and deal with local businesses more and that kind of thing. So that’s an interesting change. But in your experience, what percentage of businesses actually do cyber awareness training?

(11:09):
Look, the bigger they are, the more likely they are to do it. A lot of them are mandated because they’re doing frameworks, they’ve got their ISOs and lists and stuff like that. And it’s either mandatory or it’s suggested, so they do it, they’ve got funds, they’ll get an awareness person maybe if they can, or outsource it. But generally speaking, the smaller the company you go, the less chance you’ve got of them actually doing it. My stuff comes from referrals because I deal with companies and you guys and they go, well, chuck ’em at it, or you’re doing this, you’re ISO, you know, got to do it. So they’ll throw it my way. Otherwise they probably wouldn’t do it. Sometimes they train companies after they’ve been hacked, which is like a funeral, and I’m sitting there, I’m training them, because normally the session’s a lot of fun. That’s the key thing. If you can make it fun, people are actually engaging, and I’m doing these sessions and I’m just going, they’re kicking themselves, right? They’re just going, oh God, I wish we knew that. I’m just

(12:09):
Going, yeah,

(12:10):
That’s horrible. Yeah, still good, because that’s learning stuff and it won’t happen again, hopefully. But yeah,

(12:16):
Probably listening more though after being hacked.

(12:18):
Oh yeah, yeah. They were into it. Especially the people that got tricked. I had that recently. I trained a company, they were a reasonable size, they had to split it up into a couple of sessions across their offices and yeah, a few people missed the training. They ring me back a few weeks later and go, oh, can we get one more session? Yeah, it’s cool. There’s three people. Okay, and why just three people? They missed the training. I go, okay. And they go, yeah, that’s the finance team. And I go, no, there’s more to this, isn’t there? Yeah, yeah. Well, they got the old invoice from a hacked account and the payment details were changed, and it’s kind of frustrating because I taught them that.

(13:05):
And you mean you taught everyone else except the accounts team?

(13:07):
Except the people that missed the session. But I’d still given them the stuff, I give them post-training steps: do this, get these procedures in place. So you can lead a horse to water sometimes. And that’s why I’ve got to keep it going, because when I do keep it going, I go out there and go, how are you guys going on this? Yeah, did you do that last time? If you didn’t, why?

(13:30):
Well, that’s a good segue to the next question, which I’m sure you’ve got a lot of answers for, but how do you actually get employees and staff engaged in cyber awareness training?

(13:40):
Home use. Make it about their money, make it about their kids, make it about their information. So it is kind of weird, but when I teach it’s pretty much all about home use. So all the examples, the stories: hey, this person got their bank account ripped off, this person’s identity got stolen, your kid’s photo is online and they’re turning it into a deep fake porn image and blackmailing them, and all that sort of stuff. You’re still backing it up with solid rules and I’m still throwing company stuff in there, but the whole time they’re thinking about "me", right?

(14:16):
So

(14:16):
There’s a personal impact. If you want people to change, you’re making ’em dissatisfied. If you want to make ’em dissatisfied about their work getting hacked, they don’t care. That’s your problem. When you take it home, now it’s their problem. They’re dissatisfied. So you relate everything to home use, or as much as you can, and it’s all relevant to work. They’re not going to forget that stuff. They’re not going to come to work and go, now I’ve forgotten how to read links, right? Doesn’t happen. So for me, oh yes, it’s massive.

(14:47):
And how long is a typical session?

(14:49):
About an hour and a quarter.

(14:50):
Okay. It’s not too much, it’s not too long.

(14:51):
I used to have ’em quite a bit longer when I first started this ’cause I had so much content, I was like, oh my god. But over time, with feedback, I’ve managed to just get it really concise, and you deliver it enough and you get your wording good too, right? I mean, I just wrapped up 300 sessions for Queensland Councils and they’ve got their own course, but it’s close to what I deliver anyway. And I tell you, you just get so refined with how you deliver it.

(15:16):
Yeah,

(15:17):
You just script it in your head, exactly what to say. Just to minimise the delivery time but avoid confusion. Just, yep, really plain English, simple.

(15:27):
So yeah, it’s interesting you say that, home use, ’cause we almost talk the opposite when we talk about cybersecurity, right? ’Cause we like business and IT managed security services. We usually talk to the business impact of being breached. We don’t really ever go into home use. Well

(15:42):
It depends on the audience, right? You are probably talking that way to the people who are going to engage you. But when you get the people in the room, you’ll be talking about the home use component when you’re actually delivering, I’d imagine,

(15:54):
I mean, I have to get people caring about cybersecurity. You guys do tech and processes. That is the business, that’s a business thing, and the people aren’t engaged in that really. But yeah, I just want them not getting tricked.

(16:10):
What are some of the other ways you’ve got people engaged in cyber awareness training? ’Cause you’ve done hundreds and hundreds of workshops, so surely you’ve got a lot of tips and tricks on how to get people engaged. Apart from speaking to the person about home kind of use, what else works?

(16:23):
Before I start a session, and a lot of my stuff is online now, so just being the first person in the room and then telling bad jokes. So I’ve got a whole repertoire of dad jokes and you’re just chatting to people and you’re getting them comfortable with yourself. So you’re the first person there, you’re having a chat, keeping it casual, making sure you get people’s video on, and then as other people turn up or turn their video on, making it feel like a real in-person meeting. Dad jokes are good because either people love them and they feel relaxed, or they hate them and they want to get started. So either way, you’re going to win, right? And then, yeah, look, when you’re actually doing the training, just keeping it fun. It can’t all be fun. You’ve got to mix it. Yep. There’s a variety of content, videos and stories, and I put it back on people, say, right, have a go, do this.

(17:14):
What did you get? Are you cool? No? Let’s reiterate. Going through stuff, reinforcing learnings, got stupid videos. I talk about Trojan horses, software that might be a Trojan horse. Gee, that looks great. Turns out it’s not. I show a video of a lady feeding her daughter a piece of pizza and she sneaks in a spoon of baby food. I’m like, oh, that’s a Trojan horse. And it’s ridiculous, but people laugh, and you intersperse the content with stuff like that so that people just get that little boost each time. And like I said, you can’t have it all like that. You’ve got to have messaging in there. But yeah, and just being fun. I do like to have fun. I dunno if it’s coming across in this interview. I’m naturally a pretty cheeky person. I’ll crack jokes on the fly and I’m actually pretty good at that.

(18:14):
So we’d be fine with a couple of dad jokes if you think of any along the way, if you want to drop them here.

(18:19):
Oh, I’ve got quite a lot. Yeah.

(18:22):
What’s the best one mate? What’s, what’s had the most laughs in the room?

(18:26):
Oh,

(18:26):
Cyber awareness Dad joke. Look,

(18:28):
The best cyber awareness joke, like this, I’ve only actually got about two that relate to cybersecurity awareness. One of ’em is pretty lame. How did the cyber criminal get away from police? They ran somewhere (ransomware), which is

(18:38):
Actually, that’s terrible.

(18:40):
The one that I really liked. That’s pretty good. I thought it was easy crap. The one that I really like, and I can tell this in my password section, is "beef stew". After I show them a good password, look, let’s go long, complex, unique, and this is how you can put together a good password, and I’ll talk about password managers and all that sort of stuff. And then I go, so that’s a good password. What about "beef stew"? And they go, no. I go, why not? And they go, because blah blah blah. I go, so it’s not stroganoff (strong enough), is that what you’re saying?

(19:10):
Okay. That’s pretty

(19:11):
Good. That’s pretty good, right?

(19:12):
That’s pretty good. What are your thoughts on password managers? I mean, it’s been a weird space recently, ’cause I feel like it was very much, you know, you need a password management solution, you need a password management solution, and then it’s kind of like, ooh, hang on, LastPass got done multiple times. Yeah, what do we do here? What’s your thoughts?

(19:33):
Yeah, look, we still have passwords, right? It’d be nice if they went away, but they’re not. We’ve got passkeys now and that’s probably a bit too confusing for most people. And you’ve got your MFA or your YubiKeys, and you could just plug it in there and do your fingerprint with that. That’s pretty hard. Most places aren’t doing that. So yes, we have passwords. Password management, yeah, you’ve got to do it. I have a password manager. I think the key question for people is the trust factor. So you want to put it on Google and Apple, and they’ve got their own stuff. For me, do I like our technical overlords? And I’m not a big fan of them, so I’m kind of like, well, I keep my data to myself as much as I can. And you’ve got your websites, LastPass, geez. They have different versions too. They have, I think, the federated services or something, and if you were in that you didn’t get breached. Me personally, some of them are good, some of them are well structured with cybersecurity. From what I hear from others in the community, they go, I use this one because even if you get hacked, they’re doing their own thing on top of your password to encrypt the passwords and they’ll never get it. So that’s, I use my own password manager on my home system.

(20:58):
I use Pass, which is actually free software. So if you want to do it on your own computer you can download that. There was an issue with it recently, so there’s a patch for that. But there’s always issues with software. That’s why patching is a thing.

(21:12):
What are your thoughts on the cybersecurity industry in Australia right now? Do you think businesses are getting the right advice or is there enough cybersecurity professionals in Australia? Yeah,

(21:22):
That’s an interesting question. I think what we are seeing now is that the industry, the way the services are provided, is changing. So it’s coming back more to yourselves, the MSPs, because it has to, because there’s also a bit of a turf war. You’ve got your cybersecurity companies and then you’ve got IT companies, and then the clients need both. And then what happens? The cybersecurity company’s trying to get the client and they’re like, well, we’ve got IT. So I talk to them and maybe the IT company’s going, we look after that. So I think there’s probably a transition to MSPs becoming a lot better at cybersecurity, which is what I’m seeing. Some MSPs are kicking the stuff out of the park. They’re doing a really good job. As long as you can get good staff, that’s probably the challenge. Yep, it’s getting good staff. We’re all struggling with that to a certain degree. If you can get good staff and you can cover the bases, that’s great. I have no issue with it coming back to the MSP, I think it probably needs to in many cases, but cybersecurity is very specialist too, so sometimes you just need to go and see those specialist companies because they know this stuff. So probably getting rid of the turf war would be a good thing.

(22:36):
It’s tricky though. So we speak to a lot of businesses, review their cybersecurity state, that kind of thing. And some of them are getting horrible advice from their MSP around cybersecurity and some are doing the right thing, or there’s some internal IT teams who actually really struggle when it comes to cybersecurity, because they’re just fighting for more tools internally. When it comes to actual cybersecurity, it’s more about making it harder and putting more padlocks on the doors and that kind of thing. So the actual supporting becomes more of a burden. If you’ve got two internal IT staff and you want proper cybersecurity, it’s not going to work. Not going to work, or you’re going to make your own life an I man, to be honest with you. Yeah, but interested to get your feedback on that, because I guess you’d probably see that from small businesses all around.

(23:22):
Oh look, small businesses just are relying on their MSP and quite often they don’t do a great job, they really don’t. We’ll put in a firewall and we’ll give you antivirus and there you go. And they don’t really have much around detection or response, and probably don’t even have plans around response. And there’s a lot to it, as you guys know. When you’re not doing things, you’re at risk.

(23:47):
I came across an MSP contract and they were trying to present advanced managed security services that said MFA and we’ll patch your systems faster. And I was like, oh my god. So there’s so many. It’s hard for businesses these days out there at the moment, where they’re getting this advice and they trust in them. They can’t afford to pay for an actual cyber professional and they’ve got MSPs. Some are, don’t get me wrong, some are good and some are not, for sure.

(24:14):
Some are doing a great job,

(24:14):
and unfortunately there’s a couple of cowboys out there, so it’s a weird state right now. What’s your opinion, Mike, on the state of the cyber awareness industry in Australia?

(24:25):
I’d just go on the results that I see. So there’s companies doing it, there’s plenty of offerings, you know, you can sign up online at 30 bucks a year or whatever per person and do your training and hope people learn some stuff. And then there’s companies that do what I do, and there’s companies that do the big cultural piece and they just focus on that, getting in there and working with them and building internal capacity. But look, what I see is when I train people, they dunno the stuff they need to know. I do have an assessment tool that I use. It’s a quiz-based thing. Get a percentage score. How well did you do? Generally people don’t do that well. I’m training company people that have done training, and I’ve trained companies that have awareness people,

(25:17):
Staff internally that are aware,

(25:19):
Internal staff, and they turn up to my training, I do my training and I go, how’d you go? And they go, oh my god, everyone needs to do this. I’m like, what? You guys are doing this stuff though? But we didn’t know that stuff. I’m like, okay. There’s a lot of basic knowledge that people don’t have. And also there’s no standards around awareness. I don’t have to comply with any standards with what I teach. I’m just going off what I know and what I research.

(25:42):
There’s barely any standards around cybersecurity as a whole, let alone awareness, right?

(25:46):
So look, it’s quite interesting. I just know that when people come into my training, I show them stuff that they’ve never seen before and I do teach things that are very specific. Some of the things I teach, I drill into detail: links. People need to know what to do with links. You can’t just go, hey, does that look weird? Don’t click on it. Links are everywhere. So I tell them how to work it out, tell ’em how to do research, that sort of stuff. It’s like 15 minutes of that stuff. No one knows that stuff. Do you know what it means if there’s an @ sign in a link? No one knows that. Well, not many people know that. And look to the end of the link, and I tell ’em that. They go, I didn’t know that. There’s stuff like this. These are basics that people should know, but they don’t and they’re at risk.

(26:31):
So the state is that they’re not getting good enough training, for me, and even when I give them training, you still have to do it again. I just did a refresher for a company this week, start of the week. They’ve forgotten stuff. When I’m there, they’re going, oh my god, that’s amazing, this is great. I get great feedback. I come back a year later, they’ve forgotten stuff. So you’ve got to keep doing it, and it’s got to be good, and you’ve got to keep people engaged. And I think it’s not just an Australia thing. No, every country around the world is going to have a problem with this. Yep.

(27:08):
Yeah, there’s a lot of Americanized cyber awareness programs out there that I’ve seen. There’s a couple in Australia. So your advice for businesses is to do an annual in-person, ideally workshop around cybersecurity and then what’s still to get those awareness kind of email based kind of programs rolling out and oh

(27:25):
They can absolutely be as complementary as they can be.

(27:28):
What’s your thoughts on those simulated phishing attacks, that kind of thing? How often would you recommend that gets done?

(27:33):
It? It’s going to depend on the company. It’s entirely and dependent. If you’ve got a company of gurus on this stuff, why bother? You know can alienate people and you do have to be careful doing it as well. If you’re going to do a, and I’ve seen some shockers, you do a phishing test and go, how are you going to get a pay raise? Click on this link and then they find out it’s a phishing test and now you’ve got every employee that just hates you. So stuff like that. And you’ve got an unfair advantage. So you’ve got access to all the people, you’ve got access to internal knowledge about how you’re structured and how you could target them. So it’s got to be careful and look, I don’t think there’s any simple answer, it just depends on the company what’s suitable for you. It can be useful too. It’s just got to be done quite carefully and equally if you teach people and phishing testing really was it going to be links? It’s always link based. Come to this dodgy website now where you got tracked and now you might be hacked if you teach them links and do it properly. It really negates that.

(28:38):
I did a retrain at a company a few years back and they did my initial training. I turned up and when I turned up at the company I got the old USB key out and I go, damn it, I forgot to print this thing off. Could you print that out for me please? And invariably every single company I’ve ever trained or who haven’t done training before, they plug it in. So then when we get up to the USB section, I go remember this thing?

(29:03):
And

(29:03):
I go, well let’s talk about that. Right? Because it could be like a keyboard, it starts typing and I show them examples. So like the companies that I do train, no, I’ve totally forgotten where I was. Sorry, let’s just go into something else. It’s a Friday, right?

(29:23):
It’s pretty harsh showing up with the USB key as the instructor. Can you print this for

(29:27):
Me? It does work. Did you know that? That’s good. Actually there was an article, a news article I saw in a criminal actually turned one into a bomb leak bomb. So they put little C4 explosive into it and a person plugged it in and exploded in their face really? And the other thing they can do is put capacitors in there. So you plug it in and the capacitors will charge up and then it throws the current back into the motherboard and it throws blows up. Motherboard blows up, yeah, blows it up.

(29:53):
Yep. That’s probably one of the lesser cyber threats these days. Blowing it. One computer, no one really cares, take a bit of data and then run around screaming. But

(30:01):
If it starts typing, I managed to fire up a PowerShell or something and download dodgy software, suddenly things change.

(30:08):
Yeah, that’s definitely true. So in terms of what you do, do you also offer pen testing and cyber advice or alignment to frameworks, that kind of stuff for your clients or you strictly No,

(30:18):
No. I just do awareness training. I just focus on that. If I need to give that sort of stuff out, I just refer on,

(30:26):
Right?

(30:26):
So I need good partners for that. But no, I just want to do awareness. Yeah, I’m mindful of doing too much.

(30:33):
So what’s next for Mike and your business? What are you trying to expand? Hire more people, go into different areas or countries to provide? Cause to be honest with you, no doubt in what you are doing, you’re getting a fair amount of demand right now with all the big people being breached late last year and then this year and pretty high profile names have been done and they’re probably businesses want more training. I could imagine. What’s next for you man?

(30:59):
So just seems to be moving into enterprise more. So I have been doing some government stuff like the Queensland Councils, that was good. But getting into more sort of the cultural change stuff. So not just doing the, hey I’m going to come and scare your staff, I’m actually going to work with you. Build internal capacity around you doing reminders and stuff like that and come back, do refresher training and work on let’s brand this thing and what sort of metrics can we capture here and how do we keep improving it? So that sort of stuff, which is nice. But yeah, staffing wise got to need people, which is the challenge. And that we were chatting about this before we started this, but it’s hard. It’s hard to get people and then you think about what I do and I ended up in this because it’s just the way it is. I mean I naturally moved into this, but how many sort of IT people are good at training and cracking jokes and that sort of stuff. Probably not a heap and no cybersecurity as well because when I do training I get questions and some of them are hairy.

(32:13):
I could imagine actually

(32:14):
Some of them are core tech questions and you have to be able to answer them. And I do have a reasonably good knowledge around cybersecurity tech processes so I can usually answer it. But yeah, I’m going to have to probably get a few extra people. Jeez. It’d be nice just to sit back and just relax and let everyone else do the work eventually. Because you can only do the training so many times and it is my job to keep it fun and engaging. I give the same performance every time. But internally you’re dying a little bit. Yeah, because you’re forcing it. Sessions can be a lot of fun. But with the Queensland Council 300 and bang, bang, bang, bang, it’s like whew.

(32:56):
It’s a

(32:56):
Lot of it’s,

(32:57):
It’s quite hard. Were they remote?

(32:59):
Yeah, they were remote. Yeah. Okay. And then when people don’t turn their video on, that’s hard. You know, do have some sessions

(33:06):
Where people still do that.

(33:07):
Yeah, yeah. It’s hard if it’s a private company. I’m saying look, turn your video on, get the most out of this. Make sure and get management on the sessions. So make sure people know you care and you ask the questions, you’re the boss, you ask the questions, right? So people go, oh wow, the boss is in this. Right? Yeah.

(33:22):
It’s pretty rude in 2023 to not have your camera on.

(33:25):
Yeah, it does happen occasionally and it’s, it’s just really, have you guys ever presented with no cameras on it. Run a, it is hard.

(33:34):
I think when Covid first hit, there was a fair amount of businesses who were like, oh I dunno, work this thing done at webcam, yada yada yada. Now these, one of

(33:41):
The best things come out of, I remember before Covid, it was one of my biggest pet peeves when people wouldn’t put the camera on and I’d made, well not made, but yeah mate, everyone on our team do it. You’re not walking into a meeting with a paper bag over your head.

(33:54):
No. Right. No. And what are the challenges if you’re doing a training session, are you multitasking?

(34:01):
A lot of people will, I imagine everyone’s done that, jumped on a webinar or a video where they’re not

(34:07):
Webinars, but when it’s an interactive supposed replace, a face

(34:12):
To face training, training, someone’s paying for you to be on a training session. You should be. And that’s why my refresher course and the assessment, same thing. I can assist with it or do a refresher and that’s the quiz based thing. You can be remote but you’re doing a quiz. Yeah, you’re doing it. So if you’re not paying attention, you don’t get your score at the end and maybe the bosses go, where’s your score? Right. Chuck you back on it. Yeah.

(34:36):
Alright Mike, thanks for coming in mate. Conscious of time. I really appreciate you sharing some insights around cyber awareness training. And look, this probably going to be busy over the next coming years and hopefully you can find a little junior you and you can just write the jokes and sit back. We’ll see how you go. That’ll be my son. Yeah.

(34:50):
Hurry up, grow up.

(34:53):
If anyone wants to reach out to you or wants to learn more about the kind of workshops you do, how can they reach you?

(34:57):
Well, I’ve got my website, so that’s web safe staff.com au. I’m on LinkedIn. I’m like a rash on LinkedIn actually. So yeah. Mike Aki, am I Mike or Mike or on, I don’t even know what I call myself on LinkedIn.

(35:13):
I think it was Mike. Well

(35:14):
We, I already Mike, so lets probably

(35:16):
Put Mike. But yeah, might need the website and that’s got contact details in there. Very cool. And I’m always up for a chat and see how I can help companies out.

(35:25):
Beauty. Thanks Mike, appreciate

(35:27):
Sweet. Thank you for thanks.
