Cybernews Interviews CyberHoot Co-Owner, Craig Taylor
Malicious attackers have always been a part of the cyber world. And with working from home becoming the new normal, hackers have recognized even more possibilities to exploit companies and their employees.
A lack of cybersecurity awareness can catch up with a business of any size unexpectedly. With many employees, especially remote ones, organizations cannot monitor every action, so attackers have more opportunities to manipulate employees into falling for phishing attacks.
This exposes the need for businesses of every size to make use of cybersecurity tools and measures such as VPNs and security awareness training, along with policy guidance.
Craig Taylor, the Co-Founder and CEO of CyberHoot, a company that offers security awareness training for businesses of every size, says that many businesses still see such measures as unnecessary expenses. Taylor agreed to share his views on the importance of cybersecurity, potential threats, and their outcomes.
What was the story behind CyberHoot? Can you tell us more about your journey?
CyberHoot was created because the co-founders believed there had to be an easier way to protect small to medium-sized businesses (SMBs) from all the cybersecurity mistakes they were making. The co-founders have worked in cybersecurity for 60 years combined. We have seen a great deal, especially on the enterprise side of cybersecurity. Yet, the most vulnerable companies, the SMBs of the world, were suffering far more at the hands of hackers than enterprises ever did or would. We took the best practices in the industry, boiled them down to their essence, and eliminated all the points of friction getting in the way of security awareness training. From the beginning, CyberHoot was:
- Password-less. Users should not struggle with passwords to take the security awareness training. It gets in the way of high compliance. We removed this requirement.
- Open. Users tend to get bored easily. Our platform was designed from the very beginning around curated content, so we can train users on emerging threats when they occur with unique and interesting content. The gathered content is our own and from other experts in the industry. It helps to eliminate the boredom that occurs when you listen to the 5th, 10th, or 20th video produced by the same company.
- Automatic Compliance. From the beginning, we automatically escalated to management when users failed to complete their assignments. This ensures high compliance across all our deployments.
We have also eliminated other points of friction in billing and administration. We have added multiple industry-disruptive capabilities like Phishing Assignments along the way. Everything combined, we have one of the simplest systems on the market with the highest compliance rates available in a tool. Our solution works better than anything else on the market.
Since cybersecurity training might sound tedious to some, how do you manage to keep your content educational, yet entertaining?
CyberHoot specializes in being one of the most liked awareness training tools on the market. We asked our users how many would miss CyberHoot’s extra work — the monthly training assignments. 60% of surveyed users said they would miss our “Hoots” a little or a lot if we stopped sending them.
The reason behind this high approval rating is three-fold:
- We keep our awareness training videos short — anywhere from 3 to 5 minutes — to avoid reduced interest due to a short attention span.
- We recommend sending them out only once a month to reduce training fatigue.
- Most importantly, we combine our own training videos with expert-curated videos from other sources to keep our content entertaining. Our assignments have remained interesting over 5+ years and hundreds of videos watched.
The content is kept educational by including a quiz after each video. The questions, answers, and explanations are sent to each user in the system following a test for additional learning opportunities. We also link to our online cybersecurity library and blog where thousands of articles and definitions can be reviewed at each user’s discretion.
What kind of threats can only be eliminated with the help of quality cybersecurity training instead of traditional safety measures?
Almost any threat can be eliminated by following the best practices outlined in our security awareness training videos. The vast majority of cyberattacks occur because of two things:
- Users falling victim to phishing attacks
- Bad password hygiene (lack of a password manager)
The industry generally believes that 90% of successful cyberattacks are caused by human error. Our training helps users learn the importance of simple protective technical measures, including two-factor authentication and adopting a password manager. More importantly, they learn why these measures and the ability to spot and avoid phishing attacks are so important and, truthfully, easy if you learn our methods. CyberHoot’s motto helps users learn that “Become More Aware” means “Become More Secure”. And that gives employees confidence and enhances productivity and security.
How do you think the pandemic affected public cybersecurity awareness?
The pandemic has changed the way people work on a day-to-day basis. More people are working remotely, opening them up to even more threats than they would typically face in the office. When at home, users tend to be more relaxed, not thinking about cybersecurity threats, their implications, or what they may do, and not having the technical measures in place that they would have in the office. Hackers have recognized this trend and ramped up their efforts over the past couple of years by crafting convincing phishing messages and sending millions out to unsuspecting and untrained users.
CyberHoot has extensively written about the evolution of online attacks during the pandemic. There have been more phishing attacks to be certain. However, there are many more elaborate schemes, including hackers creating fake contact tracing apps, romance website scams (catfishing, for example), fake remote job opportunities, and other things of that nature that have only worsened cybersecurity threats. With employees working remotely, the lack of colleagues sitting in the cube next to you means you’re more likely to fall victim.
Why do you think certain companies push employee cybersecurity training to the background?
Many companies think that they can buy all the technology needed to protect their company, but what they fail to recognize is that human error accounts for nearly 90% of company breaches. Another reason is that they don’t think users want to do the training and that it wouldn’t be done effectively. Lastly, companies running security training programs for their employees don’t see the monetary benefit, they just see the costs. Security Awareness Training (SAT) is like insurance, but it just costs money and companies don’t believe they’ll fall victim to cyber threats. Alternatively, companies can feel hopeless and think that you can’t stop cyberattacks, so why bother trying?
The truth is that SAT can help companies easily become more productive, confident, and secure for a very small cost. Just one incident at an SMB is expected to cost over $88,000 in 2022. These are numbers for SMB, not large enterprises where a breach can easily cost millions. One incident at an SMB would easily fund 10+ years of SAT.
In your opinion, what other security issues are often overlooked but could cause serious damage to organizations?
There are a number of critical measures we always look for when providing our virtual Chief Information Security Officer services to companies. These are simple measures that are often missed and poorly understood. They can provide a great deal of benefit and, in some instances, protect companies from compromise.
First, enabling multi-factor authentication on all critical accounts is key.
Second, having a risk assessment performed to prioritize the risks that you can face in your industry and business goes a long way to spending your time and money wisely.
Third, most companies lack a security culture, which is gained in two ways. The first one is security awareness training, and the second — establishing cybersecurity policies to guide employee behaviors when technology cannot. Policies sound boring, but they guide users on how to properly use their computers, accounts, information, etc. For example, password policies ensure that users are using unique, 14+ character passwords/passphrases for every account and that credentials are stored in a password manager. If users don’t comply, they can be penalized or fired by their company. It keeps users accountable with something in writing (that they’ve signed), so that the IT staff don’t have to look over all employees every day hoping they don’t do the wrong thing.
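The password policy described in the answer above (unique, 14+ character credentials for every account, kept in a password manager) can be audited mechanically rather than by looking over employees' shoulders. The script below is an added example for this interview, not CyberHoot's code. It assumes a password-manager CSV export in the generic name,url,username,password layout; the sample rows are constructed, and the report names only the offending accounts, never the secrets themselves.

```python
"""Audit a password-manager export against a policy of unique, 14+ character
credentials per account. Added example; the CSV rows below are constructed."""
import csv
import io
from collections import defaultdict

MIN_LENGTH = 14  # policy threshold stated in the interview

# Constructed sample export (assumed generic layout: name,url,username,password).
SAMPLE_EXPORT = """name,url,username,password
Payroll,https://payroll.example,alice,Tr0ub4dor&3
Mail,https://mail.example,alice@example.com,correct-horse-battery-staple
CRM,https://crm.example,alice,correct-horse-battery-staple
Bank,https://bank.example,alice,Summer2022!
"""


def audit_vault(export_text, min_length=MIN_LENGTH):
    """Return accounts that violate the policy.

    too_short: account names whose password is under min_length characters.
    reused:    groups of account names that share the same password.
    The secrets are only compared, never written to the report.
    """
    rows = list(csv.DictReader(io.StringIO(export_text)))

    # Group account names by the exact secret to find reuse across accounts.
    by_secret = defaultdict(list)
    for row in rows:
        by_secret[row["password"]].append(row["name"])

    too_short = sorted(row["name"] for row in rows
                       if len(row["password"]) < min_length)
    reused = sorted(sorted(names) for names in by_secret.values()
                    if len(names) > 1)
    return {"too_short": too_short, "reused": reused}


def is_compliant(export_text, min_length=MIN_LENGTH):
    """True only when no account is short and no secret is shared."""
    findings = audit_vault(export_text, min_length)
    return not findings["too_short"] and not findings["reused"]


if __name__ == "__main__":
    report = audit_vault(SAMPLE_EXPORT)
    print("Too short (<%d chars):" % MIN_LENGTH, ", ".join(report["too_short"]))
    for group in report["reused"]:
        print("Same password reused across:", ", ".join(group))
    print("Compliant:", is_compliant(SAMPLE_EXPORT))
```

Run against a real export, the same logic can feed the signed-policy process the answer describes: the report lists which accounts need a new passphrase without anyone on the IT staff ever seeing the passwords.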
With more companies adopting the work from home model, what are the most prominent security threats that affect the remote workforce?
This may seem like an obvious answer from us, but due to the lack of security awareness training and policy guidance for most remote workers, phishing, poor cybersecurity hygiene, and outdated software are the most prominent threats. The mentioned security measures go hand in hand, making employees more secure and aware of cyber threats.
Outdated software happens because some users are on their own personal devices and aren’t getting the software patches automatically installed on their devices to address emerging vulnerabilities. Then there are the employees who log in to any Wi-Fi network they find to work remotely from coffee shops, sports venues, or shopping malls. These employees who haven’t learned the risks of rogue or free wireless access put themselves and their systems in grave danger.
What security tools do you believe are essential to combat these threats?
I believe that to effectively fight such threats, security awareness training, policy governance, phish testing, two-factor authentication, password managers, and a risk assessment are crucial.
And finally, what’s next for CyberHoot?
CyberHoot has found a great deal of friction in traditional phish testing. From time-consuming and error-prone allow lists, junk and spam folders, and the inability to use convincing phishing attacks because vendors sue companies over the use of their images and logos in phishing simulations, to browsers that interject warnings that an email is an obvious phishing attack and prevent the user from learning, phish testing the traditional way is fraught with challenges and headaches.
CyberHoot is going to eliminate many of these points of friction in the near future with an assignment-based phishing module. It eliminates every point of friction, improves the ability to effectively test employees with increasingly difficult phishing tests over time, and ensures that all of them have been tested through compliance reporting. That’s not possible in the traditional phish test where an employee is ignoring their email and misses the phishing test altogether. In this new module, a manager will know with automated reporting whether all employees took and passed their phishing test.
That’s our goal for Q1 of 2022. Beyond that, we’re branching out into fully managed solutions for MSPs (managed service providers) to roll out to all their clients with minimal effort on their part. Our talks with MSPs have taught us that they often don’t have the time to roll out SAT to their clients, so CyberHoot will do it for them.