On-Demand Phishing Awareness Training - Webinar
Will Nobles: All righty, look at I see everybody joining here. We're going to give about 30 seconds to let everybody join and get their audio connected so you guys can hear command training and phishing awareness. And we're going to be explaining what phishing is. And no, it's not going out catching a bass or going out deep sea fishing. That's a different type of fishing that we're going to be talking about. But Caroline, thanks for being on today. Good to see you.
Caroline England: You too.
Will Nobles: I guess I'll be seeing you in a few hours because you're flying here, right?
Caroline England: Yep.
Will Nobles: Good deal. Good deal. All right, guys, so I see people continue joining, but we're going to go and get started again. We're going to be talking about on demand training and phishing and what are the requirements for your employees to go through this type of training from different types of compliance as well as state and federal and as your insurance requirements as well. So ones that don't know me, my name is Will Nobles. I'm the founder and CEO of Vector Choice. I have I started the company in 2008. I've been in technology and I'm showing my age now since 97. That sounds so long ago, but I have worked with companies with Fortune 100 to Fortune 500 companies doing consulting.
Will Nobles: And I wanted to bring all that knowledge of consulting for large companies down to the mid and small businesses to help elevate you and your marketplace and your market there. I do have a special guest on the call, Caroline England. Caroline is my senior client relationship manager. She's going to be helping me explain all this because she helps champion this for our clients. But Caroline, again, thank you so much for being on today.
Caroline England: Yep, I'm excited. It's one of my favorite topics.
Will Nobles: I think you got some of your clients on the call with you, so we're going to see how much knowledge you have on educating people that are not our customers. So guys, our company is Vector Choice, where we believe in response and reliable IT solutions. That just works for you. Our executive team. Sarah Sawyer is in New Bern, North Carolina, in a small little town in New Bern, North Carolina. She's our COO. John DePerro is our chief compliance officer. Great background. I forgot Sarah's the smartest person in the company because she's the only one with the PhD. The rest of us, not so smart. But John DePerro is our chief compliance officer. He comes from being a warrant officer for the Army, also worked for the NSA and was on the first cybersecurity task force for NATO. Bo Dickey is our chief security officer.
Will Nobles: He's done everything from law enforcement into as, physical security and cybersecurity as well. And Mike Bazaar is our CTO and his background is large industrial businesses, oil businesses in the state of Texas. Our management team, we have a great team all the way from finance. Yes, people don't like to deal with finance, but even Gabby and our finance, Troy and his team on the marketing side of things, Jon DeDerro and Jake and Daniel, we've got a great middle management team there as well. What Vector Choice does: we can do anything from being your help desk all the way up to being your C level suite from a technology standpoint, and all in between. So if you just want us for cybersecurity, you just want us for IT. You want us for projects, we can do all and everything in between there as well.
Will Nobles: We focus heavily on cybersecurity and compliance because we know the need of both of those, which is why we're doing this webinar today is just one little portion of cybersecurity and compliance that you actually need in place for your business. We've had the honor to make the Inc. 5000, I think three or four years in a row now. I think we just got confirmation today that we made the MSP 501 for the fourth time, which is the top 501 fastest growing managed services providers in the world. Not just locally here in the United States, not in Georgia, not in any of the states we're in, but in the world. And we've got a lot of other different awards as well.
Will Nobles: And it comes from having a great team like Caroline and the other ones here in the background, my marketing team monitoring all efforts here. And by the way, if you guys have any questions at all for us, please put in the Q and A, put in the chat. We'll definitely answer those questions for you. So, our locations, we are continuing expand. We've officially as of July 1, so you guys are hearing this 1st July 1. We will have the Texas market, which is coming this weekend. We will have the Texas market as well. And matter of fact, another one that we'll need to add on here is Ohio as well by the end of July. So we are growing like crazy. We've got clients, we can service you.
Will Nobles: I don't care if you're a small company in one of these small towns, in one of these states that we're in, or if you're in a large company that international, that we understand how to deal with Japanese companies, EU companies and all in between. We can help you with the services that you need from IT. If you guys are interested in a very boring read no, I'm just kidding. If you want to learn more about compliance and the compliance formula, I coauthored a book with a bunch of other very smart individuals understanding the CMMC and being successful strategies to become CMMC compliant. This might not apply to all of you guys, but the concept is still the same with all different types of compliances out there. You can scan the QR code, order the book, and we'd love your support.
Will Nobles: If you guys can order that as well. So let's talk about what we're here to talk about. Caroline, there's all kinds of different types of training out there, right? I can go train my dog, I can go shoot a gun and learn how to shoot a gun, and training that I can train for baseball or some kind of sport. But when we talk about training and technology and on demand training, what does that really mean to our customers and their employees?
Caroline England: Sure. So from the perspective of being the MSP, a lot of times we set up the infrastructure to help know with a firewall, we put things in place. But there's that human component always of you're only as good as your weakest link, they say. And so training your employees on what to look for in emails and as the world becomes more remote and is growing faster, that's really prevalent. And how can I look at emails safely on my phone or how do I know if I'm actually being phished or kind of what that looks like and what the detriment of clicking on something like that would be?
Caroline England: So this is really for those employees to have continuous learning as threats grow and as they become more intelligent on, hey, how can I look at something in the moment and know whether it's safe or not?
Will Nobles: Yeah. And I think training is a very inexpensive tool to add into your business to help educate your employees. Because by far the number one cybersecurity threat there is actually your employees, unfortunately. Right. And we're going to talk a little bit about clicking on things and spreading viruses here in a second. But one of the things I really want to point out here is on demand training is not just something that the IT companies of the world says, hey, give it to your customers, need to have it. It's actually your insurance companies. It's actually compliance. If you have to meet any kind of compliance or demanding that, this is what you have to have. And it actually on a lot of insurance documents for cybersecurity insurance says, do you have a training or on demand training program in place for your employees? Checkbox.
Will Nobles: You've got to check that checkbox and don't check it to say that I do training. Right. You actually have to prove that the training is being done. People are going through the modules, they're signing off on security type documents in your business. So that's where this type of training module really comes in place. Also, you have to prove from the phishing side of things as well. And we'll get in the definition of what is phishing here in a second. But the phishing emails, the simulation of those, you have to prove that how many are you sending per year, who's clicking on it, who's opening up the links, and so forth. So it's definitely something that this is not us being your IT provider or maybe you're just on this call and you're just trying to figure out what is on demand training.
Will Nobles: You need this for your business, hands down. It doesn't matter what industry you're in, you should have this for your business. But especially if you have cybersecurity insurance, if you have to meet PCI, HIPAA, CMMC, ITAR, and SOX, I can go on with this compliance. That's just number one thing that's on the list of all the compliance out there is on demand training. So we talked a little bit about phishing. Caroline, what is you know, I'm a country boy and I think fishing, I'm going to go bass fishing. Right? And I'm joking, guys, I am a little bit smarter than that in technology. I do know what phishing is, but I want Caroline to explain it a lot less technical than I can.
Caroline England: Sure. So in layman's terms, I use phishing as emails that are meant to hook you to kind of play on the phishing word. So phishing can be anything from hey, I'm going to pretend that I'm Will Nobles asking Caroline to do me a favor to hey, I'm going to send out a bunch of emails just to see if somebody will click. It's meant to catch your eye. It's meant to be something that maybe you would see every day or something to entice you to try to click a link, download an attachment. So like the one that you're seeing on the screen now, they're meant to be something that you would catch your eye enough to where you want to click it, but not so out of the norm that you would automatically say, hey, that can't be real.
Will Nobles: And some of the things to point out here for everyone is if you're used if you're a customer of ours, right, when we're sending support emails, they're coming from firstname.lastname@example.org. In some cases, they might come from email@example.com. But if you, for the first time ever see an It@vectorchoice.com, by the way, which is not a real email address for us, that should be a red flag for you. Okay. So if you see something abnormal from anybody, not just Vector Choice, but anybody that doesn't look like how they normally sound in email, their signature, the email hover over the email. So there's a lot of things that you want to be looking for. But Caroline, when you're walking through customers on this, what are the things you're pointing out be aware of in this type of email?
Caroline England: Yeah, so that's the best part about the on demand training and the platforms that we use. As I send these out to clients, everybody's going to make mistakes. Nobody's perfect. So if you do click on something, you get this pop up, like this screenshot that you're seeing where it says, hey, wait a second. You should have looked at this, and this, and it highlights those red flags and says if you actually hover over it at Vector Choice, that's not what the actual email is. Or if you hover over that link that says Caroline England: Change password, it's not taking you where you think it's going. So it really stops you in the moment and teaches you exactly in that email what you missed as continuous learning.
Will Nobles: And this is where I think your employees are your number one security risk for your company, because this can get through all kinds of systems right now. We do our best, all of the tools that we have out there to blocking spam, to preventing things, but a lot of people still think that having antivirus, having a firewall and a backup is all they need. I'm telling you, it has to be layers of security, and this is just one layer of security. And so this email and I want to tell you a quick story, and I've got so many I can actually share with this, but one story that stands out that I think hits home for you guys, and hopefully it does, and why you need something like this and additional security as well.
Will Nobles: We had a client, it was a golf course up in our DC market. The accounting person got an email, and it was for a wire transfer, $85,000. And it was from the bank that they normally bank with because it looked very close. And they said that they changed the wiring information for wiring the money for payroll. And so she wired all the money for payroll to this hacker, pretty much. Guess what? There's no getting that money back. Your insurance company is not going to pay for that. Even if you have cybersecurity insurance, most likely, if you don't have a lot of these parameters of security measures in place, they're not going to pay for it. It's crazy. I was talking to our insurance agent. Only 34% of businesses out there actually have cybersecurity insurance. That's scary, guys.
Will Nobles: And I know we've got a whole nother webinar that's on insurance and why you should have cybersecurity insurance. I want you to watch that. But I'm telling you, this is one key thing of getting that cybersecurity. So you can check the checkbox that you have so you can bring that premium down more. But please, guys, go get cybersecurity insurance. You have car insurance just in case you get in a car wreck. You have house insurance just in case something your house burns down or gets flooded, right? You want to protect your business, because if you want to destroy your business, it's one click of a mouse to destroy your business with this. So that's one of many stories I hear about things. Some of you might have gotten text messages.
Will Nobles: Things are changing now where people are texting you, hey, this is Will Nobles. New employee starts at Vector Choice, and they get a text message from a text and, oh, I need you to go and get ten gift cards of $100 apiece. Right? Well, I've got new marketing people on my staff, if they got that, they might actually think it was me. Right. Because they don't know my cell phone number right off the bat when they first start. And so you've got to make sure that checks and balances are in place. One last story before we move here is had a customer, it was the day before Thanksgiving, they got an email supposedly from a vendor. Well, it actually came from the CEO to the CFO. That was an invoice from the vendor saying, hey, can you pay this before you leave today?
Will Nobles: Well, the CFO was about to leave to go for Thanksgiving with his family, and he said, hey, I've moved the money over to the account. Can you take the wire information to the bank for me? And told this to the CEO. Well, the CEO is busy not paying attention. What does he say? Yeah, sure I'll do that. Not a problem. Go ahead and enjoy your Thanksgiving. Well, the CEO then takes and stands up and he's looking at it. He doesn't recognize the vendor, so he asked another person in the company if they recognize the vendor. So the first call he made actually was to me, and he said, Will, I've got this and what should I do? I'm like, well, don't pay it number. Know in no rush to pay it call Mark, which was the CFO.
Will Nobles: And I said, talk to him why he asked you to do this? And come to find out, the CEO's email was compromised. It was spoofed. He didn't look at the email address correctly because it looked like, let's say it came from Willnobles@vectorchoice.com, but it was just one little misspelling of the domain name, which he didn't hover over. And see, I think that was about a $65,000 mistake that was saved right, by just being curious. Right. So Caroline, any stories that you've heard when it comes to this type of stuff?
Caroline England: Yeah, for one, a couple of years ago, obviously I used to live in Denver, so big oil and gas market out there. I had a client who they were on the go, they're constantly in the sites, clicked on an email, put in all the information, and basically what happened is it allowed a keylogger to install. So for months they had put in their information and this person was seeing everything that they were typing, everything that they were doing, and was able to basically infiltrate. Not everything because we had security in place, but enough to be dangerous. And that was back when people first started mining Bitcoin. I mean, we were trying to basically have the Ukrainian hacker cooperate with us to give back the credentials that they ended up getting. And basically it's a dartboard you're throwing.
Caroline England: Hey, I'll give you $10,000 and maybe you'll give me the password. Maybe it'll unlock my files, maybe it won't. And it ended up being a pretty expensive couple of months for them. To get everything back. That was a nightmare. And that was all just based off of one email on a phone where it started. The other question that I get asked all the time is, hey, if I have antivirus or I have spam filtering, how am I even getting these emails? And I always tell people, anybody can spin up an email, right? I can say, hey, I'm a hacker. Ha firstname.lastname@example.org. And if I just start sending out emails, enough people have to say, hey, this is spam before places like Google Mail and some of those other places will then have enough flags to mark it out as spam.
Caroline England: So really, that's a question that I get all the time, is how am I still getting these? Because these people are smart. They have a lot of time on their hands, they'll make it look like anything, but anyone really can make an email address. And so that's why this part is so important.
Will Nobles: Yeah, absolutely. And that's why the different layers are there. And even if the email gets in right, the training that we're talking about is educating the user to be aware of what could happen. Right. The next measure behind that is, say, if they do click on something, right. The whole idea is that you have antivirus or EDR protecting the computer, but you also have what's called application control. Application control is a different another layer of security. And what it does, it prevents just an install of an application out of nowhere by just because you clicked on something. And the biggest one, I have two impacts that I can tell you that was huge impact.
Will Nobles: So I actually was asked to come to Baton Rouge to be on Fox 44, Baton Rouge, talking about the cyberattack that happened a few years ago with the city of New Orleans. 6000 computers got ransomware because of one person clicked one file and it deployed a ransomware across the whole city of New Orleans network. Same thing happened to the City of Atlanta. That's just two big ones. It happens multiple times daily to companies and to city organizations, healthcare and all the above. So you want those layers of security in place, but educating your employees is definitely number one that you want to know. I think we're talking already about the importance of phishing awareness, but how does it impact the organization? You go through this a lot doing what we call our strategic business reviews.
Will Nobles: Caroline, how does this impact the organization and how they function?
Caroline England: Yeah, so, I mean, to me, it's like of the utmost importance because it's a difference in potentially losing your business and not right. So the two pronged approach is when I'm doing quarterly business reviews, I'm constantly testing our clients to see how prone they are to clicking. So everybody has that one person who's like, I'm never going to click that email. They're always the one that clicks it. So it allows us to see where are your weak points, where are we struggling? What are we not understanding on some of these? And then the other piece is, hey, if I click something, what do I do? Because a lot of times people think, oh, I'm not going to say anything. Like, I just clicked something, but it's fine. It'll just go away.
Caroline England: The importance or the impact on organizations of doing that clicking something sometimes means there's a difference in the timeline of how long do they have access to your systems, what do they have? And so it's really looking at monetarily the risk that you're willing to take on for not having people trained appropriately. And then here's almost like disaster recovery. And we talk about that a lot. Hey, if somebody clicks something, what are we going to do about it? Or what do we have in place to make sure that we're protected? Like you mentioned, application control and some of those other things.
Will Nobles: Yeah. And I encourage everybody that's listening, that's our customer. Or if you're using another IT company that's providing this type of service to you, let your IT know and tell your employees. Let IT know immediately if you clicked on something by mistake, you're not going to lose your job. Reassure them of that, right? But we rather know from an IT perspective so we can see the risk before it spreads too bad. If it is going to be a spreading type virus, we want to know. So let us know ASAP, especially if you're our clients. It will help us out tremendously and to help so here's prime one. How many of you guys got gift cards? And I've done actually a few TV segments during the holidays. Caroline, when shopping online. Right.
Will Nobles: And this is sort of the same concept, and people think about they separate business and personal so much, but a lot of times it intertwines together. And so you might get an invoice or you might get a gift card like this. This is prime example. This is actually an email that comes out of our system that looks like Starbucks. It's got the Starbucks logo. It's got from Starbucks, right. And no reply at Starbucks promotion. Now, are you really going to know if Starbucks uses that for their email? Probably not. Right? So this is a tricky one that you can easily click on, like, oh, I've got a star. I go to Starbucks all the time, every day. Every morning I go to Starbucks. Let me do this. Right? Because they're sending me a $10 was it $10 gift card. Yeah.
Will Nobles: Caroline, I know you've told me stories at times of customers, even sometimes our employees. Right. We're not even perfect either. We even test this on our employees, how tricky these can be.
Caroline England: Yeah. And I think that's why, being part of the selection process and part of my role, I really try to tailor it to whether if you're in healthcare, making sure that you're getting emails that I know that would be pertinent to your organization. Or say, I'm in accounting, make sure that you get accounting ones for us. Internally, we have a system where we can reward people for doing a really great job. And sometimes you can send gift cards or whatever. And so I personally know that I send gift cards to my direct reports if they've done something awesome. And the thing about these is, who doesn't want that, right? So of course you're like, oh my gosh, my boss thinks I'm doing a great job. They sent me a gift card.
Caroline England: In reality, if you hover over where that says, hey, log in with your credentials here, it's not taking you there. And unfortunately, you did not get a gift card or a free Frappuccino.
Will Nobles: It's better off. And I'll take this on the personal side. As know, during the holidays, you get all the know Macy's and all know, shopping places and stuff. And I don't, because I don't shop that much. But I know what Logan gets Carolina, her email gets flooded. And I always tell everybody, don't even click on those emails, right? Go to their website. Their specials, their coupons and stuff are going to be on their actual website. Log in there, click on the website. Don't just click on links that just came from you because you don't know. So unless you hover over and it says Starbucks.com, right, and it's actually a Starbucks domain, then that's key. Also, it's very important that domain names, if you've ever seen HTTPS and some are HTTP. If you only see HTTP, it means it's not a secure website.
Will Nobles: So you definitely wouldn't even hesitate clicking on that. You definitely want to see that S behind HTTP and everything. So just little things to look out for, hover over things, get familiar with what things should look like. Here's another one. I think we've all got this. Especially if you're an employee of a company, it could say CEO or it could say Will at Vector Choice and hey Will, are you available? I need a gift card selected. If I send this to my marketing, some of my marketing staff that just started a couple of weeks ago, they might think it's legit. And so I always encourage your employees trust, but verify, right, if it's abnormal or if you are just starting at a company and your CEO or someone in a C level suite sends you an email, call them.
Will Nobles: Call them, send them a Teams message. Don't email them because their email might be compromised, right? So you want to make that physical voice communication or a video that they are verifying it is them. Now, even with AI these days, even voice verification is getting scary. So be very careful about make sure for my employees on this call. If you get something like this from me, call my cell phone, right? No one has my cell phone number besides me. I control that. And so that's what you have to look out for. You don't want to just go get gift cards. You don't want to go get something just because the CEO because you're new and you want to jump because the CEO says jump. You want to make that person happy. Ask first. Definitely ask.
Will Nobles: Make sure that when you send emails as well, is that you have a standard format, like your text, your signature, right? Because if someone gets an email from me that does not have my signature on it, most likely it's not coming from me. Right. So that's one thing, but that's not the telltale, because someone can copy my signature and put in their own email. But that's some of the things you want to verify. How does the person talk? Are they being all proper? And you're normally not proper in an email, then you're probably a red flag, right? So pay attention. I travel a lot, so my employees could get an email saying, hey, I'm traveling. Can you go get gift cards for this for me? Right. They would actually believe that because I do travel a lot. So always trust but verify.
Will Nobles: All right, so, Caroline, go ahead. I'm sorry.
Caroline England: Oh, and I was going to say, I did have a client a long time ago where the CEO traveled a lot and he emailed out. It was normal for him to text things from his phone or send emails from his phone. And I had a client who spent $200,000 on gift cards because she was fairly new. She was his new assistant, and she was used to him just like, asking for things like that. And they ended up spending $200,000 on iTunes gift cards.
Will Nobles: Nice. It's crazy. And they're getting better and better, and they can trick you. So I had a neighbor and here's just another. I had a neighbor that had a trucking business. He lost his trucking business because of this. I'm not going to disclose the trucking business or how much he lost, but they literally had him on the phone, talked him in, going to the bank and doing a wire while they were on the phone and wire, let's say, a lot of money to this account, and he thought it was legit. Now, hindsight 20/20, you sit back and say, that would never happen to me. I'm not that foolish, right? I know the guy. He's not that way either. But unfortunately, life gets busy.
Will Nobles: You don't pay attention to what you're doing, and you just sign things, or you just pay things, and you're going a million miles an hour. Slow down and think, if it's out of the abnormal to do something, it's probably not legit. I tell my team, if there's an invoice that comes in, that's not a normal bill that we pay, throw your hand up and ask. Do not just pay a bill. So that's a few things there. So, Caroline, what are we looking at here? Some stats.
Caroline England: Yeah, something to note is I pulled a couple of stats, but something that I see all the time that everybody hates to admit. A lot of people use the same password for everything and sometimes it's password one or your birthday or whatever it is. 82% of people use the same password for multiple accounts. So that kind of shows you the domino effect, right, of clicking into something or providing your credentials. Let's say on the personal side, my bank account password, hopefully not is the same as my computer password or as my email password. You're opening a whole door personally and for your organization just by not having smart passwords. So that's the other piece of this training is hey for you. Hey, let's check your passwords. Are they password one? Are they I love my wife less than three? Those kind of things.
Caroline England: 98% of companies say that they have a cybersecurity awareness program in place. I see that all the time with prospects, people who come to us. Oh, well, we do cybersecurity, we do have training and one of the things that we'll do is like a 30 day trial to see how prone everybody in the organization is to clicking and that a lot of times says, yeah, you might have one in place, but we might need to implement a more cohesive one. And the most interesting one to me is that 90% of ransomware attacks come from email phishing. So everybody hears ransomware and their head just starts exploding. Worst case scenario.
Caroline England: But the fact that 90% of that can come from emails and people clicking on things, that is by far one of the largest holes that you have in your organization and you're completely dependent on the people that you have working for you.
Will Nobles: Yeah, and I think that's where it's good working with Caroline and my team, is that you can be paying for security awareness training, but not implementing it and managing it. Right. So what we do, not only do we give you the tool, we also help you implement it and we manage it for you. We provide those reports and we keep you informed of things that's going on. If that's all you're doing with us, that's something we can do. Now, it is part of all our managed services packages and stuff, but it's something that we can do ala carte for you as well, where we can manage and make sure that it is actually truly being used in the organization. So Caroline, this is something like example report on clicking the fake attachment, clicking the fake link.
Will Nobles: These are just sort of example of how we can show statistics and we can drill down and see what individual employee actually clicked on it or opened it up. Right?
Caroline England: Yeah. And like how far they go. So there's something to be said for hey, I looked at the email, but I didn't do anything. Hey, I clicked on the link, but then I stopped. Hey, I clicked on the link and I put in my password or, hey, I also downloaded that Excel sheet, filled it all out and sent it back. It shows me how far people are actually going, which is really cool because a lot of times someone will be like, yeah, I clicked the link, but I don't think I put in anything. This shows me exactly how far they're drilling down into it and how far they're willing to go. So that's a really cool aspect of the training as well.
Will Nobles: Yeah, we have some especially for you business owners. We have Amex, we have credit cards. And you think, hey, I need to reset my password for my Amex account. We got you. So that's some fun things there as well. I don't know if you consider it fun, but some things that we can do for you. So what are the strategies when you're talking to our customers, to Caroline? What are the strategy of getting them to implement the training process? What buy in do you have to have from management as well as the employees, and how do we go about that?
Caroline England: Yeah, so it's really talking about each business is different. How they operate is different. Are you in the office all the time? Is everybody remote? Where are they checking emails from? So it's really working with each client to discuss, hey, do you want to separate out by department or by teams? You need the buy in of A, the executive team, B, the management team, just to make sure obviously, you don't want to tell people that they're being phished because then people aren't going to we're not going to see their true behavior. So there's a lot of planning and like, hey, how often do you guys want to be tested? How far do we want to go? And for trainings, we have thousands and thousands of modules depending on ranging all over the place.
Caroline England: So it's really working and customizing with each client on their organization in particular. And there are certain things that you can implement called like, a fish hook. So in your email, for people who want to reward their employees, they can literally, if they think it's a phishing email, they'll click that link or that hook, and if it is from our testing program, it'll give them a point. And then if it is a legit phishing email, it sends it to our support at Vector Choice to open a ticket. And then with those points, I have some clients who reward from management like they do get gift cards. Hey, you caught the most out of this quarter. Congratulations. Here's a gift card. So it's really two pronged also.
Will Nobles: I didn't even know that. That's pretty cool. I didn't even know. I tell you how out of touch. Sometimes on the day to day. But no Caroline. That's awesome. I didn't realize we could do that. So let's talk about mobile device security. When it comes down to mobile device, even if the employee owns the mobile device and you don't own that device right. How is that data leaving your office? And from a security standpoint, if they install email or they install an application or let's say they're using OneDrive or SharePoint or teams and they're putting those applications on their personal machine, technically that is an unprotected device. And in a lot of cases, like healthcare or other compliances, that would be in a violation of that compliance. Right? And big no for insurance as well, insurance companies.
Will Nobles: But talk a little bit about mobile device security and how we can handle training when it comes to that.
Caroline England: Yeah, so that's probably the second largest question I get is how do I know that if I'm looking at something on my phone that it's secure? Because it does work differently how you open links and if I get a text message. So there's a whole entire different training module that we can enlist for mobile devices specifically on. You can't hover over a link on your phone, obviously, but there's other ways to check and make sure. So it does a whole training based on that because a lot of times we do have people that work completely remotely or they travel all the time or they're on the go, or even if you do like home health and you're driving and you get an email that's urgent, you want to check it.
Caroline England: It shows you how that differentiates from checking things on your computer versus a tablet or phone.
Will Nobles: I encourage you guys as well, off topic, but if you're using mobile devices, your employees are accessing your data on mobile devices. If some of you guys remember old enough to remember the days of the BlackBerry where you can control what data was on there. Well, even with iPhones, Androids and stuff, there is ways to do that as well where you don't take full control of the employee's phone, but you can sort of ring fence your data from the other things that they have on their personal phone and everything. But another topic for another day there. So let's talk about how we can break down these modules for training specific with verticals healthcare, if it's FTC compliance, safeguards and types of stuff like that. I know you said we have thousands of different types of modules and training videos.
Will Nobles: If anybody has a question like do you guys cover this type of industry? Throw that in Chat or the Q&A. But Caroline, if you can read through a few of what besides outside of HIPAA I see here, what are other ones that we can cover?
Caroline England: Legal, manufacturing. So if you meet a compliance, there's a whole section that even like the client, some of my clients that I work with, they want to be able to go in and look at trainings and deploy them to certain teams or people as well so they have access to it. But we can do manufacturing, marketing, legal. Obviously, if you have a compliance, there's an entire section dedicated to that with all different types. So this is like the general HIPAA for healthcare, but there's also thousands based on even more specialized subjects. So really, for example, for legal teams, we have a general training that we do for all clients that's, hey, this is just everybody should know. And then as we pinpoint certain departments or certain compliance requirements or certain verticals, then we can narrow down the trainings from there.
Will Nobles: Okay, all right, good deal. Let's talk about incorporating the phishing simulation. When we go into a customer for the first time, sort of walk through, what would they expect? What are we going to work with them on? How does that work?
Caroline England: Yeah, so the first thing that we typically do is I start off by asking, are you guys getting a lot of spam or phishing emails to begin with? The first step I call it is a baseline. That's just to see, just like you would go to triage at the hospital if you're not feeling well. It's like, how sick are we? We send out a 30 day period typically of how prone are you guys to clicking, responding, putting information in these types of emails. Then I have a call with a client to kind of walk through, hey, here are your results. You guys had a 30% click rate. Here's the type of emails that you guys clicked on.
Caroline England: Now let's implement some training and we talk through that and then I test again because typically you see those numbers fall from like 30, 40% down to single digits, and that's obviously where you want them.
Will Nobles: Show some of the stats here that we can show. Pull up like last five phishing campaigns. And this is what 8.3% of all users in this particular scenario open up the.
Caroline England: That was the latest one. So the first one that I ran was the 13%. At the bottom, you can see where it says baseline down there. When I accidentally sent it out the first time it went from 13, we did a training, went to nine. So as you can see as went on through the different quarters, it is slowly going down, which is what you want to see.
Will Nobles: And the good thing is you could track that. So if your insurance company or whatever your governing compliance body is says, are you doing this? You could turn around and produce this report. Like, yes, we've got it in place, we're doing the training. You see it's going down, we actually check the check. All the employees have gone through the videos and done the training, which ultimately helps your premium go down as well.
Caroline England: From an insurance standpoint, from the training for example, we have a healthcare company. I automatically send out the training. It's all automated. Their first day of orientation, they get a link to the training, you get a certificate of completion and so if you're ever audited or something happens, we have copies of all of those certificates of completion for the training.
Will Nobles: That's mandatory and it definitely should be something. When a new employee starts, you have them go through that's part of the onboarding of a new employee, have them go through this training with the first week or two of being in the company. So what are the best practices? Engaging the employees. Right? Because I know we all get so many emails, right, and I know best intentions of management and the C-levels. They want to make sure that the company is protected, but encouraging those employees to, let's say, move forward. How do you do that, how do we work with our clients to do that?
Caroline England: So the way I suggest is a reward program, hey, let's all take part of this. Or you can go the fear tactic route, which some people do, hey, you have to take this training or else, but it's really customized to your company. I know different teams will say, hey, we're going to do this as a team. If we do that, then everybody can leave at three on Friday or whatever. So there's different ways that you can do it, but gauging the participation, I handle a lot of that on the back end. So let's say everybody has 30 days to complete the first initial training. If they haven't logged in, I'm going to annoy them so much that they're going to do it just to get done with it. It's 15 minutes and you can do it in different increments.
Caroline England: It's not like you have to sit there for 3 hours and complete this whole thing. You can come back and do it when you have a chance, but if it continuously reminds you and your manager that you're not doing it and so that kind of helps move along participation on its own. But like it says here, like gamification, there's a lot of different things that we do. We have interactive quizzes that you can hand out to employees. Like I said, there's like that hook in the email that you can do that gives them points. So there's a lot of different strategies and ways to go about it.
Will Nobles: Sorry guys, we're wrapping up here. Is there any questions while we're looking for questions here? If you guys are interested in anything we said today, you can click on the link here or actually scan the QR code sorry and schedule an appointment with Caroline. She can meet with you, go through this with you, give you a demo of our product. Again, we can sell this to you as à la carte item. You don't have to do all managed services with us, but it is part of our managed services packages that we have as well. Caroline takes care of our clients from a day-to-day standpoint from a client relationship standpoint, so she knows what she's doing from that standpoint and how to help you and how to talk you through your needs that you need for your company.
Will Nobles: All right, I don't see any questions. So, Caroline, either you're so good that you addressed everything, or you're so damn boring that they didn't want to listen anymore. No, I'm just kidding, guys. Thank you so much. Caroline, thank you for being on today. Everyone, thank you for being on. Please share this with your team. Please get this in place to help protect your company and your assets that you have from an attack. And, Caroline, again, thank you so much. Thanks everyone, and you guys have a wonderful rest of the day.
Caroline England: Thank you. Have a good one.