CYBERMANIACS CYBER SECURITY AWARENESS Serious Security Awareness through Laughter. Fri, 29 May 2020 01:12:25 +0000 en-US hourly 1 CYBERMANIACS CYBER SECURITY AWARENESS 32 32 Opportunities & Risks in Securing Your “New Normal” Workforce for 2021 Fri, 29 May 2020 00:24:40 +0000 The post Opportunities & Risks in Securing Your “New Normal” Workforce for 2021 appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.


Seems crazy to think that the hotbed of cybercriminal activity and digital transformation in 2018 and 2019 were ‘simpler times’, thanks to the Pancession, Panicdemic and Murder Hornets, 2020 is shaping up to be a real kick in the nether regions. Remote Teams, Virtual Work, Gig Economy, Demographic Change and more face all businesses to leverage as strengths or mitigate as shortcomings.

Here is a hybrid perspective between HR & Cybersecurity to help small businesses plan for the future post COVID. Hopefully post COVID.


The New Normal cybersecurity

Before the pandemic and economic crisis, cyber security was a major threat to business growth, continuity, and even survival. 60% of small businesses who suffered from a major data breach were out of business in less than a year. The average breach took 2 weeks to recover to a semblance of normal business operations, many companies had to inform customers about breaches and destroyed years of trust in a flash.

You may have had this happen to your company, you may have heard it on the grapevine- small businesses being taken down by cybercriminals, wire fraud, and even state sponsored malicious actors- basically, it’s not an urban myth anymore.

Recovery and a path to stability for the rest of 2020 and into 2021 needs to encompass the traditional business fundamentals (bring in the revenue, stabilise the operations, focus on the core or pivot to a new market) and the new business fundamentals (agility, harnessing data, leadership/culture, and cybersecurity). To NOT consider your company’s security, and as 80% of breaches are caused by humans doing what humans do, to NOT consider your staff’s ability to defend your business from attack, breach, fraud, theft, hacktivists, and more…. Is like being the character from a horror movie that doesn’t have a name and thinks it’s ok cause the zombies won’t get him and they kill him off in the first scene.

30 Million + Unemployed = Buyers Market

As of the end of May 2020, the United States has over 30 Million people unemployed. The very tight labor market of the past few years tipped the balance in favor of the workers, with benefits and salaries, perks and bonuses starting to get almost dotcommey in inflated puffery.

The crisis forced many out of business, many more to furlough workers and search for financial bridges. When the recovery starts to move, companies will have two new things to consider: Available talent at better prices (for the company), and possibly sourcing that talent from a wider geographic area if they are able to continue with remote work.


“We are being thrust into an economic vortex the likes of which we have never seen before, nor have prepared for. I have been prepping my clients for what the talent market will look like for the balance of 2020 (which is a wash) and for 2021. The fact is, the currency of candidates will be ample, with stacks of resumes to choose from and the smart ones are going to entertain opportunities at 20-30% below market rate. My advice is take the opportunity, help rebuild the struggling economy and be part of the market reset, which will recalibrate itself over the next several years. It’s not ideal, however, “you gotta’ be in it to win it” says Angelo D’Agostino of HCG Advisors a full suite HR Consultancy for SME. 

Human Cyber Consideration

Securing remote workers and especially those who work at home requires different approaches- both technical in terms of their access and information work, but also in terms of security. Our security postures change based on the environment and emotional state- if your organisation will be one of the many maintaining remote work as modus operandi for the future- that new context should be reflected in your learning paths and content.

Tap Into The Gig Economy

More companies will tap into the Gig Economy. In the past 10 years the growth of the gig economy and contract work has grown, offering freedom and flexibility for many untapped sources and allowing specialists to create highly tuned niches of talent. Forward looking small and midsize companies will harness this talent to accelerate their recovery and stability, with more virtual C levels, partial roles, service stacks and freelancers helping out as needed.


Securing this wide range of people, skills, information access, and supporting technology is a real challenge. Last stats from 2018 show that only a quarter of small and midsize businesses do any training on security awareness. Thinking that your contractors, partials, freelancers, and other gig workers aren’t ‘in’ your business if you give them ‘access’? Don’t be ridiculous.

Human Cyber Consideration 2

One size fits all training often skips over contractors, and many small to midsize businesses have yet to implement workflows and services to better manage access to information and systems. How will you ensure the levels of safety and security needed for everyone who accesses your information and data? Think about how you can bring contractors and temporary workers into a secure mindset the first day they start their work.

Mass Retirement = Demographic Workforce Shift 


Early stats are showing that we may see mass retirement due to this crisis, shifting the demographic makeup of the workforce to the Gen X, Millennial, and Gen Z.  We’ve written about how to secure your Millenials HERE.

Angelo says : “Given the fact we are facing the highest unemployment rates in modern times, the stats show what is truly a natural progression for the active workforce. In many ways, this pandemic has positioned us uniquely to attract, grow and retain the incoming workforce. I like to refer to it as “the shift” (whether allowing work from home scenarios, which is not optional at this point, or offering benefits/perks that are non-traditional but have come to be expected from this new crop of workers, it really has become battle of the fittest (a modern day hunger games for talent) all taking place in a post-apocalypic future, or as we know it, 2020…and who doesn’t want to be a winning ‘tribute’?!” 

Securing Millennials

In light of the differences in technology consumption patterns, views on privacy and personal data, lack of institutional trust, valuing authenticity over tradition- there are significant considerations to discuss as a company about your risk profile when you put your company’s technology and data in the hands of new generations.

Human Cyber Consideration 3

Writing governance and policy from a demographic and values standpoint and ensuring messaging engages the audiences you are speaking to. Many times we write the same message in three or four different ways, to deliver maximum impact and minimum change resistance- The art of persuasion and influence starts with knowing your audience, and through 2020 and 2021 consider how your internal workforce demographics will shift.

The Final Word

The hardest part of change, which goes against the way human brains work, is not using the thinking skills and hard earned truths that got you to the successful place you are today. What your business ‘did’ to be successful across all functions may need to change. Revenue is still king, but how you go after that revenue and where it comes from could change. Risk is still there, but what you prioritise to hedge against and how you strategically consider your defensive positions should change, and fast.

Here are 3 practical things to consider enacting today to prepare your company for survival and even growth during the economic recovery. Keep your employees cyber safe, productive, and happy- you have a better chance of staying in business.

3 Things to Do Now

Consider a more holistic approach to developing digital skills and cyber security awareness at your company than just phishing training. For more information on our SME Platform click here.

In a buyers market of talent, will you be able to source new team members virtually, rather than require the in-office presence? If your company has the digital capability to do so, using contract and remote work can keep operations running for less operational capital, as long as security and access are properly considered as a first step.

Review policies and your 3rd party supplier agreements to make sure your business is future-proofed for accelerated digital transformation and security needs. They don’t need to be complex, but putting the rules of the road clearly for employees and having alignment with your service providers is a key step of maturity towards digital, remote, virtual success.

The post Opportunities & Risks in Securing Your “New Normal” Workforce for 2021 appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.

5 Ways to Future Proof Your Business Cyber Risk Post Pandemic Wed, 20 May 2020 16:15:45 +0000 The post 5 Ways to Future Proof Your Business Cyber Risk Post Pandemic appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.


Cyber Risk Post Pandemic….Just when you thought it couldn’t get worse. Just when you thought you could relax (a teeny bit) and hope that we will get back to normal. 

…but life isn’t like that sometimes. As business owners, as managers, as leaders in your companies- we double down, we pivot, and we plan for a still uncertain but certainly rocky future. We are masters of resilience and grit, determination and vision. Right now, companies of all industries and sizes who have been able to weather the storm so far are staring at the horizon, hoping to find a path through to stability. But it’s not smooth sailing just yet. 

Getting hacked after surviving this economic and global pandemic is like surviving COVID but then getting stung by a giant murder hornet.

The Easy Jet Breach, the PWC website hack, Travelex, GoDaddy, MGM and more in the first 5 months of 2020, and especially the last 8 weeks- clearly demonstrates that we’re not out of woods in terms of major cyber risks which could result in business disruption or dissolution. While people agreed that the lockdown was necessary to limit the spread of COVID-19, it has also introduced security risks that have caught organisations off guard. From Zoom accounts being sold on the dark web to Covid phishing scams, PPP Loan fraud and the SMS Smishing explosion it’s been almost too much to wrap your head around on a weekly basis as the digital landscape changes and evolves. 

Almost half of organisations have suffered a cyber security incident as a result of the sudden shift to remote working, a new study has found.

FBI reported a 4x increase in cybercrime reports during the pandemic

Hindsight is 20-20. But the future is murky. In your agenda for the rest of the year, have you gotten serious about shoring up your security? 

Are you reviewing the security practices of third-party services, for example? Do you have a patch management plan to make sure everyone has the latest software updates? Are your staff aware of their security responsibilities while working from home?

Many are still reacting to the seismic shift in March: 


of employed Americans currently say they have worked from home during the crisis, a number that has doubled since mid-March.


According to one source, by 2028, 73% of all teams are expected to have remote workers.


of cyber incidents are caused by employees (error, phishing, or malicious insiders)

Cybercrime isn’t a passing phase or something that only happens to other people and right now it’s on fire.  

cybercrime awareness training

 5 Ways Future Proof Your Business Cyber Risk Post Pandemic

Here are 5 things you can do today to build a modern foundation of cyber secure humans on your team that will help you adapt to the ‘new normal’ (whatever that may be at this point!). For years, it has become more clear that securing your business from cybercriminals is a fundamental business competency. It is increasingly moving up the board level agenda at major global corporations, for small and midsize companies to survive this economic, pandemic, and cybercrime crisis- a quick fix or low hanging fruit will only kick the can down the road. The risk will still be there, and companies far and wide need to level up. 

1. Train for the New Normal, Not the Old Normal

Consider everyone in your company and how their work has changed. Building a foundation for the future means not just educating your teams on what technology to use and how to use it but also delivering learning in a way that fits into remote working schedules and the new virtual paradigm. 

2. Think Beyond Phishing 

Where before a tick box exercise to say ‘yup, we train on phishing’ was enough, threats are now more prevalent across the entire landscape. Here’s our blog that explains what you may be missing. Up-skilling a workforce to act as adaptive defence agents against a wide range of threats from an ever improving adversary means more than one e-learning module off the shelf. 

3. Win Hearts and Minds 

There are many ways to make it interesting- cyber awareness training doesn’t have to be dull or dry. The heavy lifting in this area isn’t about governance or audit requirements, but in the hard work of mindset shifting and habit breaking. As we always say, just because your team can define malware doesn’t mean they know how to keep your company safe or care enough to do so. 

4. Do the Basics Before the Complicated 

You don’t need to be the fastest gazelle, you just can’t be the slowest. Getting the whole team to do the basics can create an incredibly strong barrier for many of the spray and pray attacks out there today. Password hygiene and online safety basics when adopted (not just ‘trained on’) are mission critical. We see small and midsize companies (ok big ones too) continually chasing a silver bullet technology solution that will ‘secure’ everything. Don’t drink the kool aid, that solution doesn’t exist. 

5. Make it a continual journey

Once a year training will tick the box, but it does not create any true risk reduction outcomes for your organization. One example of this: the forgetting curve shows us that over 80% of knowledge acquisition is lost within 2 weeks in adults. When you add on the pace of technology change and the rapid evolution of the cybercrime landscape (see the COVID examples above- this disruption is what criminals live for)… your learning system and content needs to keep up. 

As only 53% of companies did any cyber awareness training before the coronoavirus outbreak, and of that, much was rooted in delivery styles and focusing on threats of the past. If your company is one of the 47% who hasn’t yet implemented a program or one who hasn’t started with the basics- now is the time to start. In a way, you will have a slight edge by starting on a path of holistic modern digital skills and mindset shifting- as you can leapfrog your staff into the future, the ‘new normal’ of remote working, virtual teams, and what will inevitably be a slow and challenging recovery. The cybercrime explosion, the complexities of remote working, and the still uncertain future mean that a clear, safe, easy path is not the future for all of our businesses. Don’t let the murder hornets get you now. 

Take a look at these articles to discover more about what has been happening during this COVID-19 pandemic. Hackers Are Exploiting Businesses During the Coronavirus Outbreak.  Also, Don’t Let Cybersecurity Be Your Proverbial Murder Hornet Post COVID-19.

genius cyber awareness

The Cybermaniacs helps organizations big and small prepare their workforces for an uncertain digital future. Our platform and approach helps workers, remote and onsite, establish good cyber habits, embrace a more secure work culture on a personal journey of change. 


Want to get your team set up for AMAZIWARENESS? You can have your team set up on our learning platform,  enjoying engaging and impactful digital skills learning in under 48 hours.

With special pricing in place for small businesses impacted by COVID 19.

The post 5 Ways to Future Proof Your Business Cyber Risk Post Pandemic appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.

Is Your Cyber Security Relationship Like Talledega Nights? Mon, 11 May 2020 14:50:26 +0000 Just as Cal’s push to outshine Ricky seemed inevitable, cyber security has tried to push its way onto the board agenda, sometimes rather awkwardly around the back of or away from the overall IT agenda. This competition for board attention has led to a few wins for CISCOs, but ultimately has created an extra obstacle for the digital transformation agenda overall.

The post Is Your Cyber Security Relationship Like Talledega Nights? appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.


Shake and Bake

In Adam McKay’s masterpiece, Talladega Nights (starring Will Ferrell), the hero is supported throughout his initial rise to fame by his best friend, Carl Naughton Jr. (John C. Reilly). Their formula is supportive, balanced and ultimately each knows their place in the hierarchy. “Shake and Bake!” is their signature shout-out for a move that invariably establishes their dominance against all challengers. But woven into this triumphant relationship is a tragic flaw. Although they win, time and time again, it is Will Ferrell’s character, Ricky Bobby, that insists he must always come first. 
Eventually this institution of excellence is upended in part by Carl’s ambition to begin to put himself first, ahead of Ricky. Balance is only restored when Ricky and Carl come to understand better the power and intertwined nature of their relationship and begin to work together, with renewed mutual respect and intimacy, to restore their dominance. Shake and bake, 2.0.

Cyber Security Relationship

Talledega Nights and Cyber Security Relationship

Like many of my fellow movie goers, I left the theater that night with a gift. Adam McKay had revealed for me timeless insights applicable to many aspects of my life, including my own chosen line of work, IT. For me, the arc of Cal and Ricky’s relationship mapped to the story cyber security’s relationship to IT, particularly over the last decade. For much of the last 30 years, cyber security, represented by Carl, has been an afterthought, a bolt-on to the digital agenda. But the reality is that any wins for automation, digitalization and IT in general, represented by Ricky, were all underpinned by the basic disciplines of cyber security including protection, segmentation, disaster recovery, identity authentication, etc. 

But over the last 10 years, cyber security has become increasingly uncomfortable as the threat landscape evolved quickly and new attack vectors seemed to emerge almost daily. 


It has seemed to CISCOs the world over that cyber security should, at least occasionally, be pulled forward from the back of the back office to get a little luvin’ from the board. Unfortunately, CIO’s have been trying to get that same board luvin’ for decades and haven’t been really gracious about acting as a slingshot for their cyber security colleague’s careers.  

Just as Cal’s push to outshine Ricky seemed inevitable, cyber security has tried to push its way onto the board agenda, sometimes rather awkwardly around the back of or away from the overall IT agenda. This competition for board attention has led to a few wins for CISCOs, but ultimately has created an extra obstacle for the digital transformation agenda overall. 

Taledega Nights and Cyber Security Relationship Cyber Se

Digital Transformation Offers Opportunities for CICOs

But where understanding, patience, love and hard work are available, hope can flourish. The digital transformation agenda offers exactly such an opportunity for CIOs and CISCOs to more fully examine the their own agendas in light of the other’s. The potential benefits of digital transformation are enormous. But the entire exercise of developing a digital strategy, a transformation roadmap and detailed project plans cannot, must not, happen with security treated as a bolt on.
The opportunities lost in this separation of the shake and the bake are clear. Think about network traffic analysis software. Sure, it is bought and sold as a defensive tool; to monitor for bad actors and traffic on the network which is not normal. But what can that same network traffic tell you about team performance? About collaboration patterns? How can you use that same data to think about how to supercharge your organisation, not just protect it? This is a clear instance (one of many) where cyber security can be given a much broader remit in helping reflect back to the organisation who and what it actually is on a minute by minute basis. 


Digital Data As Part of Your Cyber Security Agenda

Of course, on the other side of the equation, the digital agenda is all about data. In discussing and considering how data can and should be utilized, considerations of confidentiality, criticality and accessibility must be considered. This is a clear instance (one of many) where the cyber security agenda must be wholly understood and appreciated by both IT business partners and any of the business process analysts employed to push the digital transformation agenda.


“You ARE putting process at the centre of your digital transformation agenda, right?!!!”

Technologies are becoming more intertwined as digitalization accelerates complification (I looked it up, yeah, it’s a real word) across multiple layers of the overall business landscape.  Risk and opportunity are so closely tied together now that strategies for protecting value and creating value should be virtually indistinguishable. At the very least each must be developed in full view and consideration of the insights from the other.  If you figure out how to ensure that any attention, budget and invitation to participate in strategic conversations at board level can be balanced across IT and cyber security, just as Ricky and Carl did, you’ll achieve a powerful alchemy for the sake of your company’s performance.

Shake and Bake, baby, Shake and Bake!

Talledega Nights and Cyber Security Relationship

The Cybermaniacs creates cyber secure humans through our learning experience platform and unique approach to change. Fuzzy on the outside, data driven on the inside, our cyber awareness training content is sure to delight all demographics at your organization.  Learn more about our platform and take a ride on a free demo.

Fancy a Chat?

Want to get your team set up for AMAZIWARENESS? You can have your team set up on our learning platform,  enjoying engaging and impactful digital skills learning in under 48 hours. 

With special pricing in place for small businesses impacted by COVID 19. 

The post Is Your Cyber Security Relationship Like Talledega Nights? appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.

FBI Warns of Major Spike in Cyberattacks With the Release of COVID-19 Relief Funds Tue, 05 May 2020 21:11:51 +0000 The post FBI Warns of Major Spike in Cyberattacks With the Release of COVID-19 Relief Funds appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.


What’s Going On

Domestic cyber criminals and nation-state attackers alike are capitalising on this time of uncertainty. Right now there are two major targets. The first is remote workers, and the second is companies who have received aid packages from the government. 

Criminals are taking advantage of “enormously high public interest in information” on COVID-19: as can be seen by some very simple google trends searches. 

They know, as well as we do, the status of checks from the government or loans from banks. They are reading the same news about information on current pandemic restrictions. In the first few weeks of the crisis, cybercriminals were hot to trot on setting up fake domains around COVID19 (as it is far too easy and far too cheap to do…see our training and coverage on phishing for more). The very real and understandable fear that we are processing on a national level from this unprecedented situation has provided a rich envionrment for criminals to createe a plethora of phoney and fraudulent websites. From claiming to sell personal protective equipment, faking it as charities working to raise money for patients or offering non-existant loans to the financially strained- you name it, they are exploiting it. It’s generally understood throughout history, in times of confusion, uncertainty, new processes, fear, and our very human need for information and security- for those bent on crime, tricks, destruction or deception- these events present a lucrative opportunity for cyber criminals – and they took it.

FBI’s Internet Crime Complaint Center (IC3) is currently receiving between 3,000 and 4,000 cybersecurity complaints daily – a massive jump from their normal average of 1,000.

North Korea is On the move

Here’s just one angle as a wake up call for midsize businesses and small scrappy underdogs who may not have access to (or the time to distill) enterprise level threat intelligence.  There is organised cyber crime all over the world, but some of the dogs-and-cats-living-together kind of stuff is state sponsored. 

North Korea is getting squeezed during this global crisis, having lost China as a cross border trading partner till the pandemic is over, and so is fully at the mercy of UN sanctions. How will the Pyongyang elite hold onto power?  Well they raked in billions for cybercrime in 2019. If they aren’t able to trade with china or use other international crime channels… they pretty much most certainly I would guess …. double down on cybercrime. 

According to the report released Sunday by Recorded Future, a company well known for almost-too-honest-and-scary examinations of how nations use digital weaponry:

“Over the past three years, the study concluded, North Korea has improved its ability to both steal and “mine” cryptocurrencies, hide its footprints in gaining technology for its nuclear program and cyber operations, and use the internet for day-to-day control of its government.”

From cyrptojacking to ransomeware, North Korea and a host of other deep pocketed nation state actors are taking advantage of American and European Small and midsize businesses currently in the strain of a pandemic and economic crisis. Frankly, it gets our stars and stripes in a twist. Our Union Jack in a knot. (We’re international puppets of mystery, you see). 

At CM HQ, we don’t do fear…

but to say you aren’t a target right now would straight up be lying. 

You might not know as much about cybercrime, state sponsored threats, and how this all works as the average mid level manager or executive working for a large, midsize or especially small business. Having been breached is a totally taboo subject (unless you are talking to your lawyers, your IT support, your Cyber Insurance agents, or maybe a privacy-trusted executive forum). We don’t talk about it, we don’t publish it for fear of business reputation loss (and those who do are either forced to through regulator controls aka GDPR, or are very brave indeed).  But all of us in cybersecurity who have been around the block even for a few years know it’s true- an overwhelming number of people, government agencies, global enterprises, and small businesses have been hacked, breached, and attacked in the past. Research carried out in 2019 by Keeper and the Ponemon Institute has previously revealed that 80 percent of US-based SMBs have already experienced a cyberattack.

NSBA found that despite the increasing threats posed by cyberattacks, an astounding one in four small business owners have little to no understanding of the issue whatsoever.

Dr. Jane LeClair, the Chief Operating Officer of the National Cybersecurity Institute noted in testimony to the House Committee on Small Business that: 

“Small to medium-sized businesses, also known as SMBs are challenged both by the ability and the desire to secure themselves against cyberthreats which makes them uniquely vulnerable to cyber attacks. Fifty percent of SMBs have been the victims of cyber attack and over 60 percent of those attacked go out of business. Often SMB’s do not even know they have been attacked until it is too late.”

Did you know that even the government knows that you don’t know, and that in and of itself, is scary. 

How is it happening?

Same **** different day: Phishing and credentials 

Mostly phishing. Attackers are looking for sensitive information they can exploit – and they are doing so by compromising endpoints, stealing credentials and escalating privileges in order to access their targets. 

This is not about sophistication, this is a super-soaker approach that doesn’t require sophisticated tactics to be effective. During the COVID 19 crisis, cybercriminals are largely relying on user error or deception. From their favorite bag of tricks: two of the most common attacks used against SMBs in 2019 phishing (57%) and credential theft (30%).

Remote Workers at Greater Risk

The directive came down to shelter in place, and so we all are doing the best we can with that. But from an operations and technology standpoint: Holy Moly.


“In today’s environment, remote workers are increasingly using both personal and corporate devices to access corporate resources. While a company may have made the office computer as secure as it can, if the remote worker logs on with their home laptop, that doesn’t help. Even employer-owned devices may be more vulnerable at home as many workers will be connecting through unsecured Wi-Fi.

Furthermore, with the adjustment to working from home – whether that means setting up a laptop on the kitchen table or working with kids playing in the background – many newly remote workers are not at their most alert, which makes it easy for them to mistakenly click on the wrong link”

No Time like the present

Black Hat Hackers gonna hack. Perhaps during this Coronavirus Panic-demic they have the upper hand because now: 

  • we’re working from home with less security 
  • companies have moved to remote work without being digitally ready and so processes are all over the place 
  • workers are stressed, consumers and those out of work are fearful and easier to prey on
  • workers security postures and behaviours change when out of the office 

Our final word: If you haven’t put the basics in place of helping your users keep a cyber-safe mindset at home and at work, that’s what we here at Cybermaniacs are all about.

There is no silver bullet to protect organizations from this surge in criminal activity. But with 80% of breaches happenign becuase of users under normal circumstances, right now a very real, tactical, and pragmatic step to recovery is getting your employees and teams trained up and cyber savvy on all the new tech you are throwing at them. It could in very real terms save your company from the raging fire of data loss, wire fraud, and business operations meltdown that comes after the frying pan of an economic disaster due to a global pandemic.

Who said 2020 wouldn’t be an interesting year?

Fancy A Chat?

Want to get your team set up for AMAZIWARENESS? You can have your team set up on our learning platform,  enjoying engaging and impactful digital skills learning in under 48 hours. 

With special pricing in place for small businesses impacted by COVID 19. 

The post FBI Warns of Major Spike in Cyberattacks With the Release of COVID-19 Relief Funds appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.

5 Scary Cyber Security Gaps if You Only Train Users on Phishing Mon, 04 May 2020 19:42:52 +0000 The post 5 Scary Cyber Security Gaps if You Only Train Users on Phishing appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.


Gaps in cyber security remains one of the most challenging issues for small business owners. Small businesses bear 43% of the brunt of cyber-attacks, opening them up to huge liabilities. This includes business closure. Of those attacked, 60% will go out of business within six months. As only 25% of SMB’s currently train on ‘cyber awareness’ and most of that effort is spent on phishing… here are a few things to consider as you mature (or start!) your awareness program. 

​Scary Security Gaps

A survey conducted by GetApp reports 43% of employees do not get regular data security training while 8% have never received any training at all.    Since 95% of successful attacks start as a phishing email, we can confidently state that phishing is the biggest cyber threat to small and midsize businesses, no joke. And most cybersecurity training for SMB and tools almost entirely on phishing attacks.  

But are phishing attacks really the only cyber threat that we should be worried about?  There are several other ways that a hacker can get what they want.    

In this post, we’ll talk about other potential ways that attackers target you, most of which don’t even need a computer.

1. Mobile Security

Poor mobile security habits can come in many forms.  The increasing functionality of mobile devices makes taking work out of the office ever easier, and the trend toward Bring Your Own Devices (BYOD) policies continues to blur the lines between work life and home life.  

From an efficiency perspective, this isn’t such a bad thing;  working from a familiar mobile device means no need to spend time and brain space figuring out how to use a new device. 

However, from a security perspective, a poor BYOD policy can be an organizational nightmare.  It’s not uncommon for people to download apps without really thinking about the potential security concerns. 

Have you ever downloaded a flashlight app to your phone?  Ever think about the permissions that it asked for  and why it needs access to your text messages and the Internet?  Things have been improving lately, but in the past, flashlight apps were notorious for being Trojans that installed malware on your smartphone.

Discarding phones used for work is another huge hole in many organizations cybersecurity.

  • Do you perform a memory wipe of any device that previously held sensitive company data before throwing it away? 
  • Or do you rely on the fact that the phone is protected with a PIN number?
  • Did you know that devices that can guess a phones 4-digit PIN number in less 17 hours are available for sale for less than 250 Euros?

Any reasonably motivated hacker could snag a discarded (or lost) company phone and have complete access to sensitive company information stored on it and any logged-in accounts within a day.

2. Physical Security

Most organizations are aware of the need for physical security, but most of them don’t go far enough.  While important, a clear delineation between the “public” and “private” areas in your building just isn’t enough to deter an attacker.   In order to protect your people and your property, you need to think outside the box about potential holes in your security setup.

How many of the people in your organization are nice and helpful?  We hope it’s quite a few! 

If one of them saw a mailman struggling with a load of packages or someone carrying a large box, what are the odds that they’d hold the door for them?  Do you think that they’ll be thinking about the fact that everyone coming through the door is supposed to swipe their ID card?  While impersonating a member of a federal mail service is illegal, there is no law against dressing like you work for UPS, FedEx, etc.  

Even if there were, a suit, a cup of coffee, and an important-sounding phone call gives an air of authority and an excuse not to do anything but give a nod of thanks while walking through the open door.


3. Dumpster Diving

Dumpster diving is a low-tech, low-cost method of collecting sensitive data about an organization.  Anything from an old company org chart to photos of the last company picnic can give an attacker information to use in a phishing or other attack.

Dumpster diving also happens to be a surprisingly low-risk method of gathering information.  Are your organization’s dumpsters located on private property all of the time or are they located on or moved to public property for collection? 

According to UK and US law, dumpster diving is completely legal as long as the dumpster diver is not trespassing in the process.  If your trash (and valuable company information) is located on public property, it’s fair game for an attacker.

Think that you have good security habits when working remotely?  Have you ever taken a work call in a cafe, airport, etc.?  If so, did you greet the caller by name?  Maybe name your organization or talk about topics that would let someone guess where you work?  If so, you’ve given anyone in earshot enough information to attack your organization.  Just consider what an attacker could learn by dropping a few names and facts gathered from eavesdropping on your conversation and doing a bit of open-source reconnaissance.
Other risks are also present when working remotely.  Using public WiFi carries risks ranging from attackers eavesdropping on and datamining your web traffic for useful nuggets to malicious networks where attackers take advantage of proximity to attack your computer.  Working in public also carries the risk of shoulder surfing, where someone watches you type in a password or looks over your shoulder at sensitive company information.  You can learn a lot about a person just by listening and keeping your eyes open when hanging out in a public place.

4. Social Engineering

Social engineering is a big topic in cybersecurity.  Even ignoring phishing attacks (which are bad enough on their own), social engineers can bypass your personal and company security measures in a variety of ways.  Social engineers take advantage of human psychology, habits, and instinctive behaviors to manipulate people into doing what they want.

Say someone walks up to your company’s front desk holding a USB drive that they claimed that they found lying in your company parking lot.  Maybe it even has a label on it saying “If lost, return to Your Company at Your Company Address”.  What will most people do when faced with this situation?  

Probably thank the helpful person and then plug it into a computer to see if there is any clue on it as to whom the drive belongs.  And if the USB drive has malware set up to run when the USB is plugged into a computer?  Oops.  


To put this in perspective- only 27 % of companies provide social engineering awareness training for their employees according to a recent survey (link)  and almost 75% of businesses are vulnerable, thus endangering customers’ records, employee data, intellectual property and more.

5. Supply Chain

Many organizations think about the quality of their supply chain.  If you put a defective widget into your product and it breaks, your customers don’t blame the widget maker; they blame you.  For the sake of your bottom line, you need to make sure that every component that goes into your product meets minimum quality standards to avoid reputational or legal repercussions.

Have you considered the security side of your supply chain? 

If the software that your organization develops includes code that is vulnerable to malware, then your code is probably vulnerable too. 

Have you heard of the Equifax breach?  The loss of millions of people’s sensitive data was caused by Equifax using software with a vulnerability that they failed to patch.  But no one seems to be mad at Apache for writing vulnerable code in the first place, they blame Equifax for not taking the appropriate steps to fix code that they inherited from their suppliers. 

Protecting Yourself and Your Organization

The common thread between all of the scenarios described in this post is that they are fixable with a well-developed cybersecurity strategy.

Some, like the potential for malicious apps on BYOD devices, have technological solutions.  Others involve developing procedures for securely managing certain situations or deploying a cybersecurity education program that prepares your organization for all of the threats that it’s likely to face rather than the most common or those in vogue at the moment.  

By taking the time to carefully consider the risks and develop plans to address them, you can protect your organization and your employees both professionally and personally.

 Developing a security-aware culture and thinking about risks from the human perspective, how you can empower your teams to be a strong line of defense, is a key step for all sized organizations. 

Are you enjoying our articles and finding yourself interested to understand more about how The Cybermaniacs focus on behavior change in the work culture?  Then you will be interested in Channeling Edna Mole as CISO for Creating Cyber Secure Humans

The Cybermaniacs creates cyber secure humans through our learning experience platform and unique approach to change. Fuzzy on the outside, data driven on the inside, our cyber awareness training content is sure to delight all demographics at your organization.  Learn more about our platform and take a ride on a free demo.

The post 5 Scary Cyber Security Gaps if You Only Train Users on Phishing appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.

Channeling Edna Mode as CISO for Creating Cyber Secure Humans Wed, 22 Apr 2020 14:39:28 +0000 The post Channeling Edna Mode as CISO for Creating Cyber Secure Humans appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.


Is Your Work Culture geared towards protecting the most valuable assets in your company, your people?

Everybody’s saying it. Literally. Everybody. “The most important thing about [enter company name here] is our people.”

Ever since Peter Drucker started talking about the promise of the “knowledge worker” in the “knowledge economy”, the individuals within an organization have been increasingly seen as a critical source of competitive advantage.

​Work Culture


Getting the “attitude” right, the “culture” right, the “collaboration” right in an organization is definitely on the board agenda and is likely to stay there. Effectively, companies that look and treat their staff like superheroes are, more often than not, getting this part of the equation right. And they are reaping the benefits of superior performance.

In order for them to feel and perform like superheroes, your people need a bit of protection and support. And when the going gets heavy, where do superheroes turn to for a bit of protection and support. They turn to Edna.

In Pixar’s “The Incredibles”, Mr. & Mrs. Incredible rely heavily on the fashion skills of Edna Mode, (created and voiced by Brad Bird) to both maximise their unique strengths and protect their weaknesses. In spite of a ban on superhero activities, Mr. & Mrs. Incredible have remained close with Edna because she is able to do more than simply oversee the design and production of an appropriately defensive body suit. 

Nay, EMode is far more to them. She generously provides crucial insights into their mission, the best approach for success, she understands their emotional sensitivities and knows just what to say to inspire them.

Don’t you wish all CISO’s were like that? 

Is Your CISO Protecting Your People, Like Edna Mole? 


No, far too often, CISOs don’t come across as if they are just as committed to the staff’s confidence, success and mission as the staff is. They don’t seem awfully creative in how they are going about designing the protective kit that every employee must wear when venturing out into the virtual world. And they sure as heck don’t, (on average, mind you…Roland, just relax), display an overgenerous amount of emotional intelligence when it comes to motivating staff to change their behaviors.

It’s easy to imagine how much better life would be at any company that considers its people to be their most important asset if Edna were their CISO. Decisive and creative, passionate and practical, committed, and compassionate. She would not only design cyber security to be sleek and effective, but it would also be stylish and inspire confidence in the people relying on it day in and day out.


Heck, she might even use puppets. Yeah, she’d probably use puppets. 



The Cybermaniacs creates cyber secure humans through our learning experience platform and unique approach to change. Fuzzy on the outside, data driven on the inside, our cyber awareness training content is sure to delight all demographics at your organization.  Learn more about our platform and take a ride on a free demo.

The post Channeling Edna Mode as CISO for Creating Cyber Secure Humans appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.

Securing Your Millennials Sat, 11 Apr 2020 14:06:24 +0000 For cybersecurity awareness, behavior and culture change we think hard about how we can engage everyone to be more secure. This includes sometimes the challenging feat of bringing millennials onboard with governance and compliance around information security…

The post Securing Your Millennials appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.


Millennials, born between 1980 and 2000, are sometimes derided by X’ers and Boomers as selfie-obsessed, reality-tv-watching, soft-in-the-middle, wish-I-was-an-Instagram-travel-blogger whiners. But, are they secure? 

In working with numerous customers to shape internal audiences and behavioural groups, we often take  a dive into Digital Tribes© and the cultural values that underpin security compliance, we have bumped into many an ‘aha’ moment around this elusive demographic. These revelations; of value differences, cultural shifts, priorities, and behaviours, when made objective and brought to the fore in the pursuit of good (not blame!) can often help bridge the gap between management, executives, and yes, dare we say, even “the board” (whose average age in the USA is 63 years old, BTW). 

Cyber Secuirty Awareness


So who are these Millennials you speak of? What are their cyber habits or viewpoints (as a group)? What can you do to better reach them, engage them, and ultimately secure them as “part of your cyber team”?

“Easier said than done, but not impossible”, says Angelo D’Agostino, Managing Partner at HC Group Advisors, a full-service HR and Talent Consultancy.  “It has been my experience over the past 20 years that it is more important than ever to be ‘in the know’ as it relates to the upcoming generations in your workforce. For instance, look at the way people seek out opportunities. In the past 40 years, the drive for a new job could be about pay or advancement. However, Millennials are putting together impressive and full-bodied research to help inform their decisions around prospective employers. They are studied, care about values and culture, and know their market value.  I tell HR and talent professionals to get a bit uncomfortable, learn to move forward digitally, and not get stuck in old data and processes. This sounds similar to the challenge in cyber security awareness- we need to find comfort in the discomfort and not worry because in a few weeks, it will have changed yet again. It’s about connecting and moving forwards.”

Stats & Values to Consider

Right now, more than one-in-three American labor force participants (35%) are Millennials, making them the largest generation in the U.S. labor force, according to Pew Research. As with any generation, the unique experience of millennials during the formative coming of age years has shaped their worldview. For me, that was the 80’s & 90’s, and indeed, I can wax rhapsodic for hours about Atari, Etch-a-sketch, neon & acid wash, Thundercats, and more. A reminder for our readers in the Boomer and Gen X demographics, the formative years for the Millenials was the 1990’s/2000’s.

According to Pscyhology Today:

“This generation came of age in a post-9/11 America primarily at war. High profile data breaches and Edward Snowden’s disclosure that America engaged in mass surveillance of its own citizens has seriously shaken young professionals’ trust in government. Additionally, both the government’s and the private sector’s reluctance to take decisive action to stymie global climate change leaves many millennials frustrated by what they see as a problem of epic proportion that has been passed along to them to handle. Lastly, Millennials are drivers of today’s movement of ethical consumerism. Their socially responsible attitudes are both despite and because of a set of crises, most notably a recession set in motion by Wall Street that was deeper than any other since the Great Depression that seriously damaged Americans’ confidence in financial, banking, and governmental institutions.”

So what do Millennials value as a generation in contrast with others in the workforce? 

Without sounding like a horoscope in the Sunday papers (remember those? Kidding), here are a few values of the Millenaial Generation to consider:


  • Millennials want straightforwardness in what they understand to be a capricious, unstable world.
  • They work hard and feel strongly about wanting their work to be meaningful.
  • According to the United States Treasury, millennials tend to invest in organizations that prioritize the greater good more than any previous generation.
  • David Burstein, author of the book “Fast Future,” describes Millennials’ approach to social change as “pragmatic idealism.” He notes that this generation expresses a deep desire to improve the world and that they recognize this will require the creation of new institutions while working within existing structures.

Deloitte’s 2019 survey of millennials recap states that

”Despite current global economic growth, expansion and opportunity, millennials and Generation Z are expressing uneasiness and pessimism—about their careers, their lives and the world around them, according to Deloitte’s eighth annual Millennial Survey. In the past two years especially, we’ve seen steep declines in respondents’ views on the economy, their countries’ social/political situations, and institutions like government, the media and business. Organizations that can make the future brighter for millennials and Gen Zs stand to have the brightest futures themselves.”

Putting it in Perspective


For cyber security awareness, behavior and culture change we think hard about how we can engage everyone to be more secure. This includes the challenging feat of bringing millennials onboard with governance and compliance around information security… the first big challenge is that demographically speaking, they look at technology differently.

  • Millennials have high social media use. While a majority of adults today are users (and hooked on tiny addictive dopamine hits and the ‘acceptance high’ that comes with them…  but that’s the story for another blog…) the younger generations are constantly adapting to new platforms and ways of communicating.  
  • No More waiting, for anything? Amazon prime, Netflix binge watching, instant or quick gratification. In marekting and consumer research, to sell to Millenials if you don’t deliver it, and quick, they will move on.
  • Ascribing authenticity and honesty to voices in authority is not a given. 
  • More than nine-in-ten Millennials (93% of those who turn ages 23 to 38 this year) own smartphones, compared with 90% of Gen Xers (those ages 39 to 54 this year)
  • Compared to 68% of Baby Boomers (ages 55 to 73) and 40% of the Silent Generation (74 to 91) according to Pew Research.

It won’t be surprising that according to a recent Pew poll, nearly 100% of Millennials use the internet, but 19% of them are smartphone-only internet users – that is, they own a smartphone but do not have broadband internet service at home. The great untethering has begun, and while TV and cable are freaking out to lose viewers, now having a wired connection at home may seem old fashioned. (We are certainly hoping that 5G doesn’t microwave us all into tiny bits, but that’s another blog post). 

There isn’t as much published research on the cyber safety of millenials are in a corporate setting, although  Dark Reading published survey results showing that millenails are:

  • 2x more likely to share confidential information over messaging/collaboration apps.
  • 3x more likely to download sensitive info or intellectual property from their companies.
  • 2x more likely to talk badly about the boss over chat.
  • 3x more likely to share company credit card or password information.
  • 2x more likely to gossip about co-workers.
  • 2x more likely to download a communications app not approved by IT.

Password habits are a great leveler of all things cyber security- and in our learning program we tackle them first as a fundamental area of change. Security Intelligence found: 


  • Only 42 percent of millennials use complex passwords combining random capitalization, numbers and symbols (compared to 49 percent of people over the age of 55).
  • Millennials are also much more likely to use the same password across multiple sites or apps (41 percent versus 31 percent of those 55 and older).
  • On average, the older generations use 12 passwords regularly, while millennials use only eight.
  • Nearly half (47 percent) of those under the age of 24 said they’d use a less secure method of authentication to save a few seconds of time. That’s close to triple the 16 percent of respondents over age 55 who would do the same.

We also found some interesting data that can help you think about how you can reach out and make new connections, increase awareness, and create more targeted messaging to increase compliance AND employee satisfaction at the same time.

  • Half of under-30 respondents think that responsibility for cybersecurity rests solely with the IT department. This is 6% higher than respondents in the older-age categories.
  • Under-30s are more likely to consider paying a hacker’s ransom demand (39%) than over-30s (30%). This may be due to an impatience to get systems back up and running, or a greater knowledge of bitcoin and other cryptocurrencies.
  • Growing up in a technology skills crisis, 46% of under-30s are worried their company doesn’t have the right cybersecurity skills and resources in-house. This is 4% higher than for over-30s.
  • The desire for flexibility and agility could be affecting attitudes to incident response. Under-30s estimate that a company could recover from a cybersecurity breach in just 62 days––six days less than the time estimated by older age groups (68 days).
  • Younger workers are more accepting of personal devices at work than their older counterparts; 8% fewer consider them a security risk. However, they’re more concerned about the Internet of Things (IoT) as a potential risk (61% compared to 59%).
  • Eighty-one percent believe cybersecurity should be an item on the boardroom agenda, compared to 85% of over-30s.

All this should be taken with a large grain of salt, as perhaps some of these values, attitudes, and behaviors could be tempered by new statistics and research coming out about Gen Z. Risk appetites vary by culture, personality type, and by age… and nothing stays still for long.

Securing Millennials

Perhaps some of what we see in these is the folly of youth which will in time be tempered by wisdom and experience? Or perhaps this generation is wise beyond the years and not willing to accept corporate-speak, craving something authentic and truthful instead. Food for thought, for sure!

So, What Can You Do to Better Secure Your Millenials?



  •  Talk with your HR team. Ask if they have any reports or if they can help you better understand what generations and demographics make up the people at your company. Do they, for any business reason (expansion and growth for instance) expect them to change in the next year, two, three? Does your HR team have any cultural insight reports that can help you understand the demographic groups, and how your Millennials may relate to the values researched above. 
  • What kind of cyber awareness messages do you put out to the company? Can you write different ‘styles’ or flavors, or use different channels to reach audiences who may have different values and alignment? As social media adoption varies in the consumer space by generation- do you have social style channels to use to communicate cyber security awareness reminders?
  • How can you change and adapt messaging on an ongoing basis to match the values of not just generational groups, but also the different digital tribes in your organization? Age can be one characteristic, but there are many ways to look at human behaviour and preferences- if you are in a small or midsized organization, perhaps a wider lens will give better results for targeting awareness training.
  • Are you delivering content that millennials want to engage with? Does it address their concerns? Can you speak to the WIFM to them? Find a few at your company and set up a coffee to ask. The more we talk and learn, the better! 


Our Take


For as much as Millennials have ‘grown up’ with technology as a de facto component of life and work, it’s concerning that in overall technology use and habits, they are no more cyber savvy than older generations. Using digital technology safely, protecting information, and understanding how companies use data (both in our work, but also as consumers and citizens) is a multigenerational challenge that we desperately need to address. The growing lack of trust in institutions and the lack of cyber skills makes top-down approaches to change seem old fashioned; but Millennials’ strong ties to meaningful work, and strong desires to improve the world offer us a key to unlock the door. By using stories that are relatable to different audiences, social influence and proof techniques, creating training content that hits home on values, it’s just about knowledge but also has meaning and depth helps you connect with and engage Millennials on your teams to inspire and awaken them to the very real need of protecting their digital future.



The Cybermaniacs creates cyber secure humans through our learning experience platform and unique approach to change. Fuzzy on the outside, data driven on the inside, our cyber awareness training content is sure to delight all demographics at your organization.  Learn more about our platform and take a ride on a free demo.

The post Securing Your Millennials appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.

COVID 19 Non Compliance Fri, 27 Mar 2020 20:02:26 +0000 The post COVID 19 Non Compliance appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.


Getting People On Board When Change Matters.

(aka. Why are people breaking quarantine? & How it relates to your Digital Outliers.)

There is a shocking amount of non-adherence to clear and immediate directions regarding the coronavirus pandemic. Why is that?

Ah, the pesky humans are at it again. 

People ‘doing the right thing’ (aka policy adherents) are expressing worry, disbelief, and outrage about those who are currently flouting the rules. How can they not be listening to directives from the government, health services, and experts from around the world? What are they doing having parties, going to church, shaking hands, and dancing together? What is wrong with them?

In Italy, Mayors are literally *swearing* at their residents, shaming and insulting them, and even threatening to use flamethrowers on the people breaking quarantine and congregating.

The governor of New York has chastised the many large groups of New Yorkers congregating in parks and going about “life as normal” when the city has a shelter-in-place order in effect. 

In London, the police have been called into parks to oust sunbathers and those treating stay-at-home mandates like a bank holiday. The UK government decided to bring down the hammer and go for a three week near-total lockdown, citing the fact that a good portion of the population couldn’t stay away from the pub and was hoarding supplies and panic shopping as a reason for the draconian measures. 

But what IS up with these rule-flouters? Why are they living life as usual?

Ignorance isn’t it. With the level of media coverage and daily concern, I think we can rule out the possibility that these people haven’t heard about the spread or deadliness of COVID19. Or that they didn’t know about the orders in place. A few might not know the most recent public safety orders from their city, region, or federal government. But lack of awareness can’t possibly explain the high number of people out and about. 

To believe that rule-flouting stems from low intelligence is wrong as well. As much as we might call them idiots, the individuals and groups who are noncompliant can’t possibly all be either dumb or uneducated or both. For instance, we can assume US Senators are reasonably smart, and we know that many are highly educated, and yet they still crowd together in their own chamber while debating stimulus legislation. Besides, saying people do something stupid because they are stupid prevents us from understanding the real problem.

When pressed as to why, these rule-breakers give lots of reasons: the safety measures are overblown; their own personal risk is low; they’re young and less susceptible; they’re old and set in their ways; they don’t know anyone with COVID-19; they don’t trust the government; they won’t care if they get sick or even die; they see themselves as rebels; they fancy themselves risk-takers. Maybe they feel like they don’t have to participate in this national or international social contract we are all agreeing to. Or they aren’t properly ‘engaged’ in how we want to work, as you know, a society (yes, that was sarcasm). There are plenty of reasons people will give for why they don’t listen to reason, advice, direct orders, and more. And these reasons come from different values, priorities, and sentiments. But these should be considered rationale, because it’s clearly not rational. 

Ethan Decker, President of Applied Brand Science and marketing guru at The Cybermaniacs, says that a deeper understanding of why so many people are noncompliant comes from the Rogers innovation adoption curve that Everett Rogers developed back in the 1960s. Rogers ignored all the rationale people offered and instead focused on our herd tendencies. He noticed that new behaviors go through populations like a wave, and that adoption speed is shaped like a bell curve. A small group of innovators leads the change, followed by a larger group of early adopters. Once they normalize a behavior, the early majority and late majority follow along in their wake. Bringing up the rear are the laggards, a small group of holdouts who might never jump on the trend.

Critically, Decker notes, Rogers’ model got a significant adjustment in the 1990’s from Geoffrey Moore: the chasm. See, the early groups love novelty and embrace change. They prefer things that aren’t common. It’s not that they want to be different from others; they want to safely be part of the group that adopts things first. But the majority — the mainstream — are more resistant to change and like to wait until things are familiar and common to adopt them. You know the types from your own life.


This is exactly what we’re seeing play out globally with the response to the pandemic and people’s compliance with the orders. And seeing how often police have to ask people to go home in various countries, we’re starting to see a bit more of who these laggards are. Even in getting told off, facing fines, or public shame, they are perpetuating the risk. They are even putting the entire painful exercise we are all going through at risk. (Which is infuriating. I say this as I run a startup, look for funding, and homeschool three children under 10. I don’t mind the juggle, but I’m not doing this twice just because a tiny slice of the population would rather lark around the town square and spread the virus some more!) 


To be effective with any public health program or any large-scale safety program, it’s imperative to understand what sits below the surface of the community you are trying to change. What is the culture, and what are the values, sentiments, and beliefs? These are the people factors that drive adherence or non-adherence around the change you’re trying to achieve. 


In the case of the coronavirus isolation measures, we obviously have the rather large stick of the government’s penalties and fines (and jail in Russia!). But we have lots of social pressure of various flavors. In some parts of the world people comply to maintain group cohesion. In others they respect authority. Some places appeal to people’s self-interest and self-preservation. 

During this crisis I’ve seen great examples of influence techniques and tactics. Some groups are using visualisation to help explain complex topics around pandemics, exponential growth, and epidemiology. (See the Flatten the Curve) Social media has provided thousands of examples of social proof: neighbors sharing highs and lows, celebrities pushing safety measures, people sharing remote working set-ups (sometimes not as cyber safely as they should FYI). Humor and entertainment are being employed, with memes, gifs, and jokes getting everybody in on the action. Companies are showcasing what they are doing to help fight the virus, such as hotels offering free lodging for health care workers, or grocery stores having senior citizens’ hour first thing in the morning when stores are freshly stocked and cleaned. 


Using positive messaging, good influence techniques, clear visualisation, actionable language, and a bit of humor that centers on values-based behaviour change CAN get a majority of that bell curve of people to do the right thing. Together, this has generated, for the most part, a high level of compliance. Around the globe, whole countries are adopting these behaviors and making them the new normal.


But then…. you have the last quadrant. The laggards. 

Exhibit A: Spring break in Miami. 


What Do We Do With The Rest?

So how do we reach that last 10% or 20% who don’t seem to be with the program? If carrots and cautions don’t work, do sticks? I don’t think so. How to bring the risky outliers into the fold is a question we’ve been trying to answer here at the Cybermaniacs, mostly as it relates to cyber security behaviors. We use a deeper and more comprehensive look at the human element within your organisation. When we pull back and take a better look at the ‘who factor’ at organisations, we start by identifying and mapping digital tribes. They’re identified based on values, behaviour, knowledge, sentiment, and perceptions. We tease out those brave and shiny early adopters, as well as identify the comfortable majority that will adhere to most governance and policy that’s rolled out. But then, the trickier bit. Who are the laggards? Where is the resistance to change? What are the deeper, implicit reasons behind this group’s highest-risk behaviours? 

Even Jake Tapper had to help Presidential Candidate Joe Biden cough into his elbow… on live TV!

There is a great article in Psychology Today by Julia Shaw about this global phenomenon of non-compliance. What stood out to me was how we, the rule-followers, are feeling about these COVID-19 renegades:

“…just because someone is acting in a way that may lead to the death of others who become infected by COVID-19 does not mean they don’t care if their actions cause people to die. But our brains naturally jump to that conclusion. We assume that people who act badly, are bad, even in uncertain and complicated situations like a global pandemic.” 

In other words, when people do things that have bad consequences, we assume it’s the person, and not the situation, that’s at fault. We attribute the problem to them and their terrible character, not the circumstance. This common and universal bias is called the “fundamental attribution error.”

While the article is fantastic in explaining how we feel about them, and how we can use social proof and behavior contagion to perhaps coax the others into compliance, Shaw never really answers why the quarantine-breakers are doing what they are doing. If analyzed more closely, from a psychological or cultural standpoint, I wonder what the Gen Z partiers on spring break in Miami would say? What would the people picnicking at a park in London say? What would churchgoers and group runners and team sportsers say? You don’t really know until you ask the questions, do the surveys, get the assessments, and find out through objective means the drivers that feed implicit culture and the reasons things are done. 


Getting the laggards on board requires the most creativity and insight. Novelty doesn’t work: they don’t want to be an early adopter. Familiarity doesn’t work: they’re not part of the mainstream. The answer is attainable, but you need to shed the fundamental attribution error and look to the specific context for each person or group, rather than looking for the answer within them.

Getting people On Board When Change Matters.

When we flip the mirror onto ourselves and the businesses we work with, a company is made of people, process, technology, assets and value. Every company is going to have a different map of digital tribes. Every company is going to have different regulatory pressure or policy requirements, depending on a range of factors such as size, countries of operation, industry, safety requirements, and more. 


You don’t know who you are as a company until you do the work to get the data, and try to understand where the human risk factors actually are. (And for my UBEA fans, I don’t think that something that profound can be found only by looking at keystrokes or network behaviour. You have to get messy and, you know, talk to your humans.) The underpinning cultural elements can help you find a way to communicate the change and properly inspire the laggards. I think are not only the greatest win but could be your greatest advocates, if only you can get on their level and give them the reasons and tools to change. Isn’t it sometimes the case that the greatest advocates for change are the people that have gone through the greatest transformations themselves? Whether that be recovered alcoholics who are now sponsors, ex-smokers who convince others to quit, the fantastic people who have achieved huge weight loss and fitness goals, or people who have recovered from diseases and run the charity marathon every year. What if you could find the riskiest people at your company and turn them into champions for cyber security? 


While we ponder the best way to do all these things, we hope you all stay home, stay safe and keep the faith alive. 

We close with a reinvestned classic from Neil Diamond. Talk about using humour and fun to reinforce a message!!

Want to Learn More?

12 + 6 =

The post COVID 19 Non Compliance appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.

The Matrix Tue, 17 Mar 2020 21:54:06 +0000 The post The Matrix appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.


The Matrix

The Matrix

In the Wachowski’s film, The Matrix (starring Bill…or was it Ted?), the heroes of the film are betrayed by a member of their own team, Cypher (Joe Pantoliano). In perhaps one of the most prophetic scenes in any movie of recent memory, Cypher sits with the ultimate villain, Agent Smith (Hugo Weaving), eating a steak. But the room they are in isn’t real. The steak isn’t real. The wine isn’t real. It’s all taking place in the matrix, a virtual reality created by machine coders and patrolled by software. 

The Matix - Cyber Security Awarness


Cypher is fully cognisant that the reality he’s immersed in is virtual…that his real body is plugged into a computer somewhere and his energy is being harvested by the machines he’s plugged into for their own purposes. But he’s perfectly alright with that deal as he knows the machines can give him exactly the virtual experience he wants, when he wants it.

The Matrix

This is, for me, the perfect analogy for what’s going on around all of us right now. Of course, we haven’t developed the ability to go full Borg assimilation yet. But more often now, more and more of us are surrendering control of our focus and decision making to software that we can’t see, we don’t understand and that is designed to USE US to SERVE SOMEONE ELSE.

And thanks to algorithms, computers are getting better and better at figuring out exactly what we want and exactly when we want it. Gradually, more of us are starting to see things Cypher’s way.  We know that Alexa is listening, that Samsung is watching and that Mark Zuckerberg really doesn’t give a monkey’s ass about our privacy. But we are participating anyway. The cost doesn’t seem all THAT bad in comparison to the benefits of having so much convenience and immediate gratification. 

The Matrix

This is a massive problem. Not that we do surrender to online temptation or that we enjoy our needs and wants being anticipated. That’s all fine in and of itself.

The real issue is not understanding HOW your temptations are being anticipated or what the transaction is that allows this software and the companies that develop it to flourish. Nothing good comes free, even when it seems like it should. 

And trust me, you, your colleagues and your loved ones are all paying. 

We just don’t seem to care too much about how the whole thing works. This conscious choice for ignorance, or at least a lack of effort to dispel our ignorance is creating a layer of abstraction between online services consumers and producers allowing producers to create more and more elaborate and fulfilling experiences, without having to explain the real cost. 

So how do we counteract this layer of abstraction? Well, by trying to dive in and understand exactly how its working and who its working for. But that’s hard. The virtual world is complex and becoming increasingly more complex and nuanced by the hour. Governments are playing catch up with regulation, but they have a LOOOOOOOOOOOOOOOOOOOOONNNNNNNNGGGGGGGG way to go before they are actually able to keep us safe from our own impulsive decision making online. It’s up to us…each of us…to help keep one another safe in the mean time. 

Cyber Security Awareness

This is where cyber security awareness can come into play. But only if you look at cyber security awareness as a gateway to understanding more about the entire online ecosystem. Cyber security can start by pointing out the most overt issues facing you, your family and your work colleagues.

There are people who want to steal from you, find satisfaction in causing harm, whose interests are directly juxtaposed to yours. OK, we need to learn how to defend ourselves against these bad actors. But what about the people who want to give you EXACTLY what you want so you’ll be attracted to them? These people are less hackers and more like smart sales people operating in a completely unregulated market environment. They can sell just about anything to you without any sort of warranty for your health or disclosure on the full value they are extracting from you in the transaction.

Cyber Security Awareness

In order for you to protect yourself, your colleagues and the ones you love…and in order for them to protect you…staying alert and aware of how the ecosystem works is the only way. The first step in that journey is cyber security awareness, but it’s only the beginning.


Follow the white rabbit.     



The post The Matrix appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.

Once Upon A Time in Hollywood Tue, 17 Mar 2020 21:38:45 +0000 A growing tide of unethical, and outright illegal, actors are trying to take advantage of us every day. This blog series will be dedicated to combining these two tools to help illuminate key issues facing us as these bad actors (see what I did there?!) try to manipulate our behaviour to serve their own, selfish, unethical purposes. Allow me to demonstrate…

The post Once Upon A Time in Hollywood appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.


Once Upon A Time In Hollywood

I spent most of my childhood in the Los Angeles suburbs where Hollywood was an ever-present force, constantly confounding the boundaries between reality and fiction. But more than just bumping up against the industry that made movie and TV magic, the good citizens of LA often got caught up in trying to live out the magical narratives that the industry was busy spinning. It often felt like anything was possible in Los Angeles…especially the impossible.

Of course, there were winners and losers in the game of spinning up, selling and living out fantasies. As a kid in L.A., you learned a lot about the line between reality and pure fantasy the hard way. But this upbringing prepared me for grappling with life online as partial news reporting, deep fakes and social engineering have an increasing hand in driving people’s opinions and decision making. I now have two important tools in my toolbelt from my time growing up in LA: 

  1. An instinct for discerning between reality and spin doctoring
  2. A deep knowledge inventory of movie plot lines to use as analogies for making a point.

Key Issues Facing Bad Actors

A growing tide of unethical, and outright illegal, actors are trying to take advantage of us every day.

This blog series will be dedicated to combining these two tools to help illuminate key issues facing us as these bad actors (see what I did there?!) try to manipulate our behaviour to serve their own, selfish, unethical purposes. Allow me to demonstrate…

Once Upon a Time in Hollywood

Quinten Tarantino’s “Once Upon a Time in Hollywood” depicts a main character, Rick Dalton (played by Leonardo DiCaprio), an actor who is trying to make his own Hollywood dreams come true. He’s talented enough to get to what he wants, but he’s a bit short-sighted in his focus and lacks a broader understanding of how the industry works. 

Enter Marvin Schwarz (Al Pacino). Marvin has made his career in the background, pulling strings. He sits Rick down for lunch one day and explains exactly how Hollywood is conspiring to manipulate his career for the benefit of others. It’s not a message Rick wants to hear, nor does he particularly want to make the changes required to reboot his career. But through a bit of showmanship and good humour, Marvin gets Rick to understand a bit about how the machine works, his place in it and Rick is able to make decisions to get his career unstuck.

The Internet is Aiding and Abetting 

It seems today that the Internet has helped many of the most intoxicating and insidious elements of Hollywood metastasize. Only now the audience doesn’t need to collect at appointed times in theatres. Anyone with a laptop, phone, smartwatch, smart fridge or navigation system in their car is the target of countless manipulators selling some product or narrative all trying to entice certain behaviour choices.  

Of course, the messages about online risks have been out there for decades. But people are often too caught up in responding to the stimuli to really take the time to understand how the environment actually works. Well, we all need a bit of Marvin in our lives. We need to receive messages about risks and the benefits of certain choices over others in a way that’s entertaining, that seeks to make us feel positive and hopeful as opposed to just frightened and exploite.

May the Schwarz be with you, always.

Sign up with The Cybermaniacs

The post Once Upon A Time in Hollywood appeared first on CYBERMANIACS CYBER SECURITY AWARENESS.