This transcript was created using an automated transcription service and may contain errors.
Welcome to The JoyPowered® Workspace Podcast, where we talk about embracing joy in the workplace. I’m Susan White, owner of Susan Tinder White Consulting. With me is my co-host and dear friend JoDee Curtis, owner of Purple Ink, an HR consulting firm.
Our topic today is cybersecurity. You might wonder why JoDee and I think this is an important subject for us to discuss. If you want to have a JoyPowered® workspace, you want everyone in your firm knowledgeable about the risks to the security of your technology, so they can avoid bringing your business to a standstill. When we say cybersecurity, you might say “Okay, so what exactly do you mean?” Well, the U.S. government’s Cybersecurity and Infrastructure Security Agency defines cybersecurity as the art of protecting networks, devices, and data from unauthorized access or criminal use, and the practice of ensuring confidentiality, integrity, and availability of information. Dave Zielinski wrote an article dated March 5, 2019, on shrm.org, entitled, “5 Top Cybersecurity Concerns for HR in 2019,” which, no matter when you listen to this podcast, has information that I think could be helpful to businesses and HR leaders. Dave cited a 2018 Forrester Research study that 55% of enterprise network security decision makers reported at least one data breach in the prior 12 months, with 44% of those breaches caused by employees who accidentally, or sadly, sometimes intentionally, enabled hackers or data thieves to access information they should not have.
Isn’t that amazing, JoDee? I know.
So the five concerns that Dave said should be on our radar, let’s walk through those. JoDee, you want to start us off?
Yes. Number one is phony chatbots. Susan, I don’t know about you, but I’ve had people before who appeared to be one of my friends send me a direct message or a new friend request on Facebook, and then quickly realized it isn’t them. Have you had that happen, too?
I have. I gotta tell you, I feel so violated. And I feel so bad, when I call my friend and say it, they said they feel violated.
Yeah, both sides, you feel that way. It might be a chatbot who entices you to click on a link that will install malware into your computer to gain personal or financial information, or if you do it on a work computer, you might be exposing your own company to devastation. Fake chatbots can pop up on legitimate business screens your employees or customers are using and can end up steering unsuspecting users into giving up sensitive information, as you think you are communicating with the company they thought they were engaging online with.
Scary. Number two is spear phishing. This is where emails are sent from a supposedly known or trusted sender, like maybe an executive in your company, asking an employee to do something, like buy gift cards and get information that…so that they can transact on that gift card. Or they might be requesting that you send a file with confidential information to them right away. Maybe employees’ names, maybe customer account information. I have seen this happen with several of my clients, where someone deep in the organization gets an email from…and it looks very legitimate to them, but the CEO or the head of finance, asking them to do something. And they are just, like, lickety split, bracing to do it, and they don’t realize that it really wasn’t them. JoDee, I know this has happened at Purple Ink.
It has, and, you know, I think we…a lot of businesses went through a cycle, I don’t know, maybe two years ago where these spear phishing emails were going out and requesting gift cards and…and different things from employees. And so we went through that. I think everyone on my team might have gotten one to send me gift cards. Unfortunately, no one sent them to me.
Yeah, you didn’t get to receive any, did you?
Yeah. But this topic is so timely to me because it just happened again, just a few weeks ago, that one of our brand new employees got an email about buying gift cards for me, and she was on her way to the store to buy them and thankfully texted me to ask where she should drop them off at, and I said, “Whoa, whoa, whoa.” And, you know, I felt bad for her, because she was brand new and totally sucked into it. So.
It happens. So you can imagine how often it does happen. Number three is mobile malware. This is malicious software specifically designed to target mobile devices, such as smartphones and tablets, with the goal of gaining access to private data. This is why so many companies have strengthened their own Bring Your Own Device rules, and also company device policies, with…insisting on safeguards like data encryption, password enforcement, and remote wiping. Remote wiping is where the company can send commands to lost or stolen devices to delete stored data that may be on the device. I know we all get tired of having to change our passwords so many times, but this is one of the reasons why we need to do it.
I know it seems like such a hassle at the time, but boy, if you have a problem for it, it can be a much bigger hassle. And number four is internal risks. Our employees are human and can make mistakes, and it’s important to make sure they are extremely conscientious about what information they send to whom and help them stay out of harm’s way. It is also possible that you have some bad actors who work for you. Take a listen to our podcast on insider threats that we recorded December 2, 2019. You want to thoroughly check out who you employ and monitor behaviors once people are on board in case red flags surface.
And number five, the final one, balancing access with security. Be thoughtful as to who needs to have access to what information. I can totally relate to how much easier it is to open up all the information to everyone, especially to everyone on your HR team, but every time you give a wide berth to lots of people having information that they may not need to know, it also invites risk. We in HR have the keys to the people information bank, and our need to make sure that our HR team members can get out the data they need to do their jobs is very important, but also a challenge to make sure that we don’t give out too much. It’s really worth doing to help keep our team members and our company as safe as they can be.
Now a word from our sponsors. This podcast is sponsored by Susan Tinder White Consulting, a progressive human resource practice that helps businesses resolve people challenges through consulting, coaching, and training. Whether the opportunity is in a corporation, a not for profit, or government agency, HR solutions are tailored to optimize individuals’ and organizations’ strengths.
You can reach Susan via email at Susan Tinder White at gmail dot com – that’s Susan T-I-N-D-E-R W-H-I-T-E at gmail dot com – or by phone at 317-332-8017 or via the company website, susantinderwhiteconsulting.com.
We look forward to hearing from you.
All right, well, we brought a guest in today, JoDee, who is an expert at cybersecurity. It’s Heather Stratford. Heather Stratford is the founder of Stronger International, Inc. and a new sister company called Drip7 that are both focused on cybersecurity and educating a company’s workforce. Heather is a thought leader, writes and speaks about cybersecurity education. Her team works with governments and companies, both in the U.S. and worldwide, from state governments and universities to large manufacturing and oil companies. Heather, we’re so glad that you’re here. Would you mind telling us a little bit about your background and how you ended up working in technology, and more specifically, how did you gain an expertise in cybersecurity?
Well, I’m super excited to be here as well. And I came in to cybersecurity and technology kind of from the side. So I do not have a degree in computer science, but most people in cybersecurity do not. I was in different industries, both in the food industry, the publishing industry, the contractor services industry, and every time I landed in a different industry, I was in charge of websites, rollouts, ERP systems, and slowly I learned a lot about the industry. And about six years ago, I became president of Stronger International, and it was a training firm that specialized in education in IT, and specifically, in cyber education. And that has developed into, now, Drip7, which is an educational platform designed for end users. So over time, my education and what I’ve learned has grown, and my staff stretches a couple of continents, and we work with people all the way from small organizations to very large multinational brands that people would recognize.
So Heather, specifically from an HR or business owner perspective, what are five things that businesses can do to help reduce the risk of a cyber breach?
The first thing that I always say to people is, people can either be your weakest link, or they can be your strongest asset. And as HR professionals, you realize that people are what make your company. And so educating and…and helping your staff, no matter where they’re located, no matter what level they’re at, helping them understand the importance and what needs to happen is critical. So educating staff is the number one thing that any business can do in terms of preventing and reducing the risk of a cyber breach. Some other things that help…staff, right now, a lot of staff is remote, people are working from home, and because of that, they need to be more careful about how they log in to different systems. So companies should be using VPN, or virtual private networks, so that they are not on a general WiFi system. So if you don’t have that set up, talk to your IT team about setting up VPN systems for people to log in. Other things that are very important are passwords. So passwords are the keys to everything in the company. We have normal keys that open doors, right, to a physical building. But we have a lot of data, whether it’s internal information to the company, or it’s information about our customers, and all of that is locked by keys, and that’s the passwords. Right now people are putting into place things like dual factor authentication, and a lot of either HR professionals or other management, they’re like, “Oh, no, why are you putting so many restrictions, this is a pain,” right? And it is a pain. It requires more time, it requires just a little bit of extra, but that is a safeguard. And if you think about it, it’s the key, and then the dual factor authentication is the deadbolt. So somebody might be able to get the basic key, but that deadbolt is the second form that will block somebody who’s trying to break down that door. And I have seen it numerous times come back and it is what saves a company from a massive breach. 
So the third thing would be passwords. Number four are backups. People right now are reading in the news about ransomware, and ransomware is just a fancy term to talk about a specific type of malware. I relate it to cancer. There’s lots of different varieties of cancer, and we all know they’re all bad, right? It doesn’t matter what kind of cancer you have, we know it’s a bad word, and it’s bad for everybody. It’s the same way with malware. But there’s different types of malware. A type of malware that is ransomware encrypts the information on your computer, and it doesn’t erase it, it doesn’t move it, it just encrypts it so you can’t get to it. And then they ask you for money to unencrypt that information. What I tell people is prevention. Prevention, you know, a little bit on the front end is really going to save you on the back end. So for ransomware, the best solution is to have a backup so you can say, “I don’t care what’s on that computer. I have a backup, and I’ll just restore it.” I have backups on all the computers in our company, my personal computer backs up every 15 minutes automatically, so I know if I were attacked by ransomware, that I have a solution to say “I don’t care and I’m not paying you.” I have a solution because I have a backup. The fifth thing that I would recommend is shifting the mindset. HR professionals often are part of an executive team, and they have the ear of CEOs, CFOs, other people in the organization. And the entire organization, from an executive level from the top down needs to understand that cybersecurity is a major threat, and cybersecurity is not going away, and cybersecurity needs to be a priority, and if it’s not, you might not be here in five years.
Heavy but true.
Yeah, that’s great advice. And I love your analogies about the…I’m one of those on the passwords that is always thinking, “Ugh, I have to have a 10 digit password and special characters and…” but thinking about it as a key and a deadbolt, that’s really helpful to me.
Because it is a pain. And you’re like, “Oh, I don’t want to have to log in again.” Or sometimes people have assistants, and you’re…they’re trying to get some information and you say, “oh, here’s my password, I’ll change it later,” or you hand out that password. Well, that’s a major faux pas. That’s a big deal. And so being able to manage the passwords using a password manager in the company…there are many out there that are very reliable. One of the biggest ones, and the one that my company uses, is LastPass. But there’s many different reliable, good password managers. And if your company doesn’t have that in place, what happens if a senior management person doesn’t come in the next day? Do you know their passwords? Do you know how to lock things down? If there’s an internal breach, do you know what to do? So having a password manager and understanding and really having that tight in your organization is a critical component of being ready for cybersecurity risks.
Good advice. So Heather, I know your company created a micro-learning technology for cybersecurity, and you mentioned it a few minutes ago, Drip7. First, I got to know what Drip7 means. Like, how did you come about that name? And then what led you to create it? And how does it help businesses mitigate cybersecurity risk?
We’re super excited about Drip7. The name came from this idea that a once a year compliance is just not enough. You know, a one hour sit down, “yep, I got through it, I clicked through,” it just doesn’t work anymore. Because what we really need is behavior change, and a once a year, one hour doesn’t change behavior. And so drip is the idea of little bits of information, bite sized information that is over time. If you had 60 seconds or a minute and a half of education, and then could move on, while you’re getting your coffee in the morning, you have a little bit of drip that you’re moving in that direction. And as we all know, we’ve been to places like the Grand Canyon, or beautiful rock formations in southern Utah. How did they form? They formed from small bits of water over time. And so I believe in empowerment, and that all people in the…in an organization can become the strength of that organization. But they need knowledge. And they need knowledge in small bits, not in “checked that box, yep, they got it done,” not in a checkbox compliance format. And so Drip7, all wonderful things come in seven, right? Seven days of the week, seven colors in a rainbow. Seven is a great number. And it also happens to be the number of, if you hear something seven times, then it goes into your deep memory, right? Like, you actually learn it. You hear something once, “Do the dishes,” my kids don’t hear that. I got to tell them more than once, right? And we’re all that way. We don’t really learn something if we hear it once. So Drip7 is this idea that education can be fun and engaging, gamified, and yet, it moves forward with the idea that it’s in small bits that we really learn and move forward.
I love it. Very creative, and insightful, too. It’s easy to set up a training one time a year, but we all need it more often than that. Heather, what other advice do you have for our listeners to keep their technology environment safe?
That they make sure they treat it with respect. Don’t leave your computer open when you go down the hall to the bathroom. Don’t leave it unprotected by a password. Don’t leave your laptop in the back of your car when you go into a downtown, you know, city and park it on a street. Just realize there’s a lot of information and ways that is an inroad into that company, and you hold it in your hands, so just be knowledgeable and treat it with respect, because you are the cybersecurity team. Everybody who has a computer and logs in, you are the front…front line, and you have to realize you’re part of the team. It’s not an IT person in the basement of a different building. Right? Yes, they’re helpful, and yes, they’re coordinating the team, but you are part of the cybersecurity team. You have to be, because we’re in a different world. 30 years ago, not all companies were even running on computers. Nowadays, everything is computerized. Everybody’s moving to the cloud, and there’s got to be security protocol around that or there will be breaches, and there will be fines, and things can really go wrong fast.
So true. So Heather, how can our listeners reach you if they want to learn more?
I’m on LinkedIn, Heather Stratford. We have two websites, stronger.tech – T-E-C-H – we do international engagements, from vulnerability assessments to penetration testing. And then Drip7 is its own website, drip – D-R-I-P – and the number seven dot com. Just reach out to me, I’d love to answer anybody’s questions, especially about micro-learning, and how to really change the dial and change the dialogue in your company, and behavior change around compliance and security issues.
Well, Heather, thank you so much for joining us. I feel like you are speaking directly to me today and things I probably don’t do well with my passwords and leaving my computer in my car, and so I think it was really impactful, and your company sounds like they have some good tools and some good advice to share with people.
Thank you so much for joining.
Thank you so much.
So, every once in a while, we’ll insert a best practice sharing in one of our episodes, and today’s one of those. We asked our listeners, “what lessons have you learned in 2020?” Here are some of the things that we heard.
This is my favorite one of all. Always keep plenty of toilet paper on hand.
Isn’t that crazy? Who knew? Yeah, right now I’ve got a closet full. Number two, the importance of having a business resumption plan or a disaster recovery plan in place so that you’re ready to enact it for any kind of crisis that arises.
Number three, remote work has more benefits than initially recognized. Not sure I will insist my staff be in the office as much as I used to for esprit de corps.
Yeah, I’m hearing that one a lot. Number four, people on the front line, in medicine, retail stores, restaurants are heroes every day, but it took a pandemic to realize it.
Number five, there is some good in slowing down, staying home, reconnecting with your loved ones. Boy, I’ve learned that lesson for sure.
Well, that’s what we’ve heard so far, but we’d love to hear any other lessons people have learned in 2020. I’d be happy to share those.
Susan, we had a listener question today from Scottsdale, Arizona. They said, “I am in a small company with under 50 employees. We don’t do performance reviews, and I have a low performer on my team who doesn’t seem to be a fit in our culture. When I talked to him yesterday about my concerns, he was surprised I didn’t think he was doing fine. We don’t have an HR person. So what can I do?”
First of all, I’d think about getting an HR person. When you have 50 employees, we often say that’s kind of the trigger, because there’s a number of laws where, when you start having 50 employees, that you want to be paying attention to, to make sure you’re in compliance. But, all right, let’s say you’ve got 49 people or you’ve got 50 and you’re still looking for that HR person. I think that when somebody is not performing well, it’s extremely important, even if you don’t have written policies that have a path of corrective action or anything in place, it’s taking the time to sit down and tell the individual what’s not working. And get their perspective on it, too. Like, in this case, it sounds like the person is blindsided, they didn’t realize it. Okay, well, here’s step one. You’re sitting down to raise their consciousness about elements of the role that you don’t think they’re performing. Be honest, be transparent, sit down and ask them some of the whys. Why is this not getting done? Or why are you not able to do this the way that we’re hoping you would? And try to pull that out, because maybe they didn’t know that’s the way it needed to be done. This first meeting could be your fix it meeting because they didn’t realize it. Now, if you have this meeting and you lay it all out, the person is committed to making it work, and you offer any support you have, and the time passes and it doesn’t work and they’re not getting any better, then you really do need to have another conversation, and at that point, I think you start to talk consequences. Maybe it’s not the right fit for the person, maybe there is additional training or…that you can offer and they need to do it, and if they don’t, then…or they’re not successful with it, then the consequence is maybe it’s still not the job for them. So I would definitely have this first meeting. I would document you had it. And then I would watch things, monitor things, stay close to the person and to the performance.
And it…I would raise the stakes with a second conversation and document, what’s our performance improvement plan here and what’s the consequences if you don’t fix it. JoDee, anything else you might add?
No, I think that’s good. I…I do always find it fascinating, sometimes, when we leaders or people managers feel that someone is struggling and then have a conversation with them and they’re surprised about it. And sometimes I wonder if that’s a coping mechanism or if maybe they really think it’s going okay. Right? It…the key, to me, is to always set good expectations for people so that they know. If the expectations are clear, we should know whether we’re meeting those expectations or not.
Very good point. All right, well, it’s time for in the news. HRdive.com published an article by Aman Kidwai on November 23, 2020, entitled, “Video call fatigue is setting in.” A Robert Half study published November 12, 2020 reported 38% of employees reported video call fatigue since the beginning of the pandemic. 24% said they would rather communicate via phone or email, as video calls are inefficient and exhausting. And finally, 26% say the novelty of video calls has worn off. I need to tell our listeners right now that we are recording this on a video call. JoDee and I are staring at each other. You can’t see that as you listen to us. And we are not fatigued with each other, but honestly, I am a little fatigued with all the Zoom calls I do day after day.
Yeah, I’ve found myself having more phone calls than I was three months ago, four months ago.
Yeah, there’s something….Yeah, I agree. Anyway, Kidwai’s article suggests companies should consider if all team meetings, regular one on ones, client meetings, etc. need to be done in a video meeting format and recommends care be given in making video calls as short and streamlined as possible. I do think that’s good advice for all of us.
I do too.
Thank you so much, and have a JoyPowered® day.
Thank you for listening. We hope you enjoyed The JoyPowered® Workspace Podcast. If you like the show, please tell your friends about it. And let us know what you think of our podcast by rating and reviewing us on Apple Podcasts. It helps new people find our show. The JoyPowered® Workspace Podcast can be found on Apple Podcasts, Spotify, Stitcher, or wherever you listen to podcasts.
You can learn more about JoyPowered® and find our books and blogs at getjoypowered.com. We’re @JoyPowered on Facebook, LinkedIn, Instagram, and Twitter. Sign up for our monthly email newsletter at getjoypowered.com/newsletter.
If you have comments, suggestions, or questions about anything related to business or HR, you can leave us a voicemail at 317.688.1613 or email us at email@example.com. We hope you tune in next time. Make it a JoyPowered® day.