86. Cyber Behaviour & Influence - part 2 with Lloyd Evans
In part 2 of Claire’s chat Lloyd Evans from LastPass, they talk about the hybrid work setting, communicating the cyber messages to the board, share questions from the audience, and Claire asks the age-old question, are password managers secure?
Lloyd Evans leads LastPass business across JAPAC (inc India). When he’s not training for his next ultra-marathon, Lloyd and the global LastPass teams are helping companies address the human habits and behaviours of password risks to help reduce the leading cause of data breaches globally - compromised credentials.
A Cyber Security, cloud and technology industry veteran, Lloyd has previously held senior management roles with SolarWinds, Commonwealth Bank Australia, St. George Bank and Macquarie Bank.
This season we have partnered with Lastpass -the leading password manager – and we are discussing behaviour and influence when it comes to cybersecurity.
Links:
Transcript
CP: Hello, and welcome to The Security Collective podcast, I'm your host Claire Pales, and today I'm bringing you part two of my discussion with Lloyd Evans of LastPass. Lloyd and I recorded this conversation during a webinar in February 2022. And for those of you who missed it, we're sharing it across two episodes of The Security Collective podcast. In part two, Lloyd and I talked about the hybrid work setting, communicating the cyber messages to the board, and I also asked Lloyd, the age-old question, are password managers secure? This episode also includes questions from the audience during the webinar such as what would we recommend as the best cyber education material? I really enjoyed the live format and the opportunity to both ask and answer some questions on the topic of cyber behaviours. So here's part two of my chat with Lloyd Evans of LastPass during our webinar.
LE: I wanted to maybe shift gears a little bit Claire, just to talk a little bit about our psychology of password report, which we actually found that we sort of talked about this before, but almost half of the employees had engaged in sort of risky password behaviour, obviously working remotely. And we've sort of talked about this, people may be feeling more comfortable at home or something like that. And that's why the behaviour changes. But how do you find that sort of mid level managers, so maybe not the board, but IT managers, and how do they help staff deal with these type of problems that we see in a working remote environment? I know, we sort of talked about this before, but what things have worked well from your experience?
CP: Certainly the behaviours of the manager themselves makes a really big difference. So demonstration of behaviours to staff and pulling staff up on things that are not necessarily in line with the way things should be done and not sort of saying, you know, that's against our policy every time. It can just be that's not how we do things, or that's not appropriate, or trying to also come at this more from a carrot perspective, not just a stick. You know, not necessarily telling our staff all the things they shouldn't be doing, but encouraging the behaviours that they should be doing. And most security awareness or security influence staff now will also talk about how important it is to be educating staff so they can educate their kids as well, and their elderly parents and anybody else who might need this help as well. So getting staff to understand that the activities they do on their work computer or in their work environment, whether or not that's in the office or at their kitchen bench, is just as important in their personal lives. So, you know, we have seen that work for organisations where if they run a webinar or awareness activity that involves somebody who's going to talk about their personal lives, then the people come in their droves. You know, you have to shut the door and people are sort of spilling out, because they want to learn about how to protect their own banking or their own child from social media. But yet, when it comes to the workplace, it's almost like that someone else's information. And what we really want to see is that visceral reaction of a staff member to see okay, well, what if this was my money? What if this was my data? And, you know, would I want it to be sitting offshore somewhere where it's exposed? Or would I want it to be not encrypted, and I guess helping the business to understand how cybersecurity occurs, and not just, you know, we have this expectation that you do these five things, and that will help to protect the business. So tapping into their personal lives, but also tapping into how cybersecurity impacts their day to day job and how what they're doing adds value. And we always talk about how every person in the organisation needs to or should understand how they're contributing to the broader business strategy. It would be great to see organisations showing employees how the work they're doing contributes to the broader cybersecurity strategy as well. You know, if as a cyber team at the moment they're trying to focus on particular passwords is probably a good example. You know, maybe they're rolling out MFA or they're rolling out something like OKTA or some sort of tool. Helping the business understand why that's happening, not just there's a change going through and there's going to be something new when you log in tomorrow. But really talking to them about the why of that is incredibly powerful because it helps them to see what they're doing is contributing to the protection of the organisation. And I don't think that's anything new but it's about investing in that, because oftentimes we see cybersecurity communication or influence or change or awareness funding is one of the first things to get cut from a cyber security budget. And everybody says, it's free to communicate, but actually some of that stuff takes resources and consultants and more than you think would it would take to influence and educate that middle management group. And to engage with them about the work that they're doing and understand how cyber can help them too. It's a relationship, it's absolutely a two way street. And I'd hate to see them feel like they're just being fed information about what they shouldn't do.
LE: Yeah, I think that's interesting, right. I mean, a couple of things you sort of touched on that I kind of just wanted to expand on a little bit, this idea of linking it back to sort of personal behaviours. And I'm a big fan of this, because we do it here, and I'm a big supporter of it, is really thinking about, well, how does this impact someone's personal life? How would that impact the way that they deal with credentials, obviously, passwords at home in their personal life? How does that potentially impact their family? I think that's a super important way to both reinforce good personal behaviour, but also how that relates back into the business as well. And I think that's just a good way to be able to, you know, deal with that.
There's a tonne of questions coming in Claire. So let me just pull up a couple of those. This is good one from Peter, thanks Peter for this question, do you have or can you recommend any, some high quality educational content for boards and executives around cyber risk exposure management and mitigation?
CP: I think a couple of things in response to this. One is that it would be a shame not to suggest that every single board needs to get educated in a contextual manner from within their organisation. I really think that the best way to educate the board is to talk to them about what's important to them as a business. There are plenty of books out there. Some of them I've written, there are plenty of podcasts out there, there's lots and lots of information out there. The AICD have courses, the Governance Institute have courses, there's so much information out there. But what I really want to see is boards educated from within inside their business, and also from consultants that they know and trust. But they've got to have that contextual side of things because just because an incident happens to another similar business in your industry, doesn't necessarily mean that that's possible within your organisation or that it's going to happen. It's more about what your business is doing. And then the board obviously seeking external education at a macro level, but at a micro level being educated internally with inside their business. Would you add to that Lloyd?
LE: I think I think you've hit the nail on the head. The only thing I would say is I mean, there's a tonne of content out there. Obviously the stuff by the ACSC and a few others. Let me see what this question is about. Do you have any tips for managing cybersecurity for staff that are working outside of Australia? So I'm not sure if that's a language question or maybe a cultural change question as well.
CP: Yeah, I think it's probably broader than the cybersecurity conversation, it's making sure that those staff at a minimum feel like they're part of the employee community anyway. And so if management are maybe in Australia and the staff are in another country, broader than the cyber conversation, making sure that culturally, they feel like they're part of the norms and the environment that the business is trying to establish. And then overlaying cybersecurity over the top of that. And it's consistent, regular messaging that's contextual to their business. And there's another episode coming out this season, where one of my guests talks about nudge tactics. Where you continuously nudge your staff, you know, giving them little tips, giving them ideas, talking to them on a regular basis. I had another CISO once say to me that he plays this roulette, where once a month he will just choose someone out of the global address list and book a meeting with them and have a chat to them about what's going on in their business, a bit about what's going on in cyber. You know, back in the day, when you could actually have a coffee with somebody, then he might have done that. But these days, if you've got staff in another country, the security team making the effort and also leadership making the effort, to engage with these people on a semi regular basis. And, you know, it might be a surprise to someone that the security leader wants to have a meeting with you. But you know, making sure that you let them know that it's all aboveboard and there's no concerns. But really engaging on a regular basis with the business, that's the key to it. It doesn't matter if they're around the corner, or they're in another country. It's bringing them into the conversation regularly that would be my tip. I don't know Lloyd if you've got additional tips.
LE: I like that. I think that the roulette thing is interesting, right. But I you know, I'd probably would be a little bit funny about getting a call from a security leader, but I think it's a good idea. You know, really, what tends to happen is you may get an email from a CISO every now and again to the business talking about security risks and everything, I think that's a good way to do it. The other thing that you touched on before Claire, which I wanted to sort of circle back on, was this idea around communicating the reasons why a company would be going down a path to implement a security tool. And I think you talked about MFA as an example. Actually explaining to staff why the business is actually implementing that, and the theory and the idea around it. As opposed to just saying, hey, we're deploying this because it'll make us more secure, I don't really think drives a good level adoption. And there's no linkage back to or what's in it for me sort of thing, which I think is super important.
I’ve got one more question before I might hand over to you, I know you've got a couple questions for me, Claire. I mean, we talked about this a little bit, but really around behavioural change, which is something that's sort of close to my heart, and really thinking about how we can go about doing that from a longer standpoint, any companies that you've worked for in the past or with that have impacted that meaningfully in terms of how they've actually done it? I mean, I know a lot of people, when they tune into these type of sessions are looking for sort of practical tips, but obviously talking about that roulette session, or anything else that sort of comes to mind before I hand over to you.
CP: Yeah, there's, there's a couple of things that I've seen done quite well. The first one would be just exactly what I said, I guess, in my last answer, and that was the visibility. So not allowing cybersecurity to be something that people learn about through an online training module, but really being something that they learn about through the subject matter experts within the organisation. So being a visible cybersecurity leader, being a visible cybersecurity team is incredibly important. And fortunately, I was part of a cybersecurity culture change programme a few years back. And between my staff and I, we reached 5000 employees across four different countries. And it was really hard work, you know. And there were language barriers, and there was content that had to be tailored for different audiences in different countries with different cultures. But we're all part of the one organisation essentially, and we got out there and we delivered this content to 5000 staff and everything from customer service through to engineers through to the board. And it had an impact, and we were able to measure that, and we were able to revisit those people over time. And I think that's something, that ongoing behaviour change has to be more than checking in once a year to a compliance training course, you know, looping back to the start of our conversation. It's consistently being visible and consistently reminding people how important this stuff is, in the same way that revenue is important, and customer service is important. You know, we don't go to our customer service staff and teach them once. We go back and they re-listen to calls and they see what customers want, you know. Security is the same, we have to keep the conversation going. But my number one tip would be to have that visibility, and you can still do that remotely, it just takes extra effort, it really does. And making sure that the business knows who you are, and they know how to make contact with you as well.
LE: Yeah, I think that's important, like repetition in anything, right, it' the way you form habits, and good habits of forms can be formed quickly, or depending if it's done consistently or not. So I think, you know, making sure that security leaders are visible, and they're not just getting the old security training session sent to them every now and again, I think it's super important. I think you had a couple of questions for me, Claire, before we wrap up,
CP: I do and I get asked all the time about password managers. And so I thought while I've got you, I want to ask you these questions. So one is, does having a password manager stop people putting post-it-notes on screens and stop executive assistants being handed the passwords to all the CEO's applications? Is that something we can really get rid of with a password manager?
LE: Definitely, I mean that the post-it-note effectively died I think when everyone moved to remote working, right the post-it-note is probably still in the office. But I sort of talked about this before and trying to get into this, like habit change and behavioural change. A lot of the time why people put post-it-notes or passwords on post-it-notes is really just it's a poor habit and they've done in the past. And what a password manager does, obviously with LastPass or others, is really as acting is that circuit breaker to change that behaviour as to you know, rather than just emailing a password across to my executive assistant or putting a putting my password on a post-it-note so I don't forget it. Using a password manager to automate that, store it securely, so you don't have to think about it again is an easy way to reduce risk that we found obviously from our experience.
CP: Okay, the next one I want to ask you is, is it safe to put all my passwords inside a password manager? How do I know the password manager is not going to hacked?
LE: That's good question. So yes it is. Obviously, I worked for a password management company, but LastPass is obviously very secure in terms of the way we manage the product. And obviously, it's encrypted and we are IRAP assessed by the Australian Government. So we go through general security procedure for the product. And you can obviously read all about that on our Privacy and Trust website, but you can say for sure that password is secure in our product as well.
CP: And then something I've been asking all of my guests on this season, I've already recorded four or five episodes ready to go for the season. And I've been asking everybody, since you've been working in the cybersecurity field, what is the key cybersecurity behaviour that you do? What are you a stickler for? What's that one thing in your personal life? And I don't think you're allowed to say a password manager, given that you work for a password management company, you have to say something different. What are you a stickler for what's your one thing that you now do as a cybersecurity industry person?
LE: So I would normally say password manager, obviously, Claire, but given you've said I can't. The second thing is really looking at privacy settings, you know. So looking at, you know, cookies, and that sort of thing, where people are clicking data. I was an Android user for a long time, I have switched over to Apple, so I'm a convert. And part of the reason for doing that was around the privacy stance that they're taking at the moment. I know, it's not completely foolproof. But the ability to manage that more effectively was was something that I'm a big fan of, and I'm a big advocate of it. In my personal life, I'm very protective of my personal information, and the personal information of my children as well. And so that's probably one thing that I'm super conscious of, because I know that, you know, once the data is out there, and you've lost it, you can't get it back, right. And so I'm very conscious of that and making sure that the information about me personally is not exposed in any way. If I was to flip that question Claire, what would you say? I mean you've obviously worked in the field for a while, what are you a stickler for?.
CP: I'm probably overly paranoid about my information, and probably to the point of frustration of my family and my children. But I'm probably a stickler for really giving my kids and understanding of the importance of cybersecurity. And all my kids use a password app. And I am very conscious of when poor behaviours happen in the classroom, that I talk to them about why that's not right. And I'm having an argument with my 13 year old son at the moment about all his friends putting games onto their school computers. And I keep saying to him, this is a non negotiable, you cannot put games onto your school computer, and trying to explain to him that when he connects that computer into the school network, the risk that he's putting into that network is huge. And I want him to learn about the empathy. You know, the impact that his actions could have on somebody else. So, you know, if I do nothing else, if I can educate the four little people that I have around me most of the time, about the importance of cybersecurity, I'm hoping that when they become our professionals of tomorrow, that they'll go into the workplace with, at least with their eyes wide open. I can't guarantee that they won't do silly things, but at least they'll be more aware and hopefully that they'll hear me say have a strong password and don't download computer games onto your work computer. Yeah, that would be my thing, I think.
LE: Which is good. I mean, that's the influence thing that we've been talking about. I also have four little people. And, you know, I've been trying to educate my son who's, I think, probably similar age to yours, around password strength and complexity. And so I finally got through to him, which was good. It's not on a school computer, it's on a personal computer. But I think just those little steps and explaining it to them, how they would understand it, meeting people where they are is what I sort of talked about before.
CP: Thank you so much, Lloyd. And it was really enjoyable thanks to those who asked questions as well. And it's been great to chat to you today. Cheers.
LE: Look forward to speaking to you again soon. Thanks again.
CP: Well, that's a wrap on our live webinar episodes of the security collective. A big thank you to LastPass for arranging the session, and for the few hundred people who joined us live on the day. If you missed part one, please head back and take a listen. And finally a reminder that this whole season is dedicated to awareness, influence and behaviour change. So please look out for the other episodes in season nine. And of course, please go and revisit the whole back catalogue of the security collective podcast. I'll see you next time.
Season nine for security collective podcast is recorded and shared with you in partnership with LastPass, the leading password manager that enables companies of every size with the tools necessary to secure and centralise control of employee passwords and apps you can learn more@lastpass.com.