Tag Archive for: “cybersecurity keynote speaker”

Cybersecurity Awareness Month 2022: Five Disastrous Pitfalls to Avoid at All Costs

Cybersecurity Awareness Month Keynote Speaker

Security Awareness Training that Won’t Put Your Peeps Asleep

National Cybersecurity Awareness Month, which takes place every year in October, is a lot like spring cleaning. It’s when we buckle down and finally get to that pile of papers we’ve been staring at all year. It’s also when we learn to build new systems that prevent the pileup in the first place. Fall is when we turn on the throwback tunes, grab some reinforcement, and dance our way through important cyberthreat mitigation. As a cybersecurity keynote speaker, it is my responsibility to help you know where to start, what to do next, and how to prevent the mess that comes from not paying attention to security awareness training. It is the combination of deep work in October and preventative education throughout the year that makes cybersecurity digestible, effective, and even a whole lotta fun. In the meantime, here are 5 Disastrous Pitfalls you can avoid during your organization’s Cybersecurity Awareness Month 2022:

1. Don’t Overstuff October with Awareness

Assuming that your employees are appropriately educated after just a month of data protection training is as ridiculous as saying “I washed my sheets once, so I’m set for the year!” First of all, no. Second of all, gross! To continue our cleaning metaphor, if you wouldn’t ask your most treasured house guests to sleep in a bed with sheets you washed last October, why would you entrust your company’s most sensitive data to a team that is dealing with year-old information??

It is all too easy for organizations to assume that their responsibilities are contained and fulfilled when they dedicate an entire month and a substantial budget to those responsibilities. Don’t get me wrong, I LOVE that we have a month dedicated to cybersecurity awareness. But many organizations concentrate all of their efforts into October while completely neglecting the other 11 months. Here’s the point: Information overload is not effective, for your people or your budget. Corporations that rely on October alone may forfeit some of their responsibility while exhausting their staff into a state of disengagement.

How do I know this? Every year, I am booked solid from September through November, right around–you guessed it–Cybersecurity Awareness Month. And I’m not complaining about the business! But I am concerned that we see a sudden yet fleeting burst of motivation by companies and yet a lack of accountability the rest of the year. More and more, in addition to a keynote event during their October campaign, smart organizations will supplement their education with monthly emails, phishing contests, brown bag lunch dates on personal security, funny social engineering videos and other relevant updates that keep their staff current on the latest cyber trends.

2. Don’t Hire Speakers Who Bore Them to Tears

Emotions matter. Your people matter. A relatable, captivating experience is critical to creating personal buy-in among your employees. And let’s face it, your people are only your weakest link if you let them be. When you bring in engaging, entertaining speakers who make the topic personally relevant to their lives (not just to your bottom line), they will naturally expand and apply that learning to your organization.

Take Facebook for example. They have successfully implemented “Hacktober” during National Cybersecurity Awareness Month, which provides workshops and gamified contests for workers to implement everything they learned throughout the year. And then in October, they reward their team with a highly entertaining speaker (shameless plug ;-) that benefits them personally and professionally.

When I live hack the iPhone of an audience member (using humor to socially engineer them) or run a game show about deep fake technology to educate them on trending threats, they leave not only with tools for protecting the company, but with personal buy-in about why data defense matters. But if it’s boring, it gets forgotten.

3. Don’t Force Feed Them 8 Straight Hours of Cybersecurity Awareness Training

More is not always better. Faster is rarely better. Eight hours of pure content without a bathroom break is not better. And it’s probably illegal. Because we are productive beings focused on “more”, we sometimes confuse efficiency with effectiveness. In the case of cybersecurity awareness training, eight hours of hearing about hackers, fraudsters and scams (oh my!) isn’t going to do much besides–at best–convincing your people to tune out and enter BORED, SLEEP and WASTE in their latest Wordle puzzle.

Organizations that treat cybersecurity awareness month as a time to stuff all content into one long day and hope that everyone learns something (or at least stays awake) tend to be wasting their money. More education in less time is not the way to prevent cybercrime from landing you at the top of the news cycle. In fact, content stuffing will dull down the topic so much that your people will care less than when they walked in.

It’s like one of those weeks where you put off doing the laundry just long enough that your clothes barely fit in the washer. So you stuff it all in and not only don’t the clothes get clean, but the machine is toast before the spin cycle subsides. The lesson? Don’t leave your people half-washed by stuffing their brains so full that they can’t finish the cycle. The most savvy data protection education I see tees up the topic with a few new best practices–let’s say password or click hygiene–paired with real life stories of what happens when it all goes bad. Audiences love stories, so don’t drown them with statistics and a boring PowerPoint.

4. Don’t Make it Only About the Organization

Would you rather fold your own underwear or those of a random stranger? If you have any common sense (or knack for hygiene), you’d choose your own. Doing the laundry may not be the funnest part of your Sunday routine, but you know it is necessary because in the end, it directly impacts you. Forget to start the wash? You’re the one going commando. Dumped the basket of dress shirts on the floor and forgot about it? Monday is going to be stress with a side of wrinkles.

The point is, when something impacts us personally, we notice it quicker and invest in it more fully. Many keynote speakers on cyber threats ask you to fold someone else’s laundry–they only want you looking out for the good of the organization. They don’t give individual employees a “why” that impacts each of them personally.

In other words, Cybersecurity Awareness Month is not just about educating. It is about creating emotional buy-in. In order to be remotely effective, cyber education should come over the course of the entire year–not just one month dedicated to it. So why have a dedicated month at all? Because October serves as a national reminder about why this matters. It is the responsibility of your keynote speaker to 1) Get employees and executives passionate about protecting the data that drives your profits and 2) Illustrate how protection affects them personally first. If the individual doesn’t give half a load of laundry about defending their own private information, they sure as heck aren’t going to care about protecting the corporation’s information capital. By bridging the personal and the organizational, we can encourage personal buy-in that leaves the individual and the company better off for it.

So, if Pitfall #3 is an oversupply of content, then Pitfall #4 is having an inadequate reason to listen and take ownership in the first place.

5. Don’t Focus on Failure, Focus on the Future

When organizations and leaders only focus on what their people are doing wrong, those people are far less likely to embrace change. Employees want to feel like they are successfully contributing to the health and well-being of the company. So, if you approach cybersecurity education and awareness from a peripheral angle and point out what IS working and where you have thwarted attacks, individuals feel proud and therefore much more empowered to continue the momentum into the future. Cybercrime is already a negative topic; needlessly harping on past failures only depresses progress.

For example, in my cybersecurity keynote presentation, I make it a priority to point out how it is generally the human beings inside of any organization that catch fraud in process. Your people are your superheroes when it comes to data defense. You can have the greatest technological tools in the world, but if you don’t have a smart human wielding them, they are worth next to nothing. This approach is called Appreciative Inquiry, and it is an incredibly powerful tool in your arsenal of human cyber weapons. And it is generally missing from the average Cybersecurity Awareness Month playlist.

And with that in mind, here is the good news. YOU DON’T HAVE TO BE VICTIM TO THESE PITFALLS. I have witnessed hundreds of cybersecurity awareness month events in my two decades of keynoting events, and the leaders that understand and avoid these pitfalls don’t just create a better awareness event, they build a long-term cybersecurity culture. And that’s something that doesn’t come out in the wash.

_____________________________

John Sileo specializes in Cybersecurity Awareness Month 2022 keynote presentations that set your month, year and awareness program up for success. If you’d like to learn how John will customize his speech to your event, contact us directly on 303.777.322 or by filling out our friendly contact form.

Automotive Cybersecurity: Don’t Bank on Untrained “Drivers”

Would you send your newly licensed 16-year-old out to drive on the interstate without spending months teaching them safety skills and the rules of the road? I hope not! Even if their car had all of the latest safety technology – front and side airbags, auto-locking seatbelts, crash-warning sensors – and a low-deductible insurance policy, you still wouldn’t take the risk.

In other words, technology without training is completely useless. And the same is true of cybersecurity, whether you are running a local car dealership or a national automotive chain. And that matters because in the past two years, 85% of auto dealerships have reported being a victim of cybercrime. Let’s go back a step.

National Auto Dealers Association Highlights Hacking Among Auto Dealers

I recently spoke for the National Automobile Dealers Association (NADA). NADA is an American trade organization composed of nearly 16,500 franchised new car and truck dealerships. Each year, the folks at NADA gather business leaders to discuss the latest in industry innovation and shop thousands of new products and services from the industry’s top vendors and suppliers. In addition to showcasing exceptionally cool new concept cars, auto dealers are keenly aware of the rapid increase of cyberattacks targeting their privacy, profits and reputation.

This year, the NADA Show 2022 took place in the Las Vegas Convention Center. In addition to a keynote interview with Michael Strahan, the conference also featured a Distinguished Speaker Series, which had a fantastic roster of keynote speakers that included Col. Nicole Malachowski, Lt. Cdr. Jesse Iwuji, and myself. I was invited to chat about pressing automotive cybersecurity threats and solutions as they specifically relate to car dealers and the automotive industry.

Think about it – even corporate auto dealers like Toyota and Lexus aren’t immune to cyber threats. After 3.1 million pieces of consumer data were compromised in an automotive industry cyber attack that targeted Australia, Japan, Thailand and Vietnam, it was only going to be a matter of time before auto dealerships and manufacturers in the U.S. came under fire. And the industry is under attack for a very good reason.

Auto dealers handle a treasure trove of valuable customer data. And when you are as busy as dealers are with product supply chain issues, labor shortages and general entrepreneurship duties, cybersecurity can become just another item on a very long checklist. So let me give you a quick recap of the small business cybersecurity checklist I detailed during my presentation, The Art of Human Hacking: Social Engineering Self-Defense for Auto Dealers.

Automotive Cybersecurity Trending Cyber Attacks

Why are car dealerships coming under so much cyber fire? The COVID-19 pandemic accelerated a playing field that was already taking shape – the remote workforce. As the marketplace was forced into working remotely, many elements of a traditional dealership — like sensitive customer and financial data — were moved into the cloud so they could be accessed from outside the dealership. Cloud operations can be convenient, scalable and profitable. But they also open up backdoors into the dealership if cybersecurity isn’t built in from the beginning.

In essence, the auto industry has moved from a fortress model (where data is secured behind a centralized network protected by a moat, or perimeter security, like firewalls and VPN), to a widely distributed computing kingdom where data is accessed from the dealership itself as well as homes, remote offices, cafes, airports, hotels and conferences. That means that traditional defenses like anti-virus, firewalls and virtual private networks are no longer sufficient.

A second threat is the advent of supply chain attacks, where cyber criminals hijack legitimate software that the dealer trusts and use it to infect the entire network. SolarWinds, Kaseya and Log4j are examples of this malicious attack vector. This is particularly damaging because there is no warning that the enemy has crossed the gate and is living in your systems.

But probably the most effective and pervasive form of attack is ransomware. Ransomware uses encryption to lock down every connected computer on your network, and then charges you a ransom to recover your data. When you don’t pay the ransom, the ransomware gangs leak your data and report you to the press and regulatory agencies to trigger expensive and reputation-damaging publicity.

The average cost to a dealer to regain their data is trending quickly upward. Though the average ransom payment is just over $150,000, a recent attack on Arrigo Automotive Group in West Palm Beach, Florida cost the dealerships approximately $500,000 in remediation. And that doesn’t account for reputation damage or lost revenue due to fleeing customers.

To make matters worse, the average downtime associated with an auto dealer cyber attack is 21 days long — three weeks’ worth of lost revenue as the icing on the bitter cyberattack cake. And since the Federal Trade Commission revealed there were 38,561 reported cases of identity theft related to auto loans and leases in 2019, it’s no surprise that over 80% of customers would choose to take their business elsewhere, leaving the compromised auto dealer behind.

Why Car Dealer Data is so Attractive to Hackers

  1. Unfortunately, but rightly so, cybercriminals view unprepared auto dealers as poorly protected financial institutions. Because of the costs involved in purchasing an automobile, dealers collect data just like a bank does, from consumer identity and credit details to loan payment and banking information, not to mention demographics, online behaviors and more. But unlike a bank, the automotive industry is not government regulated, removing one powerful incentive for dealerships to implement safeguards.
  2. Dealerships have a multitude of hacker entry points. Think about the variety of third-party partners and digital marketplaces with which dealers do business. Then consider the varied operating systems and software packages that finance, admin, sales and service utilize on a daily basis. Don’t forget the free guest WiFi access, the number of customers who have access to associates’ desks and the multiple locations they potentially service. Every one of those nodes is an entry point for a cybercriminal.
  3. And most importantly, nearly half of American dealerships don’t have adequate automotive cybersecurity solutions, or even basic small business cybersecurity solutions, to defend these entry points. Only 49% of dealerships claim to have adequate protection against cyberattacks, while another 73% have yet to undergo automotive cybersecurity testing to fine-tune their incident response plans.

Auto Dealers and Small Business Cybersecurity Checklist

If auto dealers want to prevent an auto dealer cyber attack, the answer is not to simply build a technological fortress around their sensitive data. While advanced technology can certainly deter hackers, 91% of cyber attacks rely on social engineering — when a cybercriminal uses techniques such as phishing emails to gain access into an organization.

In other words, hackers always go after the humans first, because poorly trained employees and executives tend to be the weakest link in the cybersecurity chain. But they don’t have to be.

As auto dealerships of all sizes continue to navigate an evolving cybersecurity landscape, staff and employees must be treated as an integral part of cyber defenses. To refuse to do so isn’t just costly, it’s like putting an inexperienced driver behind the wheel of a potentially harmful machine. If you own or operate an auto dealership business and are unsure if your organization is doing everything it can to fulfill the framework for automotive cybersecurity best practices, take a look at this small business cybersecurity checklist I recently shared with the attendees of the NADA Show 2022:

  • Does your dealership currently have cybersecurity defenses in place? Defenses include end-point protection, zero trust architecture, two-factor authentication, password managers, default deny firewalls and many other layered techniques.
  • Does your dealership have around-the-clock security monitoring to detect cyber threats? It is not enough to have the equipment, you also need to attend to the alerts when they arise.
  • Does your dealership understand the specific cyber risks impacting your industry, including but not limited to: malware, ransomware, supply chain attacks, brute force hacking, phishing, social engineering attacks and credential theft?
  • Has your dealership contracted with an external security vendor to conduct a risk assessment in the past 12 months?
  • Does your dealership periodically assess third-party partners and marketplaces to understand the risks they can pose to your business?
  • Does your dealership have established policies and procedures in place to protect your business information and systems?
  • Do you have a robust data backup and recovery response plan in case ransomware locks up your network?
  • Has your dealership conducted an incident response test in the past 12 months to ensure all procedures are accurate and effective?
  • Do your dealership employees know what to do in the event of a cyberattack or a loss of service?
  • Do you provide regular, engaging Security Awareness Training for your employees, executives and 3rd-party partners?

If you answered no to any of these questions, you are well advised to resolve those issues before they take down your business like they did mine. Make a call today to a cybersecurity expert you trust deeply who will help you build a framework suited to your dealership’s needs and then educate your people to become your strongest cybersecurity defense instead of your weakest, most exploitable link.

The Best Framework for Automotive Cybersecurity Best Practices

In today’s digital age, cybersecurity for automotive dealerships is just as mission-critical as it is for large banking institutions. It’s important to treat your customer data just like customers treat the precious cargo they transport in the cars you provide. The framework that I shared at NADA 2022 is called the Blockbuster Cybersecurity Framework. It includes 9 components with corresponding questions that help you analyze, organize and communicate the cybersecurity changes you need to make.

If you are unclear of how best to deploy a non-technical framework for moving forward, or need to improve your Security Awareness Training, consider bringing me in as a board advisor or keynote speaker who will energize and illuminate your cyber efforts and your people. Once I share my two-year battle with cybercrime and how I almost went to jail for taking my eye off the ball, your team will be motivated to make the necessary changes. Send me an inquiry today to learn more.

And no matter what, don’t send your employees out on the road without training them how to be a proactive, knowledgeable part of the solution.

Security Keynote Speaker on Rachael Ray, 60 Minutes…

Video: http://www.youtube.com/watch?v=s2Rvl5JuQJM&rel=0

 

Cyber Security Keynote Speaker National TV Montage

The average security keynote speaker is technical in nature (Zzz), which sometimes means they can be dry and boring. Death by PowerPoint! This is not good for your event. In fact, it can be disastrous for a meeting planner’s career or an organization’s entire conference. You want a keynote speaker who will interact with your audience, make them laugh, help them to understand where the worlds of human behavior, technology and the Internet converge, so that they walk out of the presentation with greater insight into securing the information that defines them.

Ideally, the perfect cyber security keynote speaker for your event will blend content, laughter, entertainment and cutting-edge data with the specific outcome necessary to change your audience’s behavior. That won’t just make you the hero, it will make the event a home run for the attendees, which is what it’s all about anyway. Take a quick look at this video to see what an engaging security keynote looks like (on stage).

Cyber Security Keynote Speaker John Sileo on Stage

Video: http://www.youtube.com/watch?v=B1st4gzcdLs&rel=0

 

John Sileo is an award-winning author and security keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it sticks. In addition to national media coverage on Rachael Ray, 60 Minutes, Anderson Cooper and Fox Business, John has appeared as a security keynote speaker for the Pentagon, Visa, Homeland Security, Pfizer and more than a thousand organizations of all sizes. Interested in bringing John in to shake up your security conference? Contact The Sileo Group directly on 800.258.8076.

Security Keynote Speaker John Sileo