Kitecast

Lisa Plaggemier: Empowering Digital Safety for All

April 02, 2024 Tim Freestone and Patrick Spencer Season 2 Episode 27

In the latest Kitecast episode, Lisa Plaggemier, the Executive Director of the National Cybersecurity Alliance, discusses what it takes to empower digital safety for all people and organizations. With an extensive background in marketing, operations, and cybersecurity, including a decade at Ford Motor Company and senior roles at CDK Global and InfoSec, Lisa brings a wealth of experience and lessons learned to the topic. Her focus is on helping businesses and individuals protect themselves in the digital world, which enables organizations to develop better cybersecurity risk management strategies.

Lisa emphasizes the importance of consistent and clear communications when it comes to cybersecurity awareness. She highlights the success of Cybersecurity Awareness Month, an initiative founded by the National Cybersecurity Alliance, attributing its effectiveness to the consistency of the message over time. Lisa also stresses the need to demystify cybersecurity for the average person, making it more attractive and less intimidating to adopt safe online practices.

One of the key challenges Lisa identifies is the knowledge gap between IT professionals and business owners, particularly in small businesses. To address this gap, the National Cybersecurity Alliance launched a training class tailored to educate business leaders on managing cybersecurity as a function of their business. The organization also recognizes the importance of early cybersecurity education, with plans to develop age-appropriate content for children in collaboration with PBS Kids.

Lisa shares insights from the National Cybersecurity Alliance’s annual survey, revealing alarming trends such as the persistence of insecure password practices and the overconfidence of younger generations in their ability to navigate cybersecurity risks. She also discusses the need for widespread adoption of multi-factor authentication (MFA) and the role of social media companies in mandating more stringent security measures.

In addition to the above, Lisa emphasizes the National Cybersecurity Alliance’s commitment to promoting cybersecurity awareness through various initiatives, including the creation of a comedic series called Kubikle Series to engage a broader audience. With her expertise and dedication to the cause, Lisa—and the National Cybersecurity Alliance—continue to play a crucial role in empowering individuals and organizations to stay safe in the ever-evolving digital landscape.

LinkedIn: https://www.linkedin.com/in/lisaplaggemier/

National Cybersecurity Alliance: https://staysafeonline.org/

Kubikle Series: https://kubikleseries.com/ 

Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Patrick Spencer (00:02.15)
Hey everyone, welcome back to another Kitecast episode. I'm Patrick Spencer, one of your co-hosts. I'm joined by Tim Freestone, your other co-host. Tim, how are you doing today?

Tim Freestone (00:12.015)
Yeah, good. I'm really, really looking forward to this weekend and I'll save everybody the reasons why, but I am looking forward.

Patrick Spencer (00:19.834)
Yeah, I am as well. I suspect Lisa is, she's going to concur with us. We have a real treat today. Lisa Plaggemier is the executive director of the National Cyber Security Alliance with the charter of safe and secure use of all technology. That's a big charter. She's going to talk a bit about that.

Lisa Plaggemier (00:26.419)
Absolutely.

Patrick Spencer (00:42.71)
Winner of SC Magazine's Reboot Thought Leadership Award and a frequent speaker at cyber security events like RSA and SANS and so forth, Lisa is focused on helping businesses and individuals, we're gonna talk about both, to protect themselves. Early in her career, Lisa spent a decade at Ford Motor Company, their operations in Europe, including that in German. We're not gonna do this in Germany this to say, but I suspect she can say a few words in German for us as a result of a decade living overseas. And she served in various senior and executive roles at CDK Global, InfoSec, MediaPro, and so forth. Lisa, thanks for joining us. We're looking forward to this conversation.

Lisa Plaggemier (01:24.174)
Thanks for having me.

Patrick Spencer (01:25.97)
So let's start and talk a bit about National Cybersecurity Alliance. Some in our audience may be familiar with the organization, others may not. Talk a bit about what you guys do, your charter. And I think you've been at the organization for a couple of years now.

Lisa Plaggemier (01:40.738)
years now. Yeah, I was on the board before I was the executive director, so I've been associated with it for quite a while. We are probably best known for being the founders of Cybersecurity Awareness Month every October. If you're in security and you're sick of Cybersecurity Awareness Month every October, just remember that people like your mom and your kids probably need to hear advice from folks like us at least once a year. That's what we're best known for. We've

Lisa Plaggemier (02:10.754)
And then we also are big fans of Data Privacy Week in January, and then we run seasonal campaigns on every different topic you can think of, mainly aimed at end users. And then a lot of materials that we put out for training and awareness managers. They're the biggest cohort in our database. We have events for them to share best practices, and we have constant flow of materials that they can all use for free.

So we just finished Valentine's Day here lately, we did a campaign on romance scams that included a lot of media for the public as well as those campaign kits and games and things like that people can use to share within their organizations. So whatever is timely and topical, summer travel security, safe holiday shopping, any of those things, that's what we're focused on when it comes to getting the word out. We also have a program for small business education and we have a program to try and...

recruit more students from historically black colleges and universities into careers in cyber security.

Patrick Spencer (03:11.338)
That's it. Now you guys are a nonprofit, if I... So you've worked for some nonprofits in the past, or have they all been for-profit organizations, obviously Ford?

Lisa Plaggemier (03:13.59)
We are. That's right.

Lisa Plaggemier (03:22.543)
There were years at Ford where it felt like a non-profit. I was there in the late 80s through to the late 90s and market share was a battle. If it weren't for the F series, our lives would have been really difficult. But it's a great company and I learned a lot there about marketing and advertising. And that's really served me well in training and awareness.

Patrick Spencer (03:46.75)
Yeah, that's a great point. So what attracted you to join a nonprofit? What was exciting? This is a transition for you from a career standpoint.

Lisa Plaggemier (03:57.662)
Yeah, so I think for me, what really gets me up every day, when I first saw I was, you know, just meandering through a career in cybersecurity, I was at an automotive technology company, and that's our meandering through a career in marketing, and minding my own business when the CISO came along and said, hey, we should do thought leadership about security topics, because we have half a billion consumer records and all the auto manufacturers and 35,000 car dealers were our customers and.

The Jeep hack happened and manufacturers were worried about brand damage and, hey, we should kind of tout, you know, not pound our chest, but talk about our security program. And we think we're better than competition. We can definitely take some thought leadership there. So that's what got me pulled in to the world of security. And the more I learned about it, the more I realized there was a huge, I won't even call it a communication gap, it is a communication chasm between what those of us working in security see all day and the fight that we fight.

your average human, your average American, your average citizen, people like my mom and my kids who I pick on all the time. You know, folks in their 20s and in their 70s and 80s that just really aren't aware of some of these things. A lot of people working age get training, so we see some differences in the data there about their behaviors and their attitudes about it, but there's just such a huge communication gap and that's

what I like being able to try to bridge every day, to try and demystify security for the average person, to try and simplify it so that it's more attractive for them to do some of the behaviors we're asking them to do, like use a VPN or use MFA or not use the same password on everything. We have a tendency to make it sound complicated and hard because it is hard if you're a security professional, it's not an easy job. But if we make it sound hard to everybody else.

then they're not gonna engage, and they're not gonna do some of the things that actually are very simple to do. We've just made them sound a little bit too difficult.

Patrick Spencer (06:00.938)
I have one, Tim's going to jump here in a second, I'm sure. I have a, you got me thinking about, you know, security gaps, just from a, whether they're business professionals or they're, you know, your mom and my mom trying to do computing at the home. What's the biggest gap that you think we've closed or we've made really good progress on over the last five years? And what's one that you think we still have a lot of work to do?

Lisa Plaggemier (06:25.57)
So I think a lot of people are a lot more aware of phishing. That's the one thing when we ask people as a result of training that you've gotten at your place of work, but usually, you know, there's very few schools and other organizations that are doing a lot of cybersecurity training. It's mainly people getting end user training at work. When we ask them, what have you gotten better at as a result of that training? Like, what did you change? What behaviors did you change? This is self-reported, so it's not observational research.

But in every country where we ask people this question and every single year that we've asked them the question, the answer is I feel like I'm better equipped to recognize phishing emails or texts or anything malicious like that. And I also credit those sometimes controversial simulated phishing programs that organizations run. There's somebody who is lighting up Twitter in the last week because their spouse got...

an email about a, I think it was a Valentine's package waiting for you at the front desk or something. And it was a simulated phish and this was sent to members of an organization on Valentine's Day. And they thought that was kind of cruel. So there are, sometimes there are controversies when you pick a topic that, you know, like, please don't send a benefits

simulated phish during open enrollment. Like that's just not going to make you any friends outside of the security organization. And it's not about us being tricky, right? We're trying to educate people. And yes, I know the bad guys are really tricky. But you also have to think about the relationship that you're trying to build in the organization. And you want people reporting things to you. You want people involving you upstream in their projects. Especially if you're in a tech company and you're trying to influence the...

the development of new products and everything, you want a seat at the table. And so some of those things, if you're just kinda gonna tick off the whole organization by doing a simulated phish, that makes everybody angry. I would argue that you might win the battle, but you might lose the war. So that's the one thing that we see consistently. And I do think the simulated phishing programs, when done right, really help.

Patrick Spencer (08:40.142)
Interesting. What's the biggest gap on the second question that you see?

Tim Freestone (08:40.86)
Yeah.

Lisa Plaggemier (08:44.079)
Oh my goodness.

Lisa Plaggemier (08:48.29)
In general, there's just this knowledge gap. I see this in small businesses where they just feel like, my IT guy's got this, right? Like there's a huge communication gap between business owners. So for example, we're gonna start our next cohort of our training class for small businesses is gonna be car dealers because they are kind of like banks, they write loans. And they also are...

businesses that are like SIBs, there's a lot of vendors running around, there's a lot of data flowing around, they give a lot of different vendors access to their networks to access data for sales and promotion programs, stuff like that. And there's 50% employee turnover in the sales department usually. So there's a lot of opportunities for things to go wrong. And I can't tell you, coming from automotive, how many times I would talk to a dealer principal and ask him some question that was IT or security related.

And that is the answer you get is, boy, I just hope my IT guy's got it handled because I don't really understand this stuff. So our class is going to be to teach business leadership enough about cybersecurity to manage it as a function of their business. How do you hire an MSP or an MSSP? What questions do you need to be asking your IT guy? How do you manage that person, guy or gal? I mean, the classic example is, you know, my IT guy keeps telling me I need to replace that.

old Windows XP machine in the parts department, but my parts manager tells me it's running just fine. So why should I do that? I mean, there's just, they don't talk in terms that the other one understands. So that's the gap we're going to try and bridge there. I think most people feel like if they're not technical, even somebody as business savvy as somebody who owns four or five car dealerships, they don't feel confident even asking questions because it all...

is very confusing and they just are intimidated by the topic. And that's something that our research shows us as well, that people are in general kind of intimidated by cybersecurity. So our goal is to demystify it in those training classes.

Tim Freestone (10:59.908)
Is your goal and your charter mainly just people in business or just people?

Lisa Plaggemier (11:05.526)
People, humans, we've decided that it's all about belly buttons, right? Like no matter what you do or what your role is in an organization or what other demographic you're in, that at the end of the day, it's human beings. And so while we have content that might put business context around some of these issues, at the end of the day, we're trying to influence individual human beings.

Tim Freestone (11:28.383)
Okay. The, the, when you mentioned Cybersecurity Awareness Month, I think that's great. And it's been successful. You can't operate in business and not know that. I don't think, like everybody knows that. What do you think that particular initiative was, has been successful, at least in a business layer? Cause I have more follow-ons to this, but like if I were to ask my mom or my kids, people, or even probably someone who works the retail,

computer at Bloomingdale's, most likely probably doesn't know that. So I think it's resonated well in the business community. So we'll just start there. Why do you think that has taken off? And do you have any other initiatives that you're hoping to replicate for further awareness that are similar to that?

Lisa Plaggemier (12:17.578)
I think it's the consistency of the message over time. I remember being in a meeting when I was on the board with some of the folks at CISA, we were talking about the campaign, this was a couple of years ago, and there had been this habit of changing the theme and the logo and everything sort of every year that there was this thought that this needed to be somehow freshened up. And I said if McDonald's changed their logo every year would we still know who McDonald's is?

Tim Freestone (12:39.422)
HAH

Lisa Plaggemier (12:47.902)
But we don't go buy fries every day. And if they want us to go buy fries every day, they need to keep pushing that same message. I mean, marketing 101 is consistency. So I think that's the one thing that we've tried to do is be really consistent with, especially the last few years, we're focusing on the same core four behaviors, recognizing and reporting phishing, MFA, updates and patching, and what am I forgetting, password habits.

Until we see, I mean, my belief is until we see widespread adoption of any of those things, we need to keep talking about them over and over and over again, because people aren't paying that much attention. And so you're only getting a sliver of share of mind there. And so you've just got to keep repeating, singing off that same song sheet. And then we changed the language in the last few years to talk about how quick and easy some of these things are to do. So I think that's helping as well.

Tim Freestone (13:46.215)
Um, the expanding beyond the business side of things. Like I think about, you know, again, just my kids, they're 13 and 11. They haven't had a single cybersecurity, anything in, in grade school or, and they're the most susceptible because they're the ones that are, they're just online and all these weird, you know, weird, but like TikTok, but they have, you know, w what do we do with the education that starts at, you know,

Kindergarten basically.

Lisa Plaggemier (14:17.49)
I think it starts with teachers, right? I mean, I've heard stories of, you know, there's some new app that they're all using in the classroom, so the teacher writes a common password on the blackboard and says, this is what we're all gonna use. I mean, the minute you put technology in a child's hands is when you need to start talking about how to use it responsibly.

Tim Freestone (14:30.131)
Yeah.

Lisa Plaggemier (14:37.578)
So I know there's good work being done at cyber.org and K through 12. Cyber Florida, the state of Florida has a great program where they have summer camps for kids. They have summer education programs for teachers. It's a very comprehensive program. So a lot of those are happening at the state level. Some of them are using some federal grants, I think, to do that. And there needs to be, you know, if I can replicate.

the Cyber Florida program in every state in the country, I would. They do a really great job there with that program, trying to push the topic in K through 12 and educate the teachers enough so that they understand what's at stake and they can communicate that to the kids.

Tim Freestone (15:18.791)
Yeah.

Patrick Spencer (15:18.914)
Raising awareness at that level, you think that'll help with the cybersecurity skills shortage that we've been talking about for what two decades, it seems like now forever. You know, with the kids learning about cybersecurity, you think they'll be more inclined when they get to college, when they get ready to launch their career to actually do something in the cybersecurity realm.

Lisa Plaggemier (15:39.406)
I think so. That's one of the things we try to accomplish with the See Yourself in Cyber program, the HBCU program is for the first time, we're going to invite some high schoolers to that to our events that are coming up in Maryland. I think part of what gets lost, like I agree that yes, I think that makes a difference. But people still believe this is largely a field only for STEM folks, right? We try to at our college events anyway, we try to invite students in business school. You could be pre-law.

and end up working in security or privacy. You could be, I mean, a lot of some of the more advanced schools have programs like University of Texas at San Antonio. San Antonio is known for being a hotbed of cybersecurity, and they have a business degree in cyber. So you could end up being a business security officer or working in GRC or something along those lines. And I think that's really, really important.

that we get outside of our comfortable place. We get more integrated with the business. That's really, really important for changes to happen. You've gotta have that seat at the table. And so there's room, I think, for people of all different backgrounds, not just people who are really strong in STEM.

Tim Freestone (16:58.467)
It just, it doesn't seem like it's seeded earlier. I guess what I'm getting at, like it would be great if, if it were, you know, perfect world. Um, if this started to get seeded. Really early in a, in a person's education at, you know, elementary school. I mean, we have courses on, um, uh, home ec and, um, uh, you know, all the course social studies history, all that stuff.

Lisa Plaggemier (17:01.962)
Mm-hmm. Yeah.

Lisa Plaggemier (17:20.535)
Right.

Tim Freestone (17:25.191)
But the one thing that impacts everybody's daily life, there's relatively no courses on, that would be something I think, you know, if my kids, if I saw an A in cybersecurity awareness on a report card, that would be fantastic because it lasts, that stuff lasts a lifetime. And I'll just add another little story here because I know you guys do a lot of work with scamming and social engineering.

just to the point of how sophisticated these people have become. My mom was actually scammed out of a couple thousand dollars, believe it or not. And she, yeah, this was years ago, but what happened was what made it so sophisticated was they had found the people that she was texting with the most somehow and were able to spoof her best friend's phone number to send my mom texts about how good of a deal this thing that she was being offered was.

Lisa Plaggemier (18:00.782)
Sorry to hear that.

Tim Freestone (18:21.399)
The sophistication is so incredible that this education, you know, watching an animated cartoon once a year for an hour and a half in my business, okay, that's something, but it just seems like it's gotta get embedded into the culture earlier and longer.

Lisa Plaggemier (18:22.787)
Yeah.

Lisa Plaggemier (18:39.69)
Yeah, we actually have an open invitation from PBS Kids to if we can come up with some sort of game or appropriate content for little kids that we're welcome to post it on pbskids.org. My only problem for that right now is funding. Like if we can find a funder to help us do something like that, like I think we have the right brains in place to help us produce something. It's just like anything else money.

Tim Freestone (18:56.959)
Yeah, yeah, yeah.

Lisa Plaggemier (19:08.982)
money can make things happen. So, yeah, I'd like to see it go. We even start before elementary school, right? Preschool age.

Tim Freestone (19:17.279)
So call to action to everybody who watches this. Donate to the National Cyber Security Alliance. Yeah.

Lisa Plaggemier (19:20.69)
No.

Patrick Spencer (19:23.346)
Call Lisa, she needs some money. You mentioned in a PBS ad, you never know.

Tim Freestone (19:28.457)
Here you go.

Lisa Plaggemier (19:28.807)
Yeah.

Patrick Spencer (19:32.574)
So in your report last year, do you see any interesting trends like changes over previous years? You talked a bit about phishing and the biggest gaps. Are there any trends you see that are promising, any that are alarming?

Lisa Plaggemier (19:48.514)
So the most alarming one for me that every year just kind of makes me shake my head is when we ask people, how do you keep track of your passwords, the most popular answer every year so far has been I write them down in a password notebook. And we survey a thousand people in each country where we do the survey and we follow census data to get a demographic sample that's statistically valid. So this includes people from 18 all the way through retirees.

And so we do a lot of talking about why we're not big fans of password notebooks. So that one's a little bit alarming. We are starting to see a little bit more adoption of password managers, though. The biggest changes this past year that we saw, the biggest trends that we saw were age related. So we know from FBI data and other sources that younger folks get scammed more frequently. Our data shows the same thing, but it's for lower dollar amounts.

Older folks, when they get scammed, it's less frequent, but the dollar amounts are much, much higher. I mean, why did the criminal rob the bank? Because that's where the money was. The older folks have accumulated more assets during their lifetime. And so some of those scams, they can be incredibly sophisticated, I think, for the bad guys. If I just look at the ROI, I'm going to be willing, even a romance scam, I'm going to be willing to invest some time and some OSINT into that.

make sure my backstops are all in place, because my payout is potentially six figures over time. So I think I'm hearing, just like you said, Tim, more and more really sophisticated scams that just take a whole lot of work to put into place. But what I'm seeing so far is when those are successful,

The ROI is really high for the bad guy, unfortunately.

Tim Freestone (21:47.327)
I mean, I've heard of some of the podcasts I listen to, they'll dive into case studies of people being scammed. I mean, it can get millions of dollars from one person, you know, ruin entire lives.

Patrick Spencer (21:47.38)
on the s-

Lisa Plaggemier (22:00.222)
Yeah, the scary thing that we learned this year about that age difference is that younger people feel more confident. And they claim that if we look at like Gen X and Gen Y, they are millennials, they will say that my older friends and family members rely on me to keep them safe and to help them with their use of technology. But when you ask the older folks in their lives, they'll say

Tim Freestone (22:21.395)
Hmm.

Lisa Plaggemier (22:29.51)
Yeah, they think they know, but they really don't know. And they get themselves into trouble with technology more frequently than I do. So if you ask anybody who's a parent of a teenager, yeah, of course they think they know more than you do. Or we see that same dynamic when it comes to security behaviors. Younger folks don't prioritize it as much. They also feel more cynical, because we ask them about whether or not they think it's inevitable, that you can't avoid it these days on the internet, you're going to get scammed.

That's unfortunate because that tells me they don't even understand that there's a few simple things they could be doing that would make a big difference, like MFA, for example. If they feel like it's inevitable, then that tells me that they don't understand that they have some power, they have some control. So we've got to fight that. But a lot of that, I think, is the news media because when they talk about breaches and things in the headlines, there's very seldom any discussion around some of the...

you know, simple end user behaviors that you could use to protect yourself. They, you know, they feel like a lot of it is in the hands of the company that's been breached, which is true. But because of that breach, you know, because your data is out there, you're probably more susceptible to social engineering. So here's some of the things you need to be thinking about, right, about protecting yourself. And that's usually not a part of the story on the 6 o'clock news.

Tim Freestone (23:52.509)
Yeah.

Patrick Spencer (23:53.382)
On the MFA front, some organizations are making it mandatory. You don't have a choice. Others make it optional. Are you seeing any trends there? Obviously, probably more and more organizations will just make all their users employ MFA to two factor to begin with. But do you see more and more people opting in when it is optional? Is that something that you track?

Lisa Plaggemier (24:01.019)
Right.

Lisa Plaggemier (24:20.618)
I don't have data around that. I mean, we do see that using MFA is in the top. So all the behaviors that we list when we ask people, what have you changed as a result of training? The top three are my password habits. First one is always better at recognizing phishing. And then it's kind of a volley for second or third place between using MFA and having better, using unique passwords, having better password habits.

Yeah, the most notable story I've seen lately was Salesforce mandated it for all their customers. And that was really impressive. We're actually going to write a little case study about it because they've grown so much, you know, by acquisition. It's complex. It's not like flip one switch. Like, it's a big project to implement that across the enterprise. And then in some cases, their customers are standing in front of a retail customer when they're needing to log into Salesforce. And you know,

you ask any retail organization, the last thing they want is any friction in the process of somebody buying something. So we thought that was really brave and was the right thing to do. I know there's a website out there, I forget the name of it, but there's some guys, some developers, I think who casually keep track, they have a name and shame list. There's a website out there of companies that don't offer MFA.

Tim Freestone (25:25.405)
Right.

Lisa Plaggemier (25:44.586)
at all and then companies that don't mandate it. And I was on there the other day and I noticed that some of the companies that shocked me a couple of years ago, like banks, are no longer on that list. So I think that's a really, really good thing. I wish more of the social media companies, I think there might be still one or two social media companies that don't even offer it. And I wish more companies would mandate it, especially social media. Exactly.

Tim Freestone (26:07.923)
from a consumer standpoint, right? Like their customers, yeah. I can see that being, I can see that friction problem being very critical.

Lisa Plaggemier (26:19.33)
Yeah. Yeah, but if Salesforce can do it, I mean, to me, that's a great example. You know, they're a huge organization, and I don't know what excuse anybody else has at this point.

Tim Freestone (26:22.527)
Sure.

Tim Freestone (26:27.068)
Yeah.

Yeah. And the technology is so easy now. Like I remember when MFA started, you know, everybody was a pain, but now it's just, it's force of habit, at least for me, I just don't even notice it anymore. It's just, that's what you do, you know, once it becomes part of your force of habit, it's just, it's a non-issue. You just got to get it going though.

Lisa Plaggemier (26:32.604)
Mm-hmm.

Lisa Plaggemier (26:36.17)
Right.

Lisa Plaggemier (26:41.619)
Exactly. Yeah.

Lisa Plaggemier (26:49.726)
Yeah, my only pet peeve is that we should have named it something better, so that people like my mom and my kids would have adopted it easier.

Patrick Spencer (26:56.574)
I'm out.

Tim Freestone (26:57.535)
Yeah, yeah, that's true. Especially since it is, is one of those acronyms that doesn't stay in the cyber security realm.

Patrick Spencer (27:03.882)
I was about to say, well, it does have an acronym, you know, that's a part and parcel when it comes to cyber security.

Lisa Plaggemier (27:06.912)
Yeah.

Tim Freestone (27:11.912)
What would you call it? Yeah. And they're touched your marketing brain, right? Or on spawn. This.

Patrick Spencer (27:12.154)
Smoke yeah, I don't know. Why are you Brandon now? We see you you're in marketing

Lisa Plaggemier (27:14.261)
Oh, apologies.

Lisa Plaggemier (27:19.078)
I got a couple of writers I'd have to put on that one. Yeah, we'd have to focus group some, come up with a few names and do some focus groups and figure it out. Yeah, yeah, exactly.

Tim Freestone (27:20.871)
Yeah, there you go.

Tim Freestone (27:26.695)
He just asked at GPT.

Patrick Spencer (27:31.042)
I have 10 names and it'll brand it for you. So small businesses, you've done some research there, it sounds like, every report you pick up, the industry is doing well, small businesses are lagging because they just don't have the resources to tackle cybersecurity issues like a larger organization in most instances, right? You see improvements there, the small businesses, they're behind in many instances, how far behind are they?

Lisa Plaggemier (27:50.414)
Mm-hmm.

Lisa Plaggemier (27:59.178)
We haven't done research in that segment. I mean, there's probably some small businesses because our research is aimed at just the general population. So I'm sure there's some small business owners in there. But ask me again in a couple of months once we've run our first class. So this course where we're going to educate business leaders, we're going to collect a lot of data. So there's going to be homework every week. And we're going to follow the NIST five steps, you know, see your homework.

Week one is probably going to be identify, you know, what are the list of things that get with your department heads, what are the list of things in your business that you need to protect. We're customizing the content for different industry verticals, because even that list of like what you have to protect, if I'm a car dealer, I might say in the age of a connected car, I might say shop manuals and the laptops out in the shop, right?

That's going to look very different than a list for a hospital or a legal office or an accountant or anything else. So that's why we're customizing the content for different industry verticals so that it resonates more with people. We're trying to meet people where they are with the content. But we're keeping track of who's going to do their homework and who is not. And that's going to give us some data.

Patrick Spencer (29:11.882)
You got a shame list?

Lisa Plaggemier (29:13.738)
Yeah, well, we're going to keep it friendly. These are going to be actually instructor-led. So people will be able to ask questions remote, but instructor-led live instructor, no chatbot, you get to ask somebody real quiet, real security professional will answer your questions. And we'll be able to just collect that data over time and follow up with people over time to see what other steps they've taken even after they finish the six weeks class, which is once a week for six weeks.

What steps have they taken in their business. We'll be gathering data over time and asking them sort of what the starting point is and then trying to measure what kind of progress they've made over time.

Tim Freestone (29:44.851)
EHH

Patrick Spencer (29:55.43)
Interesting. We're obviously very focused as an organization, Kiteworks is on sensitive content, how organizations share it, send it, collaborate, and so forth. A lot of the stuff we're talking about is protecting the network, protecting the devices, protecting the applications and so forth. Do you see a growing focus on the data itself, which is-

nine times out of 10 is often the target of the cyber criminals or the nation states who are foisting these attacks on individuals or businesses.

Lisa Plaggemier (30:33.582)
You're making me think of something really funny that happened to me a week or two ago when I had a doctor's appointment. And they, of course, have a portal and they have methods to do, you know, secure file sharing and encrypted communications. But they told me to email them something. And I said, wait a minute, don't you want me to, you know, upload this in the portal or whatever it was? And she said, no, that's okay, you can email it. And I'm like, well, what about HIPAA?

And she said, oh, that's only if I'm emailing it to you. And I said, so you're telling me it's okay to commit, I can commit a HIPAA violation against myself? Like, so that one really made me scratch my head because I thought, wow, this is letter of the law, not spirit of the law. Like the whole point of this has been lost on this medical professional. And yeah, that one, that one stuck with me. I guess I just can't.

Tim Freestone (31:01.427)
I'm sorry.

Patrick Spencer (31:05.214)
Ha ha ha!

Tim Freestone (31:10.663)
Yeah.

Patrick Spencer (31:12.956)
believe it.

Tim Freestone (31:29.651)
Seems like that's not even a lack of education. That's just a lack of following the rules.

Lisa Plaggemier (31:32.799)
Right.

Lisa Plaggemier (31:36.282)
Yeah, yeah, I mean, they're probably told the progress is probably on what they can't send to patients, right? Not on what a patient can send to you. So, yeah, yeah. So, I mean, I do see, I've noticed just over the past couple years, communications that I mean, you try to do business with people that you feel like have some reasonable, especially when it comes to your accountant and healthcare and all those things, with small and medium sized businesses that have some reasonable processes.

Tim Freestone (31:43.611)
Yeah, yeah. Inbound versus outbound.

Lisa Plaggemier (32:06.486)
But I have noticed more and more folks that'll give you a warning, like, please don't, you might not know what I do for a living, and they'll say, please don't email me xyz, upload it here or put it in the portal or do whatever. So I think it's getting down to the level of the everyday person thinking twice before they do something like the classic that I used to see all the time when I was a practitioner was folks

downloading their W2 from the company portal and emailing it to themselves and things like that. I think those kind of behaviors in the everyday human are hopefully becoming less frequent.

Tim Freestone (32:44.871)
Yeah. And that's where a lot of the, um, the bad actors get information is, you know, they get ahold of all these personal files and there's, you know, everything from your, your birth information through your life in a lot of instances, especially in healthcare organizations, that's really leverageable info to social engineer someone, you know.

Lisa Plaggemier (32:50.03)
Mm-hmm. Yep.

Lisa Plaggemier (33:01.355)
Right.

Lisa Plaggemier (33:07.208)
Exactly, yeah.

Tim Freestone (33:09.075)
So just a reinforcement from our perspective in the communities on, companies need to pay as close attention to what they're doing with the data in terms of security as they are with what they're doing with the devices and the applications to Patrick's point. Because we think multi-factor authentication is an incredibly good layer, but it's a layer that guards the...

Lisa Plaggemier (33:22.35)
Thanks for watching!

Lisa Plaggemier (33:36.883)
Just one layer.

Tim Freestone (33:37.799)
It's technology. It doesn't guard the data that's behind it. So if you even get through that, you know, companies, they just have to keep layering security on for the inevitables.

Lisa Plaggemier (33:41.079)
Right?

Lisa Plaggemier (33:47.67)
Yep, yep, I think that's probably what as an industry snags us the most is when we have these single points of failure. And people really don't take a layered approach seriously and think through it, you know, if this fails, what's next? If that fails, then what happens? I mean, you know, I've worked for a large manufacturer for a long time that you never want a single point of failure in anything.

Patrick Spencer (34:14.054)
Yeah, makes a lot of sense. Well, this has been fascinating. Tim, we're going to do a rapid fire session with Lisa here. You have some questions prepared? I have a question or two for her, not related with cyber security.

Lisa Plaggemier (34:22.987)
Uh oh.

Tim Freestone (34:27.187)
I did not prepare a rapid fire. So don't worry, Lisa, I don't have a rapid fire. But I did actually, while we were speaking, ask ChatGPT to come up with a more consumer-friendly version of multi-factor authentication. And out of it, the one that I think has the most legs is Authenticheck. We need to workshop that a bit more.

Lisa Plaggemier (34:28.386)
This sounds... this sounds scary.

Lisa Plaggemier (34:40.164)
Oh

Patrick Spencer (34:50.257)
Yeah.

Lisa Plaggemier (34:54.515)
Yeah, I think so.

Patrick Spencer (34:54.602)
Well, I was going to ask Lisa if the Wolverines have a better chance at the national championship next year or the Lions going to the Super Bowl, considering her mission and background.

Lisa Plaggemier (35:03.802)
Oh, the Lions. I'm going to mourn the Harbaugh loss for a while. Sorry about that. I was there when he was the quarterback, so that one hit me hard. That was unfortunate. Yeah. So I celebrated for a little while. And then as soon as that happened, then I went into mourning probably way too soon. I should still be happy about the national championship. Yeah. The other thing I'll plug real quick is our website, StaySafeOnline.org.

Tim Freestone (35:08.574)
Thank you.

Lisa Plaggemier (35:32.874)
And then if you're looking for some entertainment, we have a comedic series that we put out called Cubicle, but it's cubicle spelled with Ks. So that's cubicleseries.com. And this is like, if you can't get your kids to pay any attention to cybersecurity or any young people in your life, or your parents for that matter, this is a comedic series. So imagine you're watching The Office, except this is The Office of the Bad Guys. You have a romance

scam department and you have a phishing department and you have a help desk that will help you set up your Bitcoin account to pay your ransom and everything else. And the characters all represent folks from the big four, North Korea, China, Russia, and Iran. And they're just little one or two minute videos. But we've had 8.1 million views. We had a Fortune 100 make a donation to us and said, we don't want anybody to know it's us, but we want you to do something really edgy to get people's attention. We want to get to the people who don't care.

And so that's what we're trying to do. And so far it's going really well, but have a look. They're really entertaining.

Tim Freestone (36:35.324)
Now that's cool.

Patrick Spencer (36:35.51)
Which one of those out of curiosity has generated the most views and shares? Do you happen to know?

Lisa Plaggemier (36:43.35)
Off the top of my head, it's the teaser, believe it or not. The teaser has been passed all over the place. And then what's happening is most people who view the teaser, more than a third of them will actually come back and watch all the videos. And the stat that surprised us the most is that 88% of the views are now on a TV. So people want, that tells us that the content is engaging because they don't want to just scroll through it on their phone like it's a TikTok video. They actually want to, so they either...

Tim Freestone (37:10.911)
Sure.

Lisa Plaggemier (37:11.05)
find it on YouTube TV or they connect their device to their TV to watch it on their television. So that was a stat we didn't expect and we only thought if we got a million views we'd be happy, we never imagined we'd get what we got. So there might be another season coming, we'll have to see.

Tim Freestone (37:29.223)
That's fantastic.

Patrick Spencer (37:32.2)
Well, folks, make sure to check out their website. And if you have any dollars, they will welcome the donations. And for those who are interested in other Kitecast episodes, you go to kiteworks.com slash kitecast. Lisa, thanks for joining us today. We really enjoyed the conversation. Have a long weekend. If you come to Seattle, as you can tell from the sunlight that's been shining in on me the entire podcast.

We actually have some sun this weekend.