Unsecurity Podcast

In the hustle and bustle of today’s society, taking a step back to look at the “why” sometimes gets lost. Why is information security important? When it comes to information security, we do what we do not just to protect data, but the people behind it. In this week’s UNSECURITY episode, Brad and Evan take a deep dive into what it means to serve people in this industry—not only from a customer side, but an employee one too.

Podcast Transcription:

[00:00:22] Brad Nigh: All right, welcome back. This is episode 83 of the Unsecurity podcast. I’m your host this week, Brad Nigh. Today is June 8th and joining me as usual is Evan Francen. Hey, are you, am

[00:00:34] Evan Francen: I supposed to regale you with something

[00:00:36] Brad Nigh: I figured it throw, throw the change up at you.

[00:00:41] Evan Francen: Yeah, I don’t have anything. Well, stories. Yeah, I got stories, but we’ll do that when we do the catch up. Maybe now

[00:00:47] Brad Nigh: Let’s catch up.

[00:00:49] Evan Francen: All right. Well I was just kind of before we get started, you know, I decided to dig what are those called footings for my project that my wife is making me build, not making me, but she’s coercing me. She social engineers me all the time.

[00:01:08] Brad Nigh: Yeah. Why isn’t kids are good at that?

[00:01:11] Evan Francen: Yeah. So I decided I’d try to do my footings by hand and you know, I’m a security guy and I sit on my butt all day. So that was uh, that was interesting. I lived, I didn’t think there was a moment there I was and enough. I was going to play dead.

[00:01:30] Brad Nigh: Well, it was, it was nice and warm. It was like what, 90 ish, 30 mile an hour winds all day, 25 30 mile an hour winds sustained. It was, it was an interesting day yesterday.

[00:01:42] Evan Francen: Yeah. You know, another thing I was just thinking of uh you know Ryan Cloutier cola and Tony all Sleeman. A friend of mine who’s the CISO at crap centric care. They came over to my house Saturday. Very cool. It rained. But then I got to thinking you, have you been to my house?

[00:02:10] Brad Nigh: I have been a while but

[00:02:13] Evan Francen: you need to come play with me brad.

[00:02:15] Brad Nigh: That would be fun. I can help you build your deck. I built one before I used the auger.

[00:02:21] Evan Francen: What you offer man.

[00:02:23] Brad Nigh: I like doing that stuff. I got a framing nailer and everything. It’s fun. I bought a new hair. Uh Professor. Yeah, I’ve got the framing nailer. Mm That’s that’s a whole new level of fun.

[00:02:41] Evan Francen: Right? I got a haircut. You got a haircut? Did you get a haircut?

[00:02:45] Brad Nigh: No, just I showered.

[00:02:49] Evan Francen: Have you reading that? Uh Winthrop and Rye. Is that a place by you?

[00:02:56] Brad Nigh: Oh Winchester and Rye. Yeah, that place, yes. Very good

[00:03:00] Evan Francen: Marlys and I had dinner there yesterday.

[00:03:03] Brad Nigh: Uh Would you think

[00:03:06] Evan Francen: it’s really good man. I had the I don’t know something, they don’t think that’s the name of it, but it’s like the fat ass burger or something. It was a big burger man. Uh you know,

[00:03:19] Brad Nigh: Yeah, they had a they have a couple of really good burgers there. Uh like they’re Cajun chicken. It’s like a pulled chicken. It was like a Cajun sauce on it. Bacon and oh that’s really good too. The grand mac and cheese. The kids and okay, love their mac and cheese.

[00:03:38] Evan Francen: That’s awesome. I found a new energy drink. Oh boy. It’s called Spike. Have you ever heard of this? No, it is hard core

[00:03:47] Brad Nigh: energy.

[00:03:49] Evan Francen: 350 mg of

[00:03:52] Brad Nigh: caffeine. Yeah. Yeah, that’s uh that’s quite a bit

[00:03:57] Evan Francen: per can. This is my second can today. Oh my God, I got a bit like three.

[00:04:05] Brad Nigh: Well that’s, that’s uh, wow. Yeah, with a lot of caffeine.

[00:04:12] Evan Francen: Yeah, there’s a lot of caffeine. But you know, it gets me through the day, gets me uh you know, jacked up for the podcast that we’re doing right now. And yeah, tell me about your weekend,

[00:04:24] Brad Nigh: all that security stuff. Um, yeah, I got some stuff done outside on Saturday, finished mowing the yard right? Is the first light? Like I was finishing up the last strip. It was like a big bolt of lightning and the big thunderclap was like, well, that’s good timing. Yeah. And this storm that rolled through Saturday. We’re pretty gross. Yeah, it’s cool. Yesterday I took it a little easier. Um We were, yeah, just played outside of the kids a little bit in the sprinkler. Um, did some painting and just clean up around the house just to, I was unlike you. I realized it was too hot to go outside and do manual labor.

[00:05:10] Evan Francen: Well, I think today after work. I think I’ll pour some concrete.

[00:05:14] Brad Nigh: I mean, you know, it’s gonna be like 95. So why not? Is that what’s going to be? I think so. Where the

[00:05:21] Evan Francen: hell did I do this

[00:05:22] Brad Nigh: days? Yeah. You probably didn’t pick the best days to do, do this heavy lifting. I was looking I think next week is supposed to be like 70. So I saved all my outdoor stuff for next weekend. Yes, it must be like 94 today. Next Saturday is like 76

[00:05:43] Evan Francen: and sunny, yep, that’s bike riding weather right there.

[00:05:48] Brad Nigh: So, I will be working outside next weekend when it’s like 20 degrees cooler.

[00:05:55] Evan Francen: Do any uh you got your new bicycle? Have you been biking?

[00:05:59] Brad Nigh: Yeah, we do. We’re doing um you know shorter, like 10 minute rides two or three times a day. Trying to That doesn’t work all days. Like Mondays are pretty packed, but usually able to sneak in one or two minimum. Sometimes get

[00:06:15] Evan Francen: I’m gonna put you down here. Oh gosh, look at me. Hey, looking at myself on these things.

[00:06:22] Brad Nigh: That’s why I haven’t switched up so that I can’t see myself. I just see you. Mhm. Makes it easier. Yeah, I don’t want to look at myself

[00:06:33] Evan Francen: making sure all the sun. Yeah. Oh my God. All right. What are we talking about today?

[00:06:40] Brad Nigh: So what are we talking about today? Um So I was looking through and read, you know, always pull up your blog. And I was reading your It’s about its information security is about information or security, which we’ve been, we’ve talked about for many times on this, this podcast and you’ve been talking about since I’ve been working here coming up on four years now next month. That’s crazy man. Before. Right. So uh

[00:07:09] Evan Francen: huh, No refund on those four years, man,

[00:07:12] Brad Nigh: I’m okay with that. They’re gone okay. Four more and four more aftermath. But uh yeah, so I was reading your article or your blog post and you know, that really kind of hit home. Uh you know, I’ve had personally make changes. I realized I did get a new chair at home because the old one I had was causing some back issues and yeah, like yeah, you gotta take care of yourself and do that. So with that I like kind of it just kind of came right, we’ve had a lot of articles written about how do we secure remote workers? How are we doing, you know, protecting the organization from these new threats. But I don’t think there’s been a lot of talk around how do we as leaders as managers or whoever, even just other coworkers? How do you be aware of when somebody’s in trouble? I think your blog post really covered. Well, like what the threat is to information security people are distracted. The threats are continuing to rise. We know that’s the case. So, you know, from a security perspective, I think it’s important that we are aware of this stuff and helping our employees just you know, not, well not just from the security perspective, but um you know, the reality, it’s no secret infosec and IT struggle with stress on a healthy work life balance. We’ve talked about that many times before as well. There’s no done for the day. You know, systems are under attack all the time that you can have an outage anytime. You’re you’re never really off. Um even if you are off your there’s still that chance. Now we’ve had three months of social distancing and quarantine that’s adding even more stress. Um you know, the increase in cyberattacks last three months. And as I said, if your staff is struggling and lost focus or is distracted, uh the risk is increasing even more. So you know, what can we do about that? And that’s my disclaimer. Neither of us are licensed mental health professionals. So this is just us talking as, mhm, you know, little security professionals and leaders within the organization about what can we do in that role to help our help people. Um Well

[00:09:44] Evan Francen: that’s it, man. I mean, you don’t have to be a mental health, a licensed mental health professional to care about people to love people to to help people. You know what I mean? It’s not like I’m giving you clinical advice, I walk alongside you and you know when I noticed that something is a little bit different, it’s a little bit off. I mean you had like this morning, you know, I’m seeing you on this video and you look good, you look like you got some rest. But you know, you remember like a week and a half ago, maybe two weeks ago, you look like sit there, you look like you got run over man, you were tired, you look tired, you know? Yeah, you don’t have to be a licensed health care professional or mental health professional to notice things, you know, try to adjust.

[00:10:33] Brad Nigh: Yeah, I think well, and that’s it. Right. I think a lot of times there’s, well, there’s like a stigma around mental health and talking about it. A lot of people won’t do it. And I think that’s the, I’m hoping that, you know, this kind of helps. This is the first step, right? We’re just talking about it. If you know, if you’re struggling, don’t hesitate to ask and if you notice somebody is off or something, say something. Um, there’s a couple articles in there, you know? Well, so one of the things that I’ve noticed is it is really hard. It’s a lot more difficult to do this over video than it is in person because you don’t, you do miss some of those cues. I can only see your face. I can’t see, you know what your hands are doing or how you’re sitting, right? Those cues that you would typically see if somebody’s like closed off. Uh, you know notice that they’re acting different, it’s a little it’s definitely harder. So I think you have to be far more vigilant, aware, alert,

[00:11:36] Evan Francen: you know?

[00:11:38] Brad Nigh: So there was a couple articles, one from Forbes, three warning signs your remote employees are starting to crack under the stress of working from home. I thought this was really interesting. The warning signs are the decreased resilience. Um you know they had some really good questions in there uh compared to how I felt four months ago, I find myself experiencing difficulty concentrating lots of interesting things. I used to enjoy feeling hopeless about the future. Excuse me feeling distant or cut off from others and feeling irritable or angry

[00:12:14] Evan Francen: and talking about the Forbes article.

[00:12:16] Brad Nigh: Yeah, the Forbes one. Okay and so Okay.

[00:12:21] Evan Francen: No, well so you know you the first, you know you started off kind of referencing um the article last from last week and where I talk about, you know information security is not about information or security as much as it is about people right? And there’s there’s two areas of focus. There are two angles, one perspective, my perspective, one perspective is uh when we get things wrong, people suffer if nobody suffered then nobody would care. So that just drives home. The fact that this is about people. The second thing is um people are your biggest risk, right, computers only do what you tell them to do, they don’t have moods, they don’t have stress, you know, rather than my damn processor gets hot as hell. But you know, but people do right. And when people are stressed out, when people aren’t mentally yeah, in a good place, they make more mistakes. They do things they wouldn’t normally do, they get unpredictable. There’s all kinds of things that come from that, you know, and you also mentioned, you know, the fact that, you know, with the COVID and the lockdown and everything, you know, everybody’s not everybody, but you know, lots of people, a lot more people working from home and everybody’s got advice about how to protect information at home, Right? I mean I I have a Google Alert. You ever use Google Alerts? Yes, I use Google Alerts to keep up on news, on certain things that I’m interested in. And one of those Google Alerts is home, you know, quote home plus quote cybersecurity.

[00:14:11] Brad Nigh: Uh, how many, how many do you get all of them?

[00:14:16] Evan Francen: Yeah. Yeah. And I and I used to get, you know, maybe because I’m interested in people at home because people are creatures of habit. So the same good or bad habits you have at home are the same things you’re bringing into the workplace. Yeah. So I set up these Google Alerts before COVID and you know, I’d get a news article or two, maybe a week now I get three or four a day minimum and they’ve all got the same stuff, it’s not crap. It’s good advice, but it’s the same stuff. So people are getting at home for information security is the same stuff, same stuff stuff, same stuff. So we’re just beating the shit, excuse my language, beating the crap out of them on this. They are already stressed out there already in this weird place. And then you throw, you know, the racial injustice things from, you know, yeah, that, you know, boiled over in the last couple of weeks and man, people are just like, I just want to run and then we, and then we hit them with, hey, don’t click on stuff, hey, you know, it’s just

[00:15:26] Brad Nigh: like, yeah, do all these things that, yeah, well, and that’s why I didn’t want to talk about those things, right? I think what I want that’s, and I agree. I think your article hits it on the head and that’s really kind of was like, yeah, uh, you know, so what if we tell them all this stuff if they’re not paying attention because you know, everything else is going on. And uh, look, I’ll be honest, I’d be lying if I ever saying I haven’t been distracted. It’s hard, right?

[00:15:56] Evan Francen: Dude, I have all the time.

[00:15:58] Brad Nigh: You know, it’s, and you’ve been able to get, you know, go in. But you know, it’s really hard to it to balance that, right? Like I’m trying to work and do these things and my daughters want to come in and talk and I love that, but you don’t want to neglect that right? Right? From a work perspective, it’s like oh my gosh guys, right? Like give me 20 minutes to finish this up, right and you feel bad for doing that. But when were you know under deadlines at work and it’s definitely very stressful and I can see where you know somebody who’s not a security professional who’s not as mhm You know, aware of maybe the phishing, how they could easily get distracted by a kid and click something without and be like not not uh huh you know, register what they’ve done. You know, it’s really easy. So he’s got a

[00:16:59] Evan Francen: so like one of the things, you know, because we’re still pretty secure. You me, a lot of people like us even in all the stress, right? Even in all the other things because you know, you can deal, you know, deal with kids and deal with work stuff and it does get stressful but you know, from an information security perspective we’re still pretty secure, right? Well look

[00:17:30] Brad Nigh: what we do,

[00:17:31] Evan Francen: right? And one of the things that Ryan likes to say is information security or cybersecurity is a life skill. So for us it’s kind of a life skill.

[00:17:43] Brad Nigh: Yeah,

[00:17:45] Evan Francen: but for lots and lots and lots of people out there, it’s not and so the things like you know this Forbes article is awesome, you know? And the title is three warning signs that your remote employees are starting to crack under the stress of working from home. That that’s awesome man, I love the fact that you found that and I read it and I was like damn it’s good stuff.

[00:18:08] Brad Nigh: So here’s what I actually did. There’s a link in there for that online resiliency test and you know shockingly it requires a name and email address so you know the minute email it was but I actually went through and did it.

[00:18:24] Evan Francen: What’s

[00:18:24] Brad Nigh: that?

[00:18:25] Evan Francen: Your email address?

[00:18:26] Brad Nigh: Thanks I appreciate that but I went through it and it was actually really enlightening like I had trouble answering a couple of them because I was like man these are there really well but it came through and said above average resiliency but be careful about too much retrospection which and then it goes through it and I would agree with what that said and if he says if I’m if I have above average and I’m really starting to feel the stress, I can’t imagine you know what some of these some other people that maybe are you’ll have a lower resiliency, what they’re going through. So you know how I love the you know right into that those those questions how do you feel compared to four months ago and you know even reading through that I haven’t really had a lot of difficulty concentrating isn’t I’m still able to concentrate and just being interrupted. Yeah right there’s a difference there. Okay. Lots of interesting things I used to enjoy, Well no, I just can’t do the things I used to enjoy, hopeless about the future. Not at all. This is our cut off from others. Yeah. How can you not thank you? You know how when when you see, like it says, if you see that, how do you how do you talk to people? Right? How do you be aware of this and what can we do? Because they said if this isn’t there ingrained, if it’s not a life skill when you start having these these things come up, that’s where the that risk comes does increase. So you know, I think simple things like I know every time I have a call with, you know anybody that you know, I haven’t talked to or whatever. I just always ask like we get through whatever we have to and say, hey, before we get off, how are you doing? You know, anything I can do, How can how are you, are you okay? 
And you know, we try to do a lot of the video calls and stuff with employees and you can see I’ve seen people get a little bit of like a you can see their guard come down right and open up a little bit and Uh huh it sucks because you can’t do a lot about it, but you can be supportive and be aware.

[00:20:50] Evan Francen: Well that’s I love where you’re going with this because you know, information security ends up kind of being secondary when people are suffering from all this. Right? You know, the last thing I want to hear from the security person is, hey, you got mandatory training or some crap, right? Don’t pile anything more on me. If I’m about ready to crack and go crazy

[00:21:20] Brad Nigh: is right. And honestly, I kind of wonder is right now the right time to do phishing training where they’re going to get us into a warning page and education page and have them go great. I sailed again right there at the edges. This we, we know you have to do it, but I don’t know. Maybe this isn’t the right time to like you said, add that extra piece.

[00:21:43] Evan Francen: No. Yeah, I mean you bring up a great point and how do I, you know, from a security person’s perspective, you know, some security people are better at communicating than others, you know, And if I communicate the wrong way, if I come off as or if I have a reputation of being the no person or the,

[00:22:06] Brad Nigh: you know, the hard ass Right? That right? That’s kind of the reputation a lot have

[00:22:12] Evan Francen: if anything, you know, if you came to me, if I was under a lot of the stress because I read all the articles that you wrote or that you referenced and if I was feeling like this and you come to me with like, mm if you come at me the wrong way about security stuff, I’d probably be more apt to do the opposite of what it is. You’re asking me because I’m pissed

[00:22:37] Brad Nigh: off or just shut down and not listen at all. Right.

[00:22:42] Evan Francen: So it definitely changes the way we approach people.

[00:22:46] Brad Nigh: Right? Oh yeah. Which I think is another, It brings up that point of communication issues from security people in general, Right? You know, a lot of them and it’s not not to put them down in any way. It’s just not a skill they have. That’s okay. Right. Not everybody can have every skill. That’s just not realistic. Not everyone can be like a seven.

[00:23:12] Evan Francen: Right, exceptional communicators, Right? Yeah. But the second, the second article you references, you know, what managers can do to ease workplace stress. So maybe one strategy and I think there is no one strategy that fits for everybody in every situation. But hopefully you work in an organization where managers have closer, tighter relationships with the people that work for them. And maybe as the security person, if I have a message or I want to do training, maybe I use the managers more than I normally would. And that’s probably a good thing going forward anyway to, you know, work with the managers and say, hey, you know, we got this security thing, blah blah blah. This new threat or whatever it is. I want to communicate. Can you help me communicate or craft the message is going to work for your team and then let the managers at their discretion say, you know what johnny is just not in a good spot right now. So I’m just going to exclude him from this messaging for now. You know what I mean? Leave it at their discretion. Make it a little more discretionary

[00:24:21] Brad Nigh: maybe. Yeah, that’s a good point right now. Hopefully they know, right? We have, if people that were affected and live close to the, the protest and everything, maybe, you know, you got to know they’re stressed out because they can’t literally can’t leave the house, not they don’t want to, it’s it’s a safety thing.

[00:24:39] Evan Francen: Well, if you really want that, they’re going to get shot right down.

[00:24:44] Brad Nigh: So yeah, is that should they be included in? Hey, be aware for physical security? Probably not. It’s going to be the last thing on their mind. It’s gonna be like, you know, you got to know those people and you’re right, I think crafting your message correctly.

[00:25:00] Evan Francen: Yeah. And one of the things you mentioned, you know, where, you know, you kind of preface that, you know, we’re not mental health professionals, but there’s this thing that I’ve been meaning to do and I haven’t gotten to it yet and I need to do it. It’s called Mental Health First Aid. Have you ever seen this? It’s uh, if you just Google mental health first aid or if you go to mental health first aid dot org, uh you can get training to be a first responder basically for mental health, right? It’s still not a mental health professional, but and learn the boundaries. You can learn to identify signs and people you can learn uh you know, if your buddy calls you and says, you know, dude, I’m I’m suicidal, right? I mean, how do you deal with that? Right. What the last thing you want to do is push them over the edge or give them advice that’s maybe not going to be healthy for them. But then, you know, I don’t want to overstep my bounds either. I don’t want to start, you know, I don’t know,

[00:26:11] Brad Nigh: very good point, you know, And I think it’s kind of breaking down some of these barriers. Like, so in out of high school, I thought I thought I wanted to do psychology and so I took some classes and I mean, not not a whole lot, but I did, you know, multiple semesters for that and went to like a grief counselor workshop, because I thought that’s what I wanted to do. So I can tell you that the benefits of having somebody like we’ve talked about of having somebody to talk to. And but also like, yeah, doing that mental health first aid, that’s a great thing, knowing how to talk to someone is is almost as critical as is asking, right? Because if I say, hey, how are you doing? And you say, well, that’s so great. I’m like, okay, we’ll talk to you later.

[00:26:59] Evan Francen: Yeah, right. And that’s the Minnesota way

[00:27:01] Brad Nigh: and you’re but what’s that going to do to your health? Well, I’ve just completely dismissed everything that you said or how you feel by, even if it’s completely unintentional, so yeah, yeah, there’s a lot lot around that.

[00:27:19] Evan Francen: Yeah, so the next class is, you know, where we live in Bloomington, you know, next classes in Bloomington, the next bulk class on June 17th. So I was thinking about taking that day off or maybe the one after that is September 24th and then the one after that is December 8th, so I don’t want to wait until December 8th, so I’m either going to do the June 17th or the September 24th. So if you and I, if you want to come with me, it’s gonna take we’re gonna have to take the day off.

[00:27:48] Brad Nigh: Yeah. Are we allowed to do that? Oh, yeah. Oh,

[00:27:53] Evan Francen: absolutely. Especially for something like this, man, I mean, this is like I said, I’ve been wanting to do this for the longest time and I uh just haven’t for whatever reason, you know, life gets in the way and I haven’t gotten around to it because how much how much of what we do from an information security perspective, unless I’m an analyst, you know, like uh a pen test or even a pen tester, I mean, how much of what we do requires social interaction, social engineering, you know? Um I’ve said numerous times when I’ve been a vCISO at organizations that my goal is to socially engineer this whole company. Yeah,

[00:28:41] Brad Nigh: a really good way of looking at it. Yeah.

[00:28:45] Evan Francen: And so if that’s the piece man, you can’t discount where people are at mentally. Mhm. You just can’t

[00:28:55] Brad Nigh: Yeah, yeah.

[00:28:58] Evan Francen: Last time we did that, we did this mental, we did a mental health, I think episode maybe not only be 40 episodes ago. I mean, it was a while ago in somebody who had listened in and sent a message, you know, when I first heard, you know, the first part of the podcast, I was like, what the hell are these guys talking about? And then we’re able to put things into context and I was like, okay, I see it now, but it’s the same thing. I mean, I wonder how many security people, you know, and they start hearing us talk about mental health or like, this isn’t about information security and it’s like, well, yeah, it really is.

[00:29:39] Brad Nigh: Well, not only that, but what about your mental health? Not, not just the employees, but as a security person, if you’re not on top of things, do you miss that alert, Do you miss, you know something? And then if you do and you get a ransomware or something, what is that going to do to you? Because you know crap, I should have caught that and you beat yourself up. Mhm. Yeah,

[00:30:08] Evan Francen: goes around Ryan salt, Ryan diagnosed me know if it’s true and I don’t know if it’s true or not and take the test, but he says I’m ADHD. It’s like dude, whatever, but maybe I am. But then that would explain some things, you know, I guess.

[00:30:24] Brad Nigh: Yeah, I mean there’s some there’s benefits to every little quirk, right?

[00:30:32] Evan Francen: But I love the fact. So, you know, three warning signs. Those are awesome warning signs. It’s number one decreased resilience. So you’re not as resilient. You’re making mistakes. Warning sign number two, your employees are making mistakes. How often, how many breaches, how many security bad events happen because an employee makes a mistake? Mhm. So if you’re not mentally in the right spot now, I mean, number one is you’re not mentally in the right spot. So getting help right before it gets worse before he leads to despair. And God forbid suicide or something else. But from a security person’s perspective, if your people are mentally healthy, they’re making more mistakes, which means more breaches or at least

[00:31:19] Brad Nigh: more stress for you.

[00:31:22] Evan Francen: Exactly, the third warning sign he had is, you know, your employees’ language is becoming more negative and emotional. Yeah,

[00:31:32] Brad Nigh: yeah. And then, you know, the other one was from SHRM dot org, which is H. R. Something

[00:31:41] Evan Francen: uh I don’t get what they do,

[00:31:44] Brad Nigh: but it was what can you do to ease workplace stress and there’s a lot of pretty interesting things on there, it’s you know, unrealistic expectations, uh excessive workloads, you know, there’s not enough hours in the day to get things done. Um You know, there’s yeah, it’s interesting, I thought those were both really, really good and then, okay, so it’s great, we’ve identified somebody has a problem or stressed out or is really struggling, what do we do? And, you know, I found these there’s three articles, one is we work remotely how to keep your mental health in check when you work from home. Another one from Heart dot org for stopping the stress of working at home and then the balance careers dot com of how to manage stress when you work from home. And I thought these were all really they really hit hit the nail on the head in terms of, I think at least personally like reading through this and going, you know, having gone through some of it and having worked from home in the past and how do you be successful working from home? They really did a good job of explaining kind of what are the what is some of the struggles and how do you handle it? Um you know that we work remotely the loneliness and isolation. I think that that’s probably going to be just Mhm personally from from who I’ve talked to and you know, even myself, that loneliness and isolation, it’s really different, right? You don’t realize? Yeah, I’m an introvert, I get my, my energy that, but you you do at least I do miss actually interacting with people not over a camera. You know, it’s funny how you don’t realize how much of that just the camaraderie and stuff like mentioned goes away, right? Um So yeah,

[00:33:52] Evan Francen: what is that movie about? What was that movie about stress? It was not office space or it was the hell was his name? Mhm. He was like an accountant in, you know, in he gets out of his car in like the middle of the highway is like,

[00:34:10] Brad Nigh: oh yeah, he likes snapped. Um Oh gosh, I know exactly what you’re talking about

[00:34:15] Evan Francen: that movie. You know, it’s like, it’s like that, right? I mean, because the thing was stress, you know, because stress is just one of many mental health things are things that affect your mental health and I know that, you know, just like stressing like a a piece of wood, right? Eventually it’s going to break, You don’t relieve the stress, it’s going to break. And so your employees, if they don’t, if you don’t they don’t have a release. If they don’t have a way to relieve the stress, they’re going to break. Yeah. And when they break, what are the consequences? You know, again, putting your security hat on, I mean, oh the person had like just being a person who gives a shit about, excuse my language, my

[00:35:03] Brad Nigh: goddamn we’re gonna get explosive for this episode.

[00:35:06] Evan Francen: I’m sorry, I care about people and yeah, let’s say you don’t care about people, which is just crazy. You need mental health things probably. But you know, from a security perspective to they’re going to crack and when they crack, what is that going to mean? Yeah, they are they going to steal, you know when they normally wouldn’t steal from you or do something bad? Well they do it now because they’re just stressed and they’re gonna lash out. I mean, I don’t know, people deal with people.

[00:35:45] Brad Nigh: Yeah, just back in

[00:35:46] Evan Francen: different ways. You know,

[00:35:47] Brad Nigh: could they just be like, you know like I’m done, I’m done working on this and delete it, right? It’s gone. They just say, you know, you they crack and ethics and wipe out whole drive. Yeah,

[00:36:03] Evan Francen: I mean because you read that that one, the second article, the SHRM, 80% of American workers are stressed by at least one thing at work,

[00:36:13] Brad Nigh: right? Mhm

[00:36:15] Evan Francen: Four out of five are stressed by something at work. Now, that’s kind of somewhat I think normal, 33% of Americans, one third, say they typically feel stressed out during the work day. That’s again, as long as it’s not like this, count this this thing where there’s no relief, right? Um You know, if they if they don’t see the end of uh they don’t see the light at the end of the tunnel. You know like a lot of people were seeing for a long time with Covid. How often did you hear, you know, we don’t know how long this is gonna last. We don’t know when you’re gonna be able to come back to the office. We don’t know. You know, so nobody could see the light at the end of the tunnel.

[00:37:02] Brad Nigh: Yeah. You need that hope.

[00:37:04] Evan Francen: Right? My church actually put a um, a sign in my yard which is um, it’s all about hope. I can’t remember. I can’t remember what it says now. But it was it was about hope. Right? I mean hope we are there is light at the end of the tunnel. None of us know when or where what it looks like. But you just know right. The Spanish flu, the last pandemic we dealt with, you know, on any scale near this one we got through it.

[00:37:40] Brad Nigh: Yeah. And you know, you mentioned that, I think part of it too is, you know, they’ve got that we were completely ties together. It’s like the anxiety, stress and pressure pressure for 24 7. Right? You just never had a break. It’s also also like that with the news now. You just never get a break regardless of what they’re talking about. There is just constant bombardment and you know, it’s I don’t think they’ll just

[00:38:07] Evan Francen: see them defund the news.

[00:38:10] Brad Nigh: Well, you know it’s that 24 7 news cycle that is valued to the news and journalists and yeah, there’s a lot of there can be value there there’s no question. But I think with the fact that now you have to they have the need to have ratings and fill 24 hours a day of content. It’s just like over and over and over. It’s just it can’t be healthy to just be constantly hammered with with this stuff

[00:38:41] Evan Francen: when you can’t get you can’t I don’t think it’s possible today to get news without bias. Right? So then that leads to more and more conflict. Because if I’m watching Fox News and you’re watching MSNBC. Yeah. No, we’re diametrically opposed.

[00:38:59] Brad Nigh: Yeah. That’s a that’s a whole nother

[00:39:02] Evan Francen: right? But that’s just that’s more serious, right? Because you know, I’m I don’t stick to any one news source but you know and I don’t I honestly have disconnected from news more than I ever have.

[00:39:17] Brad Nigh: I’m I’m with you. It’s just I when it when this first started I couldn’t get enough of like what’s going on and trying to understand it and now I’m just like I no I will check in the morning, make sure there’s no major things going on. I’ll check in the evening and that’s it. I don’t, you just have to disconnect,

[00:39:36] Evan Francen: right? Yeah. So you know all that stress, man, I mean it’s a and I like your articles to, I mean how to keep your mental health in check when you work from home,

[00:39:46] Brad Nigh: the best part of that one is it’s okay not to be okay. Right. I mean it seems so simple, but it really is a very powerful statement.

[00:40:00] Evan Francen: Yeah. So what does it mean when it’s okay to not be okay?

[00:40:06] Brad Nigh: I think so.

[00:40:10] Evan Francen: Uh huh. Does that mean that it’s all the stuff going on that it’s acceptable to not be okay indeed to accept it and then get help for it? That’s okay. Right. It’s okay to get help.

[00:40:27] Brad Nigh: Well, it’s okay to feel this way to feel like things are out of control. You don’t have to try to, you know, justify it. It’s okay. Yeah. Um Yeah, it was anyway. I thought it was really important and and that that how to give your mental health has some really good uh gifts and means on the how to keep yourself healthy. So that helps to kind of try and have some fun, right?

[00:40:59] Evan Francen: One truly a if you are, if you’re work causes you so much stress, uh you know, quit. Yeah. You know, and I know that might cause even more stress because now you need to figure out a way to pay your bills and everything else. But uh well you find another job. I mean it you will suffer, man.

[00:41:26] Brad Nigh: That’s it’s a it’s a very uh we’re in a tough situation.

[00:41:32] Evan Francen: Yeah. I think if you’re an information security person or something, you know, I’ve told other security people often that if management just doesn’t get it and you have crappy management that exists, right? There is crappy management.

[00:41:44] Brad Nigh: Oh

[00:41:44] Evan Francen: yeah. Leave not hitting your head against the wall and find executives that really will embrace information security because they are out there. Mhm.

[00:41:56] Brad Nigh: I mean, we’ve got a huge shortage apparently. So there should be plenty of jobs. Finally you you’re happy with, right? Yeah. Let’s wanna we’ve talked about it where I quit a job where it just it wasn’t worth it, right? And I didn’t feel good about what I was doing and right, you know what the company did like it just felt like I was selling out for a paycheck and it’s not worth it. No. Now

[00:42:30] Evan Francen: we have a lot of reformed people here don’t really like like you and Oscar and

[00:42:35] Brad Nigh: well that’s the end. Everybody that comes here is always like this can’t be real. The culture cannot. We’re okay wins it when 10 shoe job. No, but you know, it starts from you, you’re the you’re the first reformed one, right? Yeah, you’re like, I’m not doing this and it’s funny, you know, people gravitate to that and right. Yeah, every every every member of leadership has been in that position and is like dead set against ever getting there like that ever happened, there would be an uprising against that person.

[00:43:14] Evan Francen: We’re like the the home for misfit toys or something, you know what I mean? Because we got pain man, I mean, you have pain from previous jobs. I have pain from previous jobs. Like you said, most of us here, you know, we’ve got pain for most previous jobs and so we really try hard to never have that pain here. You know what I mean?

[00:43:39] Brad Nigh: Yeah. Yeah. And I think it, it shows in the employees. Oh my gosh, I just lost the word, um, loyalty like that. But yeah, their commitment, their dedication. Yeah. You know, and you’ve got, you know, guilty that that really does look out and care for people and you know, it makes a difference.

[00:44:07] Evan Francen: Well it’s certainly easier to do security in an environment like that, you know, in an environment where you have a culture where people do care about each other. And um, if people are stressed out, we really want to do something about it. We don’t just give you lip service. You know, that creates a culture where it’s a more like family. And I think the people, when you have a culture like that, the people want to do the right thing. Even if I’m stressed out, I’m less likely to lash out at my coworkers because they’re like my brothers and sisters.

[00:44:39] Brad Nigh: Oh yeah, well from the security, I’ll tell you the amount of, hey I got this email or this came in that we get from the non security side of things were a security company, but we saw sales people and marketing and fine and all those, the amount of like awareness is incredible. And I think it goes to exactly that right there. They’re engaged. They have a feeling of ownership of the program. They want to be part of this and do the right thing. And when you can get your employees doing that man, it’s awesome.

[00:45:17] Evan Francen: Right? Yeah, totally is. And so that’s a, that’s a cool thing from a social perspective is how do you foster a culture like that? And again, if you have just crappy management, you have a CEO or president or executives who honestly don’t care about their employees and you can sort of tell those types right money, but it’s always money before mission. That mission before money.

[00:45:44] Brad Nigh: Right. That’s what I put in there with the cynical and cold. Yeah. If they are not happy, I can’t get deliver. Well, okay. Yes, technically that is a truth, but that’s the wrong way to approach it

[00:45:56] Evan Francen: totally. So you know, these, these things about, you know, how do you manage stress working from home one I think, and these articles are all really good, but recognize that you’re going to have more stress, right? That maybe that’s part of the, it’s okay to be not okay.

[00:46:18] Brad Nigh: Uh,

[00:46:20] Evan Francen: I mean, everything changed. It’s gonna take a little bit of time to cope with it to process it. To think it all through, to get comfortable with. Everybody keeps saying the new normal, the new normal, the new normal. It’s like crap, man. I liked the old normal. I don’t want a new normal. So now that I’m kind of getting force fed a new normal, it’s gonna take me a little while to get it to adjust to the new normal.

[00:46:48] Brad Nigh: Yeah. You know, and so that’s, and that’s

[00:46:53] Evan Francen: and that those feelings are normal,

[00:46:56] Brad Nigh: right? And so yeah, how do we protect people as they’re dealing with this and distracted?

[00:47:06] Evan Francen: Yeah, I think watch out for, you know, watch out for people.

[00:47:10] Brad Nigh: Yeah. Well they’re the first line. So I think, you know, that’s how it all ties together. How do we protect people? Help them?

[00:47:17] Evan Francen: Right. Yeah, truly truly partner alongside them. Pay attention, show love, show caring, show compassion, show empathy. You know, just because you’re not struggling doesn’t mean other people aren’t and it doesn’t mean that they’re right and you’re wrong or vice versa, right? Got different perspectives. I live in. I mean, just take like, I mean, this whole thing kind of fits in the social injustice stuff too. Right? I live in suburban Minnesota small town. Different perspective. There are different stresses there than there is in downtown Minneapolis right

[00:47:59] Brad Nigh: there. So,

[00:48:00] Evan Francen: so some of your employees live in downtown Minneapolis. Some of your employees live in Victoria or Waconia and just because I’m not stressing doesn’t mean about something and they are right, uh, there’s nothing you don’t, you don’t put them down. You don’t say, you know, buck up, you know, get your crap together. No, no, no, no. You know, they’re struggling with something and but that same thing plays a security, right? If if somebody clicks a link and causes damage to your company, you know, try to understand where they’re coming from, try to understand why they clicked on the link. Are they, did they just not know, were they stressed out, were they distracted, were they, you know, it’s stuff like that. I think there’s some, there’s such a huge need for psychology in our industry. I think we’ve only scratched the surface of that.

[00:49:01] Brad Nigh: Yeah, I agree.

[00:49:04] Evan Francen: And of course you can always use the S2Me, right? I mean, the S2Me is meant to be a non

[00:49:11] Brad Nigh: and I’m stressed. It’s an educational,

[00:49:13] Evan Francen: right? It’s not no pressure. Nobody sees the results, but you,

[00:49:17] Brad Nigh: it’s non confrontational. Yeah. Yeah. That is with me. That’s what you do.

[00:49:25] Evan Francen: That’s one of the reasons why we created it was, you know, realizing that people care about their stuff when they care about your stuff. I mean the same thing like when you lend your tools to a friend, he’s a good friend and he really means or she, I suppose really means well and doesn’t intend to treat your tool like crap, but people just treat other people’s stuff more like crap than their own stuff, you know? So if you can figure out a way to truly build those good security habits on protecting my stuff, protecting my family, protecting me and then leverage that for your own company. That’s one way And it’s not the only way, but that’s one way to not add more stress. Mhm, potentially.

[00:50:17] Brad Nigh: Yeah, I was that was a good conversation.

[00:50:20] Evan Francen: Yeah, I have so much. Yeah. You know, I hate, I hate it man. I hate seeing people suffer. I hate it.

[00:50:31] Brad Nigh: Hopefully it helps someone.

[00:50:34] Evan Francen: I hope so.

[00:50:36] Brad Nigh: Yeah. Don’t be afraid to ask for help. Don’t be afraid to talk about it.

[00:50:41] Evan Francen: You can email me directly if you’re ever like in a bad spot. I mean email me. No, I mean there’s, there’s nothing wrong with that. What kind of jerk? What kind of jerk would say? I can’t believe this person who is, you know, what kind of asshole? Excuse my language. What kind of jerk does that? I’m swearing all kinds.

[00:51:02] Brad Nigh: It’s all that caffeine.

[00:51:04] Evan Francen: No, I think it’s from a security shit shot too. You know, you’re not going to make this one explicit kids. Don’t listen to security stuff. No, No,

[00:51:16] Brad Nigh: this will be the week my daughter’s listening. Come and go. I know, right.

[00:51:20] Evan Francen: What’s with Evan? He’s a

[00:51:21] Brad Nigh: jerk. All right. So a couple of news stories real quick to wrap this up like this was interesting to follow up from two weeks ago, The North Dakota contact tracing app data share with Foursquare. So it took, you know about a week, a week or so for that to uh push back to happen and for them to stop it. So nice wrap up of closing the loop on that.

[00:51:49] Evan Francen: Yeah. And I know these, I know North Dakota really really well. Um you know the state CISO, the state CIO, really good people but there’s a lot of things, you know, a lot of moving pieces in a state government collapsed politics as you would imagine. And then um it’s funny I was the NASCIO, the National Association of State CIOs, I’m on the cyber security committee. Very cool. Yeah. And they had, the last committee meeting was about contact tracing the apps and you know um States are considering making this almost mandatory. Right?

[00:52:31] Brad Nigh: Yeah. I mean yeah, we’re gonna have to do something like this to understand what’s going on. Mhm. Right. Like open things back up.

[00:52:41] Evan Francen: And so who do you think they invited to come talk to all the state CIOs and state CISOs

[00:52:47] Brad Nigh: by that guy from North Dakota

[00:52:50] Evan Francen: now is Google.

[00:52:51] Brad Nigh: You

[00:52:53] Evan Francen: know the one company that I just oh man, I just twist me up about, they say privacy privacy privacy but no, no no they have so much data and they are every bit of

[00:53:08] Brad Nigh: it. Yeah.

[00:53:11] Evan Francen: All right. Anyway. Well I guess it’s good that North Dakota is no longer doing data sharing with Foursquare because I don’t think Foursquare would ever need this data to begin

[00:53:21] Brad Nigh: with. So good. There’s some positive news. Uh less positive news. Nuclear missile contractor hacked in Maze ransomware attack. This is not ideal. Um, Westech International confirmed has been hacked and computers have been encrypted. The attackers already leaking sensitive information, including payroll and emails. Um, they’re threatening to publish all files and they have a lot of uh sensitive information. It looks like

[00:53:59] Evan Francen: well here. Yeah. So you have been a client list for Westech: Army, Air Force, Navy, Joint Services, joint service agencies, Commerce Department, Energy Department, General Services Administration, Booz Allen Hamilton, who by the way, happens to be the largest information security consulting company on the planet, General Dynamics Information Technology, Lockheed Martin. You would think that, I mean, I don’t know part of me, my mind is kind of going down. Do these guys do vendor risk management. Yeah. You know, Booz Allen Hamilton would probably, I don’t know.

[00:54:44] Brad Nigh: Yeah. Well, this is where like, you know, CMMC versus DFARS where it’s self done, right. And maybe they just answered their exhaust our questionnaire and there was no validation.

[00:55:03] Evan Francen: Dow man.

[00:55:06] Brad Nigh: Yeah, that’s that’s not good though because that potentially there’s a lot of uh negative consequences that could happen there.

[00:55:17] Evan Francen: Well, these are usually, I mean that’s something like this is it’s weird because Maze ransomware, I don’t think it’s been known to be nation state has it? Mhm

[00:55:30] Brad Nigh: uh I don’t know. I don’t think so. I don’t remember seeing any about that. I mean obviously, I think, yeah, anybody could use it, but usually the Nation state stuff is a little bit, isn’t the uh, it’s not that the box take and stuff.

[00:55:47] Evan Francen: Yeah. Omits Yeah. This news story should go on for a while. So if you’re into that setting up Google Alerts, okay. Like I was talking about earlier, set one up for Westech in Aaron a ransomware and following the story for a while.

[00:56:08] Brad Nigh: It says the one thing I think with that is uh, they Westech provides critical support for the United States’ Minuteman III nuclear deterrent through Northrop Grumman. So you know, what exactly did they find? Did they get nuclear secrets and how these things work? That that could be bad. I’m cool. Last gun is PonyFinal somewhere.

[00:56:39] Evan Francen: If that would be the case, that would even be beyond CMMC because CMMC and DFARS is classified. Uh, I’m sorry. Um,

[00:56:49] Brad Nigh: Oh yeah. See what, yeah,

[00:56:53] Evan Francen: unclassified

[00:56:55] Brad Nigh: confidential and classified information or whatever you want.

[00:56:59] Evan Francen: Yeah. Beyond that. Yeah. Right. It’s nuts. Man. Uncle

[00:57:06] Brad Nigh: uh, last one, PonyFinal ransomware targets enterprise servers then bides its time. I thought this was an interesting one. It’s very different than what we typically say. Uh, you know, Java-based ransomware, so you don’t see that very often. Uh huh. But yeah, so basically they get brute force attacks to get into the systems and then deploying a VBScript to run a PowerShell reverse shell to perform data dumps and a remote manipulator system to bypass event logging. But it does require Java Runtime Environment to run. So they’re either installing Java runtime or they’re attacking systems that have it. And that is where if you don’t need it, don’t have it on and then, you know, things around access controls and not being able to install.

[00:58:09] Evan Francen: Yeah, at least ponies are cute.

[00:58:12] Brad Nigh: Yeah, threat posed by that’s it. That’s a cute picture of a pony on this top. They’re so cute pony when I

[00:58:18] Evan Francen: saw that I was like, oh I would

[00:58:20] Brad Nigh: click and then you really do. It’s like, oh

[00:58:25] Evan Francen: yeah, not a pony.

[00:58:27] Brad Nigh: There you go. Yeah, I don’t

[00:58:30] Evan Francen: and I don’t know how widespread this is. Uh

[00:58:36] Brad Nigh: I do like that. They’ve got some indicators of compromise um listed in there. Right? So uh MSI file, looking for UVNC_Install.bat, which creates a scheduled task named Java Updater and then calls RunTask.bat, which runs the final payload. So you you’re out there like I shared this with the IR team will be able to put alerts on those types of things. Right? So if if you they’ve got indicators there, this is a good example of start monitoring for this, right?

[00:59:17] Evan Francen: Those damn batch files man, those things on our side, the nineties, So

[00:59:26] Brad Nigh: All right, well that is it episode 83 is a wrap you shout outs this week, Evan.

[00:59:32] Evan Francen: Yeah, I give uh I’ll give a shout out to John Harmon, President of FRSecure. Uh, he got me a new shirt. So thank you, John, it’s not my love language gifts, but must be his, it’s

[00:59:50] Brad Nigh: pretty sweet shirt. Uh you know, it’s funny, I was gonna shout out to our senior management team, we had our half day V. T. O Thursday and you know, just it’s always there’s always can be very touchy tough talks, tough conversations and after every single one it just reminds me how great a team it is, because you come out of it feeling better, right? Like we’re in this together, even if we don’t necessarily see things the same way our end goal is the same and everybody is in lockstep on where we want to be. It’s just, you know, those conversations on how do we get there that can get a little heated, But everybody, at the end of the day, everyone is just you feel closer tighter with them after those things.

[01:00:41] Evan Francen: Yeah. And from my perspective, you know, I’m proud of you guys, I’m proud of everybody here. You know what I mean? I know we, you know, it wasn’t that long ago, it’s only about a year and a half ago when the SMT at least that’s where the blame went. And I don’t know if that’s where it should have gone. But remember that one month or that one quarter,

[01:01:04] Brad Nigh: right? I don’t think they can forget it.

[01:01:07] Evan Francen: But look at how far this team has come. Right. And then we had to have some transition stuff. But yeah, I mean you guys are rock solid and it just propels us for moving the mission forward. So bribery, everything I hear is like awesome.

[01:01:28] Brad Nigh: Thank you. Alright, next week is your show and I think you’re sort of itching to tell us your

[01:01:36] Evan Francen: idea. I had that to

[01:01:39] Brad Nigh: your nose. I

[01:01:42] Evan Francen: was talking to uh Yeah, I’ll be quick. I was talking to Renee Thursday, Thursdays are when I have my um I think it’s coffee with her and uh I want to do a series on Women in information security and I want to focus on the women in our own company. Awesome. Yeah. I think there’s a story here that I’d like to share just on how awesome it was for me to see women here. Uhh because of the perspectives that they brought right? Starting with Renee and then I figured, you know, we can see if Megan wants to join us. Lord, he wants to join us. Maybe Jess

[01:02:26] Brad Nigh: Victoria would be a good one coming in kind of as a career change.

[01:02:30] Evan Francen: Yeah. Because I you know, we need more women and we need more minorities in general, right? We need more blacks, we need more Asians, we need more and it’s not because they’re black or Asian or women, it’s because they bring different perspectives. Oh yeah, anybody who’s a big problem solver knows how important perspective is in different perspectives and creative perspectives. Um so I think, well I was going to run it past you, this is the first time I’ve talked to you about it right now

[01:03:03] Brad Nigh: I’m in, let’s do it. I’d say I’m thinking of sitting on here and talk to people like I love having Megan kind of is you know that next because she’s brought things up and I’m like, I never would have even looked at it that way.

[01:03:17] Evan Francen: See it’s the perspective ma’am

[01:03:19] Brad Nigh: Oh, it’s phenomenal. Yeah, absolutely.

[01:03:23] Evan Francen: People that that don’t focus on this are missing out. For sure.

[01:03:28] Brad Nigh: Yeah. If you turned into a company of yes men where everybody’s the same. It that’s when companies kind of my experience. That’s the downside turn, right, Gotta keep it as diverse as possible. Get as many different outlooks to get coming in and so you keep growing and innovating and staying ahead of things. I’m 100% of

[01:03:55] Evan Francen: Yeah, that’ll be fun. So I’ll start putting that together and run it past you and then we’ll we’ll kick it off. It’ll be fun,

[01:04:01] Brad Nigh: awesome. Great. Well that’s exciting. That will be fun. I actually looking forward to that. I like that idea a lot.

[01:04:07] Evan Francen: Yes. Now you know what I was eating.

[01:04:09] Brad Nigh: Yeah. Alright. Uh, thank you to our listeners. Keep the questions and feedback coming. Send us email at unsecurity@protonmail.com. And your social type socialize with us. I’m @BradNigh. And the other dude is @EvanFrancen and lastly be sure to follow SecurityStudio @StudioSecurity and FRSecure @FRSecure for goodies and all kinds of other stuff. That’s it. And we will talk to you next week.

[01:04:37] Evan Francen: All right, good show.