America Back to Work Ep 7: Shaun McAlmont, NINJIO

The number one reason employees fall for cyberattacks is that they don’t want to let their boss down when asked for something. The attacker learns who communicates with the executive team at a company and then mimics that position of authority. This targeted impersonation is a form of spear phishing; when the goal is a fraudulent wire or payment it is usually called business email compromise (BEC) or CEO fraud.
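The impersonation pattern described above can be triaged mechanically before a human ever sees the request. The following is an added example, not code from the original page or from NINJIO: a small Python check that flags inbound mail whose display name matches an executive but whose address does not, catches lookalike sender domains and a Reply-To pointing elsewhere, and only then weighs urgency and payment wording. The internal domain, the executive directory and the sample messages are assumptions constructed for this example; in practice the directory would come from your identity provider.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from typing import List

# Assumptions for this example (not from the page): the organization's own
# mail domain and a small directory of executives whose names an attacker
# would borrow. In practice these come from the directory service.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",  # CEO
    "Sam Lee": "sam.lee@example.com",    # CFO
}
URGENCY_TERMS = ("right away", "urgent", "asap", "wire", "transfer", "gift card")


def normalize_name(name: str) -> str:
    """Lowercase, strip punctuation and sort tokens so 'DOE, Jane' and
    'Jane Doe' compare equal."""
    tokens = re.sub(r"[^\w\s]", " ", name).lower().split()
    return " ".join(sorted(tokens))


EXEC_INDEX = {normalize_name(n): a.lower() for n, a in EXECUTIVES.items()}


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough that no library is needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, internal: str = INTERNAL_DOMAIN) -> bool:
    """Heuristic: a domain that is not ours but sits within two edits of ours
    (examp1e.com, example.co) or embeds our primary label (example-corp.com).
    Tune the threshold against your own mail flow before relying on it."""
    domain = domain.lower()
    if domain == internal:
        return False
    label = internal.split(".")[0]
    return edit_distance(domain, internal) <= 2 or label in domain


def assess_message(raw: str) -> List[str]:
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    from_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []

    # 1. An executive's name on an address that is not the executive's own.
    exec_addr = EXEC_INDEX.get(normalize_name(display))
    if exec_addr and addr != exec_addr:
        findings.append("executive display name on a non-executive address")

    # 2. An address smuggled into the display name: "jane.doe@example.com" <x@evil>.
    if "@" in display:
        findings.append("email address inside the display name")

    # 3. A sender domain that imitates ours.
    if from_domain and is_lookalike_domain(from_domain):
        findings.append("lookalike sender domain")

    # 4. Replies silently routed somewhere other than the sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply-to domain differs from sender domain")

    # 5. Pressure wording only counts once an identity indicator has fired;
    #    on its own it is far too noisy to act on.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if findings and hits:
        findings.append("urgency or payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages for the example (not real mail).
PHISH = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: sam.lee@example.com
Subject: Urgent wire before 5pm

Sam, I'm in a meeting and can't talk. Please wire $48,000 to the vendor
account below right away and confirm when done.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: sam.lee@example.com
Subject: Board deck

Sam, attached is the draft deck for Thursday. No rush.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, assess_message(sample) or ["no indicators"])
```

The ordering matters: the identity checks (name versus address, lookalike domain, Reply-To) are the signal, and the urgency vocabulary is only used to raise the priority of a message that already failed one of them, so routine internal mail saying "urgent" does not page anyone.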

Training employees in cybersecurity is one thing, but making sure they actually learn from it is another. In the first America Back to Work episode of 2023, we bring out our top security resources to discuss this topic and offer cybersecurity education tips to help secure your organization.

Shaun McAlmont, president and CEO of NINJIO Cybersecurity Awareness Training, joins host Arnette Heintze (a former U.S. Secret Service special agent) on “America Back to Work” Episode 8, Why Employees Are the Biggest Cybersecurity Threat to Companies.


About America Back to Work

Subscribe to America Back to Work in your favorite podcast player so you don’t miss an episode.

S2Verify is one of the leading, privately held, pre-employment background screening companies in the United States. 

Arnette Heintze is co-founder and chief strategy officer at S2Verify. Before establishing S2Verify, Arnette spent more than three decades working at the highest levels of federal, state, and local law enforcement. 

He served more than 20 years in the United States Secret Service as a special agent and senior executive where he planned, designed, and implemented security strategies to protect U.S. Presidents, world leaders, events of national significance, and our nation’s most sensitive assets, including financial infrastructure.  

After retiring from the Secret Service, Arnette focused on building the growth and performance of innovative start-ups and SMBs. In 2004, he established Hillard Heintze, a globally recognized strategic security risk management and investigations firm.

In 2009, along with Bill Whitford and Jim Zimbardi, Arnette established S2Verify with an approach and methodology that delivers fast, accurate, compliant, and affordable background screening insights crucial to better managing insider risks, threats, and vulnerabilities.

Transcript: Why Employees Are the Biggest Cybersecurity Threat to Companies

Arnette Heintze

Welcome to America Back To Work, brought to you by S2Verify. I’m your host, Arnette Heintze.

Today, our guest is Dr. Shaun McAlmont, President and CEO of industry-leading cybersecurity awareness training company NINJIO. He is considered a pioneer in the online education industry and has served at both publicly traded companies and high-growth private firms. Fun fact: he was also an NCAA and international athlete. 

Shaun, welcome to the show and thank you for joining us today. Before we jump in, would you mind giving our audience a few more details about your background—education and professional life—and why you were excited to join NINJIO as their new leader?

Shaun McAlmont

Yeah, Arnette, thank you so much, and I’m so happy to be a part of this podcast. My background spans workforce development, education, technology, and, as you mentioned, online learning. But most importantly, I’ve had a focus over the last 10 years or so on adult learning and corporate training. And so with that, as you also mentioned, I’ve led public and private companies in all aspects of training and workforce development. I’ve got a bachelor’s degree from BYU in psychology, a master’s degree in education, and a doctorate from the University of Pennsylvania in higher education and adult learning. You know, at NINJIO, I think one of the reasons that I was led to and interested in this particular field is that originally, lots of cybersecurity awareness efforts related to the technology side.

You know, how do we develop a great technology platform that has great security that protects it, and a firewall. And that’s where a lot of the original efforts began. I think what we learned very quickly is that if a firewall lets certain elements of breaches go through, there are employees on the other side that become, at that point, the weaker link. And so my efforts have been related to creating a human firewall, if you will. You know, strengthening the individual employee and helping them understand what a risk is, how they could personally put themselves, their families, or a company at risk. And so I’ve taken essentially my learning and training and how adults learn, and we’re applying it to how we train a workforce to reduce risk.

Arnette Heintze

Yeah. You know, at S2Verify, one of the key services we’re providing to our clients is insight on a particular candidate. And there are oftentimes behaviors and criminal activity that might suggest problems in this area, but as we look at the broader context of employees, what is the number one reason why employees fall prey to these scams and these attacks? Because, as I fully appreciate it, it’s the employee that really kind of opens the door. Why don’t you share some insight about that?

Shaun McAlmont

Yeah, you’re absolutely right, Arnette. You know, employees are susceptible to receiving information or prompts and acting on that. We always ask for immediate response from our employees. And depending on who’s sending the prompt or the email or the text, we respond in different ways. So some employees are motivated by power or a fear of power. You know, your boss sends you something at four o’clock and says, get this done right away, click this link below for more information, and you click that link. Some are motivated by financial prompts and an opportunity to earn more or learn how to earn more. And so whatever those prompts are, it forces an employee at times to make a decision to click these links and respond to emails that could be fraudulent. This can also happen at your home. So I think that ultimately the reason employees fall for these attacks is some personal motivation to respond to a prompt that looks familiar to them. And so I believe that’s how bad actors or cyber criminals, if you will, are inducing employees to open up the firewall, if you will, for bad actors.

Arnette Heintze

Yeah. You know, a couple of years ago, I know there was a prevalent scam where they would target the CFOs of industries and they’d send a note as if it was coming from the CEO or leader of the company and say, Hey, I need, you know, 5,000 sent to this account right away, or some scam like that. And to your point, unsuspecting employees in these positions that have the authority to grant access and transfer funds believe they’re doing the right thing to accommodate a need of the business, and in reality, they just get sucked into the scam itself.

Shaun McAlmont

Yeah, absolutely. That’s called spear phishing, right? So what ends up happening is a bad actor will get into your system and they’ll go dormant. They’ll just watch the interaction between employees in the background. So they learn who communicates with the CFO, who actually has access to the bank accounts and can generate wires, and then they’ll mimic those positions of authority. And so that type of very focused spear phishing is extremely prevalent. And now those numbers are up in the millions. So they’re sending a note from the CFO, and employees then are sending wires in the millions of dollars. Luckily, at times banks catch that, but sometimes they don’t. And so it is really an issue that’s getting worse.

Arnette Heintze

Yeah. So as we look at the world of cyber crime and cyber criminals, is there a profile or a framework that you can offer our audience about these individuals, and, frankly, what is the most common way you’ve seen where they try to penetrate organizations?

Shaun McAlmont

Yeah. You know what, these are bad actors. They’re out for financial gain in one way, shape, or form, and they’re taking a shortcut. They’re not really worried about the ramifications of their actions, and they’re finding that people are sometimes paying the ransom, or they’re able to, as we said earlier, induce an employee to do something fragile. With this said, I think one of the ways they get in is by guessing passwords. They really are figuring out, sometimes through social media, what the world is around an employee, and guessing. And so if the password is too simple, like your name and your date of birth or your mom’s name and date, whatever it is, those combinations are really easily guessable today. So employees are now encouraged to have passphrases versus passwords.

It could be something like “I love walks in the park 45%”, using a variety of character variations, uppercase, lowercase, and other types of punctuation. And so it’s very difficult to guess a passphrase versus a password. And so they’re getting smarter and smarter. And so I think even the most common ways that they’ve been getting into systems are getting more complex, and it’s really detrimental. There was a breach recently at the Los Angeles Unified School District. I’m not sure how they got into the LA Unified system, but they wanted a ransom. LA Unified said, we’re not paying the ransom. And so they released information of all of those young people onto the dark web, middle schoolers who haven’t even started living their life yet. So these folks, they’re out for financial gain and they don’t have a conscience about what they’re doing. Those are very important components to remember here about their motivation.

Arnette Heintze

Yeah. So in the context of cybersecurity and given your expertise, what do you think the difference is between training and learning? What can we share with our audience about the best approach here?

Shaun McAlmont

You know, it’s interesting. I think we learn about new concepts. So we teach people, and then we, as end users or individuals, learn a new concept. And so we understand the why and the how, and we learn about the benefits and risks. And it’s all contextual. So it’s just like in athletics. We typically talk about athletic training, but the training comes after you learn about the concept. So a coach might say, look, we’re gonna learn about a new concept today in whatever sport it is, and here’s why, here’s how it benefits you and the team, and then we’re gonna train on that element. So it’s really similar in that we sometimes provide a context for the employees so they understand the risks to the company and their individual role. And the difference becomes how we train them to become better in that context. We train them to build strength in that understanding, and then we practice the new habits, ultimately trying to change their behavior. So again, learning is broad, training becomes specific, and it’s all about changing behavior over time.

Arnette Heintze

Yeah. And I also recognize how you just talked about the athletic side of things. It’s also my understanding from your early background that you were quite the athlete yourself. What area did you work in?

Shaun McAlmont

You know, I went to a school called BYU, Brigham Young University, as a student athlete. So I went on a scholarship for track and football, but I ended up just being on the track team. And I ran also internationally in track and field; I was a hurdler and sprinter. So it’s very similar here in terms of learning and training. You know, training on how to clear a barrier at full speed was very, very important. You can learn the concept, but you have to train on that to really get the behavior down, to become expert in it. And that’s the same thing we’re doing here.

Arnette Heintze

Exactly. So it’s interesting that the frequency and consistency of training for an athlete transcends to what you’re trying to teach employees about cybersecurity, because there needs to be frequency and consistency in the training. Talk a little more about why that’s important in this space.

Shaun McAlmont

Thanks for making that connection. We’re not born natural cybersecurity experts. And some athletes are not born with all the speed in the world or all the strength, but we can teach and train to gain best practices. And so frequency is really, really important. Many of us, and you might agree with this or not, don’t like to do the corporate training. We’re through schooling, we get to work, and all of a sudden we’ve gotta take more tests and assessments, and we don’t like it. So companies are sometimes offering that training once a year. You see it coming on your calendar. It’s a one- or two-hour training on cybersecurity or sexual harassment or workplace behavior.

And you’re regretting it. So sometimes you take it, you keep the window open to do your assessment and training, but you’ve got another window open on your computer where you’re actually doing work. You figure out what the minimum to pass is. And that’s how we’ve gotten through corporate training for many, many years. But you can imagine you’re not really learning and you’re not practicing it at that moment. You’re just trying to get through it. That’s not changing behavior. So what we’ve done at NINJIO is we’ve provided an approach that is episodic. That means we send an episode every month; it’s five minutes. We’ve got a Hollywood writer, so we add drama to it, and they’re animated. And so we try to keep engagement, we keep frequency, and most importantly, we tie it to a real cybersecurity issue, breach, or risk in the industry. So as adults, we learn through case studies: tell me what happened so I can learn from that and move forward. And so we try to do that in those short episodes. But the most important part is we send one every month, which keeps someone’s frequency of learning up.

Arnette Heintze

Yeah, I understand. That is a best practice, monthly training and education. And you know, I recently saw a Gallup poll that talked about employee engagement rates and that they are dismally low right now. They’re somewhere just a little over 20%. What perspective do you have on how workplace education can bring these rates up?

Shaun McAlmont

Sometimes, I’ll tell you, engagement comes after a breach, unfortunately. So sometimes there’s a hard lesson learned that forces a company to do something more aggressive in their training. But I think sometimes the message needs to come from the top, from the board, the C-suite, et cetera, because technology is so pervasive; it’s a part of everything we do. We have to see breaches or technology risks as a major risk to all organizations, families, and individuals. So I really think it needs to become mission driven and align in every part of the organization. It’s almost gotta be an initiative for a company for their long-term success. And so every part of the organization plays a role. I think sometimes it’s the IT or the chief information officer or even the chief information security officer, but it really comes from the entire organization, top down.

Arnette Heintze

Yep. Yep. So in that area, that’s a great point, which is that education in this space should not be dedicated just to the senior people or to people who use computers the most. It really should be targeted to every single employee, from the receptionist to the CEO. What’s your perspective on that?

Shaun McAlmont

I agree 100%. You know, the window that’s opened, I think you mentioned it, like you open the door into your company’s technology back end. It’s indiscriminate, whether it’s the CEO that does it or a receptionist. So I reiterate, I think leadership has to make it a priority. I believe that with employees working remotely and VPN access and all of those things, it’s becoming even more prevalent. I think that sometimes the C-suite can be the worst offenders. They don’t always go through the training, they don’t always understand all of the details, and they can click some of those links faster than anybody. So it really is across the board. And I think sometimes you can change that culture by making it mission driven, having reward and recognition, and keeping it positive, but also keeping the engagement high.

Arnette Heintze

Yeah. And that leads right into the next question I had, which was around the culture of an organization. What’s the best way to instill cybersecurity into the culture of the organization? And what are the core requirements around that?

Shaun McAlmont

You know, I think almost every time a CEO or leader of a company stands up to speak, they can talk about the fact that technology’s changing the way we operate, and tied to that is reducing the risk that technology advancement can bring. And that needs to be critical, because it can bring a company to its knees if you’re not really looking at it that way. So culturally, it’s a level of awareness of the risks, and the pros and cons of doing this right or wrong. In addition to that, going right back to ongoing training, frequency and engagement is critical. I think regular reporting of how the company’s doing, how employees are doing in their efforts, and just that hierarchical flow of that information through the organization.

So they’re always hearing it. They know it’s important to leadership. They know it’s important to their own manager, and they can be recognized for their positive efforts. And, by the way, it’s again what we’re trying to do with NINJIO, with reporting: how we identify actions on the part of employees based on the simulated phishing that we do, what they’re responding to and why. And then can we tie the training to those responses or those profiles of behavior, and then report on it over time, so we see how the risk is reduced. But I think that’s how you change the culture of an organization around that.

Arnette Heintze

Wonderful. Wonderful. Well, Shaun, thank you so much for your useful insights and perspective today. I know many of our audience members are probably changing their passwords now, trying to get them to a phrase. But before I let you go, I have one more question, and I want to know: if S2Verify were to run a background check on you today, what would be our most surprising discovery?

Shaun McAlmont

Oh, man. I’ve had a lot of background checks done over time, Arnette, and I think it’s a part of life, career, professionalism, et cetera. And I think for me, the background check might show some interesting places I’ve lived. But I think it probably also shows a commitment to lifelong learning. You’ll see that I’ve got a bachelor’s degree, master’s, and doctorate done over a 20-year period. And so I think that I kind of put my money where my mouth is in terms of education and training, and you’d see that in the background, for sure.

Arnette Heintze

Well, that’s wonderful. So tell our audience where they can find more about you and specifically NINJIO, and how they can learn more about the great service you guys are bringing to the industry today.

Shaun McAlmont

You know, Arnette, thank you. I would just go to NINJIO.com, and you can take a look at some of our episodes and how we do things. You’ll learn more about the company, myself, and our founder. And I think it’s a great place to start. But more than anything, I appreciate this opportunity to talk about cybersecurity awareness and training in particular. I think it’s becoming more of a regular part of our lives and work, and I think what you’re doing here is a service to everyone. So thank you.

Arnette Heintze

Thanks again, Shaun, for joining me today! What a way to kick off the new year! And thank you to all of you listening, watching, or reading. Please tune in to our next episode, where I will be joined by Ryan Cleaveland from Spotter Staffing.

Subscribe to America Back to Work

Join America Back to Work, a weekly podcast, video, and blog series that covers timely and relevant topics affecting the labor market and workforce with industry experts. The series includes recruiting, hiring, retention, employee satisfaction, customer service, background screenings, and more.