LISTEN to the Mindwhirl Marketing Podcast Ep 42 – Cybersecurity Training That Works with Craig Taylor of CyberHoot
Podcast Transcript
Shelly Miller 00:07
Welcome to the Mindwhirl Marketing podcast, your source for B2B business building information where we talk sales and marketing, and give managed service providers and IT service companies the insider secrets you need to know to grow your business. We want to help you attract leads and sales and show you how to align sales and marketing, so you get more sales faster with less cost. I’m Shelly. And this is Mike. And today we have a special guest, Craig Taylor from CyberHoot! Hi Craig.
Craig Taylor 00:33
Hi Shelly. Hi Mike.
Mike Miller 00:35
Thanks for joining us on the Mindwhirl Marketing Podcast. We really appreciate it. We’ve been looking forward to speaking to you because you’re such an expert in the cybersecurity industry. And I was wondering if you wouldn’t mind sharing a little bit about your experience and help the listeners, you know, realize who this expert we’re talking to actually is.
Craig Taylor 00:55
Sure, yeah, before we get into CyberHoot, let me just give a little bit of my background. So I’ve been doing cyber security since before there was an internet as you all know it. I know my young skin makes me look young, but I’m 50 years old, and I’ve been doing this for at least 25 years. So I started out when I could type faster than the monitor can keep up, writing emails on text-based console, things of that nature. And since then, I’ve worked for, geez, along the way, a couple of MSPs. I’ve worked for multinational companies like Computer Sciences Corporation, Vistaprint, and JPMorgan Chase. So I’ve been exposed to a lot of the SMB market and MSP space and the big business and multinationals in the cybersecurity organization and experience. Been audited about 100 times. I’m familiar with, you know, CMMC, DFARS, ITAR, HIPAA, PCI, ISO, NIST, all the different standards. So I come at this from a big picture perspective. And I boil it all down and decided to found CyberHoot to boil it all down into bite-sized chunks that MSP business owners and your audience can really take actionable steps to protect themselves from compromise. That was the nature of why I created CyberHoot, because there’s a gap between what the enterprises of the world get for tools and technology and training, and what the SMB market and the MSP, the 11 to 100 person shop, needs to help them avoid being a victim of cyber security or cyber attack.
Mike Miller 02:35
Wow. Okay. So yeah, deep experience, and you’ve created a remarkable company. Yeah. And, you know, like, we see the difference, and the uniqueness of it, which is special in this industry. Would you mind sharing a little bit about CyberHoot? And what makes you so unique and special and different?
Craig Taylor 02:58
Yeah, thank you. So CyberHoot was created to eliminate a lot of the friction that occurs when you’re trying to educate your employees on cybersecurity. It’s got a number of unique features that we think separate it from a lot of the other platforms and training modules on the market. So what is it? In essence, CyberHoot is a learning management system. It controls the delivery of training videos, policies, phishing tests, to your employees, in order to automate and ensure a high compliance to the training program. And what makes it unique is, you know, many of the tools on the market when you go out to train your own employees, they get it once a month, they have to remember, where do I go to log in? What was my password? I don’t remember, I have to reset my password. So I have to wait for that. And by the time that’s all done and said, there’s no time left to do your training. And so compliance plummets. Our tool is passwordless from the start, so any employee that you decide you need to train on cybersecurity topics, or, as we’ll hear in the future product, like Teams, or LastPass, or any of these tools, they get an email in their inbox. And when they have that little window of five minutes, once a month, they click the link in the email, they’re instantly on CyberHoot training, in a website that is actually branded for you, the MSP. There’s no CyberHoot reference other than the domain name. It could be branded with your logo or the client’s logo, your colors or the client’s colors, from a scheming perspective, so that everything looks as though it came from your own company or that of your MSP, and you’re instantly training. And so that’s number one. First and foremost, we eliminate friction from doing training for the end user.
The second unique is that we’re an open platform. And what that means is we can curate and pull in training and videos on cybersecurity from a lot of different sources, including our own. We, of course, produce our own videos. But when we survey our end users that use our product over others on the market, they consistently tell us, 60% of them have said, they would miss our assignments, our extra work, if it went away, a little or a lot, they would miss it a little or a lot. And that’s because, I think, because we have such an interesting set of videos, you never know what kind of format you’re going to get. Is it going to be a caricature, is it going to be a person walking down the street, or something else? And so we have a very interesting set of videos that all give the same message around cybersecurity topics like phishing, passwords, social engineering. So those are two of the big ones. I guess on the third, I will just summate on the third one, is that, you know, the MSPs that use our product don’t have a lot of time. And we eliminated as much friction from the work effort to both set it up, set up a new client, that’s done literally in 20 minutes or so, to also the compliance obligations. Our MSPs don’t hire anyone to run this tool, it runs itself. It’s all email driven. If the employee doesn’t do their training, they get a reminder. And then their boss gets a reminder that the employee hasn’t done the training. And guess what, that leads to 90 plus percent compliance on the majority of the clients that I’m familiar with that I support directly. And that’s unheard of in the industry, for you to have 90% of your employees just do their training without someone placing a call holding them accountable. And yet, we do allow for that too, because we send every manager a report on Mondays that says here’s who is compliant and who isn’t, could you follow up with them. So that’s all done automatically. The MSP really doesn’t do much of anything.
So those three things combined to make a very powerful, automated, high compliance product that is interesting to the end users avoids the boredom, friction and the friction of not getting into the tool to do your training.
Mike Miller 07:15
Wow. Okay.
Shelly Miller 07:16
That’s amazing. I mean, that 60%, you know, that has to tell you how entertaining and educational and enjoyable that your end users are.
Mike Miller 07:28
I mean, the training Yeah, of
Shelly Miller 07:29
the training. I mean, I don’t know you don’t get those numbers.
Craig Taylor 07:32
Remember, rarely ever. We’re talking about cybersecurity training right? topic in the planet. If I said to you, I’ve made a lawn tractor That is so cool. You’re gonna miss not mowing your lawn. Like, that’s what we’re talking about the kind of thing of Geez, I gotta go mow the lawn again. Oh, I miss it. But I actually enjoy it because the tractor is so awesome. Now, the training is so interesting. And the employees learn so much, that I think they just want to continue to watch the next video next month to see what they need to know.
Mike Miller 08:03
Yeah, so they, they must be fun and really entertaining. And I’m assuming not 45 minutes.
Craig Taylor 08:10
Now they’re two to three minutes. I didn’t mention that. But most of you know, there’s, there’s not a lot of attention span for long drawn out training, especially on cybersecurity. So our, you know, our studies and our research shows that two to three minutes is the length of time you’re going to have someone’s attention. And then a very short set of questions that aren’t really, you know, a and b but not C. These are like regurgitating the content of the video in words so that you can get another learning opportunity, which we then email to you. So you can read it at your leisure. We even explain why we ask questions. Because sometimes if you’re a teacher, you know that to have your students understand why the question is asked is almost as important as the material itself, so that you get a deeper understanding of the cybersecurity topic in question.
Mike Miller 09:04
Yeah, and correct me if I’m wrong, but aren’t you a social psychologist?
Craig Taylor 09:12
My training Yeah, my background is not in computer science. You’re correct. I have a degree in psychology and I studied the psychology of people and learning and education and as my degree, and it helped me in cyber security because I’ve spent a career trying to convince people to do the right thing from a cybersecurity 25 years ago, believe it or not, it was you need a firewall to plug your company into the internet because it’s not as safe as you thought. Right? I was the argument then, years after that it was Everyone needs antivirus and a spam filter because there’s bad stuff coming in. And then now it’s Everyone needs training, because they have never been taught these cybersecurity skills. Every human being on the planet has gone through college, high school, whatever they grow From, and they’ve had zero cyber security awareness training. But all of us, in our daily jobs have to use a computer most likely have to work in email, and have passwords everywhere. And so how can we haven’t taught people how to do that safely and securely? That is another reason I created CyberHoot, because it’s not rocket science. These are simple concepts, but no one has ever had the time has taken the time to teach you how to do it properly. And so that’s what we do at CyberHoot.
Mike Miller 10:32
That’s excellent. And on that training, with that automated training, now, what are the benefits of it? Like, I’m sure that our audience understands why the employees should be trained, right? Small business employees need to be trained. But if you don’t mind covering that, and talking about the benefits of the training?
Craig Taylor 10:53
Well, as I mentioned, right, every one of us every day has to use a computer. And we have to log into different applications or accounts or software solutions online, we have to read email. And you know, 90% of breaches of companies, SMBs, or even large companies are tied back to human error. That’s a statistic that comes out of many different cybersecurity firms. And it boils down to a social engineering attack that is delivered typically through email, or a compromised set of credentials, or an exposed set of credentials. Because if we’re not using a password manager, we’re reusing our favorite passwords or the root password. So the benefits of a training learning management system like CyberHoot is that we can quickly and effectively automate the education of your employees, and do so in a minimum essential amount of time each month. There are companies out there that want you to sit through 30 and 40 and 50 minute seminars once a month. And quite frankly, when I worked at the bank, they gave me three hours of training a month, and they could demand that every bank employee did that amount of training, because that was the expectation, you would be fired if you didn’t. In an SMB, that kind of power over your employees is not there. And there’s just not that amount of time. So SMBs and MSPs need a solution that is quick, effective, minimum essential. And it talks about the most pertinent topics and risks that you face, which is what CyberHoot is, boiled it all down to minimum essential training, of a finite short duration, sent once a month, augmented maybe quarterly with a phishing test, because our studies prove that if you don’t test your employees, sometimes they don’t apply their knowledge. They know it, but they don’t apply it. And that’s been borne out in some of our testing.
So long story short, you know, you need to train your employees if you’re going to protect yourself from a breach, and you need an automated tool to deploy that, that is low cost, low time involvement. And that’s what CyberHoot is for the majority of our MSPs and SMBs.
Mike Miller 13:17
That’s, that’s awesome. Um, and I think you had shared with us last time we talked that there’s a significant difference between the first time someone is tested for like a phishing attack. And after they’ve gone through your training, and then they’re tested again.
Craig Taylor 13:37
Yes.
Mike Miller 13:38
Do you mind sharing a little bit of that information? Yes.
Craig Taylor 13:40
So there’s a common, there’s a common phenomenon in, my VISO. So in my peer group that we talk about, when you go into a company, if you do the very first phishing test, we call that a baseline test, and it gets you your baseline click rate. And industries have studied this. And they’ve seen various different companies in different industries that have different rates that their employees will click at. But the general consensus is most companies, if they’ve never trained their employees, and never tested them, will click on a phishing attack at a rate of between 5% on the low side, and I’ve had rates up to 40% on the high side. So that’s without any training or testing. Now, I have a client. It’s one of our case studies. Hundreds and hundreds of employees trained for three years. And the very first test we ran, seven people gave us their credentials. And they and I were shocked at that, because we had just introduced phish testing a couple years back in our tool, and we were like, what’s going on here? They, you know, they know this. They’ve trained for three years. They’ve answered the questions, what’s going on? So we decided to hold off making any rash judgments or decisions about, let’s add all this more training to the environment and to the users. We just bided our time until the next phishing test. And I can honestly tell you that not a single person has entered their credentials subsequent to that first baseline test, even though they had trained for three years. And what it proved to us at CyberHoot and at the company was that the employees had the knowledge, they just weren’t applying it to their email, to their phishing attacks in their email. But after one test, they went to a zero rate of data submission of their username and password on the landing pages. So, well, you need to test your employees for them to really apply the knowledge that they might gain from these videos.
And so the baseline went from, you know, I think even with the seven entering credentials, there was so many hundreds of users that it was below 1%. It wasn’t satisfactory to either the company or us. But it’s gone down to a quarter of a percent of people that actually click on the phishing link to go to the fake website, but then they stop, they don’t do anything further. And that’s probably the best you can hope for. Okay,
Shelly Miller 16:10
I’d say so that those numbers, it’s, it’s compelling that you should test your employees.
Mike Miller 16:16
Yeah. And the difference that CyberHoot is able to achieve with the training, and I think it goes back to, and I want to ask you a little bit more about, you know, what is that training specifically, and your training library that you’ve assembled. But, um, so just to be clear, really the difference with CyberHoot is the way that you, and correct me if I’m wrong, the way you’ve engineered, socially engineered the training, to deliver memorable training that helps people know or be able to spot, this is a phishing attempt, this is a sketchy link, you know, I shouldn’t click it. And then also to test the employees with really sophisticated, official looking emails that would allow you and the business owner to identify if the training is working or not. Have I summed it up pretty,
Craig Taylor 17:29
You have and you haven’t, I’ll just make one clarification. We don’t have the secret sauce to phish testing or awareness training. There are lots of products and lots of videos online, and we use some of them for our own product, because we’re open, that send a good message around how to spot and avoid phishing tests. I don’t think we’ve socially engineered a solution that trains better than other products, with the exception that we’ve removed the friction of getting to the training. If you watch our videos, or some other videos, they’re all probably comparable. But what we’ve done is we’ve created an automation around that, a frictionless automation tool that gets high compliance marks, without intervention by the companies that set it up. So when you set up CyberHoot, it just runs in the background and emails flow out to your users. And if they don’t do their training, more emails go out to them. If they don’t do their training, managers are notified. And it’s recursive notification, so that the head of a company who manages all the managers who manage their employees, he or she sees the compliance all the way down through the organization, and that CEO or CFO can hold their management staff accountable too. So it’s a self-fulfilling prophecy of compliance in the tool, the way we’ve socially engineered the tool, if you will. The videos themselves are telling the same story. The beautiful part about cybersecurity training is, again, it’s not rocket science. It’s simple things. If you’re getting a phishing attack, is it unexpected? Is it creating a sense of urgency? Are there spelling, grammar or punctuation mistakes? Is the sender wrong? Like who it’s sent from, the from email address? Is it generically addressed? Does it have bad links in the email that don’t go, like if it’s an Amazon email, you have an Amazon personal but the links don’t say amazon.com? And is there a strange attachment?
Those seven questions, if you answer yes to two of them, you’re being phished, delete it. I mean, we’re teaching these simple concepts. But that, in and of itself, is what most tools on the market do. What makes us unique and different is that we’ve eliminated the heavy effort that it takes to set it up, to operate it, to get high compliance from the employees themselves. That’s really our specialty.
Shelly Miller 19:57
Okay, and you said, did you, how long does it take to set up in a company?
Craig Taylor 20:02
You can do a new customer in 20 minutes, really. And we tie into Azure AD for user management, or you can do a CSV file, or you can manage it one at a time. You have it client administrators, and then MSPs have super admin rights in a multi-tenant setup. So literally, you log in as a super user of an MSP and you click a button and you become that client that you’re supporting. And you can see their statistics, you can review in a QBR, quarterly business review, you can show how they’re doing, you know, plus 90% compliance, or they need to focus and hold more people accountable to get the numbers up. We do more, though, than just training, because in a cyber program, there’s a little bit more to it than phish testing and training employees on the common topics. I’d love to say something about policies and governing employees if it’s alright with you.
Shelly Miller 20:56
Yeah, absolutely.
Craig Taylor 20:57
So, you know, in my experience of being audited hundreds of times, literally hundreds of times by Deloitte and Touche, Ernst and Young, you know, Andersen Consulting back in the day, and others, they all want to know, and if you’ve ever answered a cybersecurity questionnaire, they want to know that you’re governing your employees with policies and procedures, and CyberHoot does that as well. We have a template library in CyberHoot for password policy, have written information security plan, how to handle security incidents, how to handle vulnerabilities in patches, and how quickly to patch when there’s a critical risk. We have all of these documents created as templates that an MSP can then turn around and customize for their clients in relatively little time. Somebody told me once, Craig, to make me powerful and productive, put me in edit mode, don’t ask me to create a document from scratch on all these different topics. But if I could edit something, boom, I can get that done in a half hour. And that’s what we’ve done, we’ve created 25 templates that you can easily adopt and edit for your clients, sell as a service either as a recurring service or as a one time. And you can govern employees, because you can only put so many technology controls in place to prevent an employee from doing something. When you have a password policy that says you must create 14 character password stored in a password manager, and they go log into Azure AD, you can mandatorily control that, you can say, but you didn’t put 14 characters in, that doesn’t work. But when they go to Salesforce, or QuickBooks, or any online software as a service and create their own account, you need that governance policy to remind them when they’re making independent decisions to do the right thing and create a unique, long password that’s stored in LastPass, or whatever password manager you use. So governance policies are a really important part.
And it’s something that if you’re in an audit, or you’ve answered a cyber insurance questionnaire, you have to attest to governing your employees. And many of the tools on the market don’t even have that or if they do, it’s not as well orchestrated as we do passwordless access to your policies, that sort of thing.
Mike Miller 23:21
Huh, wow. Okay. And aren’t there other things with CyberHoot? So you have the training, you have the templates that help you with the policy, but isn’t there also, like, a sales module?
Craig Taylor 23:36
Exactly. Right. So we have a sales module that is free for MSPs to use to go after new prospects, and maybe even existing customers. I can tell you a firsthand story. I had a client that I was representing as their CISO, their chief information security officer. This client was in healthcare for many years. And they always pushed back and refused to do awareness training. And I said, it’s just a matter of time before you’re breached, if you’re not training your employees, and they still pushed back, they said our users are not ready for that. Well, I finally convinced them to do a phishing test through the sales module, which does a dark web report of exposed accounts. So if you have used a username and a password in your company’s domain, somewhere on the internet, and it’s been exposed to a hacker, it’s reported in our tool. That plus the phishing test, we ran that sales module against them. And I forget if it was 17 or 10 that entered their credentials. But the very next day, they signed up for awareness training, this, that we can’t have this, right, it just put it front and center for them. The sales module was born of that experience, where we allow you to load in your domain name of a prospect and do a dark web report on all the exposed accounts in that domain name, and also check a few mail exchange records for the security, who can spoof your domain and who can’t and how that works. And you can even do a phishing test, although that may be somewhat challenging if you don’t control their spam filters, because you have to set up allow lists and things of that nature. But it allows you to then bring a pretty robust cybersecurity report card to your prospect and say, we’ve been talking with you about cybersecurity, but here are your users, and how many of them have been exposed online.
Here are the people that clicked on a phishing test that we ran, here’s your mail, exchange security, maybe it’s time that we get serious about cyber security and train your users on these topics. And it’s a really useful sales tool, we found,
Mike Miller 25:47
Yes
Craig Taylor 25:48
That’s built in. The dark web reporting is built into CyberHoot as well, whether you use it in the sales module, it also comes with all of the users of the tool. And you know, CyberHoot is pretty flat rate, our pricing model is you pay one fee, a minimum monthly, and then you pay a per user charge. And there’s nothing extra, there’s no upselling of any extra modules or anything else. It’s just that common flat rate. So that everything is included that we’ve talked about today.
Mike Miller 26:20
Wow
Shelly Miller 26:20
Yeah, it’s like you’ve done everything to make an MSP’s job easy.
Craig Taylor 26:25
That’s exactly right.
Mike Miller 26:27
Yeah. So, and it’s obvious that CyberHoot is like the premier cybersecurity awareness training tool, you know, on the market, and, you know, it just makes me wonder if there’s anything else that I’m missing or anything else that you want to share about it. Because if you think about what most cybersecurity awareness training products do, they fall short, like, so they’re just like, we got some training. But they fall short of, you know, helping the MSP sell, helping with the policy, right, so help MSPs help their clients with their policy and all of that. So is there anything else that we’re missing? Like, like you don’t already have enough?
Craig Taylor 27:16
Well, I can tell you a couple of statistics that we really help, but I would always encourage an MSP or somebody listening to your podcast or your, you know, your session here, do your own research. You know, we’ve just been recognized by Gartner in their listing of learning management systems for MSPs. So Gartner has acknowledged us. If you go and search for LMS, or learning management or awareness training on Reddit, in the MS slash MSP, you’ll see feedback on different tools, and CyberHoot enjoys some pretty positive comments there. Go to Google reviews, see what people say, do your homework. We can give you a free trial if you’d like. I can tell you we’ve studied MSPs that have used our tool. There was one MSP that had 50 clients over three years. We studied what happened with the adoption, because they said we’re gonna give it to every one of our clients. And over three years, they got 40 into the tool and 10 refused. 10 just weren’t interested, it was a couple years back, and the 10 that weren’t in there, they re-signed their MSP agreement 80% of the time, so to have 10 left in the three year period. On the 40 that got into CyberHoot, all but one re-signed. It was a 97.5% re-signing of their MSP agreement, okay. And that’s pretty telling to the value that comes with CyberHoot. And incidentally, the one that left was acquired by another company, and that company had its own MSP running the show. So it was just an acquisition, that there was no chance for that MSP to maintain that client. So that, what the 60% and all that means, I think the tool just works on its own and it sells itself, when you consider those numbers. There’s some hidden benefits that I would share, and the last one that I’ll share with you is that the FBI says that cyber security incidents happen 90% of the time between Friday at five and Monday at 9am.
And who has to work on those security incidents? The most expensive resource you have at your MSP, your engineers, and maybe you, the business owner. You have to respond, recover the files, do whatever it is to recover from that cyber security incident. And that means you lose your nights and weekends. And with CyberHoot, even if you avoid one additional security incident like that a month, you’ve got a whole weekend back that you would have lost, and what a wonderful quality of life improvement for your MSP. So whether you do CyberHoot or some other product, you need to be doing these things with your clients. You need cybersecurity awareness and testing and training and governance built into your MSP. It’s a default, like, it’s just the minimum you have to do today to survive online. And it will help you with your quality of life as well, is one of my takeaway messages.
Shelly Miller 30:14
Very compelling.
Mike Miller 30:15
Yes, exactly. That’s excellent. Wow. You know, to all the MSPs listening, CyberHoot is really a premier tool. And that’s why we were so excited when Craig agreed to join us on the podcast, because there’s so much value there. And when you’re trying to separate yourself from your competition, you need something that is better than what your competition offers. Exactly. And so, Craig, really, thank you for being a part of the Mindwhirl Marketing podcast and being on today, and we really appreciate it.
Craig Taylor 30:53
It’s my pleasure. Thank you for having me, Shelly. I appreciate that. Mike, you guys were great interviewers. I really enjoyed my time here.
Shelly Miller 31:00
Good good, too. And we learned a lot.
Mike Miller 31:02
Yeah, absolutely.
Shelly Miller 31:03
Check out CyberHoot.com.
Craig Taylor 31:06
Thank you.
Mike Miller 31:07
Thank you.
Shelly Miller 31:09
Thanks again for listening to the Mindwhirl Marketing Podcast. Make sure to subscribe to the podcast on iTunes, Google Podcasts, Stitcher, Deezer or Spotify. Plus, check out Mindwhirl on YouTube and subscribe. You’ll find a lot more marketing tips, insights and resources that will help you get your sales and marketing working together and moving in the same direction.
Guest Info
Craig Taylor of CyberHoot – www.cyberhoot.com
Sales: Cameron Strukel