Why Rules-Based Training Isn’t Enough: Building Muscle Memory for Effective Phishing Prevention


It’s been quite a while since my last post but I got inspired by a recent discussion about the effectiveness of phishing training for employees. The person I was speaking with was frustrated that no matter how many phishing simulations they did, their employees were still clicking on the next phish.

Phishing attacks can be quite sophisticated, and it’s more important than ever to ensure that employees are trained to spot them. However, simply providing employees with a set of rules or policies, or making them watch a video each time they click on a simulated phish, is clearly insufficient. That got me thinking: how do we help employees build muscle memory and prevent phishing attacks?

I love analogies so please humor me while I try to explain why rules-based training isn’t enough using the example of making a peanut butter and jelly sandwich.

The rules for making a PB&J sandwich are simple: use two pieces of bread, creamy or crunchy peanut butter, your favorite flavor of jelly, and a knife.

But anyone trying to teach a child how to make a sandwich knows the rules aren’t enough. You need to show them the process:

  1. Lay both pieces of bread on a plate or paper towel.
  2. Open the peanut butter container.
  3. Use the knife to scoop peanut butter from the container.
  4. Use the knife to spread the peanut butter on one or both pieces of bread.
  5. Use a clean paper towel to wipe off the knife.
  6. Use the knife to scoop jelly from the container.
  7. Use the knife to spread the jelly on top of the peanut butter.
  8. Place the two pieces of bread together with the peanut butter and jelly in between them.

As you can see, the process is much more complicated than the rules and even includes decisions about things that aren’t even called out in the rules! The same goes for phishing training. It’s not enough to give employees a stack of policies or have them watch a training video. They need to walk away with a detailed process they can understand and follow to build muscle memory.

To drive this point home, let’s use another analogy. Imagine your child is learning to drive. You give them the rule book from the DMV, and they read it cover to cover. Then, you take them to get their learner’s permit. As you leave the DMV, you hand them the keys and say, “You’ve learned the rules, and you’ve watched me drive for the past 15 years. You should know how to drive, so take us home!”

How well do you think they’ll do? Good luck getting out of the parking lot without hitting something! They need someone to walk them through the process for months until they build enough muscle memory.

The same goes for phishing, teaching a developer how to build code securely, or any other type of training. You start with your policies and standards but if you don’t take the time to build out standard operating procedures, employees are left to figure things out ad-hoc.

Rules-based training is not enough. Employees need a detailed process they can follow to build muscle memory. Only then will you see a real change in behavior and adoption.

Disagree or have another thought? Please let me know in the comments and let’s discuss!

Editing Mozilla Firefox Container URLs


I really like Mozilla Firefox’s container system that’s been out for around a year now. There’s one issue though that’s bothered me on a daily basis and really annoyed me; I just never took the time until now to track down the fix for it. Hope this helps someone else!

I’m assuming that you use Mozilla’s Firefox browser and have already set up container groups and assigned specific websites to always open in container tabs. My issue was, I couldn’t figure out how to edit a URL once I set it up.

Well today I spent 10 minutes & figured out where Firefox stores the file that controls these URLs so you can manually edit them. The file is called storage.js and is stored in your Firefox profile which is typically in your user profile’s AppData folder (reachable at %AppData%). For me, this file is stored in:

%AppData%\Roaming\Mozilla\Firefox\Profiles\<PROFILE NAME>\browser-extension-data\@testpilot-containers

Before editing the file, close Firefox. You can open the file in any basic text editor (I personally use Notepad++ but regular Notepad works too), do a quick search for the offending URL, and update it to the URL you want it to be. Then restart Firefox and your URL should now redirect properly to the correct container group.

Note that the stored URL is only the domain name. E.g. you can change outlook.login.com to live.login.com; you don’t need to specify https://www before the domain name.
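A scripted version of the manual edit above, as an added example that is not from the original post or from Mozilla: it keeps a backup of storage.js, replaces only whole host names, and refuses to overwrite an assignment that already exists. It assumes storage.js is a single JSON document; the function names and the `siteContainerMap@@_` key layout in the constructed sample are assumptions.

```python
import json
import re
import shutil
from pathlib import Path

# Constructed sample, not copied from a real profile; the key layout is an assumption.
SAMPLE = {
    "siteContainerMap@@_outlook.login.com": {"userContextId": "2", "neverAsk": True},
    "siteContainerMap@@_login.com": {"userContextId": "3", "neverAsk": True},
}


def _rewrite(node, pattern, new_host, hits):
    """Return a copy of node with the host replaced in keys and string values."""
    if isinstance(node, dict):
        out = {}
        for key, value in node.items():
            new_key = pattern.sub(lambda m: new_host, key)
            if new_key in out or (new_key != key and new_key in node):
                # Never silently overwrite an assignment that already exists.
                raise ValueError(f"{new_key!r} already has an entry")
            if new_key != key:
                hits.append(key)
            out[new_key] = _rewrite(value, pattern, new_host, hits)
        return out
    if isinstance(node, list):
        return [_rewrite(item, pattern, new_host, hits) for item in node]
    if isinstance(node, str):
        new_value = pattern.sub(lambda m: new_host, node)
        if new_value != node:
            hits.append(node)
        return new_value
    return node


def retarget_container_host(storage_path, old_host, new_host):
    """Replace old_host with new_host in storage.js; return the strings changed."""
    path = Path(storage_path)
    data = json.loads(path.read_text(encoding="utf-8"))  # assumption: file is JSON
    # Match whole host names only, so "login.com" leaves "outlook.login.com" alone.
    pattern = re.compile(
        r"(?<![A-Za-z0-9.-])" + re.escape(old_host) + r"(?![A-Za-z0-9.-])"
    )
    hits = []
    updated = _rewrite(data, pattern, new_host, hits)
    if hits:
        shutil.copy2(path, path.with_name(path.name + ".bak"))  # rollback copy
        path.write_text(json.dumps(updated), encoding="utf-8")
    return hits
```

As with the manual edit, run it only while Firefox is closed; the `.bak` copy written next to storage.js restores the previous assignments if the result is not what you wanted.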

PSA: Microsoft Visio & Project do not AutoRecover by default


Thank G-d, this has never been an issue for me, however a co-worker of mine lost all of her work the other day in Visio because this option was not enabled! In trying to help her recover her file, I learned that unlike in Microsoft Word, Excel, or PowerPoint, Microsoft Visio and Microsoft Project do not have the AutoRecover option turned on by default.

To enable this option in Microsoft Office 2010 and above, click on the File tab, followed by Options in the left-hand list.

Next, select Save and then check the box by Save AutoRecover information every 10 minutes. (I think the default 10 minutes is probably fine for most people; if you’re working on a document with lots of changes, you may want to decrease this to every 5 or even every 1 minute.)

Click OK to save this setting and exit the Options window.

Hopefully this keeps you from losing all your work next time Visio or Project crashes while you’re working!

~Yosef

Visio AutoRecovery Setting

Help! Why won’t my Excel formula calculate?!


Note: These instructions are based off Excel 2010 but are applicable for Excel 2007 through Excel 2013 (Office 365).

Has someone sent you a spreadsheet or perhaps you’re working on one and all of a sudden your formulas look like formulas and won’t calculate? Here are the top solutions I have come across for fixing this common error.

  1. Cell text formatting is set to “Text” – If the formatting of the cell has been set to Text instead of General or some other format, the cell will not calculate because it assumes that anything in the cell is text and not a formula. Change the formatting of the cell by pulling down on the drop down in the Number section on the Home tab of the menu ribbon.
  2. Show Formulas (Ctrl + ~) has been selected / pressed – If the Show Formulas option has been selected, calculations will show their full formula and not show the calculated results. To toggle back and forth, you can either use the hotkey combo Ctrl + ~ or select/deselect the Show Formulas option in the Formula Auditing section (I highly recommend learning to use all tools in this section when troubleshooting Excel problems!) on the Formulas tab of the menu ribbon.
  3. An apostrophe (‘) has been placed before the equals (=) sign – Typically someone will have done this on purpose, however placing an apostrophe before a formula will make the cell mimic the first solution listed above where the cell formatting is set to Text. Remove the apostrophe to force the cell to calculate.
  4. Automatic calculation of the worksheet / cell has been turned off – If you’ve been sent an Excel sheet that’s very large, sometimes people will turn off automatic calculations so that the spreadsheet doesn’t break your computer upon opening it. To turn on or off automatic calculations within your worksheet, click on the pull down menu of the Calculation Options in the Calculation section of the Formulas tab on the ribbon bar. Alternatively, this setting can be reached by going to the File tab, selecting Options, going to the Formulas tab and then setting the Calculations options there.

Hope this helps when you get stuck! I would appreciate hearing if anyone has come across other solutions to this common complaint?

~Yosef

How to Hide Pivot Chart Filters


(Directions below are for Excel 2010)

I recently built a simple dashboard using pivot tables with corresponding pivot charts. I was asked by my client if I could remove the filters from the pivot charts so that they would have a cleaner look for presenting. I had never worried about this before and didn’t know how off the top of my head so I did a couple of quick Google searches & couldn’t find any references on how to hide the filters! I was very surprised that I couldn’t find anyone else asking the question so I thought I would share how to easily do this. Luckily it’s pretty simple – I just didn’t realize these options existed!

Here’s a Pivot chart with the usual filters visible:

Pivot with Filters

To remove these filters, click the “Field Buttons” (or drop down for more control) button on the Analyze tab of the PivotChart Tools section of the menu ribbon (only visible if the chart is selected):

Pivot Chart Filter/Field Buttons

You can then choose which (if any) filters to display so that your chart looks nice & clean:

Pivot Chart w/o Filters

Hope this helps!

~Yosef B.

Excel: Checking for Errors or Duplicates in your Data


A question I am frequently asked is how to quickly identify errors or duplicates in Microsoft Excel data.

I will show you how this can be done very quickly and easily.

First, I assume that you don’t want to simply remove all duplicated data – if you do, you can use the “Remove Duplicates” tool in the “Data Tools” section of the “Data” tab along the Ribbon.

If you want to keep your data, and simply identify where the duplicates are, here are a couple of tricks:

Assume you have the following data:

[Image: Excel example table featuring two columns of data]

  1. Order your data by the column that you wish to identify the duplicates in (e.g. in the example above, sort by column A “Letter”).
  2. After you have ordered your data, create a third column with a formula that checks if the cell one line above matches the cell one line below. There are many ways to do this, for example:
    1. =A1=A2 – This will return TRUE if the data in cells A1 & A2 match, or it will return FALSE if they don’t.
    2. =IF(A1=A2,"Duplicate","Unique") (Same check as above but gives a user friendly message)
    3. Alternatively, if duplicated data is an error, you could write: =IF(A1=A2,"Error","OK")
    4. =IF(A1=A2,1,0) – This is my preferred method because you can select the entire column and see if the sum of the column is greater than 0. If it is, then you know you have duplicates/errors which you then can quickly sort for and find.

Questions? Other tricks/tips? Not what you were looking for? Let me know below in the comments and I’ll get back to you as soon as I can.

Thanks for reading!

Social Media 101: Content & Consistency


I have been running the social media strategy team for my company for a little over two years now. During that time, we have:

  • Doubled the amount of traffic to our website
  • Set up a consistent presence on four social media channels
  • Played with another two social media channels
  • Attempted to optimize our website for SEO
  • Set up processes for:
    • Content generation
    • Content publication
    • Channel strategy
  • Implemented a response plan
  • Promoted social media for internal communications – including launching two new tools, Yammer and Lync
  • Created & delivered Social Media training to the entire firm
  • Helped a non-profit organization develop their Social Media strategy

Given all of that experience – I have been thinking a lot about Social Media and here is what I conclude works: Content and Consistency.

During my journey in Social Media, I have read a number of books and countless articles on how to succeed at Social Media and for all the volumes written on the subject, I don’t think it is any more complicated than the two C’s.

There is obviously a lot of thought that needs to go into your content and into your scheduling for consistency but your goal does not need to be any more complicated than trying to consistently publish good content.

Myriads of articles have been written on how to become the next big internet sensation/meme/viral phenomenon/etc. and while it would be amazing to catch that next big wave, in reality your odds are astronomical. It’s like trying to win the lottery – you keep buying lottery tickets but chances are, you’re not going to win. Instead of trying to catch that wave – great accomplishments can be made, simply by trudging along towards the two C’s.

As you may have guessed at this point, there are no secrets to reaching the two C’s – instead, plan and work towards improving your content and set up a publishing schedule to keep you consistent. In addition, most Social Media tools will allow you to schedule your content so you don’t have to put off writing up your awesome content, you just delay releasing it to your adoring subscribers.

Have questions? Disagree? Let me know in the comments below.

Thanks!

Outlook Quick Steps – Improve your workflow


Quick Steps are little automated actions that you can set up in Outlook to improve your workflow. Examples of Quick Steps include:

  • Filing steps (moving, copying, deleting)
  • Change message status (read, unread, important)
  • Categorize, add to tasks & set flags
  • Hotkeys for response actions (reply, forward, etc.)
  • Hotkeys for creating new appointments
  • Hotkeys for dealing with conversation threads

In addition, you can combine actions.
For example, you can set up a hotkey which sends an e-mail to a specified folder, sets the status to important and starts a new appointment dialog window all with one key.

  1. To create a new Quick Step, select the “Create New” button in the “Quick Steps” section on the “Home” tab on the ribbon.
  2. Enter a name for this new shortcut in the “Name:” box.
  3. Pull down on the “Actions” drop down menu and select (for example) “Move to folder”.
  4. In the new pull down menu below, choose which folder you want to move the mail to.
  5. Select the “Add Action” button if you want to add a secondary action. Repeat steps 3 and 4 for the new action.
  6. Choose a shortcut (hotkey) combination if desired.
  7. Click “Finish”.

What to do before (and after) you lose your Phone or Tablet


Would you nonchalantly walk down the street holding $600 cash in your hand? Would you forget that same wad of cash on a restaurant table after dinner?

Unless you’re very rich or very foolish, you probably are going to be very conscious of a $600 wad of cash.

How about your $600 iPhone or Android? Most people don’t think of their phone in the same context as a wad of cash, but that’s exactly what it is. The following are some common sense tips to keeping your phone in hand (or pocket).

What to do before you lose your device:

  1. Password protect your phone! Yes, it’s a bit frustrating to have to enter a PIN every time you want to access your phone – consider it paying your insurance premium. If you store any sort of personal information, people’s contact information (including e-mail addresses), directions to your house, favorite stores, etc. – don’t make it any easier than you have to for a thief to get access to your information. Last but not least, don’t make it something easy like “1234” or your birthday!
  2. Use remote protection apps such as BlackBerry Protect from BlackBerry App World, “Find My iPhone”, or “Prey” for Android – these apps can help you either find or wipe your phone remotely.
  3. Make a record of your phone’s ESN, IMEI or MEID number (usually found under the battery cover) – this will make it much easier to report the lost/stolen phone to your carrier or the police.
  4. Back up your data on a regular basis! I recommend backing up your phone to your computer at least once a month if not once a week. If you use a service such as Gmail for storing your contacts, they are already backed up – but don’t forget your pictures, or any other files you may store on your device!
  5. Finally, be careful how you use and store your phone. Be aware of your surroundings, and don’t leave your device in plain sight in a vehicle or public space. Be careful about displaying headsets and ear-buds while in public. White iPhone ear-buds are equivalent to posting an “I have $600 cash in my pocket” sign on your back.

What to do after you lose your device:

  1. Send a text to the phone & call it – if it’s lost, someone may find it & return it to you. If it’s stolen – this probably won’t help much.
  2. Try using the remote locator application that you (hopefully) installed. You might be able to find your device or track it as someone moves around with it.
  3. If you’re sure your phone is gone, use the remote wipe application that you (hopefully) installed. Most thieves don’t care about your data – they just want to turn your device into cash, but why take a chance?
  4. Contact security or authorities – it’s possible that your device might have been found or put in lost & found.
  5. Call your carrier & report the lost/stolen phone – ask to suspend your service (messaging & calls) so thieves won’t be able to use it for expensive international calls.

Think your browser hotkeys are safe? Think again…


Great article on how a hacker can use simple JavaScript to trick you into giving up your passwords. Become a Security “Thinker” and don’t fall for these tricks!

ArsTechnica: How script kiddies can hijack your browser to steal your password