In the latest edition of the “Smashing Security” podcast, hosted by cybersecurity veterans Graham Cluley and Carole Theriault, Carole has suffered an injury, we journey back in time to one of our earliest episodes to discuss the perils of passwords, and Rachael Stockton from LastPass drops by for a chat.
0:00
0:00
0:00
0:00
Show full transcript ▼
This transcript was generated automatically, probably contains mistakes, and has not been manually verified.
Smashing Security, Episode 146: Password Secrets and Baking Brownies with Carole Theriault and Graham Cluley. Hello, hello, and welcome to Episode 146 of Smashing Security.
My name is Graham Cluley.
My name is Graham Cluley.
I'm Carole Theriault.
Hello, Carole, how you doing?
Hahaha, you know how I'm doing.
Not so good, eh? What's the problem? You might as well tell everyone.
It's basically, well, it's your fault. Partly your fault.
Not so sure.
I have tendonitis and basically my right hand is fucked at the moment. So no, no, it'll be fine. It's not serious. It is serious. I don't know.
It's serious because I, you know what you can't do when you have tendonitis? Okay, so I'm right.
It's serious because I, you know what you can't do when you have tendonitis? Okay, so I'm right.
I can think of a few things, but why are you saying this is my fault? That's what's really upsetting me. The fact that your wrist is sore.
You came over and I don't know how you were sitting on the sofa.
The normal way, with my bottom, yes.
Well, I guess you scooted off it. You know, I don't know, like a slug.
Charming. Painting a picture.
The entire sofa cover came with it. So you were getting up, sitting down, going up and down, and it kept annoying me.
So every time you leave the room, right, I would go and fix it by shoving my right hand into the sofa crack to get this sofa cover tight again.
And in doing that, I have basically hurt my hand. Not my wrist, not my wrist, the A1 sheath of the tendon. Yeah, I've been doing a lot of Googling research. So anyway, we'll be fine.
It may take a few weeks.
So every time you leave the room, right, I would go and fix it by shoving my right hand into the sofa crack to get this sofa cover tight again.
And in doing that, I have basically hurt my hand. Not my wrist, not my wrist, the A1 sheath of the tendon. Yeah, I've been doing a lot of Googling research. So anyway, we'll be fine.
It may take a few weeks.
No, but what does this mean?
Oh, nothing serious. I mean, I'm right-handed, but you know, things I can't type, I can't open a can, I can't write, I can't paint, I can't draw. I can't unscrew a bottle.
But— Because you regularly unscrew wine bottles, I imagine. Yeah. Go to Waitrose, darling.
I didn't even think about that.
Right?
How will I get into my booze?
Well, this may actually cure your problem. Who knows?
But I can edit a podcast.
How come? How can you?
On a touchpad.
Oh, clever old touchpad.
Yes.
So I'm now researching dictation software because that will make my life a lot easier. So if listeners, anyone has any advice on that for a Mac, I am all ears.
So, so, Carole, I mean, your hand and everything, you keep— it's not Ebola though, is it?
I knew that would bite me in the ass one day.
Now, Carole, we haven't got a guest this week, have we? Or have we?
Well, it's going to be a bit of a different show because of this minor injury, which of course was exacerbated by me going on holiday and not getting it sorted before I went.
So we've done something a little bit different this week, haven't we, Graham?
So we've done something a little bit different this week, haven't we, Graham?
Yes. First of all, we are going to do a rerun from the golden oldie era of Smashing Security.
Those of you who were listening two and a half years ago may remember that there was a third co-host, wasn't there? The wonderful Vanja Švajcer.
Those of you who were listening two and a half years ago may remember that there was a third co-host, wasn't there? The wonderful Vanja Švajcer.
Yes. Who I've just spent a week with, he and his lovely wife, Andriana.
Well, we have dug him out of the basement. We've dusted him off cobwebs and we're going to bring out an old episode all about passwords and we'll replay it to you.
Now, it was only our seventh ever episode.
Now, it was only our seventh ever episode.
I know. So guys, I am not going to listen to this again. I just can't bear it. It's a bit like watching The Office and watching David Brent say something ridiculous.
I hide behind the sofa and cover my head with 18 pillows and just want to die. So I can't go listen to it. So I just hope all the information is accurate still.
I hide behind the sofa and cover my head with 18 pillows and just want to die. So I can't go listen to it. So I just hope all the information is accurate still.
Oh yeah, I'm sure it'll be marvelous. Yeah, it'll be—
You're not going to listen either?
Of course I'm going to listen. I'm on it. I'll listen to my bits at the very least.
Just do what you normally do. Just tune out when I'm talking.
Okay, so we're going to replay an old episode and that takes about 15 minutes or so, and we're not going to do Pick of the Week.
We'll come back with Pick of the Week next week, but you said you got something a little bit extra as well?
We'll come back with Pick of the Week next week, but you said you got something a little bit extra as well?
Yes, so I had a chat with someone we have had on the show before, Rachael Stockton, who works at Lock Me In, aka LastPass, and we chatted about IT people.
So what we talked about were the challenges that IT people face. There's obviously all the ones we know about, but there's some secret ones as well, ones that no one talks about.
So we try and dive into that. And we also talk about what things IT guys can do to get better buy-in from their bosses.
And also, we talk about how people can actually help IT as well. And it's a very cute conversation. She's so much fun.
So, we had a great chat, and you weren't there, which was fantastic.
So what we talked about were the challenges that IT people face. There's obviously all the ones we know about, but there's some secret ones as well, ones that no one talks about.
So we try and dive into that. And we also talk about what things IT guys can do to get better buy-in from their bosses.
And also, we talk about how people can actually help IT as well. And it's a very cute conversation. She's so much fun.
So, we had a great chat, and you weren't there, which was fantastic.
Oh, no, I wasn't actually.
Well, no, it's great.
I've been having chats behind my back. Okay, stop it.
Chats behind your back.
Oh, I do that a lot. I do that a lot. Do you think I'm ever quiet for more than 1 minute?
Okay, let's hear from our sponsors and then we'll hear the old episode about passwords and then we'll come back to you for your chat with Rachael. Cool.
Whatever your industry, Detectify can help you stay on top of security and build safer web apps.
Just enter the name of your website and Detectify will run over 1,500 security tests against it, identifying real problems with a list of constantly updated vulnerabilities submitted by a global network of over 150 hand-picked ethical hackers.
The service can even help you discover web assets like unknown subdomains and determine if they're vulnerable to hostile subdomain takeover. So what are you waiting for?
Go hack yourself. Take a 14-day free trial at www.smashingsecurity.com/detectify. Detect with an -ify on the end. And thanks to them for supporting the show.
Whatever your industry, Detectify can help you stay on top of security and build safer web apps.
Just enter the name of your website and Detectify will run over 1,500 security tests against it, identifying real problems with a list of constantly updated vulnerabilities submitted by a global network of over 150 hand-picked ethical hackers.
The service can even help you discover web assets like unknown subdomains and determine if they're vulnerable to hostile subdomain takeover. So what are you waiting for?
Go hack yourself. Take a 14-day free trial at www.smashingsecurity.com/detectify. Detect with an -ify on the end. And thanks to them for supporting the show.
Don't you love a win-win situation? Imagine if you could have both enterprise-wide password management with single sign-on.
What is single sign-on?
Well, Graham, let me dazzle you. Single sign-on is designed to connect employees to high-priority apps, all without needing the user to log in at every single hurdle.
Now, by combining these two services, our friends at LastPass may have just revolutionized security at the enterprise level. Learn more at lastpass.com/smashing.
Now, by combining these two services, our friends at LastPass may have just revolutionized security at the enterprise level. Learn more at lastpass.com/smashing.
You don't need to say the forward slash.
Ah. Smashing Security, splinter episode: Passwords, with Carole Theriault, Vanja Švajcer, and Graham Cluley.
Hello everybody and welcome to Smashing Security, a very special episode of Smashing Security.
It's our splinter episode where we are talking today about tips on how you can better protect yourself online.
And one of the things which I think we should chat about, because people are always asking me what they could be better doing about it, is passwords.
They're a bit of a problem, aren't they?
Hello everybody and welcome to Smashing Security, a very special episode of Smashing Security.
It's our splinter episode where we are talking today about tips on how you can better protect yourself online.
And one of the things which I think we should chat about, because people are always asking me what they could be better doing about it, is passwords.
They're a bit of a problem, aren't they?
They're pretty awful.
We all hate them. I don't know anyone who thinks passwords are fun, but they're kind of a necessary evil, a bit like dandruff shampoo, isn't it?
And you know, we all remember life before passwords. We're all of an age where I don't think I started thinking about passwords until I was in my teens.
And you know, we all remember life before passwords. We're all of an age where I don't think I started thinking about passwords until I was in my teens.
Right.
To be honest, I don't even remember what happened yesterday, let alone life before the passwords.
Poor old Vanja. He's got to that point.
He's so old.
He's so old. He's so old these days. And yeah, I mean, passwords, they are a nightmare, aren't they?
Particularly for the frailer, more elderly generation, people like Vanja, who are finding it hard to keep track of all of these things.
And of course, people are expecting you to remember lots of passwords, aren't they?
Particularly for the frailer, more elderly generation, people like Vanja, who are finding it hard to keep track of all of these things.
And of course, people are expecting you to remember lots of passwords, aren't they?
Well, that's it. You know, I mean, I have hundreds and hundreds of accounts.
And I, of course, use a unique password, which we're going to talk about why that's important in a second.
But I have to, you know, in my head, I wouldn't be able to remember all those.
And I, of course, use a unique password, which we're going to talk about why that's important in a second.
But I have to, you know, in my head, I wouldn't be able to remember all those.
Of course you wouldn't.
That's why you can always have one password for every site. You choose a nice password, you remember it, right?
Oh, I see. You're thinking you just come up with one strong password and use that everywhere.
And if you could remember that, well, excellent security advice there from Vanja Švajcer.
But I would argue that maybe choosing a password like EnricoJoyouslyLeopards79 isn't such a good idea because, of course, if you get hacked in one place, if your password spills out in a data breach, what's the first thing the hackers are going to do?
And if you could remember that, well, excellent security advice there from Vanja Švajcer.
But I would argue that maybe choosing a password like EnricoJoyouslyLeopards79 isn't such a good idea because, of course, if you get hacked in one place, if your password spills out in a data breach, what's the first thing the hackers are going to do?
Well, they'll try again. Yeah.
They'll try it again. And they'll try and unlock your email or they'll try and unlock your PayPal account or your Amazon or who knows what. Exactly.
It's going to be absolutely horrendous, isn't it?
It's going to be absolutely horrendous, isn't it?
Yeah, Mark Zuckerberg earlier this year, his LinkedIn password got hacked.
And had he used that same password on other social accounts, he would have had a real disaster on his hands.
And had he used that same password on other social accounts, he would have had a real disaster on his hands.
He was using it actually. He was using it on his Twitter account.
Oh, that's right. That's right.
Instagram.
That's right. And now, interestingly, he didn't use that particular password. By the way, it was a very dumb password. It was DADADA, D-A-D-A-D-A.
He didn't use that password on his Facebook account, probably his most important account, I imagine, because his security team had said, "Hey, buddy, you've gotta have a really strong password on your account because you are a prime target." You know what, though?
He didn't use that password on his Facebook account, probably his most important account, I imagine, because his security team had said, "Hey, buddy, you've gotta have a really strong password on your account because you are a prime target." You know what, though?
You're making a super good point that not all websites or accounts, you know, where they demand a password, actually teach you how to make a secure password.
So some of them might accept something like dadada, right?
And that is, you know, it might give you a false sense of confidence that, you know, that they know what they're doing, but actually you need to kind of take ownership of how secure you make your password.
So some of them might accept something like dadada, right?
And that is, you know, it might give you a false sense of confidence that, you know, that they know what they're doing, but actually you need to kind of take ownership of how secure you make your password.
Right, so let's step back a little bit and think about passwords, because when I speak to regular civilians, what am I talking about?
People outside the computer security industry who have sort of accepted that they do need passwords, but aren't necessarily sure quite how they should be dealing with them.
They say all the time, well, what makes a strong password? You know, what should my password be like?
And I've got a couple of rules and maybe you guys can chip in if you can think of any others. But I think one of them is what we've just mentioned. You need a unique password.
You need different passwords for different accounts. But you also need a password which is hard to guess.
And one of the mistakes that some people make is they will make their password the name of their dog or their favorite soccer team or their mother's maiden name or something which is fairly easy for someone to determine if they know that particular individual.
So you might have someone close to you or a work colleague who's then able to work out how to get into your accounts.
People outside the computer security industry who have sort of accepted that they do need passwords, but aren't necessarily sure quite how they should be dealing with them.
They say all the time, well, what makes a strong password? You know, what should my password be like?
And I've got a couple of rules and maybe you guys can chip in if you can think of any others. But I think one of them is what we've just mentioned. You need a unique password.
You need different passwords for different accounts. But you also need a password which is hard to guess.
And one of the mistakes that some people make is they will make their password the name of their dog or their favorite soccer team or their mother's maiden name or something which is fairly easy for someone to determine if they know that particular individual.
So you might have someone close to you or a work colleague who's then able to work out how to get into your accounts.
Yeah, even if it's a phrase from a song or a book, you know, those are not very difficult to guess.
So, Summer of '69 is not a good choice for a Canadian.
Okay.
No matter how great this song is.
No matter how great this song is.
It is a fantastic song. Let's face it. It's one of the best. But those sort of phrases, no good at all. And similarly, password is no good. And 1, 2, 3, 4, 5 is no good.
And qwertyup is no good. Because we've seen that all before.
And qwertyup is no good. Because we've seen that all before.
1Q2W3E4R. That's not good either.
Yeah. And I think people do this, though, because they don't see the importance of the data they're protecting as being valuable because they're just starting off the account.
So what you have to remember is that you're going to be probably using this account for something. That's why you're setting it up.
And you're going to be putting in data and information that if it did get out, it could prove to be harmful to you.
So what you have to remember is that you're going to be probably using this account for something. That's why you're setting it up.
And you're going to be putting in data and information that if it did get out, it could prove to be harmful to you.
Right. So we're saying your password needs to be unique. It needs to be hard to guess, but enough—
It must be long. It has to have lots of characters.
It can't just be 5 characters. Length matters. So the longer the password—
I would, of course, say length matters.
Normally, that makes it stronger. Not always.
Not just the length, of course.
It's not just length. It's also the complexity of the password. So we would recommend that you have lowercase and uppercase. You have numbers.
Ampersands, special characters. Yeah.
Any stuff that you can shove in there, it's gotta be good.
And this will help make your password hard to crack because one of the things which the hackers are doing is they are using dictionaries.
They have dictionaries of the most common words and the most common passwords, which they will use against a password database in order to try and crack your password.
And this will help make your password hard to crack because one of the things which the hackers are doing is they are using dictionaries.
They have dictionaries of the most common words and the most common passwords, which they will use against a password database in order to try and crack your password.
Also, if you use passwords and you exchange some of the letters for numbers instead of E, use 3, or instead of L, use 1, that's also easily guessable.
Right, so for instance, if your password, let's just use a really dumb example to explain that.
If you've got the word password, don't just change the A to a 4 and the O to a 0, because, you know, that's no protection at all against a modern attacker trying to crack your password.
So it needs to be better than that. But all of this stuff, right?
The length, the complexity, the uniqueness, all comes down to one central problem, which is how on earth is Carole's puny brain, which is simply full of Bryan Adams lyrics, how is it going to be able to cope?
How is it going to remember all of these puzzles? Ask me.
If you've got the word password, don't just change the A to a 4 and the O to a 0, because, you know, that's no protection at all against a modern attacker trying to crack your password.
So it needs to be better than that. But all of this stuff, right?
The length, the complexity, the uniqueness, all comes down to one central problem, which is how on earth is Carole's puny brain, which is simply full of Bryan Adams lyrics, how is it going to be able to cope?
How is it going to remember all of these puzzles? Ask me.
Ask me how I manage it. Ask me.
Carole, how can you manage this impossible task with your feeble female mind? That's a bit sexist.
Whoa, whoa, whoa!
I was just doing that for effect. LastPass, guys.
Yeah, okay.
Yeah, we all know, we all know you're not really female. Come on.
So I use a password manager. There's a lot of reputable password managers, and there are a few out there that maybe are less reputable, so choose wisely.
But what a password manager will do is basically keep all your passwords in one place, and all you need to remember is one master password, which you make, as Graham said earlier, unique hard to crack, holding lots of characters, and I'm talking over 12 characters to be long.
Now, some go up to 20. I mean, that's a minimum. And then you have this one password to access everything.
It proves very useful, and you don't even have to make them memorable that way. So they're not as easy to crack. They're very random because they're automatically generated.
But what a password manager will do is basically keep all your passwords in one place, and all you need to remember is one master password, which you make, as Graham said earlier, unique hard to crack, holding lots of characters, and I'm talking over 12 characters to be long.
Now, some go up to 20. I mean, that's a minimum. And then you have this one password to access everything.
It proves very useful, and you don't even have to make them memorable that way. So they're not as easy to crack. They're very random because they're automatically generated.
Yes, they're automatically generated, and they are stored in a safe and secure way.
So even if they get compromised, they wouldn't be, you know, the hackers wouldn't be easily guessing their passwords.
So even if they get compromised, they wouldn't be, you know, the hackers wouldn't be easily guessing their passwords.
So what we're recommending everyone does, right? Everyone who listens to this podcast, I think, has got an interest in doing this, in properly protecting themselves.
We would recommend, for the vast majority of people, run a password management program on your computer which stores your passwords securely and encrypted, protected by one strong master password.
And that master password, if you find it hard to remember all that complexity, maybe you could create a passphrase, whereas you have a sequence of random words.
So it could be something I don't know, suspects38plague21rots or something like that. It's quite a long phrase. You've got some numbers in there as well.
You could add an exclamation mark somewhere in there or an ampersand.
We would recommend, for the vast majority of people, run a password management program on your computer which stores your passwords securely and encrypted, protected by one strong master password.
And that master password, if you find it hard to remember all that complexity, maybe you could create a passphrase, whereas you have a sequence of random words.
So it could be something I don't know, suspects38plague21rots or something like that. It's quite a long phrase. You've got some numbers in there as well.
You could add an exclamation mark somewhere in there or an ampersand.
But no one should use that one. No one use that one.
No, don't use that one. In fact, I've already forgotten it. But if you memorise your master password, then that will be your key to your password management programme.
And the beauty of this is that when you try to log into online accounts, you can actually have your password manager pop up and say, "Oh, I know the password for this site.
And the beauty of this is that when you try to log into online accounts, you can actually have your password manager pop up and say, "Oh, I know the password for this site.
I'll type it in for you." Some good ones even say to you, "Ooh, your password for this site is actually quite weak.
Let us help you make that a stronger password." Which is wonderful service.
Let us help you make that a stronger password." Which is wonderful service.
Yeah, it's fantastic. So I think passwords are pretty much here to stay, but also password stealing is here to stay as well.
And the bad guys steal your passwords through phishing attacks where they try and lead you to bogus websites trying to trick that, by the way, is another way in which password managers can protect you because they won't pop up if it's a bogus site.
They should only pop up if it's the real site and offer to enter your password.
But you can also have your password stolen through keylogging malware, maybe even keylogging hardware or through a data breach.
And the bad guys steal your passwords through phishing attacks where they try and lead you to bogus websites trying to trick that, by the way, is another way in which password managers can protect you because they won't pop up if it's a bogus site.
They should only pop up if it's the real site and offer to enter your password.
But you can also have your password stolen through keylogging malware, maybe even keylogging hardware or through a data breach.
There's tons of ways.
Lots and lots of ways to do this. Yeah. But generally our advice is have unique passwords, make them hard to crack, hard to guess, and run a password manager.
What else can people do to better protect their accounts though?
What else can people do to better protect their accounts though?
So you can, we haven't mentioned 2FA or two-factor authentication or multifactor authentication as it's also known.
You're nerding me out right now, right?
I'm sorry.
With this terminology. What is this 2FA and multifactor authentication? What's that bringing me that passwords don't bring me?
Well, you have this additional factor. I mean, passwords are something you know, while the second factor is something you have.
So you can have these sort of unique generators of numbers, which when you authenticate, it really proves that it's you that's trying to log on to a particular system.
So it's not just the password, but an additional number that you have.
You either receive it through an SMS message or you have an app on your phone that generates a number for you, or you have some other specialized hardware that allows you to enter and create those numbers.
So you can have these sort of unique generators of numbers, which when you authenticate, it really proves that it's you that's trying to log on to a particular system.
So it's not just the password, but an additional number that you have.
You either receive it through an SMS message or you have an app on your phone that generates a number for you, or you have some other specialized hardware that allows you to enter and create those numbers.
So it's a bit like your bank account, for instance. Right? It's like your bank account. You're using a kind of token to generate an automatic number.
So it's like a physical device, in some cases, like hardware.
So it's like a physical device, in some cases, like hardware.
Yeah, it's exactly like that.
Right. Okay. So we would recommend, and many websites are now beginning to offer this kind of additional level of security.
We would recommend that people do this, enable it in order to harden their accounts.
And if you do that, even if your password does get stolen, Lord forbid that it happens, but if it does get stolen, the hackers shouldn't be able to access your account because they have that extra hurdle to get past.
A good tip there for everybody. Well, I think that's about all we have time for this episode. We very briefly covered passwords.
I'm sure we'll be coming back to passwords again, but I hope that's been some useful advice for most people as to how to create stronger passwords and how to remember their passwords rather than using their puny human brains.
All that's left for me is to apologize to Carole, first of all, for making the rather sexist comment earlier and to recommend that if you like us— Carole, do you forgive me?
We would recommend that people do this, enable it in order to harden their accounts.
And if you do that, even if your password does get stolen, Lord forbid that it happens, but if it does get stolen, the hackers shouldn't be able to access your account because they have that extra hurdle to get past.
A good tip there for everybody. Well, I think that's about all we have time for this episode. We very briefly covered passwords.
I'm sure we'll be coming back to passwords again, but I hope that's been some useful advice for most people as to how to create stronger passwords and how to remember their passwords rather than using their puny human brains.
All that's left for me is to apologize to Carole, first of all, for making the rather sexist comment earlier and to recommend that if you like us— Carole, do you forgive me?
No.
Oh dear. I just did it for a cheap gag. I didn't really mean it.
We'll see how this develops in next episode.
That's right.
Okay, so I didn't listen to that. What was it like, Graham?
It was wonderful. Well, my bits were fantastic. Oh, of course. Well, no, it's good. It's fun going back and listening to your old stuff, isn't it? No. I think— Oh, okay.
Nope. Now onwards, onwards, onwards.
We're now going to show our featured interview with Rachael Stockton from LogMeIn, and hear all her little secret tips on how you IT guys out there can make your lives easier.
And I'd really be interested in seeing if you agree with everything we chat about. So, get in touch, Twitter, Reddit, you know how to get in touch with us. Take a listen.
We're now going to show our featured interview with Rachael Stockton from LogMeIn, and hear all her little secret tips on how you IT guys out there can make your lives easier.
And I'd really be interested in seeing if you agree with everything we chat about. So, get in touch, Twitter, Reddit, you know how to get in touch with us. Take a listen.
It's not gonna be boring, is it, Carole? Seriously, is it gonna be boring?
Are you just saying that because you're not part of it? You know, Graham, I'm pretty funny, even when you're not around. I'm pretty engaging.
Okay, okay, I'll listen. I'll listen.
Don't play chess at the same time, right? Don't leave the room to go make a cup of tea. That doesn't count. I'm going to ask you questions about it afterwards.
Oh no, are you?
Yeah, yeah, I'm going to. What did I say at 5 minutes 12?
Oh, for goodness' sake, just play the tape.
So today we have a chat with Rachael Stockton, Senior Director of Product Marketing at LastPass. Or is it LogMeIn now, Rachael?
It's LogMeIn, and LastPass is our identity and access management solution.
Thank you a squillion times for coming on the Smashing Security show to do this special interview.
Not only do I and Graham appreciate this professional insight, but many of our listeners want to get to know our sponsors better. So it's really great that you're here.
Not only do I and Graham appreciate this professional insight, but many of our listeners want to get to know our sponsors better. So it's really great that you're here.
Hey, thanks for having me back.
Now, first, before we get into this, how have you been doing? Has the summer been really busy or have you been able to just focus on future plans and that sort of stuff?
Summer has been so busy personally and professionally. Yeah, but here at LogMeIn and LastPass, of course, July 1st we release our new identity and access management product.
So that creates an incredible amount of opportunity for us to really help people solve problems around securing access.
So we have been busy the past 2.5 months really helping our customers figure out what's going to be best for their employees, their companies, so that they can manage security and secure identities.
So that creates an incredible amount of opportunity for us to really help people solve problems around securing access.
So we have been busy the past 2.5 months really helping our customers figure out what's going to be best for their employees, their companies, so that they can manage security and secure identities.
So that's interesting because this is why I chose this topic for us today. You and I both have worked in the tech environment for quite a while.
I was, I don't know, maybe 20 years now. Gosh.
I was, I don't know, maybe 20 years now. Gosh.
Yeah, it's 20 whisper, whisper years.
Time flies when you're having fun. And often the products and services that we create from tech companies make a huge impact on the IT guy's day-to-day life, right?
It can make it more complicated. It can make it more challenging, but it can also make it much easier.
And I thought maybe we could talk about the challenges that face the IT person when it comes to security because some challenges are more obvious than others.
Actually, maybe we should first talk about the key responsibilities facing an IT person just so that we're all on the same page.
It can make it more complicated. It can make it more challenging, but it can also make it much easier.
And I thought maybe we could talk about the challenges that face the IT person when it comes to security because some challenges are more obvious than others.
Actually, maybe we should first talk about the key responsibilities facing an IT person just so that we're all on the same page.
Yeah, it's so interesting. I talk to a lot of IT people. Hey, peeps. All different levels.
And particularly when you're looking at somebody in a small and medium business, my huge takeaway is literally they are a Swiss Army knife. It's more than just security, right?
I mean, they're responsible for everything from tech support to does everybody have a computer? Does everybody have access to the applications?
Are the applications we're using what's needed? Meet our requirements. Hey, the printer's not working.
Oh my gosh, I have to patch my endpoints, let alone how am I making sure that people are getting access to what they need when they need it.
And so it's this plethora, throwing out that 25-cent word, right, of responsibilities that's amazing.
But the craziest thing is to the one, whether I talk to our CISO or CIO here or our sysadmin, is that when you say, what do you do on a daily basis? 99% say, put out fires.
So it's all that base work that I just described on top of putting out fires. I mean, how do you do that?
And particularly when you're looking at somebody in a small and medium business, my huge takeaway is literally they are a Swiss Army knife. It's more than just security, right?
I mean, they're responsible for everything from tech support to does everybody have a computer? Does everybody have access to the applications?
Are the applications we're using what's needed? Meet our requirements. Hey, the printer's not working.
Oh my gosh, I have to patch my endpoints, let alone how am I making sure that people are getting access to what they need when they need it.
And so it's this plethora, throwing out that 25-cent word, right, of responsibilities that's amazing.
But the craziest thing is to the one, whether I talk to our CISO or CIO here or our sysadmin, is that when you say, what do you do on a daily basis? 99% say, put out fires.
So it's all that base work that I just described on top of putting out fires. I mean, how do you do that?
What I've often found when I'm speaking to IT people in that sector specifically, actually also in the enterprise space as well, you have these huge plans that your stakeholders or bosses really want to get off the ground, right?
Maybe it's a sales tool to help grow the company, or maybe it's a marketing tool, and yet you've got to spend your time putting out fires all the time.
You've allocated time to do the big project, but you just can't ever get there.
Maybe it's a sales tool to help grow the company, or maybe it's a marketing tool, and yet you've got to spend your time putting out fires all the time.
You've allocated time to do the big project, but you just can't ever get there.
Yeah, I think it's really challenging. And I think what you just mentioned actually is really important.
It's understanding the priorities of the company and then being able to align your IT strategies and decisions behind it.
So, at least you have that sort of shared common language and idea, but figuring out how you do everything you've committed to while keeping the baseline and your end users and employees happy is really hard.
It's understanding the priorities of the company and then being able to align your IT strategies and decisions behind it.
So, at least you have that sort of shared common language and idea, but figuring out how you do everything you've committed to while keeping the baseline and your end users and employees happy is really hard.
Do you agree with that security triad, the idea that being an IT person security is effectively about ensuring confidentiality, integrity, and availability of files?
Do you think that sums it up or is there more to it?
Do you think that sums it up or is there more to it?
I mean, I think it does, but I think there's a lot more to it.
I mean, that makes it sound like 3 checkboxes, but there's so much stuff that you have to consider when you're deciding and choosing a security solution.
And I mean, I think part of it, the biggest part that I've heard from our customers and others is ensuring that you're able to get buy-in and you're able to be successful with the people who are using it.
Because this is not the movie Field of Dreams, right? If you build it, they will not come unless you have the clout to do that.
And in a lot of organizations of all sizes, IT can't do that. So, how you get end-user buy-in, I think, is a huge issue.
And then smaller or medium-sized organizations where the decision maker or the person who really is responsible for the budget isn't technical or isn't an IT person, the other challenge is how do you get them to really understand why you're asking for what you're asking for?
So, I think those are sort of two things that people don't really take into consideration when they're thinking about deploying security in an organization.
Yeah, you have the tools, but how do you get people to use them and how do you get your leadership to buy into funding them?
I mean, that makes it sound like 3 checkboxes, but there's so much stuff that you have to consider when you're deciding and choosing a security solution.
And I mean, I think part of it, the biggest part that I've heard from our customers and others is ensuring that you're able to get buy-in and you're able to be successful with the people who are using it.
Because this is not the movie Field of Dreams, right? If you build it, they will not come unless you have the clout to do that.
And in a lot of organizations of all sizes, IT can't do that. So, how you get end-user buy-in, I think, is a huge issue.
And then smaller or medium-sized organizations where the decision maker or the person who really is responsible for the budget isn't technical or isn't an IT person, the other challenge is how do you get them to really understand why you're asking for what you're asking for?
So, I think those are sort of two things that people don't really take into consideration when they're thinking about deploying security in an organization.
Yeah, you have the tools, but how do you get people to use them and how do you get your leadership to buy into funding them?
Often the IT person almost has the responsibility of going and getting everyone on board.
It's your job to educate the users on security and teach them how to use the tools that you have to safeguard our data and our people.
And yet they're not necessarily trained to be a leader in that area. They're IT guys.
They're not necessarily the person who can be at the forefront and do a presentation or whatever and make people understand the importance of security.
It's your job to educate the users on security and teach them how to use the tools that you have to safeguard our data and our people.
And yet they're not necessarily trained to be a leader in that area. They're IT guys.
They're not necessarily the person who can be at the forefront and do a presentation or whatever and make people understand the importance of security.
Exactly. And particularly when you're wearing so many hats. And let's throw this one in. Security is not easy. Security moves fast.
Yeah.
New threats all the time, new potential ways to solve them.
And even talking to your CEO or COO who may not understand it, they may not even understand that there's a literal industry security of hackers out there who are trying to get into organizations of all sizes in industry.
Right. They have products that they sell. They have pricing strategies. They have tech support. That's what your IT person is battling.
And even talking to your CEO or COO who may not understand it, they may not even understand that there's a literal industry security of hackers out there who are trying to get into organizations of all sizes in industry.
Right. They have products that they sell. They have pricing strategies. They have tech support. That's what your IT person is battling.
So the challenge is, if we do a little bulleted list here, we've got bosses that don't necessarily get the issue or are supporting their IT guys.
There's the users that don't necessarily understand why they have to do the things that they have to do.
And there's the outside threat that's constantly banging at every single door and window of the organization. And their job is to come in 9 to 5 and solve all these problems.
There's the users that don't necessarily understand why they have to do the things that they have to do.
And there's the outside threat that's constantly banging at every single door and window of the organization. And their job is to come in 9 to 5 and solve all these problems.
But wait, there's more. Even just think about how complex their world is now, right? It's not I give you a computer and that's all you have.
And you're bringing in your phone and you're bringing in an app that you can just put on your credit card that I'm sure will make your department run faster.
But may or may not be secure. Oh, and by the way, half of our employees work outside of our company, you know, outside of our four walls. Oh, and another third are contractors.
How do I handle that?
And you're bringing in your phone and you're bringing in an app that you can just put on your credit card that I'm sure will make your department run faster.
But may or may not be secure. Oh, and by the way, half of our employees work outside of our company, you know, outside of our four walls. Oh, and another third are contractors.
How do I handle that?
Do you think comparing enterprises to SMBs— can I use the hospital analogy?
So in a big city, you've got a huge hospital and, you know, maybe even a university hospital with loads of specialists that really understand specific problems.
And maybe the SMB is more like the small health center outside of town where you've got a really good GP, but they have to be kind of trained in everything.
So in a big city, you've got a huge hospital and, you know, maybe even a university hospital with loads of specialists that really understand specific problems.
And maybe the SMB is more like the small health center outside of town where you've got a really good GP, but they have to be kind of trained in everything.
Yeah, you know, it's really interesting. Our IT leader here just gave a webinar actually on sort of 10 things that, you know, IT managers should do to shore up their organization.
And he's been here for years, so he really helped grow LogMeIn.
And one thing he mentioned is, you know, really going from a very small organization full of generalists to LastPass, so Swiss Army knife, wears many hats.
Now we have more than 80 people in IT and 7 different departments. So, you are able to have that specialization. We also have a lot of requirements and things like that.
But I think you're right on. I do think that larger organizations who are well-funded, you are able to get that specialization. But you know what you run into?
And he's been here for years, so he really helped grow LogMeIn.
And one thing he mentioned is, you know, really going from a very small organization full of generalists to LastPass, so Swiss Army knife, wears many hats.
Now we have more than 80 people in IT and 7 different departments. So, you are able to have that specialization. We also have a lot of requirements and things like that.
But I think you're right on. I do think that larger organizations who are well-funded, you are able to get that specialization. But you know what you run into?
Tell me.
Labor shortage. How are you getting qualified people?
Yeah, and that is a big problem.
We've talked about that on the show before, the fact that you've got companies that are asking for specific skill sets and people are desperate to get in the industry, but somehow there's a disconnect.
I always think companies can train smart people in anything. So rather than look for the experience, I think get the brainiacs. But I guess they'd have no one to train them.
We've talked about that on the show before, the fact that you've got companies that are asking for specific skill sets and people are desperate to get in the industry, but somehow there's a disconnect.
I always think companies can train smart people in anything. So rather than look for the experience, I think get the brainiacs. But I guess they'd have no one to train them.
Well, I think that's true, but also you also have to make— now this isn't even about security anymore, it's really about company culture.
Because when you bring somebody in, you do invest and you train them if you're able to and you have that mentor, that knowledge, but then you have to keep them.
And I think that this is actually probably one of the biggest problems that's hitting companies large and small, but you have those smaller organizations that have an even harder time of hiring quality talent because it's just, you know, their offers probably aren't as high, you know, not quite as lucrative, maybe not the ping pong table and lunch every Wednesday sort of thing.
Because when you bring somebody in, you do invest and you train them if you're able to and you have that mentor, that knowledge, but then you have to keep them.
And I think that this is actually probably one of the biggest problems that's hitting companies large and small, but you have those smaller organizations that have an even harder time of hiring quality talent because it's just, you know, their offers probably aren't as high, you know, not quite as lucrative, maybe not the ping pong table and lunch every Wednesday sort of thing.
We can pivot easily right now to the idea that actually this is why security technology exists, not only to help the CEOs have a safer environment, but we also designed them, and LogMeIn designed them to make the IT security guy or gal's job easier on a day-to-day basis.
Yeah, I mean, that's one of our key tenets is ease of use, right? How can we make doing business simple and safe?
You know, part of that has to do with making it easy for the people who are going to be using it on a daily basis, your employees, but also part of it is how do we make it easy for you?
How do we make it easy for you to integrate into your own infrastructure, the infrastructure you have now and the infrastructure that you're going to grow into because you're going to be so successful, right, as an organization.
And how do we make it easy for you to maintain? How do we make it easy for you to know what's going on.
And I think there are these elements of reporting and automation that are really critical because you don't want to have to add resources for every product that you buy to secure your organization.
You know, part of that has to do with making it easy for the people who are going to be using it on a daily basis, your employees, but also part of it is how do we make it easy for you?
How do we make it easy for you to integrate into your own infrastructure, the infrastructure you have now and the infrastructure that you're going to grow into because you're going to be so successful, right, as an organization.
And how do we make it easy for you to maintain? How do we make it easy for you to know what's going on.
And I think there are these elements of reporting and automation that are really critical because you don't want to have to add resources for every product that you buy to secure your organization.
Yeah, I guess it comes down to ROI, doesn't it? The return on investment.
So if I'm going to invest in not only buying this software, but also learning it, it needs to pay back tenfold so that I can see the value of it and I can sell it to my bosses.
So if I'm going to invest in not only buying this software, but also learning it, it needs to pay back tenfold so that I can see the value of it and I can sell it to my bosses.
Yes.
Yes.
But I think that's another thing to talk about is how do you, while doing all of this stuff as an IT person, how do you actually sell what you need to your potentially non-technical leader?
Exactly. So, you need your boss on side. It makes your life so much easier in any job, right? But I imagine in IT it's huge because they hold the purse strings and everything.
Yeah.
So, do you have any advice for that IT guy?
So, if there's an IT guy out there who really wants to invest in a PIM, piece of security software to protect his users or protect the company, how would he go or how would she go about that?
So, if there's an IT guy out there who really wants to invest in a PIM, piece of security software to protect his users or protect the company, how would he go or how would she go about that?
I think it's a couple things, right? One thing is definitely take the time to tie your IT strategy or your priority to the business requirements.
The key piece that I learned being in marketing for 20-something years is knowing your audience and being able to speak their language.
And so that's the other piece is you have to be able to speak the language of your leadership team.
So they may not know the details behind or even the terms single sign-on or federated identity or multifactor authentication.
The key piece that I learned being in marketing for 20-something years is knowing your audience and being able to speak their language.
And so that's the other piece is you have to be able to speak the language of your leadership team.
So they may not know the details behind or even the terms single sign-on or federated identity or multifactor authentication.
Yeah.
But they do understand letting their employees get access to applications anywhere they want, anytime they want, so they can be more productive.
You know, I think that's such an important point because I think that's something that actually most of us learn with age.
Age and experience is actually using big words and complicated thought structures is actually not very smart because it limits the number of people that can actually understand what you're saying.
Age and experience is actually using big words and complicated thought structures is actually not very smart because it limits the number of people that can actually understand what you're saying.
It's true. I mean, the truth is words matter.
Yeah, but when I came out of college and I went into my first jobs, you bet your bottom dollar I was trying to prove to everyone I was smart.
And I did that by trying to make things a bit more complex. So it's interesting. I think you're right.
Knowing what your audience need from you and then catering exactly to that rather than trying to show your skills and you're smart.
And I did that by trying to make things a bit more complex. So it's interesting. I think you're right.
Knowing what your audience need from you and then catering exactly to that rather than trying to show your skills and you're smart.
Yeah, and I think also invest in education.
We talk about educating the end users, ensuring that they understand why security matters, why we're asking you to do things, the impact your behavior can have on this entire organization.
But at the same time, there is an education campaign that does need to happen to senior management.
What is truly the environment that we're in when it comes to the potential of threats. What kind of threats are out there? What are other ways organizations are doing that?
The more they can understand, and then the more you can speak their language, the easier it's going to be for them to be able to not just approve but champion your initiatives.
We talk about educating the end users, ensuring that they understand why security matters, why we're asking you to do things, the impact your behavior can have on this entire organization.
But at the same time, there is an education campaign that does need to happen to senior management.
What is truly the environment that we're in when it comes to the potential of threats. What kind of threats are out there? What are other ways organizations are doing that?
The more they can understand, and then the more you can speak their language, the easier it's going to be for them to be able to not just approve but champion your initiatives.
Yeah, and plus, a lot of the skills that you'll be able to share with your users are useful in their personal lives as well.
They all have—
Their houses are riddled with smart devices. Devices as well and IoT TVs and smart home assistants.
And a lot of that education will help them secure themselves in their home environment.
And a lot of that education will help them secure themselves in their home environment.
Oh, definitely. And passwords. I mean, LastPass, we were always about securing the passwords and moving to securing the identities as a whole.
But passwords are still one of the biggest risks and the bane of so many individuals' existence.
And so even just being able to ensure you have best practices around that, at home and at work, that's going to make a huge difference.
But passwords are still one of the biggest risks and the bane of so many individuals' existence.
And so even just being able to ensure you have best practices around that, at home and at work, that's going to make a huge difference.
Yeah. Now tell me, so let's say some of our listeners don't work in IT but have actually heard your words on how actually difficult their jobs are.
What can a normal user do to make the IT person's life easier?
What can a normal user do to make the IT person's life easier?
Oh my gosh, you guys and ladies listening to this must have just shed a tear listening to that question.
That may be the first time those words have ever been uttered: "How do I help with IT?" I'd be so interested in hearing the comments that you get back.
I'd love to know what your audience thinks they would hear. But I think one thing would be read the messages that get sent out.
That may be the first time those words have ever been uttered: "How do I help with IT?" I'd be so interested in hearing the comments that you get back.
I'd love to know what your audience thinks they would hear. But I think one thing would be read the messages that get sent out.
Yes. Yes.
Listen to the communication.
You know, we talk about using the right language, but there is a responsibility from that employee point of view to listen to what they're trying to say.
You know, we talk about using the right language, but there is a responsibility from that employee point of view to listen to what they're trying to say.
I agree.
Yeah, that's number one. You know, just do that.
Yeah.
And I think really understand that, you know, your company's data matters.
Yeah. Because your data is there too, right? You're an employee.
Yeah. And that there really are threats and you may not feel you yourself are a target, but you yourself are an entry point into an organization.
And so because of that, you do have responsibilities. And that's part of being an employee.
And I think if you just really just do those two things: one, realize your responsibilities, and two, listen to what IT is asking for, I think that would really go a long way.
And so because of that, you do have responsibilities. And that's part of being an employee.
And I think if you just really just do those two things: one, realize your responsibilities, and two, listen to what IT is asking for, I think that would really go a long way.
You know what else would help? Maybe Friday brownies, right? Maybe carrot sticks for the healthier ones with a bit of hummus. But yeah, I'd be for the brownies, the brownie crowd.
We have Bagel Wednesdays here.
Oh.
But then they brought in date cookie dough bites. So they're dates that taste cookie dough. So that's our version of healthy too.
That sounds good. Next Wednesday, I'm there.
You're always welcome.
Rachael Stockton, thank you so much for talking with us today.
I think this is an important topic, and I hope listeners, if you work in IT, because we want to know what concerns you and what challenges that you are facing that we may not know about.
And Rachael, of course, thank you for your continued support of Smashing Security. We are extremely grateful.
I think this is an important topic, and I hope listeners, if you work in IT, because we want to know what concerns you and what challenges that you are facing that we may not know about.
And Rachael, of course, thank you for your continued support of Smashing Security. We are extremely grateful.
Our pleasure. You guys are great. I just think you just make security and everything so much more accessible and fun.
Oh, Carole, good job. Nice little friendly chat you were having there with Rachael.
Oh, a little pat on the head from Graham. "Thanks, Graham. Good one." Yeah, good one. Very nice.
No sarcasm at all.
No. By the way, my hand's fine. My hand's totally fine.
Good, good, good. Well, that's important, isn't it? I'm glad. And are you— do you think you'll be better by next week? Are we going to do a regular episode next week?
Well, how do I know? I might have to get amputated.
What, they're going to cut you off from your hand? Well, I guess your hand will be happy.
Anyway, and I really hope listeners feel bad for me and send me some good wishes because this is the quality.
This is the kind of love I get when I am hurt and I still show up to— Anyway, on that bombshell, I'm going to say, don't forget, you can follow us on Twitter @SmashingSecurity, no G, Twitter won't allow us to have a G.
And you can also join us on Reddit if you want. We have a thriving community up there where you can discuss the show.
And you can also join us on Reddit if you want. We have a thriving community up there where you can discuss the show.
I was just going to say high five to all you listeners out there, but that's too ironic for words. So thank you for listening.
I get it. Very well.
Thank you, Patreon supporters. Thank you, reviewers. Thank you, retweeters. Thank you all. See you next week for our regular episode.
Until next time, cheerio, bye-bye, later. Bark! Bark!
Thank you, Archie, I am doing better.
Thank you very much.
I wasn't feeling very well, but your kind bark—
I think the Amazon delivery man has just delivered your replacement robot hand.
Hosts:
Graham Cluley:
@grahamcluley.com
@
/ grahamcluley
Carole Theriault:
Guests:
Vanja Svajcer – @vanjasvajcer
Rachael Stockton
Show notes:
Sponsor: LastPass
LastPass Enterprise makes password security effortless for your organization.
LastPass Enterprise simplifies password management for companies of every size, with the right tools to secure your business with centralized control of employee passwords and apps.
But, LastPass isn’t just for enterprises, it’s an equally great solution for business teams, families and single users.
Go to lastpass.com/smashing to see why LastPass is the trusted enterprise password manager of over 33 thousand businesses.
Sponsor: Detectify
Detectify will run over 1500 security tests against your website, identifying real problems with a list of constantly updated vulnerabilities submitted by a global network of over 150 handpicked ethical hackers.
Go hack yourself! Take a 14-day free trial at www.smashingsecurity.com/detectify now.
