Can Frequent Security Training Help Thwart "As-A-Service" Attacks?

Ditch the old school training for an approach that keeps employees on their toes, IT security expert says.

The on-demand economy has made life a lot more convenient. But it has also made life more convenient for the wrong people: cybercriminals, for example, can now buy phishing attacks as a service with nothing more than a bitcoin wallet.

Cybercriminals are rapidly developing services that they sell on the dark web, or what KnowBe4 CEO Stu Sjouwerman calls “services by criminals for criminals.”

In recent years, cybercriminals have developed platforms where “every wannabe cyber crim[sic] can just go to that website, pay a fraction of a bitcoin, and send out a phishing campaign in a few hours instead of having to do all of this stuff themselves,” Sjouwerman said. So not only are phishing attacks and ransomware becoming more sophisticated, but they are also becoming much more accessible, making a dangerous combination for ill-prepared organizations.

KnowBe4, which Sjouwerman founded in 2010, offers security awareness training combined with simulated phishing attacks to help prevent employees from becoming victims of social engineering.

“There was old-school security awareness training that was generally done for compliance reasons,” Sjouwerman said. “But compliance is usually once a year, and that’s the old herd them in the break room, keep them awake with coffee and donuts, and then death by PowerPoint. That doesn’t work anymore.”

KnowBe4 said “new school training” is a lot more interactive and engages employees with simulated phishing attacks.

He said KnowBe4 starts with a baseline test where every employee is sent a simulated phishing attack, where a number of people actually click. “At that point you have the catalyst that allows you to say, ‘OK, if this would have been the bad guys, we would have been owned.’” After this exercise, employees can take the interactive training online; once everyone is trained, you continue with frequent simulated phishing attacks to keep them on their toes, Sjouwerman said. Some cybersecurity experts suggest this testing should happen once a month.

The market for security awareness computer-based training (CBT) is growing, according to Gartner, which said the market would reach $240 million in 2016, after experiencing greater than 55 percent growth from 2014 to 2015. (On a related note, Gartner analyst Perry Carpenter, who covered security awareness CBT for the firm, joined KnowBe4 in May as chief evangelist and strategy officer.)

According to a survey last year by SANS Information Security Training, phishing assessments are the top metric organizations use to measure their security awareness program, followed by security violations and infected devices.
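The cycle described above (a baseline simulated phishing round, training, then frequent follow-up rounds) only pays off if the results are measured the same way each time. The following is an added example, not KnowBe4's code or anything from the article: it records each simulated email as one result, computes the phish-prone percentage and the report rate per round, breaks click rates down by department so follow-up training can be targeted, and flags users who clicked in more than one round. The rounds, users and departments are constructed sample data.

```python
"""
Track simulated-phishing campaign results across rounds: the baseline
test, then the periodic follow-up tests after training.
All data below is constructed sample data, not real campaign results.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishResult:
    """One simulated phishing email sent to one user in one round."""
    round_name: str
    user: str
    department: str
    clicked: bool      # user clicked the simulated link or opened the attachment
    reported: bool     # user reported the email to the security team


# Constructed sample data: a baseline round before training, then a
# follow-up round one month after the interactive training.
SAMPLE_RESULTS = [
    PhishResult("baseline", "alice", "finance", True, False),
    PhishResult("baseline", "bob", "finance", True, False),
    PhishResult("baseline", "carol", "engineering", False, True),
    PhishResult("baseline", "dave", "engineering", True, False),
    PhishResult("baseline", "erin", "hr", False, False),
    PhishResult("baseline", "frank", "hr", False, True),
    PhishResult("month1", "alice", "finance", True, False),
    PhishResult("month1", "bob", "finance", False, True),
    PhishResult("month1", "carol", "engineering", False, True),
    PhishResult("month1", "dave", "engineering", False, False),
    PhishResult("month1", "erin", "hr", False, True),
    PhishResult("month1", "frank", "hr", False, True),
]


def _pct(numerator, denominator):
    """Percentage rounded to one decimal; 0.0 when nothing was sent."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0


def phish_prone_percentage(results, round_name):
    """Share of recipients in a round who clicked (the headline metric)."""
    sent = [r for r in results if r.round_name == round_name]
    return _pct(sum(r.clicked for r in sent), len(sent))


def report_rate(results, round_name):
    """Share of recipients who reported the email: the behaviour you want to grow."""
    sent = [r for r in results if r.round_name == round_name]
    return _pct(sum(r.reported for r in sent), len(sent))


def rate_by_department(results, round_name):
    """Phish-prone percentage per department, to target follow-up training."""
    counts = defaultdict(lambda: [0, 0])  # department -> [clicked, sent]
    for r in results:
        if r.round_name == round_name:
            counts[r.department][0] += int(r.clicked)
            counts[r.department][1] += 1
    return {dept: _pct(c, n) for dept, (c, n) in sorted(counts.items())}


def repeat_clickers(results, min_clicks=2):
    """Users who clicked in at least `min_clicks` rounds: candidates for extra training."""
    clicks = defaultdict(int)
    for r in results:
        if r.clicked:
            clicks[r.user] += 1
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


def trend(results, round_names):
    """Phish-prone percentage for each round in order, to show change over time."""
    return [phish_prone_percentage(results, name) for name in round_names]


if __name__ == "__main__":
    rounds = ["baseline", "month1"]
    print("phish-prone % by round:", dict(zip(rounds, trend(SAMPLE_RESULTS, rounds))))
    for name in rounds:
        print(name, "by department:", rate_by_department(SAMPLE_RESULTS, name),
              "report rate:", report_rate(SAMPLE_RESULTS, name))
    print("repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

The report rate is tracked alongside the click rate on purpose: a program that only drives clicks down can still leave the security team blind to real attacks, while a rising report rate shows employees are acting as the "human firewall" the article describes.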

KnowBe4 is among 25 vendors on Gartner’s Magic Quadrant for Security Awareness Computer-Based Training (CBT). Other popular vendors include PhishMe, which raised $42.5 million last year, and Wombat Cybersecurity Technologies, whose recent survey looked at the things employees get wrong about cybersecurity.

While security must include a technical layer, such as spam filters and email security gateways, to stop malicious emails from getting through in the first place, Sjouwerman said more companies are relying on a so-called human firewall to be the last line of defense.

“If an attack makes it through then your employees are the ones who have to make that smart decision and not click that link or open that attachment,” he said.

In addition to phishing-as-a-service, there is also ransomware-as-a-service to watch out for, Sjouwerman said.

“Ransomware is by far the fastest growing revenue source [for cybercriminals],” he said. “There are now websites that allow aspiring cybercriminals to send complete ransomware attacks, which is essentially something that rides on a phishing email…once the end user has clicked, their workstation and [the] network [it] is connected to gets encrypted.”

While WannaCry and the recent Google Doc phishing scam helped create more end-user awareness, there is still not enough awareness of ransomware and phishing as far as Sjouwerman is concerned.

“We are slowly but surely coming to grips with the fact that cybercrime is here to stay and it’s only getting worse before it gets better,” he said.
