Stu Sjouwerman, founder of Internet security awareness training firm KnowBe4, classifies the five types of security awareness training amid phishing attempts that play upon Americans' interest in the recent hostility with Syria.
(TAMPA BAY, FL), Sept. 30, 2013 -- Cybercriminals are known to exploit and prey upon the heartstrings of Americans during times of unease or tragedy—the recent Boston Marathon bombing led to an outpouring of scam emails and fake charity websites designed to swindle concerned citizens out of their money and personal information (1). Despite some IT professionals dismissing the idea of security awareness training where individuals are taught to recognize and avoid cyberattacks, Internet security awareness training firm KnowBe4 not only deems security training to be a necessity, but has established the five types of security training and details which is most effective.
As many Americans tend to overestimate their ability to spot phishing attempts and businesses often rely on outdated anti-virus software for protection, Stu Sjouwerman, founder of KnowBe4, says that security awareness training not only guides employees to avoid clicking on suspicious links or opening infected attachments, but also provides them with the knowledge and skills necessary to spot social engineering red flags. Citing a recent fake CNN spam email as evidence, Sjouwerman maintains that the average person would likely fall for the fake email, which was formulated to appear as though it were sent from a real CNN journalist:
The subject line reads: "The United States began bombing," but clicking on it will likely result in the workstation being infected with malware. The spam message is allegedly from the real CNN journalist Casey Wian, and some of the emails even have a photoshopped picture with black smoke over a street scene. The email has a two-sentence lead, and then there is a line for a "Full Story" that triggers a Trojan downloader and other malware. Criminals are attempting to exploit older versions of Adobe Reader and Java. (2)
In a recent study conducted by Osterman Research, which specializes in conducting market research for IT and technology-based companies, Sjouwerman classifies five basic types of security awareness training that organizations can implement to educate employees about phishing and other illegal cyber acts:
1. The Do-Nothing Approach: The organization conducts no security awareness training.
2. The Breakroom Approach: Employees are gathered during lunches or meetings and are told what to look out for in emails, web surfing, etc.
3. The Monthly Security Video Approach: Employees are shown short videos that explain how to keep the organization safe and secure.
4. The Phishing Test Approach: Certain employees are pre-selected and are sent simulated phishing attacks, IT determines whether they fell prey to the attack, and those employees get remedial training.
5. The Human Firewall Approach: Everyone in the organization is tested, the percentage of employees who are prone to phishing attacks is determined, and then everyone is trained on major attack vectors. Simulated phishing attacks are sent to all employees on a regular basis.
End results of the survey found that KnowBe4's security awareness training program—categorized as a Human Firewall Approach—not only increased confidence in employee capability to distinguish phishing attempts and malware, but also nearly tripled the chances of an organization decreasing its phishing problem.
"I commissioned the survey to determine from an unbiased source whether security training should become a key facet in every company's strategy to defend against cyberattacks," Sjouwerman said. "Scammers typically rely on classic social engineering tricks, such as spear-phishing, and these can often be easily avoided by simply knowing what to look for."
KnowBe4 provides an extensive collection of free cybercrime education resources so that executives and system administrators can arm themselves and their staff against cyberattacks. The company also offers a free phishing security test to help business owners and managers determine what percentage of employees are phish-prone™, or susceptible to phishing attacks.
To gain access to the Osterman Research report or for more information, contact KnowBe4 online at www.knowbe4.com.
About Stu Sjouwerman and KnowBe4:
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Security Awareness Training to small and medium-sized enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced security awareness training. He and his colleagues work with companies in many different industries, including highly-regulated fields such as healthcare, finance and insurance. Sjouwerman is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.
1. "Cybercriminals Exploit Boston Attack, Send Malware through Email." Midlandsconnect.com. N.p., 17 Apr. 2013. Web. 16 Sept. 2013. midlandsconnect.com/entertainment/story.aspx?id=886219#.UjcKfz9AIqM.
2. Twomey, Matt. "Fake CNN Spam Says Syrian Bombing Has Begun." CNBC.com. N.p., 6 Sept. 2013. Web. 16 Sept. 2013. cnbc.com/id/101015224.