What Doesn’t Work Anymore
“SMEs haven’t confronted the fact that cyber criminals have gone pro,” says Sjouwerman. “They seem to think they’re small fish, and that it’s not going to happen. But one criminal can rob 500 banks.”
Firms are not up to date, he warns, on the realities of cyber crime and the weakness of existing defenses. Anti-virus software, for example, is generally six hours to two days behind on malware. Cyber criminals, though, are very well-funded, have their own labs, and have current versions of filters and firewalls. “They test it, change malware, change strategies until they get through, then send it.”
Defense in Depth
Sjouwerman strongly recommends companies familiarize themselves with the defense in depth concept, which calls for multiple layers of protection. “Don’t have simply a security policy, procedures, then training only once a year -- death by PowerPoint.”
A recent survey carried out by Osterman Research and sponsored by KnowBe4 found that almost 80 percent of responding organizations see no improvement in the phishing problem. A third say the problem is getting worse. Only 22 percent reported getting “good” results from training users on phishing threats.
These results can be turned around, says Sjouwerman, with a layered strategy that includes a human firewall on the outer layer. Without it, the perimeter is porous: full of vulnerable mobile devices, exposed data and inconsistent users. With it, the organization becomes a hard target, and the attackers move along to easier ones.
His firm offers a three-step approach to training on phishing and spearphishing. All employees, including IT, go through the same steps:
Training is always advancing, says Sjouwerman, based on technology (mobile devices, texting, voice calls), new varieties of attacks, and the current events that phishers are exploiting. Anything from the Apple Watch to notices of child predators in a neighborhood can be fruitful bait in phishing attacks.
Investing in hands-on, ongoing training for employees, the first line of defense in phishing and spearphishing, is much more cost-effective than dealing with the consequences of a data or financial loss, Sjouwerman notes, as the attacks just keep coming.
Kachina Shaw is managing editor for IT Business Edge and has been writing and editing about IT and the business for 15 years. She writes about IT careers, management, technology trends and managing risk. Follow Kachina on Twitter @Kachina and on Google+