Ignore Solution to Phishing, Spearphishing Risk at Your Peril

Kachina Shaw

What Doesn’t Work Anymore

“SMEs haven’t confronted the fact that cyber criminals have gone pro,” says Sjouwerman. “They seem to think they’re small fish, and that it’s not going to happen. But one criminal can rob 500 banks.”

Firms are not up to date, he warns, on the realities of cyber crime and the weakness of existing defenses. Anti-virus software, for example, is generally six hours to two days behind on malware. Cyber criminals, though, are very well-funded, have their own labs, and have current versions of filters and firewalls. “They test it, change malware, change strategies until they get through, then send it.”

Defense in Depth

Sjouwerman strongly recommends companies familiarize themselves with the defense in depth concept, which calls for multiple layers of protection. “Don’t have simply a security policy, procedures, then training only once a year -- death by PowerPoint.”

A recent survey carried out by Osterman Research and sponsored by KnowBe4 found that almost 80 percent of responding organizations see no improvement in the phishing problem. A third say the problem is getting worse. Only 22 percent reported getting “good” results from training users on phishing threats.

These results can be turned around, says Sjouwerman, with a layered strategy that includes a human firewall on the outer layer. Without it, the perimeter is porous, full of vulnerable mobile devices and data and inconsistent users. With it, the organization becomes a hard target, and the attackers move along to easier ones.

His firm offers a three-step approach to training on phishing and spearphishing. All employees, including IT, go through the same steps:

  1. Baseline test: The initial tests indicate how many people in the organization are click-happy, often 15 to 20 percent. This is the company’s “oh crap moment.”
  2. Training: Covering “30 years in 30 minutes,” everyone is trained on what phishing and malware are and how to evaluate messages with an educated eye. Sometimes, IT plays fast and loose, and they need to understand what everyone else got in training, says Sjouwerman.
  3. Reinforcement: Training is followed by frequent simulated phishing attacks, one or two per month. Integrated training and phishing tests are the key to success, says Sjouwerman. Once per year training, as for compliance requirements, doesn’t hack it. Employees receive immediate feedback if they click on a test message that they shouldn’t have, and a dashboard tracks click-prone employees.
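As an added illustration of the three-step programme above (not KnowBe4's product or the article's own code), the following hypothetical script computes the numbers such a dashboard would show: the baseline click rate, the click rate of each monthly reinforcement campaign, and the watch list of click-prone employees. The campaign results are constructed sample data.

```python
# Added example: dashboard metrics for a simulated-phishing programme of the kind
# described above (baseline test, training, then monthly reinforcement campaigns).
# Hypothetical code, not KnowBe4's; RESULTS below are constructed sample data.
from collections import defaultdict

# Constructed results: (campaign_id, employee, clicked). "baseline" is the initial
# test; "m1" and "m2" are the monthly simulations that follow the training session.
RESULTS = [
    ("baseline", "alice", True), ("baseline", "bob", False), ("baseline", "carol", True),
    ("baseline", "dave", False), ("baseline", "erin", False),
    ("m1", "alice", True), ("m1", "bob", False), ("m1", "carol", False),
    ("m1", "dave", False), ("m1", "erin", False),
    ("m2", "alice", False), ("m2", "bob", False), ("m2", "carol", False),
    ("m2", "dave", True), ("m2", "erin", False),
]


def click_rates(results):
    """Percentage of recipients who clicked, per campaign, in first-seen order."""
    sent, clicked, order = defaultdict(int), defaultdict(int), []
    for campaign, _, did_click in results:
        if campaign not in sent:
            order.append(campaign)
        sent[campaign] += 1
        clicked[campaign] += int(did_click)
    return {c: round(100.0 * clicked[c] / sent[c], 1) for c in order}


def click_prone(results, threshold=2):
    """Employees who clicked in at least `threshold` campaigns: the watch list."""
    counts = defaultdict(int)
    for _, employee, did_click in results:
        if did_click:
            counts[employee] += 1
    return sorted(e for e, n in counts.items() if n >= threshold)


def improving(rates):
    """True when the most recent campaign's click rate is below the baseline's."""
    values = list(rates.values())
    return len(values) >= 2 and values[-1] < values[0]


if __name__ == "__main__":
    rates = click_rates(RESULTS)
    print("click rate per campaign:", rates)          # baseline 40.0, m1 20.0, m2 20.0
    print("click-prone employees:", click_prone(RESULTS))  # ['alice']
    print("improving since baseline:", improving(rates))   # True
```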

Training is always advancing, says Sjouwerman, based on technology (mobile devices, texting, voice calls), new varieties of attacks, and current events that phishers are utilizing. Anything from the Apple Watch to notices of child predators in a neighborhood can be fruitful in phishing attacks.

Investing in hands-on, ongoing training for employees, the first line of defense in phishing and spearphishing, is much more cost-effective than dealing with the consequences of a data or financial loss, Sjouwerman notes, as the attacks just keep coming.

Kachina Shaw is managing editor for IT Business Edge and has been writing and editing about IT and the business for 15 years. She writes about IT careers, management, technology trends and managing risk. Follow Kachina on Twitter @Kachina and on Google+
