Most will agree that despite the enormous amounts spent on secure Web gateways, anti-virus software, cloud-based malware filtering and the like, users are still the weak link in the security chain. The primary reason for this is that increasingly they are the targets, often supplying the bad guys with the information they need by posting detailed personal information on social media and other sites. Moreover, bad guys can often harvest many of your company’s email addresses and use them to launch a phishing or spearphishing attack against your company’s employees. Smaller organizations are typically most vulnerable to attack because they often lack the budget or expertise to thwart sophisticated attacks.
As just one example of what can happen to a company, a cybercriminal could launch a spearphishing attack against a small company’s owner or other senior executive for the purpose of infecting his or her PC with malware, such as a keystroke logger. The goal of doing so would be to gain access to the corporate financial accounts so that the cybercriminal could transfer money to mules operating elsewhere in the country who would, in turn, transfer the money offshore.
To see how much information I could gather on a senior executive, I chose a company at random in Kent, Washington after doing a quick Google search. I went to this company’s Web site, found an owner of the company, and then did a search for his name on Facebook, where I found him. Although I’m not friends with this individual, a quick look at his wall revealed his former employers, where he went to high school, the fact that he is also a realtor, where he had lunch last Friday, his phone number, information about his Washington State Ferry ride last Tuesday, information about an upcoming company event in early March, the names of two people who gave him gifts in late January, and what he had for dessert on January 13th. A bad guy could have used any of this information to craft a spearphishing email with a subject line that would likely have attracted his attention and gotten him to click on a link to a malware site that would have infected his PC.
KnowBe4 is a Clearwater, Florida-based startup focused on combatting this kind of social engineering attack through a combination of employee training and periodic testing of the effectiveness of that training. Essentially, the company does three things:
- Initially, it conducts a simulated phishing attack against a company’s employees to determine just how vulnerable they are to phishing attacks.
- Then, it conducts individual online training sessions that last 30-40 minutes to educate employees about phishing and spearphishing.
- It then follows up this training with simulated phishing attacks to determine just how vulnerable employees still are after the training.
Part of the effectiveness of this training method is that it provides a feedback loop that consists of testing, training, testing and remediation. Employees who fall for simulated phishing attempts can receive additional training or other remediation efforts designed to help them become more careful when inspecting their email.
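The test-train-test-remediate loop described above only works if each campaign's results are measured the same way and repeat failures are tracked across campaigns. The following Python module is an added example (not KnowBe4's code or data) that does exactly that: it computes a per-campaign failure rate and reporting rate, compares a baseline campaign with a post-training one, and assigns a remediation step to each employee who fell for a simulation. The event records, the campaign names, the remediation labels and the repeat-failure threshold are all constructed assumptions for illustration.

```python
"""Measuring a simulated-phishing feedback loop: test, train, re-test, remediate."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One employee's outcome in one simulated phishing campaign."""
    campaign: str   # e.g. "baseline" or "post_training" (assumed names)
    employee: str
    action: str     # "ignored", "reported", "opened", "clicked", "submitted"


# Actions that count as falling for the simulation. "opened" is recorded but
# not treated as a failure: opening a message alone does not compromise a PC.
FAIL_ACTIONS = frozenset({"clicked", "submitted"})

# Constructed sample results for six employees across two campaigns (not real data).
SAMPLE_EVENTS = [
    Event("baseline", "alice", "clicked"),
    Event("baseline", "bob", "submitted"),
    Event("baseline", "carol", "reported"),
    Event("baseline", "dana", "clicked"),
    Event("baseline", "erin", "ignored"),
    Event("baseline", "frank", "clicked"),
    Event("post_training", "alice", "reported"),
    Event("post_training", "bob", "ignored"),
    Event("post_training", "carol", "reported"),
    Event("post_training", "dana", "clicked"),
    Event("post_training", "erin", "reported"),
    Event("post_training", "frank", "opened"),
]


def _fraction(events, campaign, predicate):
    """Share of employees targeted in `campaign` whose action satisfies `predicate`."""
    targeted = [e for e in events if e.campaign == campaign]
    if not targeted:
        raise ValueError(f"no events recorded for campaign {campaign!r}")
    return sum(1 for e in targeted if predicate(e.action)) / len(targeted)


def phish_prone_pct(events, campaign):
    """Percentage of targeted employees who clicked the link or submitted data."""
    return round(100.0 * _fraction(events, campaign, lambda a: a in FAIL_ACTIONS), 1)


def report_rate_pct(events, campaign):
    """Percentage who reported the simulation: the behaviour training should raise."""
    return round(100.0 * _fraction(events, campaign, lambda a: a == "reported"), 1)


def training_effect(events, before, after):
    """Compare a baseline campaign with a post-training one."""
    b = _fraction(events, before, lambda a: a in FAIL_ACTIONS)
    a = _fraction(events, after, lambda a: a in FAIL_ACTIONS)
    reduction = round(100.0 * (b - a) / b, 1) if b else 0.0
    return {
        "before_pct": round(100.0 * b, 1),
        "after_pct": round(100.0 * a, 1),
        "relative_reduction_pct": reduction,
    }


def failures_per_employee(events):
    """Count failures per employee across all campaigns, to spot repeat clickers."""
    counts = defaultdict(int)
    for e in events:
        if e.action in FAIL_ACTIONS:
            counts[e.employee] += 1
    return dict(counts)


def remediation_plan(events, repeat_threshold=2):
    """Assign a next step to every employee who failed at least once.

    The step names and the threshold are assumptions for this example:
    a single failure gets a refresher module, repeated failures escalate.
    """
    plan = {}
    for employee, n in failures_per_employee(events).items():
        plan[employee] = "manager_followup" if n >= repeat_threshold else "refresher_module"
    return plan


if __name__ == "__main__":
    print("baseline phish-prone %:", phish_prone_pct(SAMPLE_EVENTS, "baseline"))
    print("post-training phish-prone %:", phish_prone_pct(SAMPLE_EVENTS, "post_training"))
    print("training effect:", training_effect(SAMPLE_EVENTS, "baseline", "post_training"))
    print("remediation plan:", remediation_plan(SAMPLE_EVENTS))
```

Tracking the reporting rate alongside the failure rate matters: a campaign where nobody clicks but nobody reports either tells you little, whereas a rising report rate shows employees are actively inspecting their mail rather than merely ignoring it.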
KnowBe4 has demonstrated that its training and testing system can reduce employee vulnerability to phishing attempts. While KnowBe4’s solution certainly does not do away with the need for a layered security system at the gateway, server, desktop or cloud levels, it can bolster what is often the weakest link in a company’s security posture—its employees.