Teach your execs well: Stop phishing in the C-suite



J. Peter Bruzzese is an InfoWorld columnist and five-time-awarded Microsoft MVP (current technical expertise Office 365, previous four years Exchange). He is a technical speaker, author with more than a dozen books sold internationally, the cofounder of ClipTraining, and the creator of ConversationalGeek.com. He just wrote a great column that is worth reading. He started out with:

To keep company information and systems safe, IT needs to blend user training with technology defenses.

Phishing as an attack vector is nearly as old as the Internet, spearphishing (targeting individuals via individually crafted emails meant to fool them into revealing information or downloading spyware) has been a favored attack technique for a good decade, and targeting senior executives (who have the most valuable information and access, after all) in what is called whaling has been an established technique for years.

Despite the long history of phishing attacks, employees -- even top executives -- keep getting fooled. There’s no real technology solution to this issue -- maybe you’ll catch a spyware attachment, but it’s nearly impossible to detect an email link that injects spyware. Once a person has been fooled, the criminal is in. In the case of whaling, the attacks are few and targeted, so they typically don’t get flagged by tools like OpenDNS and filtering that rely on seeing a swarm of suspect emails or entry attempts to identify a possible phishing attack.

Worse, criminals are good at mining social networks like LinkedIn and a vast array of both open source and private intelligence tools and databases. Thus, they get the right information to craft convincing but spoofed emails from people an employee is likely to know and trust.

Even in 2015, it’s essential to train executives about the risks of using social media sites like Facebook, LinkedIn, Twitter, and Instagram. Although they might not change their usage pattern and degree of sharing about their personal lives, such training might convince them that better use of social networks’ security and privacy settings can help ensure only people with a real relationship with them can view the content.

I recommend you supplement such training with red-team testing, where you create fake phishing emails and send them to your employees to see who gets fooled. That’ll tell you who needs extra attention and may pose a greater security risk. Services that can help include KnowBe4, PhishMe, and Wombat (although PhishMe and Wombat are pricey).

The rest of his column is at InfoWorld and warmly recommended.
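The column's point that whaling mail is too low-volume for swarm-based filters suggests judging each message on its own. As an added example that is not from the column or from KnowBe4, the Python below flags a single inbound message whose From display name matches an executive roster but whose address is not that executive's, or whose Reply-To diverts replies off the corporate domain; the roster, trusted domain and sample headers are constructed assumptions.

```python
"""Per-message whaling check: display-name impersonation and Reply-To diversion.
Added example; the roster, domains and headers below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: roster and trusted domains are fed from the directory (constructed here).
EXECUTIVE_ROSTER = {"Jane Doe": "jane.doe@example.com", "Rob Chen": "rob.chen@example.com"}
TRUSTED_DOMAINS = {"example.com"}


def _normalize(name: str) -> str:
    """Reduce a display name to sorted lowercase words so 'Doe, Jane' equals 'Jane Doe'."""
    return " ".join(sorted(re.findall(r"[a-z]+", name.lower())))


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


ROSTER_BY_NAME = {_normalize(n): a.lower() for n, a in EXECUTIVE_ROSTER.items()}


def check_message(raw: str) -> list[str]:
    """Return the reasons one message looks like executive impersonation.
    It judges a single message, so targeted low-volume mail is not missed."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    reasons = []
    expected = ROSTER_BY_NAME.get(_normalize(display))
    if expected and sender.lower() != expected:
        reasons.append(f"display name '{display}' matches an executive but sender is {sender}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(sender) in TRUSTED_DOMAINS and _domain(reply_to) not in TRUSTED_DOMAINS:
        reasons.append(f"Reply-To {reply_to} sends replies outside the trusted domains")
    return reasons


# Constructed sample headers (not real mail).
WHALING_SAMPLE = 'From: "Jane Doe" <jane.doe@example-corp.co>\nTo: cfo@example.com\nSubject: Urgent wire\n'
REPLY_TO_SAMPLE = 'From: "Rob Chen" <rob.chen@example.com>\nReply-To: rob.chen@mail-example.net\nTo: cfo@example.com\n'
LEGIT_SAMPLE = 'From: "Doe, Jane" <jane.doe@example.com>\nTo: cfo@example.com\nSubject: Board deck\n'

if __name__ == "__main__":
    for label, sample in [("whaling", WHALING_SAMPLE), ("reply-to", REPLY_TO_SAMPLE), ("legit", LEGIT_SAMPLE)]:
        print(label, check_message(sample) or ["clean"])
```

A rule like this complements, rather than replaces, SPF/DKIM/DMARC, which address forged sender addresses but not a lookalike domain with a trusted display name.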

Security Awareness Training is really needed for every employee in any organization. It allows you to put in place a more effective human firewall and protect your corporate and financial assets. Find out how affordable this is for your organization and be pleasantly surprised.


