5 Keys to Creating Cybersecurity Awareness Training Your Team Won’t Snore Through

A cyber thief once tricked an employee into transferring millions of dollars from the employer’s account into the thief’s account. How? By mimicking the employee’s CEO’s distinctive writing style. This wasn’t an attack on the company’s IT network. It was something far darker. 

“It was an attack on people’s emotions,” says cybersecurity expert Kip Boyle.

The company’s firewall didn’t fail. The attack required no sophisticated technology — it was a simple email scheme that’s succeeded for many years despite improving cybersecurity technology.

These attacks still work because companies don’t give employees effective cybersecurity awareness training, Kip says. And it’s just as critical for small to medium-sized firms to offer this training, because they’re more likely than a big company to fold from a single cyber attack.

Kip Boyle, CEO, Cyber Risk Opportunities

Kip Boyle is the CEO of Cyber Risk Opportunities and author of “Fire Doesn’t Innovate: The Executive’s Guide to Thriving in the Face of Evolving Cyber Risks.”


Why Many SMBs Lack Effective Cybersecurity Awareness Training

Kip owns Cyber Risk Opportunities in Seattle, and works with corporations of various sizes on assessing their cybersecurity risks and creating cyber risk management game plans. Here are some common reasons that SMBs drop the ball when it comes to cybersecurity training.

They believe cybercrime is strictly a technology issue.

Kip describes the CEO-mimicking scam in his book, “Fire Doesn’t Innovate: The Executive’s Guide to Thriving in the Face of Evolving Cyber Risks.” It used to be called the “fake president” email scam — now it’s an example of a broader category called “business email compromises.”

“…none of the company’s technological defenses or controls were compromised. It was an attack on a person — and a process, not technology,” Kip says.

The company could have avoided this catastrophic loss by teaching employees to recognize this type of scam, and by establishing a dual-authorization process for large transfers.

They mistake regulatory compliance for cybersecurity.

“Compliance does not equal security,” Kip says. “When you study cybercrime loss history, you’ll find that most victims of cybercrime — even large organizations like Target and The Home Depot, or government orgs or Equifax — they’re all usually compliant.”

So why did they fail?

Because compliance doesn’t equal security. For example, tools like cybersecurity checklists are created but aren’t updated often enough. Compliance teams tend to be more reactive than proactive — IT security pros can’t afford that mindset.

Compliance with cybersecurity regulations is, of course, critical — as financial services firms know. And some cybersecurity checklists from regulators can be effective when used correctly.

But checklists can become outdated quickly, Kip points out. Your cybersecurity game plan must be built to adapt to new threats.

Their “training” is a once-per-year snorefest.

Marching your employees through an obligatory annual online cybersecurity training program, or bringing in an expert speaker once in a long while, usually does next to nothing to protect your company’s data.

You need to gain your employees’ ongoing buy-in, engagement, and accountability. (More about that below.)

They don’t think they’re a target.

Many companies seek cybersecurity training only after being hit by ransomware, a fraudulent funds transfer, etc. Until that moment, they probably believed their current cybersecurity protections were working just fine.

Or maybe they simply thought they weren’t a juicy enough target for cybercriminals.

Kip says it’s dangerous to think your IT assets have nothing of value. Cybercriminals breaking into your network may find a dormant PayPal account they can use to launder stolen money, for example. Or they’ll find your insurance policy information and file fraudulent claims. And so on.

Every size of company is a target for today’s cybercriminals, Kip says, especially with the proliferation of the organized crime model run by hacker networks based in Russia and elsewhere.

They can’t afford it.

When I’ve recommended training programs for TechGen clients, such as the phishing awareness program through KnowBe4, they’re often surprised at how affordable it is.

The cost of outside expertise is only one side of the expense equation — the other side is the potentially catastrophic cost of not investing in your staff’s cybersecurity awareness.

Not all cybersecurity training requires outside expertise, however. Kip’s book lays out a game plan designed for non-IT experts to follow. Here are some key elements from the book and our discussion with Kip that pertain especially to SMBs (particularly those in financial services):

5 Things To Create an Effective Cybersecurity Awareness Training Program

1. Make cybersecurity part of every employee’s job description

Cybersecurity can’t be solely the responsibility of an IT staff or vendor. Every employee is a potential gateway for cyber thieves, so every employee must be aware of cybersecurity risks and how to address them.

Kip recommends that business owners set up a continuous program of cybersecurity education, measurement, and improvement. 

Engage employees by asking questions, and you will get a sense of where they’re at.

A key part of that process is engaging employees through questionnaires and/or interviews about your company’s exposure to cyber risks, and scoring the result to establish a baseline. 

For a sample questionnaire, see Phase 1 Step 4 of the workbook Kip created as a companion to his book. For further guidance, watch Kip’s video tutorial, “Cyber Risk Workbook Tutorial.”

Kip describes one client that improved scores after simply adding a line to all employees’ job descriptions: “Must follow company procedures to identify and report potential breaches to sensitive customer data.”

“It was a seemingly small change, but it was enough to increase their score, improve their Identify function, and enhance their practice of reasonable cybersecurity,” Kip says.

2. Provide phishing training that includes ongoing simulated phishing tests

Verizon’s 2019 Data Breach Investigations Report identifies phishing as the top threat action used in successful data breaches that involve social engineering and malware attacks.

You and your employees can read about how phishing works, but until you actually see phishing emails directed to you, you won’t know what to look for. 

Kip suggests this phishing quiz from OpenDNS as an introduction. He recommends a training program that includes simulated phishing emails sent to employees about once per month. 

KnowBe4 quantifies the effect of this combined training/simulated phishing program. In its annual Phishing by Industry Benchmarking Report, it measures the “phish-prone percentage” (PPP): the percentage of employees in a given industry who fall for a simulated phishing attack.

Here’s a sample of the 2019 benchmarks:

Phish-Prone Percentage (PPP) for Small Firms (1 – 250 Employees)

Industry                 Initial PPP   PPP after 90 days of training + phishing tests   PPP after 1 year of training + phishing tests
Average Small Business   33.5          14.7                                             1.9
Financial Services       31.1          12.5                                             1.6
Construction             37.9          16.8                                             1.8
Consulting               29.2          13                                               1.8

You can see the vast improvement through training and testing, but Kip cautions that even a 1% to 2% click rate by employees leaves your business vulnerable. You’ll probably never eliminate the risk — what you’re looking for is “reasonable cybersecurity.” 

3. Teach a standard procedure for electronic funds transfers

“Business email compromises” is the new term for “fake CEO” in part because this type of electronic funds transfer scam has spread to many other employees at all levels of a company, Kip says.

Companies should have dual controls in place.

“Nobody should be able to move money without a second person saying, ‘Yes I agree this is a legit request,’” he says. “But most small and medium-sized companies don’t have these dual controls in place, and that’s why scammers are getting so much money out of us.”

Financial services firms, especially, should train clients and vendors as well as employees on safe funds transfer procedures.

For example, tell your clients and vendors you’ll NEVER simply email them with instructions for wiring money to a different account — you’ll always call them or tell them personally first. And in turn, if a client or vendor emails you with new funds transfer instructions, follow up personally.
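The two controls described in this section (a second approver for every transfer, and a phone call before honoring changed payment details) can be enforced in an accounts-payable workflow rather than left to memory. The following is an added example, not code from the article or from Cyber Risk Opportunities; the vendor, account numbers and names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample data (hypothetical): the beneficiary account each vendor has on file.
# In practice this comes from the accounts-payable system of record, never from an email.
VENDORS_ON_FILE = {"acme-supplies": "DE89370400440532013000"}


@dataclass
class TransferRequest:
    vendor: str
    beneficiary_account: str
    amount: float
    requested_by: str
    approved_by: Optional[str] = None           # second person who reviewed the request
    callback_verified_by: Optional[str] = None  # person who phoned the vendor on a known number


def release_decision(req: TransferRequest) -> Tuple[bool, List[str]]:
    """Decide whether a transfer may be released; returns (ok, list of blocking reasons).

    Control 1 (dual authorization): every transfer needs a second, different person.
    Control 2 (out-of-band check): a beneficiary account that differs from the one on
    file is treated as a possible business email compromise and must be confirmed by
    phone, by someone other than the requester, before release.
    """
    reasons: List[str] = []

    if req.approved_by is None:
        reasons.append("no second approver")
    elif req.approved_by == req.requested_by:
        reasons.append("approver must be a different person from the requester")

    on_file = VENDORS_ON_FILE.get(req.vendor)
    if req.beneficiary_account != on_file:
        if req.callback_verified_by is None:
            reasons.append("beneficiary differs from account on file; confirm by phone first")
        elif req.callback_verified_by == req.requested_by:
            reasons.append("callback must be done by someone other than the requester")

    return (not reasons, reasons)
```

A request that matches the account on file still needs a second approver; a request with new bank details is blocked until a third person confirms it by phone.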

4. Make training frequent and specific to your company

One reason Kip’s cybersecurity training process starts by getting employee input is that this feedback can help you design training specific to your company operations.

Training for a mortgage escrow service should be different than training for a financial advisor firm.

You may require expert guidance to create your cybersecurity awareness training program, but don’t settle for a one-size-fits-all approach. I recommend brief quarterly training to TechGen clients; it keeps employees aware of cybersecurity threats and best practices.

5. Choose an IT “managed services provider” that specializes in cybersecurity

Kip notes that most middle-sized businesses he works with use what the IT industry calls a “managed services provider” (MSP) or a “managed security services provider” (MSSP). These firms, including TechGen, essentially act as your business’s IT department.

For cybercriminals, these MSPs can be a gateway to a big pool of SMBs, so choose your IT vendor wisely, Kip says. He urges SMBs to choose MSPs that specialize in cybersecurity (including their own), rather than simply on IT installations, repairs, and/or help desk functions.

(One way to see whether an MSP runs a cyber-secure operation is to look for the international information security certification called ISO 27001.)

Look for an IT Managed Services Provider’s ISO 27001 certification

Cybersecurity Awareness is a Leadership Issue

Kip writes in “Fire Doesn’t Innovate”:

As an executive, your bread and butter should be having great people who are trained appropriately and have great processes in critical areas of your business, such as sales, order fulfillment, and accounts receivable. Why would you approach cybersecurity any differently?

The goal of cybersecurity awareness is to create a culture of skepticism — especially about emails — and a culture of continuous improvement. Because you can be sure that cyber criminals are committed to continuous improvement.
