By Mark Gibbs
You know Bob who works for your organization? That's right, Bob, the CFO. Nice guy. Organized, always on time, gets the job done. Good guy (except when he got tanked at the Christmas party, but let's not talk about that). Well, there's something you might not know about Bob: He's incredibly dangerous to your business. He's potentially a one-man wrecking crew who could put you out of business, and you know why? It's your fault; you haven't trained him.
Sure, Bob's trained to do his job but has he got a clue about security? And Bob isn't the only one. There's also Frank and Doug and Sheila and everyone else in your organization who isn't an IT nerd. In many small businesses that includes everyone; it probably includes you, too. You're all liabilities because even if your organization has its digital defenses in place – by which I mean a firewall, anti-malware, locked-down servers, etc. – if your staff isn't trained you'll have security holes that any passing ne'er-do-well could drive a truck through. Sideways.
This is all about behavior, and before we consider digital safety, let's do a quick check on your physical security: If a visitor walks through the office, will staff challenge them? When someone comes in dressed as a plumber, telephone technician, or some other service person, will they be checked to ensure they are who they say they are and that they were scheduled to come and do whatever they claim to be there for? Do you have a clean desk policy? Do you shred your paper documents when they're tossed out? Do you lock filing cabinets when they're not in use? Do you lock them at night? Do your computers require passwords? Do they go to sleep after a timeout and, when a staff member returns to their desk, require passwords when they wake up? Are you using "strong" passwords (see last week's missive)? All of these provisions ensure your data stays physically secure and stop potential leakage, but they rely on your staff being aware and proactive. Without teaching them what's risky, what's expected, and what must be done to stay secure, safe behavior will not happen.
So, let's say you've got your physical security nailed down (though I'm not sure many of you would pass a Gearhead Security Survey), what about the way your staff behaves when using their computers?
Let's say Bob, the CFO, gets an email from the CEO that says something like "Bob, please transfer $250,000 to account such-and-such." What are the chances that Bob will do as requested? If you think that it's unlikely that Bob would do such a thing based on a simple email, think again, my friend. Consider that back in April last year, the FBI warned about an increase of 270% in what's become called "CEO Fraud."
Contrary to how the phrase might be interpreted, CEO Fraud is not when the CEO embezzles; rather, it is the result of what's called a "spear-phishing" attack. "Phishing" is an unfocused attack where email is sent without any particular knowledge of the recipient, but spear-phishing relies on targeting individuals based on some degree of knowledge about who they are, who they work for and with, and whom they know. So, for example, a bad hombre researches your organization and, using information gathered on the Internet or from a compromised company email account (intelligence gained from a hacked account is far more effective), the perp* crafts an email to look as if it comes from the CEO and sends it to Bob, hoping that he'll not question the order and will do as requested.
"Meh" you might mutter, "Who's dumb enough to fall for such a simple ruse?"
The answer, my friend, is enough people that the FBI estimates that from 2013 to 2016, the losses due to CEO Fraud, which the FBI calls "Business E-Mail Compromise" or BEC, amounted to a remarkable – nay, staggering – $2,300,000,000**!
But that's not the only kind of phishing attack that Bob might fall for. Any email that asks him to open a file, particularly an executable, or tells him to visit a Web site, could spell ruin for your organization should he blindly do as requested. Without training, Bob (or Frank or Doug or Sheila) is a sitting duck for any and all types of attacks.
There are several companies that teach users security awareness, either through online or in-person courses. Winn Schwartau, founder of The Security Awareness Company, says that training is "as low as $1 per person per year for a simple, basic awareness program and up to about $10 per person per year for the King Kong of comprehensive programs. What you need depends on lots of factors such as how your company is organized, what kind of services you use, and what kind of risk profile you have."
So, go and think about your staff and consider what could happen if Bob, without any security education, gets spear-phished, and how catastrophic the consequences might be. Security awareness training is a low-cost way to ensure that you stay in business.
Next week, the Internet of Toys.
* Sounds cooler than "perpetrator."
** That's way more dramatic than writing $2.3 billion.
About Mark Gibbs
Mark is the author of four best-selling computer networking book titles and was a syndicated journalist and columnist for 24 years writing for Network World, Computer World, and other IDG publications.