Internet Security Expert Stu Sjouwerman Shares Important Advice for End-Users and System Administrators on How to Prevent Cybercrime
In the wake of recent hacking incidents at Lockheed Martin (NYSE:LMT), SONY (NYSE:SNE) and PBS, learning how to prevent cybercrime has become a priority for organizations of all types and sizes. To that end, Internet Security Awareness Training (ISAT) firm KnowBe4 has issued its top tips for cybercrime prevention, with specific recommendations for both end-users and system administrators.
“Cybercriminals are becoming more brazen. Many of them have graduated from identity-theft phishing emails sent to random individuals to large-scale cyberheists targeting small and midsize enterprises,” explained KnowBe4 founder and CEO Stu Sjouwerman. “They’ve discovered how to slip through the cracks in a company’s data security measures by sending spear phishing emails to gullible employees, using malicious emails disguised as legitimate business correspondence. All it takes is one person to click on a link or open an attachment, and the hackers have found a way into your network. That’s why it’s so important for every employee to understand how to prevent cybercrime.”
Demonstrating how easy it is for cybercriminals to deceive untrained staff, Sjouwerman cites KnowBe4’s recent FAIL500 phishing experiment. The company successfully delivered simulated phishing emails to about three-fifths of the companies featured in the Inc. 5000, and nearly 500 of them had at least one employee who clicked the link within the email. While KnowBe4’s emails had no malicious payload, a 2010 Symantec (NASDAQ:SYMC) survey of small and midsize businesses (SMBs) reveals the potential scope of the problem, with 73% of respondents reporting at least one actual cyber attack in the previous 12 months.*
To combat these external threats, Sjouwerman offers five simple tips on how to prevent cybercrime that can be quickly and easily implemented by both companies and end-users:
1. Change passwords regularly. While employees may balk at being required to change their passwords on a routine basis, it is an important step in thwarting access by cybercriminals. Sjouwerman recommends changing network, email, database and other passwords at least once a month, and not reusing passwords.
2. Enforce strong passwords. Simple words and number strings may be easy to remember, but they’re also easy for cybercriminals to uncover with password-cracking software. Sjouwerman suggests using symbols or numbers in place of letters to make passwords more difficult to crack. For example, the password STOP-PHISHING might be rendered as $T0P-P#!$#!N6. Developing a complex passphrase is another option.
3. Think before you click. Cybercriminals have become adept at producing realistic-looking emails. They use familiar logos and email address spoofing to make it appear as if the message is sent by someone known and trusted by the recipient, such as a business partner, bank or government agency. It’s easy to make a hyperlink display a familiar URL when the actual link directs elsewhere. Before clicking any link, hover the cursor over it and check the address displayed in the status bar. If it shows an unfamiliar URL, do not click. Instead, report the suspicious email to a system administrator and then delete it.
4. If in doubt, throw it out. This follows from the previous tip. If an email raises any red flags – whether it comes from an unknown sender or contains an unusual request or unexpected file from someone familiar – it’s best to avoid clicking any links or downloading any attachments. A quick call to the sender can reveal if an email is legitimate or if the owner’s email account has been compromised, while a brief Internet search can expose an email from an unknown sender to be a scam. If there is any doubt, it’s best to delete the email and/or follow corporate policy.
5. Implement company-wide Internet security training. Without a formal ISAT program in place, well-meaning employees can be tricked into responding to a cybercriminal’s phishing attempts. KnowBe4 offers a free phishing security test companies can use to determine how susceptible their employees are to social engineering. Those who choose to implement KnowBe4’s ISAT services will receive high-quality, web-based interactive training for all employees, along with a series of scheduled tests to pinpoint weaknesses and determine if free re-training is required.
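The "hover before you click" advice in tips 3 and 4 can also be applied automatically at the mail gateway: compare the site a link's visible text names against the site its href actually points to, and flag any disagreement. The following is an added example written for this page, not code from KnowBe4 or the press release; the email body is constructed, and every domain in it is a made-up placeholder. It uses only the Python standard library.

```python
"""Flag HTML hyperlinks whose visible text names one site while the
link target points to another, the trick the press release describes
(a familiar-looking URL displayed, a different destination underneath).

Added example, not KnowBe4's code. The email body below is constructed
and all domains in it are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body; every domain is a made-up example.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please confirm your account:</p>
<a href="http://login.example-bank.com.attacker.example/confirm">
  https://www.example-bank.com/confirm</a>
<p>Or read our newsletter: <a href="https://www.example-bank.com/news">
  www.example-bank.com/news</a></p>
<p><a href="https://www.example-bank.com/help">Help center</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None   # href of the <a> currently open, else None
        self._text = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(value):
    """Lower-cased hostname of a URL or bare 'www.host/path' string ('' if none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def _looks_like_url(text):
    """True when the visible anchor text itself reads as a URL or hostname."""
    first = text.split("/")[0]
    return " " not in text and ("://" in text or "." in first)


def _site(host):
    """Crude registrable-domain approximation: the last two labels.
    Sufficient for this example; a production filter should use the
    public suffix list so that e.g. co.uk domains compare correctly."""
    return ".".join(host.split(".")[-2:])


def find_mismatched_links(html):
    """Return [(displayed_text, actual_href)] for links whose visible text
    names a different site than the one the href leads to."""
    parser = _LinkCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.links:
        if not _looks_like_url(text):
            continue  # plain-word anchor text: nothing to compare against
        if _site(_host(text)) != _site(_host(href)):
            suspicious.append((text, href))
    return suspicious


if __name__ == "__main__":
    for text, href in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"displayed {text!r} but points to {href!r}")
```

Only the first link is reported: its text shows the bank's site while the target sits under an unrelated domain. Anchors with plain-word text such as "Help center" are skipped, since there is no displayed address to compare; a gateway would typically still rewrite or scan those separately.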
In addition to the recommendations outlined above, Sjouwerman notes that system administrators can do their part to prevent cybercrime by following these Internet security best practices:
- Ensure that all accounts have unique passwords, which should be unusual and difficult to guess.
- Update the network configuration as soon as vulnerabilities become known.
- Check with vendors regularly for important upgrades and patches.
- Audit systems and check logs on an ongoing basis to detect and trace intruders.
- Train all employees to identify and avoid cybercrime tactics, and instruct them to report any suspected phishing attempts or potential security breaches.
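The "audit systems and check logs" item is easiest to act on when the check is scripted and run on a schedule. As an added example (not KnowBe4's code) the block below scans constructed OpenSSH-style auth log lines for two things an administrator tracing an intruder would want surfaced: sources with a burst of failed logins, and any successful login from a source that had already failed. The addresses are from the reserved documentation ranges and the log lines are made up; the log format is the standard sshd one.

```python
"""Detect repeated failed logins and successes-after-failures in an
sshd auth log, one concrete form of the 'check logs on an ongoing
basis to detect and trace intruders' advice.

Added example, not KnowBe4's code. The log lines are constructed;
203.0.113.0/24 and 198.51.100.0/24 are reserved documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (OpenSSH sshd message format).
SAMPLE_AUTH_LOG = """\
Jun  1 09:00:01 mail sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun  1 09:00:03 mail sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
Jun  1 09:00:04 mail sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Jun  1 09:00:06 mail sshd[1207]: Failed password for root from 203.0.113.7 port 51244 ssh2
Jun  1 09:00:09 mail sshd[1209]: Failed password for invalid user test from 203.0.113.7 port 51250 ssh2
Jun  1 09:00:40 mail sshd[1211]: Accepted publickey for alice from 198.51.100.22 port 40012 ssh2
Jun  1 09:05:12 mail sshd[1220]: Failed password for bob from 198.51.100.22 port 40020 ssh2
Jun  1 09:05:20 mail sshd[1222]: Accepted password for bob from 198.51.100.22 port 40021 ssh2
"""

# syslog timestamp, host, sshd[pid], then the authentication outcome
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_lines(text, year=2011):
    """Yield (timestamp, result, user, ip) for each line matching the sshd
    pattern. Syslog lines carry no year, so the caller supplies one."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]


def find_bruteforce_sources(text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_failures} for sources with at least `threshold`
    failed logins inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for ts, result, _user, ip in parse_auth_lines(text):
        if result == "Failed":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def successes_after_failures(text):
    """Return [(ip, user, timestamp)] for accepted logins from a source
    that had already failed earlier in the log; these are the events to
    trace first, since a guessed or phished password looks exactly like this."""
    seen_failed = set()
    hits = []
    for ts, result, user, ip in parse_auth_lines(text):
        if result == "Failed":
            seen_failed.add(ip)
        elif ip in seen_failed:
            hits.append((ip, user, ts))
    return hits


if __name__ == "__main__":
    for ip, count in find_bruteforce_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failed logins in a short burst")
    for ip, user, ts in successes_after_failures(SAMPLE_AUTH_LOG):
        print(f"{ip}: login as {user} succeeded at {ts} after earlier failures")
```

On the sample, the first source is flagged for five failures in eight seconds, and the second is reported because a password login for bob succeeded shortly after a failure from the same address; one failure followed by success is often just a typo, but it is exactly the pattern worth a quick look when a phishing incident is suspected.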
Sjouwerman is committed to educating businesses and individuals on how to prevent cybercrime. Beyond the high-level suggestions outlined here, he provides more detailed information and advice in his new book, Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008. Cyberheist explores the business of cybercrime, dissects cyberheist tactics through a series of case studies and arms readers with proven strategies for thwarting cybercriminals.
For more information on KnowBe4 and the FAIL500 project, visit http://www.knowbe4.com/fail500. Details and complete chapter listings for Cyberheist can be found at http://www.cyberheist.com, along with direct links to order the paperback or e-book edition.
* Symantec 2010 SMB Information Protection Survey; June 2010. <http://www.symantec.com/content/en/us/about/media/pdfs/SMB_ProtectionSurvey_2010.pdf>
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.