T Security Expert and KnowBe4 Founder Stu Sjouwerman Explains How Internet Security Awareness Training (ISAT) Can Overcome Weak Link of Human Error
CLEARWATER, Fla., August 15, 2011 – New IT security statistics support the previous findings of Internet Security Awareness Training (ISAT) firm KnowBe4, revealing that a significant percentage of organizations do not follow network security best practices with regard to training. Enterprise key and certificate management (EKCM) provider Venafi and IT security research firm Echelon One surveyed 420 enterprises and government agencies to determine how well they implemented IT security best practices, and found that 77% of respondents fail to perform quarterly security and compliance training.1
In an interview with Infosecurity, Venafi CEO Jeff Hudson elaborated on the IT security survey results, explaining that “humans are the weak” link in matters of information security. “What was surprising was the poor state of training for those humans. … Since humans are the weak link, they are not getting trained very well, and turnover is high, the problem only gets worse.”2
KnowBe4’s own research confirms that many organizations do not appear to have formal Internet security training programs in place; and as a result, their employees are more likely to be Phish-prone™, or susceptible to phishing attacks. In an experiment it dubbed as the FAIL500 project, KnowBe4 sent non-malicious simulated phishing emails to employees at more than 3,000 companies featured in the Inc. 5000; and at 485 of those firms, one or more employees clicked the email. Furthermore, a case study of three KnowBe4 clients showed that prior to training, between 26% and 45% of employees were Phish-prone. Implementation of ISAT immediately reduced that percentage by 75%; subsequent testing and retraining over a four-week period brought the Phish-prone percentage close to zero.
“The Venafi/Echelon One IT security research supports everything we’ve been seeing and warning against,” stated cybercrime expert Stu Sjouwerman (pronounced “shower-man”), founder and CEO of KnowBe4. “Companies are not investing in Internet security training; and as a result, they’re exposing their networks to potential cyber attacks. Many think they’re protected by anti-virus software or IT departments; others simply think it won’t happen to them – until they find out the hard way it can, and does, happen to companies of all types and sizes.”
Sjouwerman explains that for most enterprises, their greatest susceptibility is well-meaning employees who haven’t been trained to recognize and avoid social engineering and phishing tactics. “Cybercriminals have become very skilled at developing seemingly legitimate emails that trick employees into responding. Individuals will click a link if they think a request is coming from a vendor, government agency, bank or colleague. And all it takes is that single click for cybercriminals to bypass all security measures and install malware directly on the user’s system. From that point, they can gain open access to the entire network.”
In light of the potential costly repercussions of a cyberheist, the question remains: why do organizations fail to provide IT security training? “I recently read a white paper by Cormac Herley of Microsoft Research; and from his perspective, companies deem it unnecessary based on a cost-benefit analysis,” said Sjouwerman. “Herley suggests organizations feel it takes too much time for the perceived benefit, especially considering the cost of user time. However, I don’t quite agree with that. Our ISAT solution requires only 30 minutes per end user to protect against phishing attacks, and has the potential to reduce a company’s Phish-prone percentage by 90% or more in a matter of weeks. I honestly believe that small and medium enterprises will find our training system to be the best IT security money they ever spent, delivering the highest return on investment in the shortest time.”
KnowBe4 offers free cybercrime education resources and case studies to increase awareness of cybercrime tools and tactics. Sjouwerman also encourages executives to take advantage of KnowBe4’s free phishing security test, which can help them determine their employees’ susceptibility to social engineering. In addition to the valuable information on the KnowBe4 website, Sjouwerman provides further ammunition in the war on cybercrime in his book, Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008. Cyberheist investigates the business of cybercrime, analyzes a series of case studies and provides practical advice for cybercrime prevention.
For more information on KnowBe4’s cybercrime research, resources and training solutions, visit http://www.knowbe4.com. To learn more about Cyberheist, or to order the paperback or e-book edition, visit http://www.cyberheist.com.
About Stu Sjouwerman and KnowBe4:
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008. For more information on Sjouwerman and KnowBe4, visit http://www.knowbe4.com.
1 Venafi, Inc. and Echelon One. 2011 IT Security Best Practices Assessment; July 2011. <http://www.venafi.com/Collateral_Library/2011_IT_Security_Best_Practices_Assessment_Executive_Overview.pdf>
2 “Most organizations do not follow security best practices, survey finds.” Infosecurity; July 28, 2011. <http://www.infosecurity-us.com/view/19737/most-organizations-do-not-follow-security-best-practices-survey-finds/>