Joe Ferrara | April 09, 2015

Industry Insider: Good IT security begins with good employee awareness

Times are changing dramatically in IT security. Cybercriminals have figured out one of the best ways to steal company jewels is not breaking through levels of sophisticated technology, but through the employee behind a keyboard.

Data shows phishing emails are increasingly the entry point of choice for hackers--employees unwittingly clicking on a link in a scam email can unleash malware into a network or provide access to cyberthieves.

Not only is phishing on the rise, but the criminals are getting smarter. As more people wise up to age-old PayPal and bank scams, for example, phishing emails are evolving.  But the attacks have become much more subtle, and dangerous.

For example, the massive data breach at JPMorgan Chase last summer appears to have begun in early June, but wasn't detected and stopped until mid-August. That's when a routine investigation uncovered signs that customized malware was being used to exfiltrate gigabytes' worth of data, including some customer information, from the bank's network.

A Bloomberg report says attackers appear to have exploited multiple zero-day vulnerabilities in their attack, and to have routed stolen data through multiple countries, including Brazil, before finally routing much of it to a large city in Russia. Bloomberg thinks all this began with a phishing email sent to a Chase employee's personal laptop. When the employee logged on to the secure corporate network, the malware that hackers had installed on the personal laptop captured his or her access credentials and used them to enter the network.

As the security industry has developed, some security experts believe that users are "stupid" and the "weakest link," prone to continue to fall for phishing attempts and other scams. Though perhaps we should be faulting the security industry for not providing better education for its workers?

Can you imagine if you were the employee that clicked on the link that contributed to your company's multi-million dollar breach, as in the Sony situation? Perhaps it's time for employees to demand the education they need to stay out of potentially vulnerable situations.

It's actually quite reasonable that employees have a right to be trained and avoid being the reason for their company's downfall. It's not too far-fetched to say employee actions can ultimately lead to National Security issues in companies with critical infrastructure.

Concern about these matters has taken on such precedence that even President Obama is talking about cybersecurity threats and tightening measures as a main point of concern to protect the nation.

It's time to get serious about cybersecurity training so we, as a nation of employees, can guard our data and intellectual property to stay strong in world markets.

Employers should take responsibility to provide effective cybersecurity training, and employees should be asking for help in protecting their employer's information and network, as well as their own data. Every trained employee is safer at home where the tentacles of fraud and national compromise have now reached.

Let's be realistic. Cybercriminals are not slowing down and they won't quit phishing employees--the rewards have been too good for them to quit now. Like burglars, online criminals will always look for the easiest way in. If they find a vulnerability, they will exploit it. And if your employee is the next target, so is your company.

As the proliferation of these corporate breaches occur, the buck will have to stop somewhere and employees don't want to be the fall guys if they happen to be the weakest link.

It's time to raise the bar on cybercriminals by empowering the employee with proper training to stop the attacks.

About the author: Joe Ferrara is the president and CEO of Wombat Security Technologies. Recently Ferrarawas a finalist for EY Entrepreneur Of The Year Western Pennsylvania and West Virginia and received a CEO of the Year award from CEO World. Ferrara has provided expert commentary and has spoken at numerous information security industry events including RSA Europe, the CISO Executive Network forum, ISSA International, and many regional information security conferences.

Read the Article on FierceCIO