Longtime security professional Stu Sjouwerman is the founder and CEO of KnowBe4.com, a Tampa, Florida-based security startup that specializes in on-demand Internet Security Awareness Training (ISAT). The company's goal is to enable organizations to quickly solve the increasingly urgent security problem of social engineering and to avoid attacks before they occur. Sjouwerman also publishes an electronic newsletter called Cyberheist. Prior to founding KnowBe4.com, Sjouwerman was president, CEO and founder of Sunbelt Software (now GFI Software), which makes the VIPRE security package. He is also the founder and former editor of the popular WServerNews electronic newsletter, which has a worldwide distribution. ITIC recently sat down and interviewed Sjouwerman about security threats and how companies can defend themselves.
Laura DiDio, ITIC: Tell us about KnowBe4.
Stu Sjouwerman: We are next-generation security awareness training. That means old-style security training doesn't cut it anymore; it's not enough to follow dos and don'ts. We do simulated phishing attacks, fully automated, for customers to let them know who the culprits are in advance of an attack. It's preventive. We train people to be well aware of the phishing attacks that are out there. Our main focus is on phishing attacks, but it's not our only focus.
ITIC: What’s the top headline in security these days?
SS: Cybercrime is big business. It's everywhere, but it's especially proliferating and flourishing in Eastern Europe and Russia. Many are ex-KGB agents who have teamed up with local organized crime; they have a very well-developed and broad criminal economy. There are social networks for cyber criminals and tons of technical support sites for malware. Business is booming: it's at least a $1B-a-year industry and growing every day. It's very easy and very profitable to be a cyber criminal.
ITIC: You’ve been in the security business for 15 years now. How have the security threats changed and evolved?
SS: In the last 15 years we've seen five generations of threats. Today's security hacks and attacks have evolved; they are not the work of amateurs. It used to be that teenaged hackers did it for the thrill, or to make a name for themselves and get hired to work for a security firm. Ten or fifteen years ago, hacking was a means to an end. Today hacking is the end game. The hackers have gone pro. And the security threats are much more professional and stealthy, which makes detection more difficult. Many organizations and individuals don't find out until after the fact, when it has already damaged their networks. Back in the "good old days" circa 1995, a company's worst-case scenario was a DoS attack, which caused the server to go down and applications to be unavailable. In 2011 (soon to be 2012) the threats are much worse. Organizations are facing two types of damage. The first is stolen customer data, intellectual property, corporate designs, etc. Once it's stolen, highly sensitive data oftentimes ends up for sale to the highest bidder on criminals' social media networks. The second, very pernicious threat is that hackers frequently install a stealthy Trojan/keylogger, and at regular intervals it will send information, e.g. accounting information, to the hackers. They literally take control of the account and transfer out the money in small chunks, usually $10K at a time. It's then forwarded on to their "money mules" and organizations lose money. Once a company has been the victim of a cyberheist, recovering the money and tracking and prosecuting the hackers is difficult, time-consuming and expensive.
ITIC: How aware are companies of these threats and do they take them seriously?
SS: Every organization: the largest businesses, small Mom and Pop shops, academic institutions, non-profits and religious institutions are all at risk. Nothing is sacred and no one is safe. The large enterprises like banks and brokerage houses usually have good proactive defenses in place to minimize risk, to delay and thwart attacks and to alert them when an attempt to penetrate the perimeter or network occurs. Ironically, the biggest threat facing companies, particularly SMBs, is a false sense of security. Many small businesses, non-profits and churches are operating under a serious misperception that they're too small to be of interest to hackers and thus won't be targeted. The Fortune 500 firms know they're targets and have relatively good defenses in place. But these small businesses often do lag behind a bit in security awareness training unless they're forced by SOX or HIPAA regulations to do security awareness training because they get audited. Some organizations just do it perfunctorily to pass a required audit, and that just won't cut it.
ITIC: What’s your advice to businesses?
SS: Corporate cyberheist victims are NOT insured. The FDIC does not insure corporate accounts; it insures personal accounts. So the banks and insurance companies won't refund your money UNLESS you purchase specific cyberheist insurance policies. Otherwise you're SOL (shit out of luck), and if the theft is big enough, many SMBs could find themselves out of business. The hackers are also not confining themselves to SMBs; they attack non-profits, local and municipal governments and churches with equal impunity.
ITIC: What proactive measures should organizations take to protect their businesses?
SS: First, make sure that you have good-quality anti-malware and keep it up to date, have a good firewall, and then make sure you perform good-quality security awareness training. You have to constantly reinforce that users need to be tested; we recommend testing at least once a week. The weakest link in any organization will be the users. The security perimeter has been broken thanks to mobile and remote users. The network and the firewall used to be the perimeter, but the consumerization of IT has changed that. The hackers are now professional. The spear phishing attacks are very sophisticated.
ITIC: What should organizations and individuals look for?
SS: This sounds mundane, but never open an attachment that you didn't ask for or one that came from an unknown source.
Be suspicious of all your emails, even those from so-called trusted sources and friends, because their accounts may be spammed or hacked. This includes things like direct messages from people you know and are friends with on the various social media sites like Facebook, Twitter and Yahoo. Pay very close attention to how your email looks, e.g., be on the lookout for spelling and grammatical errors and missing elements or things that just don't appear right.
ITIC: Do you have any last insider tidbits for our readers?
SS: Yes, be aware that currently there's only one bank that insures business accounts against cyber criminals and cyberheists, and that's JP Morgan Chase.