ITIC’s coverage areas continue to expand and evolve based on your feedback. We will now feature Q&As with industry luminaries and experts discussing hot industry trends and technologies.
Longtime security professional, Stu Sjouwerman is the founder and CEO of KnowBe4.com a “New-school” IT security firm based in Tampa, Florida. It specializes in on-demand Internet Security Awareness Training (ISAT). The company’s goal is to enable organizations to quickly solve the increasingly urgent security problem of social engineering and avoid attacks before they occur. Sjouwerman also publishes an Electronic newsletter called Cyberheist News.
Prior to founding KnowBe4.com, Sjouwerman was president, CEO and founder of Sunbelt Software – now ThreatTrack Software which makes the VIPRE security package, originally developed by Sjouwerman and his team at Sunbelt Software. For 17 years he was also the editor of the popular WServerNews electronic newsletter which had a worldwide distribution of 400,000. ITIC recently sat down and interviewed Sjouwerman about security threats, how companies can defend themselves and avoid common mistakes.
ITIC: Tell us about KnowBe4:
Stu Sjouwerman: We are the “new school” or next generation security awareness training. Old style security tactics and training don’t cut it anymore. In the Digital Age of sophisticated and dangerous Ransomware and increasingly dangerous and prolific Cyber attacks, it’s not enough to follow dos and don’ts. KnowBe4 offers training and advice to assist businesses in combating the latest threats. For example, we will perform fully automated simulated phishing attacks. This lets corporations identify who the culprits are in advance of an attack. It’s proactive and preventive. We train people to be well aware of all of the latest threats from Ransomware to Internet of Things (IoT)-based Denial of Service (DDoS) attacks to phishing attacks that are out there. Our main focus is on phishing attacks but it’s not our only focus.
ITIC: Ransomware attacks are happening with alarming frequency and the Wanna Cry attack on Friday, May 12th was the worst yet. To date it’s infected corporations in 150 countries and over 200,000 machines worldwide. Surprisingly, Security firms have stepped in with fixes and sound advice, but the threat of Wanna Cry and other Ransomware attacks still persists. What’s KnowBe4’s position?
SS: Ransomware reached diabolical growth rates in mid-2014 and it’s been on an steep growth ramp ever since. Ransomware, criminal extortion and IoT-based Denial of Service (DDoS) attacks are the Bogeyman of IT and they’re here to stay. Customers are defending the best they can. But how do you defend? In my wheelhouse, you train the users but you still have to buy devices – especially for DDoS mitigation. You have to have the appropriate security mechanisms and training and your firms have to have up to date computer security policies and procedures and back them up with strong enforcement.
ITIC: From KnowBe4’s vantage point, what does the Cybercrime landscape look like?
SS: Money talks. Cybercrime is truly big business on a global scale. It’s everywhere, but it’s especially proliferating and flourishing in Eastern Europe and Russia and now as we’ve seen with the Wanna Cry Ransomware attack, there’s a very high probability that it originated in North Korea. Really the threats can come from anywhere. But we must be cognizant of the fact that these threats are much more sophisticated and there are real professionals behind them, to a much greater degree than 20 or 30 years ago. There are many are ex-KGB agents who have teamed up with the local organized crime; they have a very well developed and broad criminal economy. There are social networks for cyber criminals and tons of technical support sites for malware. Business is booming: it’s at least a $1B a year industry and growing every day. It’s very easy and very profitable to be a cyber criminal.
ITIC: You’ve been in the security business for over 20 years now. How have the security threats changed and evolved?
Stu Sjouwerman: In the last two decades years we’ve seen six generations of threats. Today’s security hacks and attacks have evolved; they are not the work of amateurs. It used to be that teenaged hackers did it for the thrill or to make a name for themselves and get hired to work for a security firm. Ten or fifteen years ago, hacking was a means to an end. Today hacking is the end game. The hackers have gone pro. And the security threats are much more professional and stealth-like which makes detection more difficult. Many organizations and individuals don’t find out until after the fact and it’s damaged their networks. Back in the “good old days” or dark ages circa 1995, a company’s worst case scenario was a DOS attack which caused the server to go down and applications to be unavailable. In 2017, there are many more threats and the threats are much worse. And with the adoption of IoT, there are many more potential entry points to access the network. Organizations are facing several types of damage. The first is stolen customer data, Intellectual Property, corporate designs etc. Once it’s stolen, highly sensitive data oftentimes ends up for sale to the highest bidder on criminals’ social media networks. The second, very pernicious threat is that hackers frequently install a stealthy Trojan/key logger and at regular intervals it will send the information e.g. accounting information to the hackers. They literally take control of the account and transfer out the money in small chunks usually $10K at a time. It’s then forwarded on to their “money mules” and organizations lose monies. Once a company has been the victim of a cyberheist, recovering the money, tracking and prosecuting the hackers is difficult, time consuming and expensive.
ITIC: How aware are companies of these threats and do they take them seriously?
SS: Every organization: the largest businesses, small Mom and Pop shops, academic institutions, non-profits and religious institutions are all at risk. Nothing is sacred and no one is safe. The large enterprises like banks and brokerage houses, usually have good proactive defenses in place to minimize risk, delay and thwart attacks and to alert them when an attempt to penetrate the perimeter or network occurs. Ironically, the biggest threat facing companies – particularly SMBs – is a false sense of security. Many small businesses, non-profits and churches are operating under a serious misperception that they’re too small to be of interest to hackers and thus they won’t be targeted. The Fortune 500 firms know they’re targets and have relatively good defenses in place. But these small businesses often do lag behind a bit in security awareness training unless they’re forced by SOX or HIPPA regulations to do security awareness training because they get audited. Some organizations just do it perfunctorily to pass a required audit and that just won’t cut it.
ITIC: What’s your advice to businesses?
SS: If you are a corporation, cyberheist victims are generally NOT insured. The FDIC does not insure corporate accounts; they insure personal accounts. So the banks and insurance companies won’t refund your money UNLESS you purchase specific cyberheist insurance policies. Otherwise you’re out of luck. If the theft is big enough, many SMBs could find themselves out of business. The hackers are also not confining themselves to SMBs – they attack non-profits, local and municipal governments and churches with equal impunity.
ITIC: What proactive measures should organizations take to protect their businesses?
SS: Cover your bases. Start with the basics. Make sure that you have good quality anti-malware and keep it up to date; companies also need a strong firewall and then make sure you perform good quality security awareness training. Don’t just install security mechanisms and forget about them. KnowBe4 recommends regular testing – at least once a week is optimal. The weakest link in any organization will be the users. The security perimeter has been broken thanks to mobile and remote users, who are careless or simply ignore security warnings and fail to implement available security mechanisms. The network and the firewall used to be the perimeter but the consumerization of IT has changed that. The hackers are now professional. All of the attacks – Ransomware, Spear phishing, Bots, cyberheists, identity theft and DDoS attacks are extremly sophisticated.
ITIC: What should organizations and individuals look for?
SS: This sounds mundane, but never open an attachment that you didn’t ask for or one that came from an unknown source. That is still one of the top reasons that organizations fall prey to Ransomware, malware, Bots etc. Human error remains the number one source of infections.
Be suspicious of all your Emails, even those from so-called trusted sources and friends because their accounts may be spammed or hacked. This includes things like direct messages from people you know and are friends with on the various Social Media sites like Facebook, Twitter and Yahoo. Pay very close attention to how your Email looks e.g., be on the lookout for spelling and grammatical errors and missing elements or things that just don’t appear right.
ITIC: Do you have any last insider tidbits for our readers?
SS: Yes, be aware that currently there are very few banks that automatically insure business accounts from cyber criminals and cyberheists; JP Morgan Chase is one of them. That said, there are now close to 70 cyber insurers. And as with any insurance provider, each one has different provisions, terms and conditions. Do your homework; decide if your firm needs cyber insurance and then shop and compare to find the policy that best suits your company’s business and technology needs.