IT Briefcase Exclusive Interview: Security Awareness Training – A Modern Necessity, with Stu Sjouwerman, KnowBe4

There is no doubt that hackers today are getting smarter by the minute. Not only can they infiltrate your email, but with the proper tools and expertise, they can bring your organization to its knees in less than an hour.

In the below interview, Stu Sjouwerman from Knowbe4 (amply named for its purpose), emphasizes the importance of security awareness training, and outlines ways in which organizations can properly arm themselves for the battle against social engineering and malware threats today.

• Q. Hackers today seem to be perfecting the art of social engineering. Can you please explain a little about this ever present danger, and give us some suggestions for avoiding this type of threat? 
  

A. The bad guys no longer bother to try to defeat the antivirus and firewall at the endpoint, and go straight after the end-user which we all know is the real weak point in IT Security.  They manipulate the employee to either click on a link or open an infected attachment.  There are many ways to do this and they have perfected their tactics over time. It’s now a fully professional industry. People in Eastern Europe come to work, punch the time clock, get health benefits, and leave at five, but during their working hours they create criminal phishing attacks.  Security Awareness Training is no longer a ‘nice-to-have’; it is a must for any organization to keep the cyber mafia at bay.

• Q. What, in your opinion, is the ultimate value of Security Awareness Training for organizations today?

A. Good quality training creates a ‘human firewall’ which has two major plus-points: It helps you prevent malware infections, network penetrations and data breach incidents, but also cuts down on operational expenses like support tickets, and the time needed to disinfect or wipe/rebuild end-user workstations.

• Q. What industries do you see as benefitting the most from this type of training?

A. Honestly, cyber criminals do not discriminate. They will go after anyone with 25 grand in their operating account. We have seen cyberheists at local governments, small- medium enterprise, lawyers, non-profits and even churches.  However, they generally go after the sites where the money is…which means financials. The majority of our customers are banks and credit unions.

Q. How has BYOD increased the importance of Security Awareness Training?  

A. Well, BYOD has essentially destroyed your old-style perimeter defense.  The ‘defense-in-depth’ model now needs a much bigger emphasis on the outer layer which is Policies, Procedure and Awareness as every employee that carries a device with access to the corporate network is a potential security breach point.

Q. What is the biggest challenge you face when approaching companies about implementing new security awareness measures?

A. The fact that Owners or C-Level executives are not yet fully informed about the current state of cybercrime affairs.  Up to now, antivirus is a budgeted-for line item that is not being questioned.  That alone is no longer enough, and a new line-item always meets resistance. It is urgent though, that they understand the urgency of stepping all employees through good quality security awareness training. That is why I teamed up with Kevin Mitnick and distilled his 30+ years of first hacking experience in 30-minute training for employees.

Q. How can tools such like your “Email Exposure Check” help organizations defend themselves against cybercriminals?

A. Most organizations are not aware that many of their email addresses exposed on the Internet and easy to find for cybercriminals. With these addresses the bad guys can launch (spear-) phishing attacks on your organization. This type of attack is very hard to defend against, unless your users are highly ‘security awareness’ trained. So what we do is do a proprietary deep-scan and find as many exposed email addresses as we can, including looking into Doc and PDF files on the Internet.  We send monthly lists of addresses found and where we found them. Regularly these Email Exposure Check reports point to compromised credentials that need to be fixed.

Q. Can you please outline ways in which your recent book “Cyberheist” can help SMBs fortify their online security?

A. Ben Rothke, an IT security specialist and author, recently reviewed my book ‘Cyberheist’ and gave it 4 stars. He ended off with: “At just under 200 pages, Cyberheist: The biggest financial threat facing American businesses since the meltdown of 2008 is not the definitive text or the most comprehensive one on the topic. But for those looking for a brief and easy to read overview of the topic, with a lot of real-world advice, Cyberheist makes for a good read.” It helps owners and executives understand the real dangers out there on the Net.  It is available in paperback at Amazon, as an e-book for Kindle, but you can also register now for your free full copy here: (instant PDF Download)

Stu Sjouwerman (pronounced ‘shower-man’) has been in Information Technology for 30+ years, the last 9 of which were in IT Security. Cyberheist is Stu’s fourth book, he has co-authored three books about Windows System Administration. Since 1996, Stu has been the Editor-in-Chief of WServerNews, a email newsletter that goes to 100,000 IT system administrators and helps them to keep their systems secure, and up & running.

After having been on the software side of security, and still seeing workstations getting infected by malware, Stu realized that the human element of security was being neglected, and decided to start a new company called KnowBe4, that helps organizations train their employees to stay secure on the Internet.