New case study reveals that Training can reduce your Vulnerability to Cybercrime

Internet safety tips from the Ascentive team

New statistics published by Internet Security Awareness Training (ISAT) firm KnowBe4 indicate that formal training can substantially reduce an organization’s vulnerability to cybercrime. The findings, which are based on a case study of three KnowBe4 clients, revealed that between 26% and 45% of employees at those companies were susceptible to phishing emails. Implementation of ISAT immediately reduced that percentage by 75%; with subsequent 4-week phishing testing resulting in a close to zero phishing response rate across all three companies.

“As cyberheists continue to make headlines, it’s become clear that Small and Medium Enterprise underestimate the prevalence of cybercrime and the ability of cybercriminals to hack into their networks and bank accounts,” said Stu Sjouwerman, founder and CEO of KnowBe4. “Many executives erroneously assume that their IT departments and antivirus software will identify and block any cyberheist attempts. The fact of the matter is though, that all it takes is one employee clicking on a phishing email gives the bad guys a backdoor to your network. Cybercriminals use that weak link (employees) to bypass your antivirus software and gain full access to your systems. Our research has proven that Internet Security Awareness Training can close that hole; but organizations need to take the initiative to implement a formal, company-wide program.”

KnowBe4’s recent client case study showed that between a quarter to a half of employees were phish-prone before receiving Internet security training. If a cybercriminal had targeted any of those companies prior to their implementation of ISAT, there could have been serious implications. The initial test involved sending a simulated phishing email to employees before the first ISAT session to see how many would fall for a phishing attempt. The results were alarming; KnowBe4’s phishing statistics revealed an average 36.67% click rate among the three companies:

•   Company A (28 users):  45%

•   Company B (95 users):  39%

•   Company C (76 users):  26%

Following the preliminary free phishing security test, KnowBe4 conducted company-wide training. After that 30-minute on-line training, a series of five different simulated phishing emails were sent to users. The emails and the order in which they were sent varied by company; and the simulated phishing attacks encompassed a number of different topics, which ranged from bank account unauthorized access alerts, to Twitter notifications, to requests that appeared to be sent from the companies’ own IT departments. After the first email in the post-training test campaign, Company A’s Phish-prone percentage dropped to 28%, while Company B and Company C had a 0% click rate; resulting in an average of 9.33% across the three organizations. That represents an immediate overall 74.55% reduction in phishing susceptibility after the first training session.

Supplemental training decreased the phishing response rates even further. The second email in the campaign netted only a 7.10% response rate from Company A, while Company B and Company C held steady at 0%. Following the third email in the series, Company A had joined Company B at 0% phishing susceptibility, while Company C had a 1% response rate. The fourth email in the campaign – a message that appeared to have been sent from the companies’ own IT departments – fooled some employees at Company A (3.5%) and Company B (10%), while Company C had no clicks. By the fifth email in the test campaign, all three companies had achieve a 0% Phish-prone rate; representing a full 100% reduction in susceptibility to phishing tactics.

Sjouwerman noted that the initial pre-testing phishing response rates are indicative of phishing susceptibility among small and medium enterprises (SMEs) as a whole, making these businesses especially vulnerable to cybercrime. “The media often tend to focus on high-profile cases, like the recent hacking incidents at Sony and Lockheed Martin. Cybercriminals target smaller companies and non-profits all the time; it’s just that those cases don’t always make national news. As a result, many SMEs have a false sense of security, thinking that nobody is going to bother going after them with so many larger, more successful targets out there. The reality is that cybercriminals know SMEs are less likely to have effective security measures in place – and they’ll go anywhere they can find an easy way in. We recently published a case study about an attempted $150,000 cyberheist at a Boston branch of the United Way. If someone at the charitable organization hadn’t been especially vigilant, those funds would be in the hands of overseas criminals instead of helping local citizens in need. My point is that cybercrime can – and does – happen everywhere. That’s why Internet security awareness training is so important.”

Clutterfreepc news: British Royal Navy Attacked!

Direct from clutterfreepc:

The British Royal Navy has been successfully attacked – by malware.

The Royal Navy’s website was recently shut down temporarily while military officials repaired the vulnerability. In addition to the website’s motto, which ironically reads “Modern and Relevant,” users saw a message telling them why they couldn’t access any information on the website during repairs.

“Unfortunately the Royal Navy website is currently undergoing essential maintenance. Please visit again soon,” the website read.

Meanwhile, in true cyber criminal fashion, the hackers responsible for the attack celebrated and boasted on anonymous blogs throughout the web. A cyber criminal known only by the moniker TinKode took credit and received praise for the attack.

“TinKode doesn’t need sophisticated weapons to disarm an army. He just need a PC,” an anonymous post on TinKode’s blog read.

Another hacker gave him a pat on the back. “Nice dude, really nice. Good job,” a hacker name Sirarcane added.

Cyber security authorities across the globe have discussed the implications that may come as a result of the attack on the British Royal Navy’s website. Graham Cluley, senior technology consultant for security firm Sophos, said the event is “embarrassing” for the British military’s cyber security, and said the country is fortunate TinKode didn’t use the hack for more malicious purposes.

“We can all be thankful that Tinkode’s activities appear to be have been more mischievous than dangerous,” Cluley wrote in a recent NakedSecurity blog post. “If someone with more malice in mind had hacked the site they could have used it to post malicious links on the Navy’s JackSpeak blog, or embedded a Trojan horse into the site’s main page.”

In fact, TinKode, who is believed to live in Romania, has a history of pointing out glaring web security flaws within networks that many users may have previously considered secure. According to Clulely, “TinKode has revealed security holes in NASA’s website, and published information about SQL injection vulnerabilities in sites belonging to the U.S. Army.”

Just as government cyber security has rebounded from these past attacks, Cluley hopes the British Royal Navy can limit the damage from TinKode’s attack and use it to prevent future issues.

“Hopefully efforts are in place now to secure any vulnerabilities and reduce the chances of such a serious security breach happening again in the future,” Cluley wrote. “It is to be hoped that the ultimate impact of this attack will be egg on the face of the Ministry of Defense – and better security practices in the future – rather than a more significant assault on a website presenting the public face of an important part of the armed forces.”

A number of other recent attacks have highlighted the importance of anti-malware software in government networks, including the Stuxnet virus’ successful infiltration of Iran’s energy infrastructure.

If the British Royal Navy can be attacked, anyone can!  To protect your PC, please visit ClutterFreePC at www.clutterfreepc.com.

 

 

Bad Santa: Holiday Malware “Gifts”

Internet Security Update  from PC Prima:

Just as retailers are preparing for the influx of online shopping in time for the holidays, cyber criminals are launching a growing amount of email-borne malware attacks aimed at less tech-savvy online shoppers, according to recent Google research.

Google studied spam email during the third quarter this year. Although overall spam was down from the previous quarter, the study showed a 10 percent increase from the same period last year.  Officials attribute much of the overall decline to increased government pressure on cyber crime.

A recent case in Russia eradicated the world’s leading email spam provider, Spamit.com, bringing the global spam count down significantly. Spamit.com was the backbone for most spammers, offering a service that sold code and email spam tools to bombard inboxes with false pharmaceutical messages. After Russian authorities launched the investigation, the website’s ringleader went missing and is believed to have fled the country.

Also, an international sting on botnets has eliminated some of the most dangerous spam attacks in the world. More than 100 cyber criminals in Europe and the U.S. were arrested last month, temporarily eliminating the source for the massively successful Zeus botnet.

However, the profit potential for scamming the vast number of unsuspecting, and typically uneducated, internet users that shop online before the holidays was too much for cyber criminals to ignore. Google’s research indicates that new scams have emerged to replace those that have been arrested, and new techniques will make email spam and viruses more elusive.

“New botnets have sprung up to take their place. And, if the volume of spam was lower, it was also dirtier than in 2009,” a Kaspersky Labs report reads. “That may indicate a push to build out bot networks in advance of the holiday season, when many users go online to purchase gifts, and spammers are more likely to find success pushing their own wares.”  PC Prima, a German anti-malware provider, reports that this international problem requires constant attention and updates to existing internet security solutions.

Among the new trends include using  recycled emails for spam messages carrying malware. According to the research, this trend has been successful because spam filters on most email products use an automated system to recognize text typically found in spam messages. By using emails that were initially used for other purposes, spam messages get their messages around these roadblocks, attaching a malicious link to target an unsuspecting user.

Other, more recent research has found that Google is cracking down on email borne cyber crime. Web Host Industry Review studied Google’s response to an influx of malicious sites, revealing a more strict policy on malicious sites found on the company’s search engine.

“To this end, we’re finding that Google is putting sites on the black list for a longer period of time,” Jason Remillard, founder and president of the Web Host Industry Review, wrote on the company’s website. “We’re seeing the same results with the other SEs and the requisite browser instances of the blacklist tables.”

Because cyber criminals have evaded international legal authorities’ anti-malware efforts, they are just as likely to avoid Google’s restrictions. To safely shop online this holiday season, security experts advise consistently updating antivirus software to protect against the latest cyber crime developments.

To update your anti-virus software, visit Clutter Free PC, or try our new German internet security solution, PC Prima.