Staff weakest link in corporate security

The recently discovered Dyre Wolf campaign – a series of cyberattacks that stole more than $1 million from a handful of companies – puts a bright light on the importance of employee vigilance.

Published: Wed 10 Jun 2015, 10:20 PM

Last updated: Wed 8 Jul 2015, 3:15 PM

The onslaught of high-profile breaches over the past year at companies such as JP Morgan, Home Depot, and Sony Pictures forced businesses to spend exponentially more money to protect themselves online.

However, there’s one major challenge to companies’ cybersecurity besides the criminal hackers targeting them: their employees.

No matter how much money companies spend – or what kind of new and advanced technology they implement – they continue to struggle to prevent employees from falling for scams that could leave the door wide open for bad actors to steal customer information, hold critical company information for ransom, or even destroy files.

“The weakest link is people not knowing whether data are critical or intellectual property, or understanding what a suspicious e-mail is,” says Steve Rocco, global cybersecurity specialist at MSA Safety, a safety equipment provider.

Dyre Wolf included malware, but its success relied on the attackers’ ability to pull off an old-fashioned scam. The malicious software used in Dyre Wolf was delivered to computers through bogus e-mails sent to company employees. When employees opened the e-mails and clicked the attachments, they inadvertently installed a program called Dyre on their computers.

The program then recognized when users visited bank websites. At that point, Dyre delivered an on-screen prompt indicating the bank site was down and that the user should call the bank directly. When the user called the phone number provided, an English-speaking member of the criminal hacking group took the credit card information.

The scam has been repeated thousands of times, according to the IBM researchers who discovered it. What’s more, it’s hardly the only cyberattack of its kind that involves tricking unsuspecting users. In fact, according to IBM, some 95 percent of all attacks involve human error.

While some security experts say companies must train employees to spot scams and react responsibly, others say only new technologies can protect organizations from the human errors that leave them susceptible to breaches.

Wombat Security Technologies, a company created by a group of phishing researchers at Carnegie Mellon University, is in the first camp. It provides companies with software that trains employees to be more aware of their actions and to spot which e-mails could be part of a phishing attack, since, the company says, this kind of attack often targets individuals who are not tech savvy.

In order to get people to start paying attention to the warning signs, Wombat uses a simple scare tactic: mock attacks.

Simulated attacks convince employees they’ve fallen prey to a phishing attack. After clicking a link in an e-mail that appears to be from a client or colleague, an employee is confronted with a message saying the company’s sensitive data is at risk. The attacks are meant to shock employees into realizing how vulnerable they really are to social engineering.

The company boasts a 46 percent reduction in malware infections among clients.

Despite Wombat’s success, however, some experts say it is almost impossible to train people to identify every single phishing e-mail – especially if the e-mail has been crafted specifically to trick that person.

Since they know their employees will make mistakes, the savviest companies are building systems that can survive cyberattacks, Lieberman points out. One example, he says, is a rule that “anything sensitive needs to go through a proxy that monitors the traffic.”

Yet regardless of which technology a company chooses, Lieberman says he is convinced that training employees is not enough. “Statistics say people make mistakes,” he says. “You need to make fundamental changes in the way the company operates.”

The Christian Science Monitor