Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

11/18/2013
12:29 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

KnowBe4 Says Lack Of Security Training Equals Serious Legal Liability

Although the number of cybercrime victims declined in 2013, the cost per victim has increased 50 percent

(Tampa Bay, FL) November 18, 2013--Cybercrime has been branded the number one threat to United States security--although the number of cybercrime victims declined in 2013, the cost per victim has increased 50%, bringing the global total to a staggering $113 billion (1). As the costs of data breaches continue to skyrocket--and businesses expose themselves to potential class-action lawsuits on behalf of third parties--Internet security awareness training firm KnowBe4 (http://www.knowbe4.com/) warns small and medium-sized enterprises (SMEs) to effectively arm themselves against cyber-attacks before litigation ensues; KnowBe4 says that security awareness training triples the chances of an organization being able to decrease its phishing problems.

Recent studies show that over the past four years, cybercrime costs have climbed by an average of 78%, while the time required to recover from a breach has increased 130%:

● In the United States alone, the annual cybercrime cost seen by the 60 businesses studied ranged from $1.3 million to more than $58 million and averaged $11.6 million per company--an increase of $2.6 million from 2012.

● The average cost of cleaning up after a single successful attack was $1 million (2).

But the costs of correcting data breaches are no longer the only cause for concern--the legal consequences, such as class-action lawsuits on behalf of third parties affected by such cyberattacks, are a growing worry of business owners. Businesses--specifically those that guard individuals' personal information, such as banks and data brokers--have become a likely target for consequential litigation in the aftermath of security breaches.

Case in Point:

Identity thieves posed as customers to steal more than 160,000 consumer records from data broker ChoicePoint. After the information theft was publicly announced, ChoicePoint paid out some $45 million as a result of the breach, and in the process effectively created a new source of liability for organizations nationwide (3).

Stu Sjouwerman, founder of KnowBe4, maintains that businesses can effectively bypass the financial burden of data breaches by implementing Internet security awareness training (http://www.knowbe4.com/) designed to teach employees to recognize and avoid potential "hack-attacks."

"Antivirus software cannot keep up with the sophisticated tactics of professional hackers, and should not be depended upon as a reliable means of defense," Sjouwerman said. "Internet security training has proven to work by lessening the chances of a successful cyberattack."

Sjouwerman says that the best defense is to think like a hacker, as phishing and social engineering tactics become increasingly sophisticated and difficult to detect. KnowBe4 collaborated with Kevin Mitnick, once known as the "World's Most Wanted Hacker," to develop Kevin Mitnick Security Awareness Training (http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/), a product designed to help organizations defend against even the most advanced network security breaches.

But even as cybercriminals constantly refine their techniques, KnowBe4 recently announced that an upgraded Kevin Mitnick Security Awareness Training program is in the beginning stages, and will be unveiled in 2014. The program is interactive and web-based, with case studies, live demonstration videos and short tests.

Sjouwerman's authority was confirmed by a study conducted by Osterman Research, which specializes in conducting market research for IT and technology-based companies. Sjouwerman classified five types of security awareness training that organizations commonly implement:

1. The Do-Nothing Approach: The organization conducts no security awareness training.

2. The Breakroom Approach: Employees are gathered during lunches or meetings and are told what to look out for in emails, web surfing, etc.

3. The Monthly Security Video Approach: Employees are shown short videos that explain how to keep the organization safe and secure.

4. The Phishing Test Approach: Certain employees are pre-selected and are sent simulated phishing attacks; IT determines whether they fell prey to the attack; and those employees receive remedial training.

5. The Human Firewall Approach: Everyone in the organization is tested; the percentage of employees who are prone to phishing attacks is determined; and then everyone is trained on major attack vectors. Simulated phishing attacks are sent to all employees on a regular basis.

The research found that KnowBe4's security awareness training (http://www.knowbe4.com/products/kevin-mitnick-security-awareness-training/) program, categorized as a "human firewall approach, not only increased confidence in employee capability to distinguish phishing attempts and malware, but also nearly tripled the chances of an organization decreasing its phishing problem."

KnowBe4's client base is comprised of over 300 customers, 42% of whom are banks and credit unions, and all of whom have successfully reduced the rate of employees clicking on spear-phishing links by up to 80% or more.

For more information about KnowBe4 and its services, contact KnowBe4 online at www.knowbe4.com.

About Stu Sjouwerman and KnowBe4:

Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Security Awareness Training to small and medium-sized enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc. 500 company Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced security awareness training. He and his colleagues work with companies in many different industries, including highly-regulated fields such as healthcare, finance and insurance. Sjouwerman is the author of four books, with his latest being Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How to Better Secure Your Microsoft 365 Environment
Kelly Sheridan, Staff Editor, Dark Reading,  1/25/2021
Attackers Leave Stolen Credentials Searchable on Google
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4682
PUBLISHED: 2021-01-28
IBM MQ 7.5, 8.0, 9.0, 9.1, 9.2 LTS, and 9.2 CD could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization of trusted data. An attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 186509.
CVE-2020-4888
PUBLISHED: 2021-01-28
IBM QRadar SIEM 7.4.0 to 7.4.2 Patch 1 and 7.3.0 to 7.3.3 Patch 7 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker co...
CVE-2020-13569
PUBLISHED: 2021-01-28
A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit babec93f600ff1394f91ccd512bcad85832eb6ce). A specially crafted HTTP request can lead to the execution of arbitrary requests in the context of the victim. An attacker can...
CVE-2021-20620
PUBLISHED: 2021-01-28
Cross-site scripting vulnerability in Aterm WF800HP firmware Ver1.0.9 and earlier allows remote attackers to inject an arbitrary script via unspecified vectors.
CVE-2021-20621
PUBLISHED: 2021-01-28
Cross-site request forgery (CSRF) vulnerability in Aterm WG2600HP firmware Ver1.0.2 and earlier, and Aterm WG2600HP2 firmware Ver1.0.2 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors.