Former FBI most wanted hacker Kevin Mitnick was set free in 2000 after serving five years in prison. He wasn’t allowed to touch a piece of computer technology for another three. During his time away from computers, he missed the invention of flash, the iPod, the mp3 audio format, the growth of wifi, and the launch of Google.
While American officials believed that their top threat to national IT security was locked away, the real threat was growing across the Atlantic in Eastern Europe. Entire communities supported by underground economies started to emerge after the fall of communism, and these communities continue to threaten the safety of many small to medium-sized businesses in the United States. Now, America’s former most wanted hacker has turned the tables. He has teamed up with top IT security expert Stu Sjouwerman, co-founder and former president of Sunbelt Software, to teach business owners how to protect themselves against malicious hacking as part of KnowBe4, a Florida-based company that Sjouwerman founded.
You can imagine American hacker Kevin Mitnick and IT security industry veteran Stu Sjouwerman as superheroes who are protecting innocent American businesses from international cyber criminals, because that’s exactly what they are doing.
While most small and medium-sized business owners believe that their data is protected from hackers as long as their anti-virus software is up to date, Sjouwerman and Mitnick know better. They teach business owners how to protect themselves from a hacking tactic known as social engineering. Social engineering is the art of manipulating someone into divulging information that can be used against them. According to Sjouwerman, hackers find their targets by first searching the web for exposed email addresses. Then they craft an email that makes the recipient believe it is an urgent message from a boss or colleague. When the recipient clicks the link in the email, the hacker gains access to the entire business network.
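As an added illustration of the defensive side of the attack chain described above (not code from the article or from KnowBe4), this Python snippet flags the executive-impersonation pattern Sjouwerman describes: a display name that matches a known boss, a sender domain that is not the company's, a mismatched Reply-To, urgent wording and a link. The company domain, the executive list and the two messages are constructed sample values, not real mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical company directory: the company's real domain and the
# display names of executives that attackers like to impersonate.
COMPANY_DOMAIN = "example.com"            # assumed value
EXECUTIVES = {"alice chen", "bob ortiz"}  # assumed display names

URGENT_PHRASES = ("urgent", "immediately", "right away", "asap", "wire")
URL_RE = re.compile(r"https?://[^\s>\"]+", re.IGNORECASE)

def score_message(raw: str) -> dict:
    """Return the impersonation indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + "\n" + body).lower()
    indicators = {
        # Display name matches a known executive, but the address is external.
        "exec_name_external_domain": display.strip().lower() in EXECUTIVES
                                     and domain != COMPANY_DOMAIN,
        # Replies are silently redirected to a different mailbox.
        "reply_to_mismatch": bool(msg.get("Reply-To"))
                             and parseaddr(msg["Reply-To"])[1].lower() != addr.lower(),
        "urgent_language": any(p in text for p in URGENT_PHRASES),
        "contains_link": bool(URL_RE.search(body)),
    }
    # Either a spoofed boss, or an external sender pushing an urgent link.
    indicators["suspicious"] = indicators["exec_name_external_domain"] or (
        indicators["urgent_language"] and indicators["contains_link"]
        and domain != COMPANY_DOMAIN)
    return indicators

# Constructed sample: lookalike domain, executive display name, urgent wire request.
SAMPLE = """From: Alice Chen <alice.chen@examp1e-mail.net>
Reply-To: payments@examp1e-mail.net
To: cfo@example.com
Subject: Urgent: approve wire before 5pm

Please review the invoice at http://examp1e-mail.net/invoice and wire today.
"""

# Constructed sample: genuine internal message from the same executive.
LEGIT = """From: Alice Chen <alice.chen@example.com>
To: cfo@example.com
Subject: Quarterly numbers

The deck is on the shared drive; no action needed.
"""

if __name__ == "__main__":
    print(score_message(SAMPLE))
    print(score_message(LEGIT))
```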
“Think of it like this,” notes Sjouwerman, when explaining how social engineering works. “It’s like a good looking man in a suit coming into your office and telling the receptionist that he is visiting for a job interview. He mentions to the receptionist that he left his resume in his car, and asks to print it from this thumb drive. If you are the receptionist, what should you do? Most people forget that if you put that thumb drive into the computer, the man has access to your entire network. He can come back, take the thumb drive and disappear with all of your company’s data. That’s social engineering.”
Social engineering, according to Sjouwerman, is the most effective way to gain access to data because hackers can easily manipulate human behavior. “If your CFO gets an email that looks like it is from the bank, just one wrong click of a link puts a key logger on the machine. Then, when the CFO completes a wire transfer, the hacker goes: bingo! This is a real threat. We need to warn people, including nonprofits and churches.”
Close to 80% of organizations do not have a formal security awareness program in place. Why not? These companies are behind the times when it comes to security, warns Sjouwerman. “Security goes in waves. It is a game of chess. Bad guys make the first move. They exploit the hole in the networks of organizations like nonprofits and churches that have not discovered that hackers are attacking the employee rather than the network itself. ‘We have anti-virus software, so we are good,’ they think. My mission is to teach people that the bad guys have moved on, and your employees are under attack,” continues Sjouwerman.
What can companies do to protect themselves? Sjouwerman’s company KnowBe4 offers a product called Internet Security Awareness Training that essentially creates a human firewall within the organization. By training employees to recognize phishing scams, KnowBe4’s subscription-based program helps companies keep up to date with the latest social engineering tactics that hackers are using.
Before each training, KnowBe4 completes an email exposure check to gauge how many email addresses on the company’s domain are published on the internet, where hackers can easily find them. Next, KnowBe4 sends a simulated phishing attack to every employee on the network, to help company leaders understand how effective phishing scams are. “Your employees are the weak link in IT security,” notes Sjouwerman. If business owners don’t believe that at first, the simulated attack will prove just how vulnerable their company is. For $15 per user per year, KnowBe4 will continue to schedule regular simulated phishing attacks after the company completes KnowBe4’s Internet Security Awareness Training with Kevin Mitnick. Over time, the percentage of employees who respond by clicking the link in a phishing attack dwindles to almost zero.
“Have you ever worked at a place where once a year your company provides sexual harassment training and three weeks later everyone has forgotten about it? You cannot do that with IT security. You need to train people to be alert each day. One click might be enough to compromise a network. With just one wrong click, your customer database with their credit cards can be online for everyone to see,” warns Sjouwerman.
Although Sjouwerman’s warnings about hackers in Eastern Europe harvesting email addresses and tricking employees into clicking phishing links can seem like a scare tactic to convince business leaders to buy his subscription-based training program, his cautionary tales are not embellished. In Romania, for example, the town of Râmnicu Vâlcea has been dubbed “Hackerville” by Wired thanks to the most flourishing sector in the local economy: cyber crime. “When an oppressive regime falls, there is always a crime wave. Since the fall of communism in Eastern Europe, ex-KGB members have been teaming up with criminals to create an underground economy where hackers work in teams and sell each other services,” Sjouwerman warns. According to Wired, the issue is so pervasive that even luxury car dealers have sprung up in the impoverished country of Romania to serve the newly rich hackers who have accumulated enough wealth from their phishing schemes to purchase brand-name vehicles like BMWs.
While small business leaders may assume that hackers only go after Fortune 5000 companies, they are in fact targets themselves. Mitnick and Sjouwerman are on a mission to spread the word that small and medium-sized businesses must protect themselves by training their employees to spot and avoid phishing scams. According to Sjouwerman, training the human firewall is more effective than any firewall that businesses can download and install.