Don’t invite the bad guys in.

As a boy, I used to watch the old Christopher Lee Dracula movies on Saturday nights. Dracula and the other vampires in these movies couldn’t enter a house unless they were invited in. The fearless vampire-hunter heroes knew this, but somehow there was always someone in the house who defeated security by helpfully throwing out that smelly garlic and opening up the windows to let in some fresh air. If only they had an effective V.A.T (Vampire Awareness Training) program to share with everyone!

The lesson here is that many security breaches start with the best of intentions. Computer users in your company need to be trained on the possible consequences of a malware infections so that they can understand the need for potentially intrusive or inconvenient security measures. They need to learn to recognize those attempts to be “invited in,” and what to do about them. When everyone is security aware, incidents of malware infection and the resultant fallout drops dramatically.

What’s the “One Thing”?

As a consultant and provider of cybersecurity services, I am often asked by bankers and other business owners what is the “one thing” that they should be doing to secure their businesses from cyberattacks and malware. The answer I give does not involve installing the latest and greatest firewall, using a specific brand of antivirus or making use of a real-time intrusion protection system (although all of these are important components of a secure system). The “one thing” I recommend most is that they implement an effective Security Awareness Training program for all employees.

Here’s a hard truth.

Even with the best firewall, antivirus and fully security-patched systems, you are still vulnerable to malware and phishing attempts. Cybercriminals know that it is much easier to defeat people than technology. All it takes is one ill-advised click on an email, attachment or link to introduce malware onto a local workstation behind your firewall.

Firewalls are intentionally configured to permit certain kinds of Internet traffic inside your network. Each time you check your email client, or open your web browser, you are sending a request to internet resources to send data to your workstation and pass by your firewall protection. Antivirus and antispam programs try to filter out malicious attachments and links, but signatures don’t keep up with new versions of malware released daily.

A 2016 McAfee Labs report shows that ransomware (malware that encrypts your data and only provides a decryption key if you pay a ransom) has increased by 128 percent since 2015. This malware can hide in links in emails, as hidden code in email attachments or even embedded in seemingly safe web sites.

In June 2016, CSO published an article about a Phishme report that revealed a whopping 93 percent of all phishing emails contain ransomware. If technology can’t filter out all of the sources of malware, it is critical to train all employees on how to recognize and avoid these hidden traps. A well-designed Security Awareness Training program turns everyone in your company into a “human firewall.”

The Human Firewall

An effective security awareness training program should illustrate with real-life examples the danger of social engineering and the importance of constant vigilance to avoid malware infections. The training should be attended by everyone in your organization who has access to the internet. The training should be updated and repeated at least annually, and should be part of the standard boarding process for new employees.

To ensure the training “takes,” the program should include regular social engineering tests. The easiest way is to use a service to send your own unannounced phishing emails to see who “clicks.” In the programs that we administer, we typically see about a 15 percent hit rate on phishing emails sent out before training is initiated. This dramatically drops to less than 5 percent after training is completed.

Over time, the hit rate creeps back up, so it is important to refresh training regularly. Monthly reminder emails and postings are a great addition. It also helps that employees know that they are being tested. There’s nothing as embarrassing as being the one employee caught in a phish test. Most importantly, as a provider of managed IT services, we have seen the amount of time and effort that we spend helping our clients recover from malware infections drop dramatically for those that have adopted our recommended program.

Here are a few training tips to pass along to get your program going:

• Do not open attachments unless you are 100 percent certain of: 1) the sender and 2) the purpose of the attachment. When in doubt, pick up the phone and call.
• Never click embedded links in messages without hovering your mouse over them first.
• Look for “fake” domains. Note that www.microsoft.com and www.support.microsoft.software.com are two different domains (and only the first is an actual Microsoft site).
• Always check the email “From” field to validate the sender. The “From” address may be spoofed.
• Do not “unsubscribe” – it is easier to delete the email than to deal with the security risks.
• Do not respond to spam in any way. Use the Delete button.
• Do not open any email attachments that end with: .exe, .scr, .bat, .com or other executable files you do not recognize.
• Always check for so-called “double-extended” scam attachments. A text file named ‘safe.txt’ is safe, but a file called ‘safe.txt.exe’ is not.
• Alert co-workers and friends of suspicious emails.

Remember, even with the best firewall, antivirus and fully security-patched systems, you are still vulnerable to malware and phishing attempts. Proper Security Awareness Training is key to a comprehensive cybersecurity program.