As high-profile cyber attacks make headlines and spur legislation in Congress, smaller ones are spurring IT officers to work more closely with employees, who are seen as the first line of defense in deterring hackers.
Employees are often tricked by phishing schemes, which use email or social media to disseminate malware. A click on a bogus attachment sent by a hacker can expose data or give the hacker access to the information on a computer.
National statistics show that about 20 percent of the time, users are fooled into clicking on attachments sent through phishing, said Reid Stephan, associate chief information officer at St. Luke’s Health System, Idaho’s largest employer.
Accordingly, a large part of Stephan’s job is training St. Luke’s 16,000 employees not to be fooled into clicking on something that could expose data.
“Cybersecurity has always been, and is, and always will be, a people problem, not a technology problem,” Stephan said. “The reality is that you could invest significantly in technology, in tools, in appliances, and a single employee either intentionally or unintentionally with a single mouse click can circumvent all that investment in your security controls and have something bad happen.”
Verizon’s 2016 Data Breach Investigations Report, which found 89 percent of reported attacks were prompted by financial or espionage motives, found that phishing is on the rise.
“Apparently, the communication between the criminal and the victim is much more effective than the communication between employees and security staff,” according to Verizon.
The firm’s review of 8 million phishing tests found that 30 percent of the test messages (up from 23 percent the prior year), which in a real attack ordinarily carry malware, were opened, and that 12 percent of users (up from 11 percent) clicked the links.
“It’s not a hardware problem, it’s not a software problem,” said Greg Knepper, president of Integrated Coverage Group, a Farmingdale, N.Y. insurance brokerage that offers cyber insurance. “It’s a people problem. The majority of hacks on small businesses are caused by people who work at the business.”
Although disgruntled employees are part of the problem, workers often unwittingly open the door to attacks due to lack of training or simply human nature. While companies have to know what data they possess, who has access to it and where it’s stored, workers need to know what they can and can’t do.
Schweitzer Engineering, a Pullman, Wash. company with 4,600 employees and Idaho offices in Boise and Lewiston, addresses this, in part, with frequent training sessions, said Bryan MacDonald, director of IT and information services for Schweitzer.
“We’re very careful to train people about the risks and about what to do if they’re unsure about email, checking with the source through a different channel or contacting the security department so we can validate that,” he said. “Another thing we do around email because it is one of those high risks for a company, is we do our own internal audits, testing to see how our defenses are and then doing training and follow-up.”
Schweitzer also scans all incoming USB drives to make sure they’re not harboring any viruses, said Edmund O. Schweitzer, who founded the company in 1984.
“They’re such a well known cyber attack vector,” he said. “When people come into our company to give a presentation, they have to take them to a scanning station and make sure there are no viruses on it before they plug it into a computer in a boardroom or conference room.”
Lee Noriega, founding member of Melville, N.Y.-based Oxford Solutions, a security provider, said he went in to assess a large hotel’s security practices, only to find that eagerness to answer a customer’s questions led employees to give him information they shouldn’t. Vendors can also be problematic. Target’s data, for instance, was breached through an HVAC company.
“If your customers gave you sensitive data you share with someone else, you need to vet them,” Steven Rubin, a partner at Garden City, N.Y.-based Moritt Hock & Hamroff, said. “Do they have the same five-step plan you should have? Do they have cyber insurance?”
James Tauer, an information technology consultant at Oxford Solutions, said companies increasingly are checking to make sure contractors meet their cyber security standards.
“A lot of our clients are being audited by their clients,” Tauer said. “It’s happening a lot with banks. But it’s trickling down to smaller companies.”
Along with an annual online security class for employees and regular updates, St. Luke’s IT department itself sends its own fake phishing emails to employees to test their skills at resisting the urge to open an attachment from an unknown sender.
“It looks as though it’s coming from an external party, and we use the same kind of social engineering message techniques that an attacker uses, pretend it’s an update on a shipping order, but if you just take a little bit of thought and care about who is the sender, what is the link, you can deduce pretty quickly what is real and what is not,” Stephan said. “We use phishing campaigns to drive home the awareness, and identify those employees who may need some additional training and follow up to make sure they’re knowledgeable about this in the future.”
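The two cues Stephan describes, who the sender really is and where the link really points, can be checked mechanically as well as by eye. The script below is an added example, not code from the article, St. Luke’s or any vendor named here: it parses a constructed sample message (every address and domain in it is made up) and reports the same mismatches a trained employee would look for.

```python
"""Heuristic phishing-indicator check for a single email message.

Added example, not from the article. It applies the cues Stephan names
(who is the sender, what is the link) to a constructed sample message:
every address, domain and message body below is made up for illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


def registrable_domain(host: str) -> str:
    """Crude approximation using the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def domain_of_address(addr: str) -> str:
    """Registrable domain of an email address, or '' if it has none."""
    return registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


# Visible link text that itself looks like a URL or bare domain name.
_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def phishing_indicators(raw_message: str) -> list[tuple[str, str]]:
    """Return (code, detail) findings for sender/link cues in one message."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = domain_of_address(parseaddr(msg.get("From", ""))[1])
    reply_domain = domain_of_address(parseaddr(msg.get("Reply-To", ""))[1])
    # Cue 1: replies quietly routed to a domain other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch",
                         f"Reply-To domain {reply_domain} differs from From domain {from_domain}"))

    body = msg.get_payload() if not msg.is_multipart() else ""
    collector = _LinkCollector()
    collector.feed(body or "")
    for href, text in collector.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https") or not parsed.hostname:
            continue
        link_domain = registrable_domain(parsed.hostname)
        # Cue 2: the link leads somewhere other than the sender's own domain.
        if link_domain != from_domain:
            findings.append(("link-domain-mismatch",
                             f"link goes to {link_domain}, sender is {from_domain}"))
        # Cue 3: the text shown to the reader names a different site than the href.
        if _URL_LIKE.fullmatch(text):
            shown = text if "://" in text else "http://" + text
            shown_host = urlparse(shown).hostname or ""
            if shown_host and registrable_domain(shown_host) != link_domain:
                findings.append(("display-text-mismatch",
                                 f"text shows {registrable_domain(shown_host)} but link goes to {link_domain}"))
    return findings


# Constructed sample lure in the "update on a shipping order" style the article mentions.
SAMPLE_LURE = """From: "Parcel Updates" <notice@shipping-status-alerts.example>
Reply-To: claims@mail-collector.example
To: employee@company.example
Subject: Update on your shipping order
Content-Type: text/html

<html><body><p>Your order is on hold until you confirm your details.</p>
<a href="http://track.shipping-status-alerts.example/verify">https://www.company.example/orders</a>
<a href="https://secure-login.mail-collector.example/confirm">Confirm delivery address</a>
</body></html>
"""

# Constructed benign message: sender, reply path and link all agree.
SAMPLE_CLEAN = """From: orders@company.example
To: employee@company.example
Subject: Your order has shipped
Content-Type: text/html

<html><body><a href="https://www.company.example/orders">View your order</a></body></html>
"""

if __name__ == "__main__":
    for code, detail in phishing_indicators(SAMPLE_LURE):
        print(f"{code}: {detail}")
    print("clean message findings:", phishing_indicators(SAMPLE_CLEAN))
```

The domain comparison is deliberately crude (last two labels, no public-suffix list), so a real deployment would swap in a proper suffix list and treat these findings as prompts for the “check with the source through a different channel” step MacDonald describes, not as a verdict.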
Robert Peterson, system administrator at Hawley Troxell in Boise, goes one step further. His department created USB drives and left them around the office to see if employees would plug them into a computer and try to open the documents on them. If they had, IT would have been alerted.
“But every one we have tried so far, they have turned them into the IT department saying, ‘I found this,’” Peterson said. “That is one test that everybody passed here.”
The view from Washington
Half a dozen cyber security bills have passed the House of Representatives with two currently before the Senate, typically focusing on voluntary reporting to the government. They seek to provide liability protection for reporting voluntarily without automatically freeing firms of all accountability.
“When voluntarily providing information, they don’t want to be exposing themselves involuntarily so they have to go to court and explain to a jury what their manual looks like,” said New York State Rep. Lee Zeldin. “People want to know that Congress isn’t passing an act that will somehow compromise their personal information, their privacy.”
Passage of the federal government’s Cybersecurity Information Sharing Act a few years ago hasn’t led to the partnership some hoped to see.
“The title sounds great,” said Steven Rubin, a partner at Garden City, N.Y.-based Moritt Hock & Hamroff. “The goal there was government and industry should talk to each other. But there is no real sense of immunity there.”
Regulators such as the Federal Communications Commission can go after companies for doing too little. And disclosures of breaches can easily lead to lawsuits, making breaches more expensive and further encouraging a cloak of cyber secrecy.
“If you do have a data breach and disclose it,” Rubin said, “there’s the danger of getting sued.”
While the Federal Bureau of Investigation and other law enforcement officials are focusing on this, Noriega said it’s a challenge for that agency to recruit cyber security experts.
“They can’t pay them as much [as industry],” Noriega said. “They plead to their patriotic duties. Come work for the FBI for a few years.”
Watching the detectives
Europe and the United States have different rules for safeguarding the data that often flows between both.
“It’s very easy for data to migrate out of the United States to Europe, which has very different laws than we do. Europe does not like information sharing,” Rubin said. “In Europe, I may not be able to share that information. By complying with U.S. law, I may violate European law.”
Schweitzer Engineering has created its own security posters to hang in elevators and other public spaces. They’re available to the public, and are such a hit that Schweitzer staffers see them in other businesses and government offices. Edmund Schweitzer said a school district in Dade County, Fla., ordered 5,000 of them for its buildings.
Despite these precautions, the company does face hackers. One recent one involved a person who claimed to be from the company’s own HR office who called up asking for private information about some Schweitzer employees. Edmund Schweitzer said it was a recruiter trying to obtain more information about people in certain positions.
But this mini-attack is par for the course, said MacDonald.
“Ninety-nine percent of the internet traffic coming in here is malicious or dangerous spam,” he said. “We’re under attack every day. Everybody is. We have a number of different layers of security, because one single layer, screening your users or your e-phishing filters or your security gateway, none of those by themselves are going to be enough.”
Claude Solnik of Long Island Business News contributed to this report.