Employees at Trendway Corp. have a reason to be skeptical about suspicious emails that show up in their inboxes.
That’s exactly the way John Waack wants it to be.
In an effort to promote a culture of strong cybersecurity, the director of information technology for the Holland-based office furniture manufacturer uses a fairly popular solution to test employees and their level of interaction with suspicious emails.
Called KnowBe4, the program allows administrators to send out fake phishing emails and track how an employee reacts to the communication.
Genuine phishing emails are some of the most common methods cyber attackers use to extract sensitive information from users, ranging from login passwords to Social Security numbers.
In fact, according to the 2020 Verizon Data Breach Investigation Report, phishing was the number one threat action for a successful breach.
The KnowBe4 software tracks metrics that include who opens a simulated phishing email and proceeds to click on links. Some users are led so far as to download a document or provide sensitive information.
Employees that exhibit haphazard cybersecurity habits will receive customized follow-up training — generally via video — to help them adopt safer practices.
“When they slow down and look at it, they’re like, ‘Oh, yeah; you’re right,’” Waack told MiBiz. “That’s what our objective is: to get them to slow down. Everybody is in a hurry these days, everybody has more work than time.”
Even as a smaller office furniture manufacturer, Trendway — now owned by office technology and accessories manufacturer Fellowes Brands — has seen a variety of cybersecurity attacks.
While nefarious users posing as a Nigerian prince might be a grift from yesteryear, Waack said that employees now receive bogus notifications asking them to reset their Microsoft 365 passwords, or even attackers trying to trick the HR department into changing the routing number on a direct deposit.
While phishing emails provide a variety of subtle red flags, Waack said that sometimes the best line of defense is for an employee to simply step back and ask whether that communication seems genuine.
“I don’t need you to do 10 levels of interrogation on each email you get, but you really need to think about what’s being requested and what you should do,” Waack said. “Would my team ever send you this message and just ask you to click on it?”
Waack also said that Trendway is making a big push in the next couple of months to brush up its cybersecurity posture, in an attempt to find that fine line between strong cybersecurity and easy accessibility to information and systems for employees.
“All of those are a balance to say, ‘I’m going to protect you from doing these sorts of things and the rest we’re going to rely on you,’” he said.
Testing and training have also proven valuable for Grand Rapids-based Precision Aerospace Corp., which is one of three small and medium-sized businesses owned by private equity-backed Tribus Aerospace Corp., which is based in Chicago. As a provider of intricate parts for the aerospace industry — both commercial and defense — Precision Aerospace handles controlled unclassified information on a daily basis.
Thomas Symons, who serves as I.T. manager for all three companies, said up until about nine months ago, Tribus did not have a formal training program in place, but used the growing number of attacks as justification to develop one. With a mix of office and shop floor users, the company showed through initial tests that this training was needed.
Tribus also uses KnowBe4 as a testing and training tool. Symons said the first phishing test sent to its employees revealed a roughly 60 percent hit rate. After providing mandatory training for all its users, only 10 to 12 percent of users fell for follow-up phishing tests.
“(Cybersecurity training) is like exercise: If you don’t maintain it, you lose it,” Symons said. “When you go talk to KnowBe4, they have statistics that show when training is stopped, the number starts to rise with compromises.”
The KnowBe4 tests are a stark reminder that users will always be a liability in the grand scheme of cybersecurity. That’s why Symons spoke to the importance of permissions, firewalls and other measures that serve as a security backstop for when employees make mistakes.
Even further, Symons said to “have a plan to fail.” This includes methods to recover from a breach or successful attack, which could range from cybersecurity insurance that provides rapid response and covers the financial fallout to a concise disaster recovery plan.
“Think of it as an onion: There are always layers to security and you don’t just want one doorway that’s locked,” Symons said. “You need (to protect) multiple doorways to get to your crown jewels.”
Capitalizing on COVID chaos
The overwhelming number of employees now working remotely because of the pandemic, coupled with a general public that is thirsty for the latest COVID-19 updates, has laid the groundwork for more successful threats.
As of June 2020, the FBI reported its Internet Crime Complaint Center had already received complaints of 20,000 coronavirus-related cybersecurity threats.
“Where we’ve always seen it is people clicking on links that they shouldn’t,” said Kelly Hollingsworth, a partner at Warner Norcross + Judd LLP who focuses on the general business and information technology industries. “Now, we’re seeing (emails that say) sign up for our vaccine. If it didn’t come from Spectrum (Health) or Metro (Health), probably don’t click it.”
With the shift to more remote workers, users increasingly are relying on their smartphones to read email, where it’s easier to fall victim to a phishing email, Hollingsworth added.
Steven Lauber, owner of Grand Rapids-based I.T. services provider Trailhead Networks LLC, said he has also seen the surge of attacks during the pandemic.
“The attackers were really picking up on that frenzy of things related to coronavirus,” Lauber said. “Maybe there would be a big scam around the stimulus (checks) and trying to get folks to click and fill out their information or a scam outbreak map for COVID-19. It was a curiosity that we all had. They preyed on that.”
Remote work has already opened up new cybersecurity vulnerabilities, such as employees working on a personal or shared device.
Not physically working in the same vicinity as coworkers can also make it harder to identify phishing emails.
“In the past, you’re in the same building, maybe down the hall, so it’s a lot easier to get up and go check with them face to face,” Lauber said. “Now, people are out by themselves more and it’s not quite as easy to do that. Maybe a little more out of convenience, they might make that judgment before verifying.”
Trailhead works with small to medium-sized businesses in a range of industries, and offers training as a part of its services.
Lauber stressed that an effective process should be very hands-on for employees.
“It’s got to be a dynamic, interactive type of training,” he said. “You don’t want it to just be a PDF or watching a webinar. A company wants to make sure (its) employees are understanding and comprehending it and that you can actually test that ongoing. It has to be ongoing and changing.”