Cybercrime Prevention Expert Stu Sjouwerman Alerts Businesses to Alarming Implications of FAIL500 Study Findings
KnowBe4 Founder Urges Business Owners to Take Proactive Measures to Stop Phishing, Warning That Percentage of Phish-Prone Companies “Could Easily Double”
CLEARWATER, Fla., June 6, 2011 – Recent phishing study findings released by Internet Security Awareness Training (ISAT) firm KnowBe4 highlight an urgent need for cybercrime prevention awareness among small and medium enterprises (SMEs) – and may only hint at the true scope of the problem. KnowBe4 founder and CEO Stu Sjouwerman previously cited a “false sense of security” as the reason companies aren’t doing more to stop phishing, noting that many erroneously believe antivirus software and a dedicated IT team can thwart all cyberheist attempts. “Our FAIL500 experiment demonstrated that without proper cybercrime prevention training, employees can unwittingly give cybercriminals access to company systems. And while our preliminary phishing study findings justifiably raised concerns about the potential for Internet security breaches, the problem is far bigger than most people realize.”
Sjouwerman’s company conducted a two-phase test designed to identify the percentage of Inc. 5000 companies that are Phish-prone™, or vulnerable to phishing attempts. The preliminary test used a reputable bulk email service to send a simulated phishing email to employees at 81 companies; and of the 79 businesses that had successful deliveries, an alarming 43% had at least one employee who clicked the link. A subsequent test used a one-time mail server with an unknown reputation, which reduced the number of successful deliveries – but still netted a response rate of more than 15% in less than 24 hours. In total, 658 emails were clicked by employees at 485 different companies, which led KnowBe4 to dub its experiment the “FAIL500” project.
“Unfortunately, denial is rampant when it comes to cybercrime. Everyone thinks it won’t happen to them – until they find out the hard way just how easy it is for cybercriminals to find a way in,” said Sjouwerman. “Skilled cybercriminals are able to sneak under the radar; most targets don’t even realize that the link they clicked or the file they downloaded has just compromised their data security. Internet-based crime syndicates invest much more time, money and effort into their phishing attempts than we did, using off-shore servers that are difficult to identify and shut down. If we were to employ similar tactics for our experiment and had a longer timeframe, I believe the percentage of respondents could easily double over the course of six months.”
Sjouwerman also emphasizes that KnowBe4’s test involved phishing rather than spear phishing. Phishing casts a wide net in the hope of landing a small percentage from a large pool, while spear phishing is much more targeted – and therefore more difficult to detect. The stealthy cybercriminals who engage in spear phishing generally target a specific organization and have prior knowledge of the recipients’ business activities and partnerships. Consequently, these perpetrators are able to craft emails that seem legitimate and appear to be sent by a trusted partner, vendor, customer or colleague. Sjouwerman cautions that this is where the real danger lies: “If our experiment used spear phishing tactics, I believe our response rate would have been closer to 75%. That’s why businesses need to provide cybercrime prevention training to their staff if they expect to stop phishing attacks.”
Businesswoman Karen M. McCarthy has first-hand experience with the consequences of cybercrime. She spent 22 years building a successful marketing agency that was poised for a lucrative merger – until Eastern European-based cybercriminals looted her TD Bank account in February 2010. Using the ZeuS virus to gain access to her account information and password, the hackers initiated $164,000 fraudulent wire transfers. Even worse, McCarthy discovered that commercial accounts are not insured against such losses – and her bank denied any responsibility, even though they had not implemented security measures to combat the ZeuS virus. To fight back against cybercriminals and lobby for federal protection of commercial accounts, McCarthy joined forces with other cyberheist victims and Internet security professionals to found the Cyber Looting Awareness and Security Project (CLASP).
“Cybercrime has reached epidemic proportions, and small business owners need to be aware of what they’re up against,” exclaimed McCarthy. “Cybercriminals have attempted to steal more than $220 million from small and medium businesses in recent years, and have succeeded in making off with more than $70 million. When you combine all Internet-related thefts – including large companies and individuals – the losses are in excess of $1.7 billion.”
McCarthy notes that taxpayers also shoulder the burden of cybercrime, as many hackers have begun targeting state and local government agencies. As an example, she cites staggering losses suffered by two organizations in her home state of New York: the Town of Poughkeepsie lost $800,000, while the Duanesburg Central School District lost $3 million.
Sjouwerman maintains that knowledge is the key to cybercrime prevention. To that end, he recently published Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008. In addition to providing an overview of the FAIL500 project and examining actual case studies, Cyberheist arms business owners and individuals alike with actionable advice on how to prevent identity theft and cyberlooting, as well as proven methods to stop phishing-related security breaches.
For more details on the FAIL500 phishing study, visit http://www.knowbe4.com/fail500. To learn more about Cyberheist, or to order the paperback or e-book edition, visit http://www.cyberheist.com. Watch for KnowBe4’s next release, which will feature top tips for cybercrime prevention.
About Stu Sjouwerman and KnowBe4
Stu Sjouwerman is the founder and CEO of KnowBe4, LLC, which provides web-based Internet Security Awareness Training (ISAT) to small and medium enterprises. A data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Sunbelt Software, an award-winning anti-malware software company that he and his partner sold to GFI Software in 2010. Realizing that the human element of security was being seriously neglected, Sjouwerman decided to help entrepreneurs tackle cybercrime tactics through advanced Internet security awareness training. He is the author of four books, including Cyberheist: The Biggest Financial Threat Facing American Businesses Since the Meltdown of 2008. For more information on Sjouwerman and KnowBe4, visit https://www.knowbe4.com.
###
Media Inquires:
Karla Jo Helms
CEO and PR Strategist
JoTo Extreme PR
Phone: 888-202-4614
