Recognizing the damaging role that human fallibility can play in cybersecurity, companies are looking to internal and external training to stop their employees from falling for cyber schemes.
“The weakest link has always been the individual,” said Dave Papas, chief operating officer at Fairfax-based Cyveillance, a subsidiary of McLean-based QinetiQ North America. “Once I can compromise one individual within an organization, I then can potentially compromise everyone.”
Despite increasingly advanced cybersecurity protections or firewalls, one naive or uneducated user may click on spam or phishing schemes, creating an opening for cyber intruders and rendering expensive safeguards useless.
“Firewalls don’t work the way we think they work anymore, and you have to have a new way to go about this,” said John P. Jumper, chief executive of McLean-based Science Applications International Corp. , who talked about the issue at a Northern Virginia Technology Council event. “It is not a matter of playing goalie anymore against cyber threats; it’s more about managing them.”
Falls Church-based Northrop Grumman requires all of its workers to attend cybersecurity training as soon as they start work.
They must repeat the training annually and are periodically quizzed through what the company calls “spearphishing exercises,” or e-mails sent to employees that look like they’re coming from outside the company and are meant to raise red flags.
“We’ve refined them over the years,” said Mike Papay, vice president for cyber initiatives at Northrop Grumman’s information systems unit, of the e-mails.
If employees click on the e-mail’s link, they’ll get sent to a site that warns it’s untrusted. If they proceed regardless of that warning, they get a notice that they’ve made a mistake with more information about how to avoid it in the future.
“It’s really just a continuation of the training,” Papay said. “Our guys take great pride in crafting these fake looking e-mails. You want to be credible, but I don’t want to catch 100 percent of the people.”
Over the past two years, Cyveillance has sold a training program to about 80,000 users that teaches people how to avoid falling prey to malware, phishing schemes and other exploits. Last month, the company said it is adding a new “traffic cop” feature that allows company to send employees who have clicked on pieces of malware to a refresher course on good cyber practices.
“If they make a mistake — and users make mistakes all the time — and it’s picked up by the system, they have to do a little retraining,” Papas said.
Thus far, companies in industries as varied as insurance and manufacturing have used Cyveillance’s product.
Papay, of Northrop, said spammers are refining their efforts, making it harder for employees to avoid making a mistake. Papas said the challenge is also in the rapid pace at which companies can be compromised.
“Not only your novice users but your educated users are being victims to what is an ever increasingly sophisticated threat,” he said. “The speed at which these things are allowed to occur these days ... is a big concern.”