One of the most successful ways to ensure your organization’s systems and procedures are safe from cybercrime is to have an outside organization test them. And one federal government agency will do just that—free of charge.
Critical infrastructure companies all across the U.S., primarily small banks and energy firms, are commissioning the Department of Homeland Security (DHS) to launch simulated cyberattacks on them, cybersecurity blogger Brian Krebs reported.
The National Cybersecurity Assessment and Technical Services (NCATS) program offers companies two separate services: a “Risk and Vulnerability Assessment” (RVA) and a “Cyber Hygiene” evaluation. Both are designed to help organizations understand how their external systems and infrastructure appear to attackers.
The RVA program scans an organization’s operating systems, databases and web applications for known vulnerabilities, and then tests them for weaknesses. The service also scans for rogue wireless devices and tests company employees to see which ones are susceptible to phishing emails. The Cyber Hygiene program includes internal and external vulnerability and web application scanning.
The DHS creates a yearly report based on the information gathered from both programs. The FY14 report included some alarming statistics:
- Manual testing was required to identify 67 percent of the RVA vulnerability findings.
- More than half of the total 344 vulnerabilities found during scans earned a severity rating of “high” (40 percent) or “critical” (13 percent).
- Fully 25 percent of employees targeted by phishing emails clicked on the links.
According to the report, the NCATS program provided support to 53 organizations. Krebs noted that simulated services such as these are typically expensive when conducted by private companies, so the free DHS service is quite valuable for companies that want to protect their data but can’t afford to make a big investment.
Companies participating in the program are implementing what Stu Sjouwerman, founder and CEO of IT security firm KnowBe4, calls a “new school” approach to cybersecurity training. Rather than herding employees into a breakroom and showing them a PowerPoint presentation that they forget about by the end of the day, Sjouwerman favors a more direct approach.
“You just test people, you find out how many people are click-happy or what we call phish-prone, and you train them online, in the browser,” Sjouwerman explained, in an interview for AFP’s latest Treasury in Practice Guide. “Then you regularly send them simulated phishing attacks. That works. We’ve seen the phish-prone percentage go down from 16 percent to 1 percent in a 12-month period. But you need to do it and it needs to come from the top down.”
For more tips on how treasury and finance professionals can protect themselves against rapidly evolving cyberthreats, be sure to check out the new Treasury in Practice Guide, BEC Scams: Treasury’s Number One Fraud Threat, due out next week.