Employee cybersecurity training often missing piece, say experts

THREAT DETECTOR: Michael Carmack, a cybersecurity analyst with Rite-Solutions in Middletown, assesses security threats.

It’s safe to say most companies are aware of the threat of cyberattacks and damage that can occur from data breaches and have taken steps to address them.

But overall, businesses in Rhode Island, southeastern Massachusetts and beyond are still falling short – not necessarily in system protections, but in employee training – say local experts in government, education and the industry.

“When you look at solving this problem, it’s about people, processes and technology,” said R.I. Cybersecurity Officer Mike Steinmetz, adviser to the governor on homeland security. “If you focus on just one, you have people doing things they shouldn’t be doing or not doing what they should.”

According to a 2018 Verizon Data Breach Investigations Report, employees are the main weakness in global corporate cybersecurity. Specifically, employees are still falling into financial pretexting and phishing scams.


These attacks make up 98 percent of social incidents and 93 percent of all breaches investigated, according to Verizon. The main entry point, in almost all cases – 96 percent – was employee email.

“Companies are nearly three times more likely to get breached by social attacks than actual vulnerabilities,” according to the report’s findings.

Steinmetz is the state’s first-ever cybersecurity officer, appointed last year. A former employee of the National Security Agency, he’s tasked with developing a cybersecurity strategy for the state and its more than 8,000 employees, including training.

“You can have the best software in the world,” but in the absence of training, breaches will continue to infiltrate companies, he said.

Impressions are the same in the private industry when it comes to employee cybersecurity training.

“Absolutely,” said Michael Carmack, a cybersecurity analyst with Middletown’s Rite-Solutions. “It’s a big sticking point for companies that haven’t done it in the past. It’s like having the best alarm system and locks but not telling someone they have to shut their door first.”

Employee education is an especially important part of any protection program, because new risks are constantly emerging. With new threats appearing “almost minute to minute,” Carmack says team education needs to come from the top down and be a cultural change, “a corporation initiative – not just for [information technology] – and especially for the C-suite.”

Carmack has a uniquely broad perspective, having earned industry-related degrees from Salve Regina University, which has a cybersecurity initiative at its Pell Center for International Relations and Public Policy. He trains Rite-Solutions employees in online safety, and now teaches it in university settings as an adjunct professor.

He said information is truly power when it comes to cybersecurity.

USB and phishing hacks, for example, are common threats to which companies can fall victim if their employees are not properly trained, said Carmack.

In the case of USBs, hackers will put them in the path of a computer user – perhaps a USB drive used to share a PowerPoint presentation, one slipped into a swag bag at a business conference, or one anonymously dropped in a parking lot. If it’s inserted and the computer isn’t properly protected, said Carmack, the hackers are in.

“As soon as they have compromised the machine, it pings back to the server. They can send an infected host and they are into your network. And they didn’t have to go through a firewall,” he said.


Voice phishing – where a hacker pretends to be someone else on the phone to access sensitive information – and dumpster diving – where unshredded paperwork that could give clues about potential targets is swiped from the trash – are other areas where employee training can go a long way, said Carmack.

“When they understand their role, they are more equipped to help,” rather than hinder, security, he said.

And it isn’t always a case where any cybertraining will do.

Annette Niemczyk is a senior systems engineer with Envision Technology Advisors in Pawtucket. She points out that cybersecurity employee training should be customized and updated regularly as new threats emerge.

“This training … should not just be some canned online videos that everyone is mandated to watch,” she said. “A company should start by rolling out baseline security training for all employees … because every company has employees with different levels of experience.”

Steinmetz has seen Rhode Island focus on cybersecurity more over the past few years under Gov. Gina M. Raimondo. She won a 2017 SANS Difference Makers Award for bringing cybersecurity career opportunities to light with her CyberStart program and scholarships and seeks to broaden the industry. Steinmetz says the progress is crucial to the business community and a curve he hopes will continue its upward track.

“Employees are companies’ strongest supporters and advocates,” said Carmack, “when they are aware of the threat.”