Cybersecurity | Employee Training Is First Line of Defense

Developing a company culture that values security can help mitigate cybercrime threats

By Lorie Hailey

Employees can be one of the biggest threats to a company’s cybersecurity, but with the right training, they can be armed with the tools to form a frontline defense against cybercriminals.

Internet crime is one of the fastest growing security threats in the United States. The FBI’s Internet Crime Complaint Center (IC3) received more than 460,000 complaints in 2019, with a reported loss of more than $3.5 billion. Kentucky had more than 3,000 victims of internet crime in 2019, and a loss of more than $17 million to cybercriminals, according to the FBI’s 2019 Internet Crime Report.

In 2018, more than 446 million records were exposed in 1,244 data breaches. The number of breaches worldwide has steadily climbed over the past eight years as cybercriminals have grown more savvy and the threats have become more sophisticated.

Businesses put themselves at risk by not performing adequate cybersecurity risk assessments and acting on the findings, and by failing to regularly train their employees to recognize threats.

“The greatest cybersecurity risk to businesses is their own untrained, unprepared staff. Over 90% of all breaches go back to a bad email attachment, malicious link or other employee mistakes,” said Tracy Hardin, president and founder of Next Century Technologies, an IT consultant and managed services firm in Lexington.

Untrained employees are a “huge risk,” agreed Craig Willard, chief operating officer of SimplifIT, a Frankfort-based managed services and cybersecurity firm. When it comes to cybersecurity, “ignorance is not bliss,” he said.

Employees make their companies vulnerable to a cyberattack in several ways: using their work computers for personal email or web surfing; placing too much information about their employers on social media; and not taking personal responsibility to educate themselves about cyberthreats personally and professionally, said Joe Danaher, chief information security officer for The AME Group, formerly Integrity IT.

But the real responsibility lies with company owners and executives. Company leaders must set the tone for the entire company by offering frequent cybersecurity training sessions to employees and practicing good cybersecurity hygiene themselves, Willard said.

A company’s management team must “show employees that cybersecurity is important … by creating a culture of cybersecurity,” Danaher agreed.

Threats are more sophisticated, more difficult to spot

“There are a hundred different ways hackers can get into your system,” said Jim Kramer, IT consulting team leader at MCM CPAs and Advisors, which has offices in Lexington, Louisville, Jeffersonville, Cincinnati and Indianapolis. From posing as the IRS during tax season and sending emails about lost packages at Christmastime, to impersonating executives asking an employee for immediate action, hackers are working constantly to fool employees, get access to their networks and wreak havoc, he said.

Years ago, hackers sent thousands of generic and crudely written phishing emails and hoped a small percentage would fall for them. Scam emails from Nigerian princes wishing to share their wealth and long-lost relatives with inheritances to bestow are a thing of the past. Today’s cybercriminals study their targets – using information readily available online – and tailor their scams to specific companies and individuals.

“Phishing is becoming more sophisticated,” Danaher said. “Compromised (Microsoft) Office 365 accounts from people you know are sending malware in attachments. Secure attachments are being used to trick users into downloading malware and giving up their passwords to sites like Office 365, Amazon and Google.”

A busy employee who receives an email that appears to have come from the CEO, asking them to quickly pay an invoice or purchase items for clients, may not take the time to question the authenticity of the email.

“A poorly trained employee or one who is easily distracted, tired or overwhelmed with work is more likely to open a bad attachment, wire money to a criminal or give out their email address and password to any popup that looks somewhat legit,” said Hardin of Next Century Technologies.

While the technique has become more sophisticated, the Nigerian prince scams of the past and the spoofing methods used now have at least one thing in common: the cybercriminals who send them rely on exploiting the basic human traits of being helpful and curious, Danaher said.
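The CEO-impersonation email described above usually leaves traces in the message headers that a mail gateway or SOC script can check before a busy employee ever sees it. The following is an added example, not code from the article or from any of the firms quoted in it: it flags a known executive's display name paired with an outside address, a Reply-To that diverts answers elsewhere, failed SPF/DKIM/DMARC results, and urgent payment language. The company domain, executive list and both sample messages are constructed for illustration.

```python
"""Heuristic check for executive-impersonation (BEC) email.

Added example, not from the article: a small filter a mail gateway or SOC
script could run over inbound messages. The defended domain, the executive
directory and the two sample messages are all constructed.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"            # assumed defended domain
EXECUTIVES = {"jane doe", "john roe"}           # constructed executive directory
URGENCY = ("urgent", "immediately", "wire", "invoice", "gift card")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw: str) -> list:
    """Return the reasons a message looks like executive impersonation.
    An empty list means none of the heuristics fired."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reasons = []

    # 1. An executive's display name on a message sent from outside the company.
    key = " ".join(name.split()).lower()
    if key in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        reasons.append(f"display name '{name}' is an executive but sender is {addr}")

    # 2. Reply-To routes answers somewhere other than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and _domain(reply) != from_domain:
        reasons.append(f"Reply-To domain {_domain(reply)} differs from From domain {from_domain}")

    # 3. The receiving gateway's SPF/DKIM/DMARC evaluation reported a failure.
    auth = msg.get("Authentication-Results", "").lower()
    if any(tag in auth for tag in ("spf=fail", "dkim=fail", "dmarc=fail")):
        reasons.append("sender authentication failed")

    # 4. Urgent payment wording only counts once something else is already off.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if reasons and any(word in text for word in URGENCY):
        reasons.append("urgent payment language in subject or body")
    return reasons


# Constructed sample: outside address, diverted replies, failed checks, urgency.
SUSPICIOUS = "\n".join([
    "From: Jane Doe <jane.doe@exec-mail-example.net>",
    "Reply-To: accounts@pay-portal-example.org",
    "Authentication-Results: mx.example-corp.com; spf=fail; dmarc=fail",
    "Subject: Urgent invoice - please wire today",
    "",
    "I'm in a meeting, please pay the attached invoice immediately.",
])

# Constructed sample: genuine internal message from the real executive address.
LEGIT = "\n".join([
    "From: Jane Doe <jane.doe@example-corp.com>",
    "Authentication-Results: mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass",
    "Subject: Q3 planning",
    "",
    "See you at 3.",
])

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, analyze(sample))
```

The heuristics are deliberately simple and meant to quarantine or tag a message for a second look, not to block on their own; the authentication-results check assumes the receiving gateway writes that header, which most mail filters do.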

In 2019, the most prevalent cybercrime types reported to IC3 were phishing (or vishing/smishing/pharming), nonpayment/nondelivery, extortion, and personal data breach. (Phishing/vishing/smishing/pharming refers to unsolicited email, text messages and telephone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials.)

“The email account is not the only threat,” Hardin said. “More and more cybercriminals are utilizing phone calls to trick staff into thinking the police, IRS, Microsoft or FBI needs to remotely access their system. Such a simple mistake will allow the bad actor on their computer, able to upload ransomware or malware to steal credentials. Texting of malicious links is on the increase as well.”

The IC3 received 23,775 business email compromise (BEC) or email account compromise (EAC) complaints last year with adjusted losses of more than $1.7 billion. BEC/EAC is a sophisticated scam targeting both businesses and individuals performing a transfer of funds. The scam is frequently carried out when a subject compromises legitimate business email accounts to conduct unauthorized transfers of funds, according to the FBI report.

Scott County Schools in Georgetown fell victim last year to a $3.7 million BEC scam, but luckily was able to recover its funds.

Superintendent Kevin Hub said the scam was discovered when a vendor notified the district that it had not received payment for a recent invoice. That’s when officials learned that a fraudulent email from a hacker disguised as the vendor had led to the creation of an automated payment account. The email apparently had the school system’s electronic transfer paperwork filled out and attached, asking for the invoice to be paid.

There was no compromise to either the financial data system or the student data management system, and the scam was limited to a specific vendor payment process, Hub told media agencies at the time of the incident.

Kentucky State Police and the FBI investigated the case, and with the help of the two banks involved, the funds were recovered.

“Our internal investigation found no wrongdoing by any of our staff members, but yet we were a victim of this wire fraud,” Hub said.

A lot of companies fall for these kinds of scams, said Gui Cozzi, cybersecurity practice leader at Kentucky-based Dean Dorton, a CPA accounting firm with an IT security/tech consulting division that has locations in Raleigh, N.C., Lexington and Louisville.

The use of cloud computing and remote data access has created new challenges to security. As technology progresses to make things easier and cheaper for businesses, hackers continue to up their game.

Ransomware also remains a big threat to businesses, and the techniques used continue to evolve. Every 14 seconds, a business will fall to a ransomware attack, according to Willard of SimplifIT.

Most commonly, ransomware is downloaded onto a computer by someone who opens an attachment in a phishing email. Once the malware is downloaded and opened, it takes over the victim’s computer and can encrypt files across the entire network. The files essentially remain locked down until a ransom is paid. Companies with adequate backup systems could get away with not paying the ransom.

But hackers have recently taken ransomware a bit further, not only encrypting the files but also stealing them and threatening to expose the company’s data if the ransom is not paid, Willard explained.

“If you focus your strategy on having a good backup, that’s not enough now,” Cozzi said. “Because if your information is compromised, then it could leak. So you need to think through that and build a program around preventing that from happening.”

Once a hacker has your data, whether you pay the ransom or not, there’s no guarantee that the data won’t be sold to other cybercriminals.

“Once they’ve got your data, they own the data,” said MCM’s Kramer.

‘An ounce of prevention is worth a pound of cure’

To combat cybersecurity risks, businesses should have solid layers of security for protecting the IT infrastructure, Hardin said.

“Best practices dictate using business-class next-gen firewalls and advanced endpoint security products (antivirus) that utilize artificial intelligence to look for suspicious behaviors,” she said.

Unfortunately, many businesses – especially smaller ones with fewer employees and limited budgets – do not feel motivated to invest in cybersecurity protection until a threat has already been made. And by then, it is usually too late. Cleaning up the mess is very costly.

“For small businesses, it is a bit of an investment,” said Danaher of The AME Group. “The cost of breaches keeps rising. However, many business leaders don’t believe they are at risk so their investment in cybersecurity controls does not reflect their actual risk.”

Many companies think they don’t have data that could be stolen, or think their data is not valuable, Kramer said. The truth is: If you have a business, you have data that could be stolen and sold to cybercriminals on the dark web.

“Businesses will say, ‘Who wants my data?’ But I like to flip the question around and say, ‘Who wants your data? You do, so protect it,’” Kramer said.

Small and large companies should have a cybersecurity risk assessment performed by a reputable IT managed service provider to protect their data, which may include their clients’ information, the company’s intellectual property and employees’ personal information. The assessment will highlight where a business is vulnerable and outline a plan to shore up their defenses.

Alex Tietz, IT manager at Denham Blythe, a design/build firm based in Lexington, said risk assessments are imperative because they can offer insights into best practices that are not always available to small IT departments. It is a good way to close loopholes in security practices, he said.

“You want to get an assessment done from a company that specializes in security as well as a company that did not design your company’s infrastructure,” Tietz said. “An assessment is a good way to provide some checks and balances by having your security work checked. It can also help validate the expenses needed by IT to cycle out legacy equipment or integrate new software.”

“The security assessment has become a necessary tool when anyone wants to do business through the internet,” he added.

Next, employees should receive ongoing awareness training. Think 15 minutes a month instead of once a year for three hours. And they should be tested on what they’ve learned.

Phish testing is a good way to find out which employees are paying attention to the training and which ones need additional help. A company’s managed services provider can send phish test emails to employees to see how many are utilizing the training.

Training should be engaging and consistent, Cozzi said. Many IT service providers offer online, video-based training programs that help keep best cybersecurity practices top of mind. Several Kentucky firms offer free programs to the community and nonprofit agencies.

Tips to mitigate cybersecurity risks

• Limit access to networks. Not all employees need administrator access, for example.

• Keep operating systems and software updated. (“Say bye to Windows 7,” Hardin said.)

• Invest in quality antivirus software.

• Get as many layers of protection as possible. Use multifactor authentication, spam filters and firewalls.

• Password managers can help employees create and maintain secure passwords that are unique for each account. Passwords are gateways. They shouldn’t be the same for every account, and employees shouldn’t have them taped to their monitors.

• Have a written disaster recovery procedure in place and review it every year, Tietz recommended. “Have a solid business continuity plan that includes a backup of critical data off-site, and test the plan. Don’t just assume it works because a backup report says it was successful,” he added.
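Tietz's last tip, that a backup report saying "successful" proves nothing until you restore from it, is easy to turn into a routine check. The following is an added example, not code from the article or from any firm quoted in it: a simulated backup job that silently skips a file yet still reports SUCCESS, beside a verification step that restores the archive to a scratch directory and compares every file's SHA-256 hash against the live data. The sample files, archive layout and function names are constructed for illustration.

```python
"""Verify a backup by restoring it and hashing the result.

Added example, not from the article. create_backup() mimics a backup job
whose status report can be misleading; verify_restore() is the check that
Tietz's advice calls for. All sample data here is constructed.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map each file's POSIX-style path relative to root to its digest."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in root.rglob("*") if p.is_file()}


def make_sample_data(root: Path) -> None:
    """Create a few constructed 'critical' files to back up."""
    (root / "finance").mkdir(parents=True)
    (root / "finance" / "ledger.csv").write_text("vendor,amount\nacme,1200\n")
    (root / "hr").mkdir()
    (root / "hr" / "staff.txt").write_text("alice\nbob\n")
    (root / "README.txt").write_text("critical data\n")


def create_backup(src: Path, archive: Path, skip: set = frozenset()) -> str:
    """Simulated backup job. Files listed in `skip` are silently omitted, yet
    the job still returns 'SUCCESS', which is exactly the misleading report
    the verification step is meant to catch."""
    with tarfile.open(archive, "w:gz") as tar:
        for p in src.rglob("*"):
            rel = p.relative_to(src).as_posix()
            if p.is_file() and rel not in skip:
                tar.add(p, arcname=rel)
    return "SUCCESS"


def verify_restore(src: Path, archive: Path) -> dict:
    """Restore the archive into a scratch directory and diff it against src.
    Returns the missing and mismatched files; both empty means the backup
    is actually restorable."""
    expected = manifest(src)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the safe extraction filter where this Python version has it.
            kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(scratch, **kwargs)
        restored = manifest(Path(scratch))
    missing = sorted(k for k in expected if k not in restored)
    mismatched = sorted(k for k in expected
                        if k in restored and restored[k] != expected[k])
    return {"missing": missing, "mismatched": mismatched,
            "ok": not missing and not mismatched}


def demo() -> dict:
    """Run a complete job and a silently incomplete one through verification."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        make_sample_data(src)
        good, bad = work / "good.tgz", work / "bad.tgz"
        return {
            "report_good": create_backup(src, good),
            "report_bad": create_backup(src, bad, skip={"finance/ledger.csv"}),
            "verify_good": verify_restore(src, good),
            "verify_bad": verify_restore(src, bad),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the design is that both jobs report SUCCESS; only the test restore reveals that the second archive is missing the ledger. In practice the same check runs against the off-site copy on a schedule, and the restore target is a machine that is not the production server, so the exercise also rehearses the recovery plan itself.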

Training tomorrow’s tech troubleshooters

The increasing need to secure data and protect companies from cybercriminals in an ever-evolving technological landscape has led Kentucky universities to develop degree and certificate programs to train the next generation of cybersecurity specialists.

Last year, Northern Kentucky University renewed its designation as a National Center of Academic Excellence in Cyber Defense Education (CAE-CDE) for its Bachelor of Science in Computer Information Technology – Cybersecurity Track. The joint designation from the National Security Agency and the Department of Homeland Security recognizes NKU as having one of the top-tier cybersecurity programs in the nation.

NKU became the first institution in Kentucky and the Greater Cincinnati region to receive the designation in 2015. With the reaccreditation, NKU continues to hold the title through 2024.

The cybersecurity track is the highest enrolled track within the university’s computer information technology majors, according to Atley Smedley, NKU public relations specialist. Enrollment has grown 225 percent in the two years since the track first became available. NKU plans to begin offering a bachelor’s degree in cybersecurity this fall.

Bluegrass Community and Technical College, Owensboro Community and Technical College, the University of Louisville and Murray State University also have been designated a CAE-CDE through the year 2024. University of the Cumberlands has received the designation through 2022.

An online graduate cybersecurity certificate program is offered at UofL’s Speed School of Engineering. It prepares students to monitor and identify instances of cybercrime and respond to increasingly sophisticated attacks against the nation’s information infrastructure. The 12-credit-hour program was developed as part of UofL’s Cyber Security Initiative, which aims to deliver more educated and more informed computer science and engineering professionals to the industry.

The certificate credits can be rolled into UofL’s online Master of Science in Computer Science program.

“ … in a world continuously plagued by threats to our expanding databases, cybersecurity professionals are more essential to keeping our information secure than ever before – with jobs expected to grow 28% over the next decade,” UofL says on its cybersecurity program website. “Graduates of this program can apply their knowledge to various careers in areas like network security, risk auditing or management, software security engineering, penetration testing, information security analysis, information forensics, cyberthreat intelligence and more.”

UofL partnered last year with IBM to open the IBM Skills Academy at the university’s Center for Digital Transformation. The academy’s curriculum concentrates on fast-growing technology areas like artificial intelligence, blockchain technology, cloud computing, cybersecurity, data science, quantum computing and more. The partnerships give students and faculty access to leading curriculum, software, industry experts and other educational materials.

The skills academy is the first of its kind that IBM has developed with a higher education institute.

Eastern Kentucky University’s digital forensics and cybersecurity bachelor’s degree program has been recognized as one of the best programs in the nation by Bachelors Degree Center. It is one of the first two programs accredited by the Forensic Science Education Programs Accreditation Commission. Students in the program learn to defend cyber networks, quickly respond to cybersecurity incidents, and examine electronic devices and networks to collect digital evidence that can be used in a court trial.

The University of Kentucky College of Engineering also offers a cybersecurity certificate program to degree-seeking undergraduate students in the College of Engineering. The program, which began in the fall of 2019 and has 14 students, prepares students to understand the challenges of cybersecurity, identify potential threats and design effective countermeasures.

Lorie Hailey is special publications editor of The Lane Report. She can be reached at [email protected]