<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Climbing the IT Career Ladder &#187; malware</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/IT-ladder/tag/malware/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/IT-ladder</link>
	<description>Robin "Roblimo" Miller's tips for getting ahead in IT</description>
	<lastBuildDate>Wed, 03 Oct 2012 18:15:05 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>You&#8217;ve Closed All Your External Security Holes, but What About Your Bosses?</title>
		<link>http://itknowledgeexchange.techtarget.com/IT-ladder/youve-closed-all-your-it-external-security-holes-but-what-about-your-bosses/</link>
		<comments>http://itknowledgeexchange.techtarget.com/IT-ladder/youve-closed-all-your-it-external-security-holes-but-what-about-your-bosses/#comments</comments>
		<pubDate>Thu, 24 May 2012 12:46:41 +0000</pubDate>
		<dc:creator>Robin "Roblimo" Miller</dc:creator>
				<category><![CDATA[app]]></category>
		<category><![CDATA[baddies]]></category>
		<category><![CDATA[CEO]]></category>
		<category><![CDATA[CFO]]></category>
		<category><![CDATA[CTO]]></category>
		<category><![CDATA[executives]]></category>
		<category><![CDATA[fake]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[insecurity]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[phishing]]></category>
		<category><![CDATA[smartphone]]></category>
		<category><![CDATA[spear-phishing]]></category>
		<category><![CDATA[spoof]]></category>
		<category><![CDATA[threat]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/IT-ladder/?p=447</guid>
		<description><![CDATA[You&#8217;ve Closed Your IT Security Holes, but What About Your Bosses? Here you are, Mr. or Ms. Totally Skilled IT Security Honcho, detecting intrusions before they happen and using cloud-based digital antibiotics to eliminate Windows funguses before they infect your systems, but you still have bosses, and they can be major points of malware infection [...]]]></description>
				<content:encoded><![CDATA[<p>You&#8217;ve Closed Your IT Security Holes, but What About Your Bosses?</p>
<p>Here you are, Mr. or Ms. Totally Skilled IT Security Honcho, detecting intrusions before they happen and using cloud-based digital antibiotics to eliminate Windows funguses before they infect your systems, but you still have bosses, and they can be major points of malware infection and other IT insecurities &#8212; unless you take the time to train them about baddies who specifically go after them using <a href="http://www.knowbe4.com/about-us/press-releases/knowbe4-warns-of-new-cybercrime-tactic/">spear-phishing</a> tactics. <span id="more-447"></span></p>
<p>Plain old phishing is bad enough. Spear-phishing is worse because it specifically targets (like a spear; get it?) executives and business owners. This threat is common enough that there&#8217;s a guy in Clearwater, Florida, named Stu Sjouwerman who has made a business called <a href="http://www.knowbe4.com/">KnowBe4</a> out of dealing with human security problems, including spear-phishing. </p>
<p>A prime example Stu gives us is the <strong>fake Better Business Bureau Complaint.</strong> </p>
<ul>
<li>In this scam, Stu writes, executives will receive an official-looking email that is spoofed to make it appear as if it comes from the Better Business Bureau. The message either details a complaint that a customer has supposedly filed, or claims that the company has been accused of engaging in identity theft. A complaint ID number is provided, and the recipient is asked to click on a link if they wish to contest or respond to the claim. Once the link is clicked, malware is downloaded to the system.</li>
</ul>
<p>Now, <em>you</em> would spot this phony pitch. But would your sales director? Or your warehouse manager?</p>
<ul>
<li>How about this one?
<p><strong>A Smartphone (pseudo)Security App</strong> – With minimal research, cybercriminals can easily find the names and email addresses of a company’s senior management. Armed with that information, they can spoof an email from the CEO asking the CFO to click a link. Once clicked, it downloads a keystroke logger to the CFO’s computer. By this means, the hacker can obtain bank account information and passwords. If the bank uses two-factor authentication, the scammer simply spoofs an email from the bank asking the CFO to install a smartphone security app, which is actually more malware. And with that, the cybercriminals have full access to the CFO’s account login credentials, and control any two-factor text messages sent to the CFO.</li>
<li>Or this one:
<p><strong>Layoff Notice</strong> – This particular phishing tactic takes advantage of the current economic climate and targets employees. It begins with a spoofed email from the CEO or Human Resources informing recipients that they have been laid off, but that they are eligible for severance and unemployment benefits. Employees are asked to click a link to register for severance pay. The landing page looks just like the company’s website, and asks users to enter their name and social security number to log in. However, the website actually triggers a malware download to the user’s system; and if the victim enters any personal details, they are immediately at risk for identity theft.
</li>
<li>Even better, what about a <strong>Free Dinner in Return for Feedback?</strong>
<p>By reviewing an executive’s social media profiles, cybercriminals are able to determine what organizations that individual supports or does business with, as well as his or her favorite local restaurants. The scammer will then spoof an email from a representative of one of those charities or organizations, asking the recipient to download a PDF that supposedly contains details on an upcoming campaign or event, and promises free dinner at the local restaurant as an incentive for providing feedback. When the PDF is downloaded, it installs malware to the system – and gives hackers direct access to the network.</li>
<li>And what about a notice that says <strong>you&#8217;re being sued?</strong>
<p>In this scenario, cybercriminals cull the email addresses of a company’s executives and legal counsel. They will then spoof an email from the legal counsel to the executive team, and attach a PDF that purports to contain information about new or pending litigation. When the recipients download the attachment, their system becomes infected and the entire network is compromised.</li>
</ul>
<p>Stu says, &#8220;When executives receive a time-sensitive email that appears to be sent by the Better Business Bureau, a fellow exec, their legal counsel or an organization they support, most won’t think twice before clicking because they trust the person they believe is the sender. That’s what cybercriminals are counting on, and why they’re willing to invest the time to create realistic-looking messages from familiar sources. They’ve discovered just how effective these types of spear-phishing scams can be.&#8221;</p>
<p>The only defense is training &#8212; not just once, but regular updates, too. As you might imagine, Stu&#8217;s company will happily help you with human security training &#8212; for a fee. But KnowBe4 also has a free <a href="http://www.knowbe4.com/phishing-security-test/">Phishing Security Test</a> you might want to take, and Stu&#8217;s book, <a href="http://www.amazon.com/Cyberheist-financial-American-businesses-meltdown/dp/0983400008/">Cyberheist: The biggest financial threat facing American businesses since the meltdown of 2008</a>, only costs $21.99 in paperback and $9.99 for Kindle, which is not much to pay for solid insight into security holes you might not have thought about before.</p>
<p>And there&#8217;s always the &#8220;do it yourself&#8221; alternative: looking online for all the information you can get about phishing and other &#8220;human IT insecurity&#8221; problems, and coming up with your own, internal security course &#8212; and updates. You cannot forget the updates whether you work with someone like <a href="http://www.knowbe4.com/">KnowBe4</a> or go it alone, because people will gradually forget what they learned in your security briefings, and will revert to their old, bad habits unless you stay on top of them regularly, not for just a month or two but forever. </p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/IT-ladder/youve-closed-all-your-it-external-security-holes-but-what-about-your-bosses/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Prepare for IT Employees&#8217; Departures When You Hire Them, if not Sooner</title>
		<link>http://itknowledgeexchange.techtarget.com/IT-ladder/prepare-for-it-employees-departures-when-you-hire-them-if-not-sooner/</link>
		<comments>http://itknowledgeexchange.techtarget.com/IT-ladder/prepare-for-it-employees-departures-when-you-hire-them-if-not-sooner/#comments</comments>
		<pubDate>Mon, 12 Sep 2011 19:15:33 +0000</pubDate>
		<dc:creator>Robin "Roblimo" Miller</dc:creator>
				<category><![CDATA[access]]></category>
		<category><![CDATA[disgruntled]]></category>
		<category><![CDATA[ex-employee]]></category>
		<category><![CDATA[felony]]></category>
		<category><![CDATA[hire]]></category>
		<category><![CDATA[keylogger]]></category>
		<category><![CDATA[lawsuits]]></category>
		<category><![CDATA[layoff]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[miscreants]]></category>
		<category><![CDATA[paranoia]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[policies]]></category>
		<category><![CDATA[pre-nup]]></category>
		<category><![CDATA[processes]]></category>
		<category><![CDATA[protect]]></category>
		<category><![CDATA[sabotage]]></category>
		<category><![CDATA[server]]></category>
		<category><![CDATA[skills]]></category>
		<category><![CDATA[subordinates]]></category>
		<category><![CDATA[systems]]></category>
		<category><![CDATA[termination]]></category>
		<category><![CDATA[trust]]></category>
		<category><![CDATA[VPN]]></category>
		<category><![CDATA[Web]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/IT-ladder/?p=250</guid>
		<description><![CDATA[Alan Wlasuk, managing partner of 403 Web Security, spent some time last week telling me how to fire or lay off your IT subordinates without creating situations like this embarrassing one the City of San Francisco managed to get itself into. And the basis of his advice was that the time to start preparing security [...]]]></description>
				<content:encoded><![CDATA[<p><a href="http://403.wddinc.com/about-us/">Alan Wlasuk</a>, managing partner of <a href="http://403.wddinc.com/home/">403 Web Security</a>, spent some time last week telling me how to fire or lay off your IT subordinates without creating situations like <a href="http://www.tomsguide.com/us/san-francisco-network-admin,news-1970.html">this embarrassing one</a> the City of San Francisco managed to get itself into. And the basis of his advice was that the time to start preparing security measures for an employee you need to terminate is when you hire them &#8212; if not sooner.<br />
<span id="more-250"></span><br />
<strong>Trust No One</strong> </p>
<p>Alan admits his &#8220;trust no one&#8221; attitude comes from his New Jersey upbringing and is not common among his Indianapolis neighbors and coworkers. But the essence of computer security is forethought mixed with paranoia. Rather than protecting against what miscreants have done in the past, you must think about what they <em>might</em> do in the future. </p>
<p>Realize, too, that all good things must come to an end. The person you hire today will sooner or later move to another job or retire or even die in the saddle, leaving his home office desk and all the papers in it (including your corporate passwords) to his nephew who has felony convictions in five states. Or your company may suffer business reverses one day and be forced to let your new hire go. </p>
<p>Think pre-nup. Everything is lovey-dovey today, but will everything be lovey-dovey 10 years from now? We have no way of knowing.</p>
<p>What we <em>do</em> know, however, is that by having security access policies in place, and following them, we can minimize the risk of disgruntled ex-employees sabotaging our IT infrastructure. And rule number one for doing this is to give people only as much access as they need to do their jobs. Alan says he&#8217;s not just talking about passwords, but that &#8220;key code access to server rooms and external access to IT systems should be limited only to those who absolutely need these privileges.&#8221;</p>
<p>He also says:</p>
<ul>
<li>There should be well-established, written policies in place for when new employees start as well as for the time of their departure. </li>
<li>
Established policies that are carried out for all employees avoid the chance of missing a critical step. </li>
<li>
Fixed policies do not allow a disgruntled employee the chance to claim unfair policies were directed at him or her.</li>
<li>
Consistent policies also prevent the company from skipping processes because the employee was deemed trustworthy.</li>
</ul>
<p><strong>Fast-forward nine years</strong></p>
<p>Why nine years? Why not? Anyway, a good long time after hiring, your no-longer-new person may start coming back from lunch with the smell of liquor on his breath. At the same time, changes in your business make his skills less valuable than they once were, and he has made no effort to learn new ones. </p>
<p>It&#8217;s time to say, &#8220;Hit the road, Jack.&#8221;</p>
<p>But before you say that (or even start humming the <a href="http://www.youtube.com/watch?v=-IopVJ3EoKU">famous Ray Charles song</a>), you need to alert IT personnel &#8212; especially management &#8212; about the impending departure. In confidence. And, Alan says, you need to review &#8220;all of the company systems the employee has access to. Make a check list of the affected systems and require a confirmation of action once the employee leaves.&#8221;</p>
<p>The check list is important, because forgetting one key or a single obscure password can ruin the rest of your careful security preservation work. And your termination checklist should cover all employees in order to protect yourself from termination-based lawsuits &#8212; which might be frivolous, but can still be expensive and should be avoided whenever and however possible. &#8220;Consistent policies,&#8221; right?</p>
<p>Here&#8217;s Alan&#8217;s basic &#8220;time of departure&#8221; checklist:</p>
<ul>
<li>Collect all company IT hardware – computers, keys, fobs, SecurID tokens, and cancel access to any company systems that the employee had access to. This would be internal systems as well as external (i.e., VPN access).</li>
<li>Inform IT vendors of the employee’s departure – they might be the target of a social engineering attack if they are not aware the employee has left the company.</li>
<li>Change the passwords on all company email accounts used by the employee. (Alan also suggests redirecting the employee’s email to a manager for a short period of time to detect any suspicious behavior.)</li>
<li>Don’t forget to change passwords not only to obvious systems but also on seemingly benign Internet applications that the employee might have access to (i.e., company website, Facebook, LinkedIn).</li>
<li>Consider the employee’s company computer and all computers the employee had access to as possible sources of malware. A key logger or malware might send information from the ex-employee’s former computer to an external hacker when that machine is given to or used by another employee. If possible, have these computers checked.</li>
</ul>
<p>&#8212;&#8212;-</p>
<p>Alan says that if you learn nothing else from what he&#8217;s said here, you should remember two main points: </p>
<ul>
<li>Treat departing IT employees with respect &#8212; and be consistent, with firm, well-established processes that protect the company.</li>
<li>Operate your company on a need-to-access policy, not on freedom of information. Most companies do a really poor job of this.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/IT-ladder/prepare-for-it-employees-departures-when-you-hire-them-if-not-sooner/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
