When it comes to cybersecurity, employees are weakest link

Employee hubris is costing companies — and possibly you — a lot of money.

Some workers are spending less than a minute on their company’s cybersecurity training because they think they know everything, a University of Buffalo associate professor told a Las Vegas audience on Thursday.

Those workers, however, tend to think their colleagues aren’t as cyber-sophisticated as they are.

“Everyone thinks they are a genius. They don’t take (the training) seriously,” said Arun Vishwanath, who has been studying for the past decade how hackers and cyberterrorists compromise users. He was speaking at the Black Hat cybersecurity conference at Mandalay Bay.

Phishing attacks are growing and becoming more consequential with nearly every industry now impacted, said Vishwanath. There were 300,000 infections in 150 countries in less than 48 hours, he said. Successful phishing attacks can lead to hackers acquiring customers’ personal information.

Hackers succeed more when they use logos of companies that people trust, such as Google and Amazon, in their phishing emails, he said.

The employee is the weakest link in an organization’s defense line and thus companies are spending billions on traditional training programs to cognitively arm them, he said. However, studies show they have minimal impact.

Vishwanath said 32 percent of employees at a major bank clicked on a phishing link in the weeks following a cyber training class. That compared with 35 percent of those who received no training.

Another form of training that involves cybersecurity specialists sending phishing emails to employees has only slightly better results, Vishwanath said.

“When I talk to security folks, they are constantly lamenting how users are not paying attention,” he told the hundreds of security specialists attending his presentation.

Technology employees are no less susceptible than other workers due to the same hubris problem, he said.

“People who are in information security think they are smarter than they are,” he said.

Companies need to incorporate people’s self confidence as well as their habits into their training programs, said Vishwanath. Many people fall victim to phishing attempts because they are checking their email while walking or talking, he pointed out.

“It is easier for me to get you to click on a link if you are on a mobile device,” he said.

Black Hat, now in its 20th year, attracts more than 15,000 cybersecurity professionals and 290 exhibitors. The six-day show, which features courses and nearly 120 talks on various issues, ends Thursday.

Contact Todd Prince at tprince@reviewjournal.com or 702-383-0386. Follow @toddprincetv on Twitter.