“I believed that cyber awareness training was useless because I believed my users were probably untrainable,” Levine, cybersecurity advisor at Wombat Security and a former CISO at aluminum giant Alcoa and its spinoff Arconic, said. “What I learned was that it was a pivotal and critical part of my cyber defense strategy.”
At the recent InfoSec World conference, he shared the story of how a cyberattack on Alcoa turned him into a strong proponent of security awareness training.
In 2008, while he was the CISO at Alcoa, Chinese hackers created an email account claiming to be that of then Nissan CEO and Alcoa board member Carlos Ghosn and sent an email to 19 senior Alcoa employees. The message included malware in an attachment disguised as an agenda for the company’s board meeting. Users were tricked into downloading the malware, allowing the alleged hackers to gain access to Alcoa’s network. They stole nearly 3,000 emails containing sensitive information that included internal discussions about a partnership with a Chinese state-owned enterprise.
“I can tell you that we had just about everything in place that we could to prevent against a cyberattack, with the exception of a formal cyber awareness program,” he said.
Levine realized it was time to deploy a cyber awareness program that was formal, structured and measurable. It would also give his organization an additional level of confidence that the users he had believed were “untrainable” might have a chance to do the right thing the next time they received a phishing email, he said.
“We looked at acquiring a program. I wanted to be able to test the condition, and retest certain users whom I call my ‘problem children’ who would fail test-phish after test-phish. I also wanted to know who was refusing to take training,” he said.
Before deploying the cyber awareness program, they had test-phished 650 employees in the CFO’s department and 66% fell for the phishing scam, he said. After training and retraining the same group of people, that number came down to 16%, he added.
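The measurement loop Levine describes (baseline test-phish, train, retest, flag the users who keep failing and the ones who have not taken training) as an added example; it is not code from the article or from Wombat Security, and the campaign records and user names are constructed for illustration:

```python
from collections import Counter

# Constructed phishing-simulation records (not Alcoa data): one row per
# (campaign, user), whether the user clicked the simulated phish, and
# whether the user had completed the assigned training at that point.
RESULTS = [
    # campaign,  user,    clicked, training_done
    ("baseline", "alice", True,  False),
    ("baseline", "bob",   True,  False),
    ("baseline", "carol", False, False),
    ("baseline", "dave",  True,  False),
    ("baseline", "erin",  True,  False),
    ("baseline", "frank", False, False),
    ("retest",   "alice", True,  True),
    ("retest",   "bob",   False, True),
    ("retest",   "carol", False, True),
    ("retest",   "dave",  True,  False),
    ("retest",   "erin",  False, True),
    ("retest",   "frank", False, False),
]


def click_rate(results, campaign):
    """Percentage of targeted users who clicked in the named campaign."""
    rows = [r for r in results if r[0] == campaign]
    if not rows:
        raise ValueError(f"no records for campaign {campaign!r}")
    return round(100 * sum(r[2] for r in rows) / len(rows), 1)


def repeat_clickers(results, min_failures=2):
    """Users who clicked in at least min_failures campaigns (the 'problem children')."""
    fails = Counter(user for _c, user, clicked, _t in results if clicked)
    return sorted(u for u, n in fails.items() if n >= min_failures)


def training_refusers(results, campaign):
    """Users still without completed training as of the named campaign."""
    return sorted(user for c, user, _k, done in results if c == campaign and not done)


def summarize(results, baseline, retest):
    """The numbers a CISO would report: before/after rate plus the follow-up lists."""
    return {
        "baseline_rate": click_rate(results, baseline),
        "retest_rate": click_rate(results, retest),
        "repeat_clickers": repeat_clickers(results),
        "untrained": training_refusers(results, retest),
    }


if __name__ == "__main__":
    print(summarize(RESULTS, "baseline", "retest"))
```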
The program helped users become aware of phishing attacks, he said. Over time, more users learned how to identify a phish and know what to do when they saw one, he added.
“It was an incredible turning event for me, as a CISO. What I learned was that all of my budget was going towards my first line of defense … I wasn’t spending a penny on my users, my last line of defense,” he said. “If a user receives an email that has a link or an attachment, that user has a binary choice: to click or not click. If they made the wrong choice, that next attack would be successful and unauthorized exfiltration would be possible.”