Go Phish! Why Your Organization Should Implement Phishing Exercises

If there was a single, simple action that you could take today that could cut the potential of phishing attacks in half, would you do it?

24 Jan

Great news — taking steps to keep your organization safe from this intrusive type of cyber-attack may be easier than you realized. One-time training for employees to stay vigilant is only the first skirmish in the battle to secure your organization’s digital assets. Ongoing education and reinforcement of the message to be cautious, all presented in a way that employees won’t rebel against, is the first line of defence against spear phishing.

Scope of damage from phishing attacks

The FBI calls them business email compromise scams, but most cybersecurity professionals are more familiar with the term phishing, with spear phishing being the newer variant that targets specific individuals based on their organizational ties or position. With nearly $1.6 billion in losses by U.S. businesses between 2013 and 2016 at organizations of all sizes and segments, spear phishing is costing individual businesses millions of dollars per year. Cybercriminals are targeting real estate and title professionals and attorneys slightly more often, but no business is immune. Any organization in which large sums of money change hands, or in which employees have access to wire transfer details or personal information, is at risk.

Awareness and education

While education around cyber threats has often been in the realm of an organization’s IT department, today’s security heads are finding allies in the human resources department. By making cybersecurity training a key part of each new hire’s orientation, you’re starting the business down the path of caution. You’re also protecting the enterprise from the most vulnerable part of the corporate population — new employees, who are more likely to click first and ask questions later. Once IT has defined the training to be received, HR can be a large part of ensuring that all adequate training, testing and re-training is completed in a timely manner.

Employee penetration testing

Even the most intensive training schedule can’t protect your business from today’s sophisticated cybercriminals. While hacks in the past have been easily spotted with poorly-spelt entreaties to send thousands of dollars to Africa or the Philippines, cyber thieves have become much savvier. You’re much more likely to receive a coupon for a free pizza from a trusted brand — complete with corporate logo — as a phishing attack. A comprehensive testing strategy for employees at all levels is a more effective tool than any after-the-fact cleanup or recovery program, and it can help reduce the likelihood of an attack by up to 50 percent.

Powerful testing strategies

Creating a positive environment for learning within the organization is critical; never shame employees who may have made a simple mistake and clicked something they shouldn’t have. Instead, gently remind them of the importance of knowing where emails come from, previewing links and other ways to stay safe online. Here are a few additional tips to promote positive engagement with your teams:

  1. Don’t exclude anyone, even Help Desk employees or senior management. They’re prime targets for this type of attack.
  2. Keep testing short and to the point. When you make it a quick lesson in making the right decision when presented with a phishing email, you’ll cause less resentment in the ranks.
  3. Stay consistent. Organizations that test regularly are more likely to keep the threat of attack top-of-mind.
  4. Get creative with your attacks! Fake websites asking for personal information, dangerous attachments or links and download requests are only a few ways to keep your team on their toes.
  5. Make the program engaging. Consider adding a gaming component with incentives for teams with the best record of spotting the attacks.

While the first time you run a test may seem a bit depressing due to the number of people willing to click on a fake link or download something sketchy, it’s ultimately safer to use these training exercises as a way to educate your teams on cybersecurity.

Sharing results and ongoing communication

Again, stay away from shaming or sharing names of people who went for the bait. Instead, focus on positive outcomes and communicate that the test occurred (and the results) in a timely manner. Use this ongoing communication to educate your organization on what to do when they see something that seems like it could be a phishing attack. Use this opportunity to re-educate the Help Desk and technology teams to stay neutral and positive, and request that employees share anything they find that could be questionable — before or after they click a link or download a file. Early notification of something that’s “phishy” could allow you the few minutes needed to add a layer of protection or change passwords before they are used.
