Phishing Your Employees Has Benefits

The recent worldwide ransomware attacks put a spotlight on two key cybersecurity issues. First, software vulnerabilities can lead to disastrous results if not patched. Second, duping users into opening malicious software, or malware, is the oldest but most successful trick in the book. According to published reports, many victims of the recent attacks were enticed to open the malware by an email that purported to be legitimate but actually downloaded malware or ransomware onto their computers. This type of phishing email remains one of the biggest threats to companies today.

Companies need to take a proactive approach to effectively train their employees to identify, report and respond to phishing emails. For many years, cybersecurity training for employees was limited to reading material. Expecting employees to read a document and then be savvy enough to identify all phishing emails is not realistic, especially considering the diversity and sophistication of many scams. A more experiential training method has greater promise.

The idea is simple - create a phishing email that mimics one your employees might actually receive, such as an important message from human resources. It should entice the user to click an embedded link; if they do, the link leads to training material notifying the employee that the email is part of a company-sanctioned training exercise. The message should highlight the phishing indicators in the email and advise the employee how to report phishing scams.

In this scenario, every employee who gets caught receives needed training immediately. Phishing exercises like this leverage the same benefits of a fire drill or similar experiential training where employees experience a situation with the opportunity to exercise the proper response. This training can be supplemented with videos and reading material.

Having run this exercise for different organizations, I can attest to its immediate and measurable impact on improving security awareness. At the beginning, the percentage of users who are caught may be shockingly high. However, by conducting regular phishing campaigns monthly or quarterly, you will see the percentage steadily decrease. An additional benefit is users may become so sensitive that they report phishing emails your security tools and monitoring may have missed, effectively increasing support for your cybersecurity program.

Despite the positive impacts of a company-sponsored phishing training program, there are two caveats worth mentioning. First, in a typical business environment, there will always be a small single-digit percentage of users who will be caught by phishing emails. A steady schedule of phishing training campaigns is necessary to maintain a lower percentage. Second and most important, establishing a training program as described requires planning and formal support. Do not simply create a phishing email and send it to your employees. That is a recipe for disaster and will not be effective in the long run. In addition to considering assistance from a technology leader or other cybersecurity professional, here are some tips for establishing a company phishing training program:

  • Before you start, make sure your company has procedures for handling real-world phishing attacks and that employees are trained on them.

  • Ensure your company leaders are all on board with the program as executive-level buy-in is important should any employee question the program and its methods.

  • Evaluate the software tools made specifically to implement a phishing program like this. Pricing is more reasonable than it was years ago, but make sure the tool is from a reputable company, matches the skill level of the intended operators in your company and meets your training objectives.

  • If your training email impersonates an internal department, notify the department head before sending it out so they are not caught off-guard.

  • When reporting your training results, focus on trends instead of on the individuals who are duped. Repeat offenders should receive additional training but in general, focus on improving the company’s overall security posture.
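The article twice stresses measuring the program by trends across campaigns rather than by naming individuals, while still routing repeat offenders to extra training. The following script is an added example, not code from the article or from any phishing-simulation product: it aggregates constructed per-recipient results for three hypothetical campaigns into per-campaign click and report rates, computes the campaign-over-campaign trend, and keeps employee identifiers out of the trend report while producing a separate, private list of repeat clickers. The record format, campaign names and employee ids are all assumptions for the example.

```python
"""Trend-focused reporting for a phishing awareness program (added example).

Each record is one simulated-phishing email delivered to one employee:
(campaign, employee_id, clicked_link, reported_email). The data below is
constructed for illustration and is not from any real campaign.
"""
from collections import defaultdict

# Constructed sample data: three quarterly campaigns, five employees each.
RESULTS = [
    ("2024-Q1", "e001", True, False),
    ("2024-Q1", "e002", True, False),
    ("2024-Q1", "e003", True, False),
    ("2024-Q1", "e004", False, True),
    ("2024-Q1", "e005", False, False),
    ("2024-Q2", "e001", True, False),
    ("2024-Q2", "e002", False, True),
    ("2024-Q2", "e003", False, True),
    ("2024-Q2", "e004", False, True),
    ("2024-Q2", "e005", False, False),
    ("2024-Q3", "e001", False, True),
    ("2024-Q3", "e002", False, True),
    ("2024-Q3", "e003", False, True),
    ("2024-Q3", "e004", False, True),
    ("2024-Q3", "e005", True, False),
]


def campaign_summary(results):
    """Per-campaign totals and rates (percent, one decimal), keyed by campaign."""
    per = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for campaign, _emp, clicked, reported in results:
        row = per[campaign]
        row["sent"] += 1
        row["clicked"] += int(clicked)
        row["reported"] += int(reported)
    summary = {}
    for campaign in sorted(per):  # ISO-style names sort chronologically
        row = per[campaign]
        summary[campaign] = {
            **row,
            "click_rate": round(100 * row["clicked"] / row["sent"], 1),
            "report_rate": round(100 * row["reported"] / row["sent"], 1),
        }
    return summary


def click_rate_trend(summary):
    """Campaigns in order, their click rates, and deltas between consecutive
    campaigns. A negative delta means fewer employees were caught."""
    campaigns = sorted(summary)
    rates = [summary[c]["click_rate"] for c in campaigns]
    deltas = [round(b - a, 1) for a, b in zip(rates, rates[1:])]
    return campaigns, rates, deltas


def repeat_clickers(results, min_clicks=2):
    """Employees who clicked in at least min_clicks distinct campaigns.
    This list is for scheduling additional training, not for the trend report."""
    clicks = defaultdict(set)
    for campaign, emp, clicked, _reported in results:
        if clicked:
            clicks[emp].add(campaign)
    return sorted(emp for emp, cs in clicks.items() if len(cs) >= min_clicks)


def trend_report(results):
    """Aggregate-only text report: contains rates and deltas, never employee ids."""
    summary = campaign_summary(results)
    campaigns, rates, deltas = click_rate_trend(summary)
    lines = ["campaign   sent  click%  report%  delta"]
    for i, c in enumerate(campaigns):
        s = summary[c]
        delta = "" if i == 0 else f"{deltas[i - 1]:+.1f}"
        lines.append(f"{c:9} {s['sent']:5} {s['click_rate']:7.1f} "
                     f"{s['report_rate']:8.1f}  {delta}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(trend_report(RESULTS))
    # Kept separate from the report and shared only with the training owner.
    print("repeat clickers (private):", repeat_clickers(RESULTS))
```

Run stand-alone it prints the campaign table (click rate falling from 60% to 20%, report rate rising from 20% to 80% on the constructed data) and, separately, the single repeat clicker. Keeping `trend_report` free of identifiers by construction, rather than by redacting afterwards, is what makes the trend-first reporting the article recommends easy to honour.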

By engaging employees directly with training that simulates real phishing attacks, companies can further reduce their risk of being affected by malicious phishing campaigns.

© Honolulu Star-Advertiser