So, you're thinking about phishing your own employees. But what are the repercussions?
Will it even be successful in raising awareness? So many questions and, luckily for you, so many answers...
The current state of phishing
"91% of cyber attacks begin with a phishing email" - this widely quoted statistic alone gives you a pretty good idea of how serious a threat phishing is to end users.
But it's not only the less technical or lower-level employees who fall for phishing scams; these attacks reach all the way up the ladder, right through to the C-suite. From running many simulated phishing campaigns ourselves, it's clear that spear phishing campaigns targeting C-level executives (often called whaling) produce a much higher compromise rate than generic mass mailings.
The question often gets asked as to how businesses can improve the security awareness of all their end users, especially given that many employees make basic cyber security mistakes every day. Many companies are attempting to tackle this with sporadic training based on the old tick-box approach.
But a lack of consistent, jargon-free education, combined with a failure to monitor and report on the progress of each user's cyber security knowledge, is a significant reason why phishing is still coming out on top, and why many security awareness programs just aren't up to scratch.
So, what can you actually do to raise awareness?... PHISH YOUR EMPLOYEES!
Now, we're not suggesting that you scam your finance team... we mean the opposite. Educate your users with realistic, real-world-style attacks to test just how effective their cyber education really is. We've compiled a short list of the benefits of simulating a phishing attack on your users...
#1 Expose your employee's biggest cyber security flaws
Phishing your users first lets you see who clicked the 'malicious' link, who submitted credentials on the landing page, and, just as importantly, who reported the email. This gives you an excellent insight into just how exposed your workforce is. Not only is this useful for seeing where the weaker links are, it is also an efficient way to discover which departments are most susceptible to a phish.
Many businesses are guilty of raising awareness only in the perceived "higher risk" departments. However, every user has access to company-sensitive information, and all of them should receive the same level of education and awareness. It is important to follow the 'engage, not enrage' methodology when running a simulation: give employees individual, private feedback rather than naming and shaming them.
#2 Increase the awareness around phishing emails
The more your workforce is exposed to these types of emails and their tell-tale signs, the more likely they are to spot the red flags. There is also the opportunity to shock the more complacent staff members into realising just how vulnerable they are to social engineering. As mentioned before, it can be difficult for an end user to see how important they are in the security chain, so targeting them with a mock phishing test can be an effective wake-up call.
Some individuals also believe they can spot the obvious signs of such emails, such as a suspicious sender domain, odd language or unusual requests, but a well-crafted pretext can still win a user's trust. If they can already spot a phishing email, then great. If not, then at least the gap is found and closed before a real phisher finds it.
#3 Educate those who failed in the 'attacks'
Once your employees have seen these phishing emails and what they look like, you can educate them on how to avoid them, how to report them, and how to spot the other common signs and types of phishing attack.
Avoid the irregular training mentioned earlier. Keeping the training consistent, whilst also avoiding learning fatigue, is crucial. Make sure you can measure how effective the training has been and where there is room for improvement; a click rate that does not fall between campaigns, or a report rate that does not rise, tells you the training is not landing.
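Measuring the results of a simulation (points #1 and #3 above) comes down to a few aggregates: click, credential-submission and report rates per department, the trend across campaigns, and a private list of people who need one-to-one follow-up. The script below is an added example, not code from the original post or from any particular simulation product; it assumes a hypothetical CSV export with the columns campaign, user, department, clicked, submitted, reported, and the sample rows embedded in it are constructed, not real data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export from a hypothetical simulation tool (not real data).
# One row per recipient per campaign; the three flags are "1" or "0".
SAMPLE_RESULTS = """\
campaign,user,department,clicked,submitted,reported
2024-Q1,alice,finance,1,1,0
2024-Q1,bob,finance,0,0,1
2024-Q1,carol,engineering,0,0,1
2024-Q1,dave,engineering,1,0,0
2024-Q1,erin,exec,1,1,0
2024-Q2,alice,finance,1,0,0
2024-Q2,bob,finance,0,0,1
2024-Q2,carol,engineering,0,0,0
2024-Q2,dave,engineering,0,0,1
2024-Q2,erin,exec,1,0,0
"""

FLAGS = ("clicked", "submitted", "reported")


def parse_results(text):
    """Parse the CSV export into a list of dicts with boolean flag fields."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        row = {"campaign": rec["campaign"], "user": rec["user"],
               "department": rec["department"]}
        for flag in FLAGS:
            row[flag] = rec[flag].strip() == "1"
        rows.append(row)
    return rows


def department_rates(rows, campaign=None):
    """Per-department aggregates: recipients, and the fraction who clicked,
    submitted credentials, or reported. Aggregates only, so the numbers can be
    shared with management without naming individuals."""
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for row in rows:
        if campaign is not None and row["campaign"] != campaign:
            continue
        c = counts[row["department"]]
        c["sent"] += 1
        for flag in FLAGS:
            c[flag] += int(row[flag])
    return {dept: {"sent": c["sent"],
                   "click_rate": c["clicked"] / c["sent"],
                   "submit_rate": c["submitted"] / c["sent"],
                   "report_rate": c["reported"] / c["sent"]}
            for dept, c in counts.items()}


def campaign_trend(rows):
    """Overall click and report rate per campaign, in campaign order, so that
    improvement (or the lack of it) between rounds is measurable."""
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for row in rows:
        t = totals[row["campaign"]]
        t["sent"] += 1
        t["clicked"] += int(row["clicked"])
        t["reported"] += int(row["reported"])
    return {camp: {"click_rate": t["clicked"] / t["sent"],
                   "report_rate": t["reported"] / t["sent"]}
            for camp, t in sorted(totals.items())}


def repeat_clickers(rows, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns.
    This list is for private one-to-one follow-up, never for publication."""
    hits = defaultdict(set)
    for row in rows:
        if row["clicked"]:
            hits[row["user"]].add(row["campaign"])
    return {u: len(c) for u, c in hits.items() if len(c) >= min_campaigns}


def private_feedback(rows, campaign):
    """One short, individual message per recipient of the given campaign."""
    msgs = {}
    for row in rows:
        if row["campaign"] != campaign:
            continue
        if row["submitted"]:
            msg = "You entered credentials on the simulated page: please change your password and take the refresher module."
        elif row["clicked"]:
            msg = "You clicked the simulated link: here is what gave it away."
        elif row["reported"]:
            msg = "Thanks for reporting the simulated email; that is exactly the right response."
        else:
            msg = "You ignored the simulated email; next time please report it so the security team can act."
        msgs[row["user"]] = msg
    return msgs


if __name__ == "__main__":
    data = parse_results(SAMPLE_RESULTS)
    for dept, r in sorted(department_rates(data, "2024-Q1").items()):
        print(f"{dept:12} sent={r['sent']} click={r['click_rate']:.0%} report={r['report_rate']:.0%}")
    print("trend:", campaign_trend(data))
    print("repeat clickers (private):", repeat_clickers(data))
```

The department and trend figures are what goes into a report; the repeat-clicker and per-user feedback output stays with the security team, which is the 'engage, not enrage' split in practice. Note that a falling click rate alone can mean people have learned to recognise your template rather than phishing in general, so the report rate is the better indicator.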
#4 What to do with employees who keep falling for phishing simulations?
When an employee continually fails phishing simulations, knowing what to do next is something that needs to be approached carefully. There could be several reasons why they keep failing; here are a few points to bear in mind:
- They are not receiving enough security awareness training.
- The simulation may have been sent at a time when the employee was stressed or rushed.
- The email looked legitimate.
- The employee isn't looking for phishing emails, because nobody has told them it's part of their job.
Make cyber security everyone's job.
Let me explain this point a little further...
The problem with phishing is that it targets a wide variety of people, not just ordinary employees or senior executives: there is a type of attack for every job role out there. In fact, there are 27 different types of phishing, to be exact.
So, what can you do about it?
Well, to start off, you need to find yourself a good security awareness training platform that educates your end users on the many cyber security threats out there, not just phishing. A good platform should:
- Locate each individual's knowledge gaps
- Personalise the training to the end user, not the company
- Educate them on security best practices
- Track employee progress over time
- Teach them how to prevent and mitigate potential attacks