3 Reasons Why You Should Phish Your Own Employees
17 August 2017 14:14
So, you're thinking about phishing your own employees. But what are the repercussions? Will it even be successful in raising awareness? So many questions and, luckily for you, so many answers...
The current state of phishing
"91% of cyber attacks begin with a phishing email" - this statistic alone gives you a pretty big insight into just how serious a threat phishing attacks are to end users.
But it's not only the less technical or lower-level employees who fall for phishing scams; these attacks reach way up the ladder, right through to the C-suite. From conducting a large number of simulated phishing campaigns ourselves, it's clear that spear phishing campaigns (those targeting C-level execs) produce a much higher compromise rate.
The question often asked is how businesses can improve the security awareness of all their end users, especially given that most employees commit even the most basic cyber security mistakes every day. Many companies are attempting to tackle this with nothing more than sporadic training based on the old tick-box approach.
But a lack of consistent, jargon-free education, combined with a failure to monitor and report on the progress of each user's cyber security knowledge, is a significant reason why phishing is still coming out on top, and why many security awareness programs just aren't up to scratch.
So, what can you actually do to raise awareness?... PHISH YOUR EMPLOYEES!
Now, we’re not suggesting that you scam your finance team... we mean the opposite. Educate your users on real-world attacks to test just how effective their cyber education really is. We've compiled a small list that highlights the benefits of simulating a phishing attack on your users...
#1 Expose your employees' biggest cyber security flaws
Phishing your users first of all lets you see who has clicked on the 'malicious' links and who has acted appropriately. This gives you an excellent insight into just how exposed your workforce is. Not only is this useful for seeing where the weaker links are, it is also extremely useful for discovering which departments are more susceptible to a breach.
Many businesses are guilty of raising awareness only in the departments they perceive as "higher risk". However, all users handle company-sensitive information and should all receive the same level of education and awareness. It is important, however, to follow the ‘engage, not enrage’ methodology when conducting this simulation, and to give employees individual feedback rather than naming and shaming them.
#2 Increase the awareness around phishing emails
The more exposed your workforce becomes to these types of emails and their signs, the more likely they are to detect the red flags. There is also the opportunity of shocking the more complacent staff members into realising just how vulnerable they are to social engineering. As mentioned before, it can be difficult for an end user to envisage just how important they are in the security chain, so targeting them with a mock phishing test can be an effective wake-up call.
Some individuals also believe that they are able to spot the obvious signs of such emails, such as suspicious domain names and the odd language and requests involved, but social engineering can increase the user's trust immensely. If they can already spot a phishing email, then great. If not, then at least the risks are mitigated before they are targeted by a real phisher.
#3 Educate those who failed in the 'attacks'
Once your employees have been exposed to these phishing emails and know what they look like, you can educate them on how to avoid them, how to report them, and how to spot the other common signs and types of phishing attack.
Try to avoid the irregular training approach described earlier. Keeping the training consistent, whilst also avoiding learning fatigue, is crucial. Make sure you are able to measure how effective the training has been and where there is room for improvement.
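Points #1 and #3 both come down to measurement: which departments are most susceptible, which individuals need follow-up, and whether the next round of training actually moved the numbers. The script below is an added example, not the article's own tooling or any product's code. It assumes a simple per-recipient record for each simulated campaign with one of four constructed outcomes ("reported", "clicked", "submitted", "ignored") and uses pseudonymous user ids so that department-level reporting never becomes a name-and-shame list; all sample data is constructed.

```python
"""Aggregate simulated-phishing results per department and per campaign round.

Added example (not the article's own code). Assumes one record per recipient
per campaign; the sample data below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

OUTCOMES = {"reported", "clicked", "submitted", "ignored"}
COMPROMISE = {"clicked", "submitted"}   # a submitted credential implies a click


@dataclass(frozen=True)
class Result:
    campaign: str     # campaign round identifier
    user: str         # pseudonymous id; real names stay out of aggregate reports
    department: str
    outcome: str

    def __post_init__(self):
        if self.outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {self.outcome!r} for {self.user}")


# Constructed sample: two rounds, three departments, the same nine recipients.
SAMPLE = [
    Result("round-1", "u01", "finance", "clicked"),
    Result("round-1", "u02", "finance", "submitted"),
    Result("round-1", "u03", "finance", "reported"),
    Result("round-1", "u04", "finance", "ignored"),
    Result("round-1", "u05", "engineering", "reported"),
    Result("round-1", "u06", "engineering", "ignored"),
    Result("round-1", "u07", "engineering", "clicked"),
    Result("round-1", "u08", "exec", "submitted"),
    Result("round-1", "u09", "exec", "clicked"),
    Result("round-2", "u01", "finance", "reported"),
    Result("round-2", "u02", "finance", "clicked"),
    Result("round-2", "u03", "finance", "reported"),
    Result("round-2", "u04", "finance", "reported"),
    Result("round-2", "u05", "engineering", "reported"),
    Result("round-2", "u06", "engineering", "reported"),
    Result("round-2", "u07", "engineering", "ignored"),
    Result("round-2", "u08", "exec", "reported"),
    Result("round-2", "u09", "exec", "clicked"),
]


def department_metrics(results, campaign):
    """Per-department sent count, click (compromise) rate and report rate."""
    sent, compromised, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for r in results:
        if r.campaign != campaign:
            continue
        sent[r.department] += 1
        if r.outcome in COMPROMISE:
            compromised[r.department] += 1
        elif r.outcome == "reported":
            reported[r.department] += 1
    return {
        d: {
            "sent": sent[d],
            "click_rate": compromised[d] / sent[d],
            "report_rate": reported[d] / sent[d],
        }
        for d in sent
    }


def click_rate_trend(results, earlier, later):
    """Change in click rate per department between two rounds (negative = improvement)."""
    before = department_metrics(results, earlier)
    after = department_metrics(results, later)
    return {
        d: round(after[d]["click_rate"] - before[d]["click_rate"], 4)
        for d in before if d in after
    }


def users_to_coach(results, campaign):
    """Pseudonymous ids of users who fell for this round, for individual follow-up."""
    return sorted({r.user for r in results
                   if r.campaign == campaign and r.outcome in COMPROMISE})


def summary(results, campaign):
    """Human-readable department table for one round."""
    lines = []
    for dept, m in sorted(department_metrics(results, campaign).items()):
        lines.append(f"{campaign} {dept:12s} sent={m['sent']:2d} "
                     f"click_rate={m['click_rate']:.0%} report_rate={m['report_rate']:.0%}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary(SAMPLE, "round-1"))
    print(summary(SAMPLE, "round-2"))
    print("click-rate change:", click_rate_trend(SAMPLE, "round-1", "round-2"))
    print("users for individual follow-up:", users_to_coach(SAMPLE, "round-2"))
```

The report rate is tracked alongside the click rate on purpose: a department whose clicks fall but whose reports do not rise has merely learned to ignore the lure, not to raise the alarm, and that is the behaviour a real incident depends on.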