Employee Simulated Phishing: Should Your Business Bother?
16 May 2018 00:00
Here, we take a look at why businesses can't afford to neglect the threats of employee phishing, and whether or not simulated phishing tests are really worth your time of day.
What's the point of phishing your own pond?
Just because you have home insurance doesn’t mean you should stop locking your front door when you leave the house, just as travel insurance doesn’t give you free rein to leave your valuables scattered around the hotel pool. All insurance policies expect the holder to take reasonable care to reduce risk – indeed not doing so can often invalidate the policy – and cyber liability insurance is no different.
Many employees are failing to act with reasonable care when it comes to storing or sharing data, whether that be sharing login credentials or emailing sensitive data to anyone who asks.
This is mainly down to a lack of cyber security understanding, and it shows why employees are the weakest part of an organisation's defence against cyber crime: studies show that 90% of all cyber attacks are successfully executed using information stolen from employees.
The main culprit of tricking these users? None other than phishing.
This is why employee simulated phishing is needed: it tells you exactly where your company’s security stands against the issue.
Organisations should regularly run phishing tests for employees in order to train them to be more resilient to attacks, building simple (yet highly effective) habits like:
- Reviewing the sender of an email before interacting with it, and the recipient before sending
- Looking out for suspicious domain names and language
- Questioning the request of an email (are they asking for financial details?)
- Knowing where to report suspicious emails and requests to
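The four checks above, written as a small triage script for an email a user has reported (an added example, not code from this post; the organisation's domain, the addresses and the two messages are constructed):

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values: the organisation's own domain and the phrases that mark a request for sensitive details.
TRUSTED_DOMAIN = "example.com"
FINANCE_TERMS = ("bank details", "invoice", "payment", "wire transfer", "account number", "password")
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|account will be (closed|suspended))\b")

def domain_of(addr: str) -> str:
    """Return the lowercase domain of an address such as 'Name <user@host>'."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()

def lookalike(domain: str, trusted: str) -> bool:
    """Crude lookalike test: not the trusted domain (or a subdomain of it), but contains its
    first label once digit/hyphen tricks are undone, e.g. examp1e.com or example-com.net."""
    if domain == trusted or domain.endswith("." + trusted):
        return False
    squashed = domain.replace("1", "l").replace("0", "o").replace("-", "")
    return trusted.split(".")[0] in squashed

def triage(raw: str) -> list[str]:
    """Apply the employee checks to one plain-text message and return the warnings raised."""
    msg = message_from_string(raw)
    warnings = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg["Reply-To"]) if msg.get("Reply-To") else from_dom
    # Check 1, review the sender: replies routed to a different domain are a classic lure.
    if reply_dom != from_dom:
        warnings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Check 2, suspicious domain names: lookalikes of the company's own domain.
    for dom in {from_dom, reply_dom}:
        if lookalike(dom, TRUSTED_DOMAIN):
            warnings.append(f"{dom} imitates {TRUSTED_DOMAIN}")
    # Check 3, question the request: is it asking for financial or login details?
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    asks = [term for term in FINANCE_TERMS if term in text]
    if asks:
        warnings.append("requests sensitive details: " + ", ".join(asks))
    # Check 4, suspicious language: pressure to act now.
    if URGENCY.search(text):
        warnings.append("uses urgency language")
    return warnings

# Constructed samples: one lure and one legitimate internal notice.
LURE = "From: Finance Team <accounts@examp1e.com>\nReply-To: payments@secure-invoices.net\n" \
       "To: alice@example.com\nSubject: URGENT: invoice payment overdue\n\n" \
       "Please confirm your bank details immediately or your account will be suspended.\n"
CLEAN = "From: IT Helpdesk <helpdesk@example.com>\nTo: alice@example.com\n" \
        "Subject: Scheduled maintenance on Saturday\n\nThe file server will be offline 08:00-10:00. No action is needed.\n"
```

Running `triage(LURE)` raises all four warnings while `triage(CLEAN)` raises none; the fifth habit, knowing where to report, is the mailbox such a script would be wired to.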
Would your employees even be willing to play ball?
One of the main initial objections we hear from companies for not phishing their employees is the fear of facing complete Armageddon from their users as a result. While it's not crazy to think that your users aren’t going to be chuffed to receive ‘fraudulent’ emails from their own company, there are key ways to side-step this conundrum.
The main one is simple - be completely honest with your users prior to the phishing tests.
Now, we’re not saying that you warn them of when or how they’ll be phished; we’re talking about making it clear that these tests are part of your business’s overall security awareness training efforts.
Prior notice from (ideally) senior management will demonstrate that this is a company-wide effort for the good of the entire business, not just the customers. There’s also the added benefit of your employees having an instant alertness to potential phishing attacks, rather than waiting for users to fail the tests (or worse, fall for a real attack).
What could my business realistically expect from a phishing simulation?
Having conducted tonnes of simulated phishing campaigns on behalf of clients, one of the first benefits you can expect from these tests is visibility into how many of your users would fall for an attack.
There’s also the invaluable insight into which employees are susceptible to phishing, along with which of your departments are the weakest.
Be sure to take a look at our blog showing what results you can expect from your phishing simulation.