With phishing attacks increasing every month, it is clear that organizations’ current defenses are not sufficient. Nearly a quarter of malicious emails get past spam filters, and once one does, the only thing standing between the organization and a breach is the employee who receives it. If they open the attachment or click the link, they can expose the organization to whatever malware the message delivers.
This happens often: Verizon’s 2017 Data Breach Investigations Report found that 31% of all data breaches begin with phishing emails.
To mitigate this threat, (ISC)2 says that organizations should phish their own staff. Simulated phishing emails sent to everyone in the company (without the malicious payload, obviously) give those who fall for them a warning instead of a compromise, and make them think twice in the future.
Investing in your staff
Wesley Simpson, chief operating officer of (ISC)2, told TechRepublic that although many organizations have some form of cybersecurity awareness program, these programs are often ineffective and run only once a year.
“Tech leaders need to understand that they are not immune to these spear phishing attacks,” Simpson said. “The sooner they assess where they are, the quicker they can start to fill in the gaps.
“Management usually reacts to money and results. These phishing exercises are inexpensive, and can be done with existing staff. Once you start running them, the numbers speak for themselves.”
This isn’t the first time this strategy has been suggested. In fact, there’s a whole industry of simulated phishing attacks, and in January Forbes wrote: “Regular self-imposed and interactive phishing campaigns give employers the opportunity to safely educate employees without risking the loss of valuable information and data.
“The company, as soon as it detects the incident, can provide the employee with additional hands-on security training on how to identify and report phishing scams.”
Both Forbes and (ISC)2 say that organizations might prefer to hire a third party to produce these benign phishing emails and analyze the results. Forbes writes: “A contractor or outside vendor could present a more realistic scenario for your organization [and it will be] devoid of internal bias (for example, internal IT members may feel conflicted about tricking fellow employees or may accidentally mention the test in conversation).”
Simulated phishing with IT Governance
Our Simulated Phishing Attack establishes how vulnerable your organization is to phishing. The service provides an independent assessment of employee susceptibility and a benchmark for your security awareness campaigns. It can help you to:
- Satisfy compliance and regulatory requirements
- Adapt future testing to areas and employees of greatest risk
- Reduce the number of employee clicks on malicious emails
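To make the mechanics concrete, here is a small model of a simulated campaign of the kind described in this article: a payload-free lure carrying a per-recipient tracking link, click attribution that cannot be spoofed by editing the link, and per-department click rates that give you the benchmark and the “areas of greatest risk” mentioned above. This is an added example written for this page, not IT Governance’s tooling or (ISC)2’s; the staff directory, sender address, campaign key and landing host are all constructed for illustration.

```python
"""Simulated-phishing campaign model (added example; not a vendor's product code).

A lure email carries a link that identifies the recipient (u=) and an HMAC tag (t=)
bound to that recipient and campaign. Clicks are attributed only when the tag
verifies, so a curious employee who swaps u= to a colleague's id cannot shift blame.
Click rates are aggregated per department to benchmark awareness and to pick
where the next round of testing or training should focus.
"""
import hashlib
import hmac
import secrets
from collections import Counter
from email.message import EmailMessage
from urllib.parse import parse_qs, urlparse

# Hypothetical per-campaign secret; in a real deployment it never leaves the tracking server.
CAMPAIGN_KEY = secrets.token_bytes(32)
# Hypothetical benign landing host controlled by the organization (not a real domain).
TRACKING_HOST = "https://awareness.example.internal"

# Constructed sample directory; these are not real people.
STAFF = [
    {"id": "u001", "email": "a.hale@example.com", "dept": "Finance"},
    {"id": "u002", "email": "b.ortiz@example.com", "dept": "Finance"},
    {"id": "u003", "email": "c.nkemelu@example.com", "dept": "Engineering"},
    {"id": "u004", "email": "d.wu@example.com", "dept": "Engineering"},
    {"id": "u005", "email": "e.fischer@example.com", "dept": "HR"},
    {"id": "u006", "email": "f.rahman@example.com", "dept": "HR"},
]


def make_token(recipient_id: str, campaign_id: str, key: bytes = CAMPAIGN_KEY) -> str:
    """HMAC-SHA256 tag binding one recipient to one campaign (hex encoded)."""
    return hmac.new(key, f"{campaign_id}:{recipient_id}".encode(), hashlib.sha256).hexdigest()


def tracking_link(recipient_id: str, campaign_id: str, key: bytes = CAMPAIGN_KEY) -> str:
    """Benign landing-page URL; the tag, not the id alone, is what attributes a click."""
    return f"{TRACKING_HOST}/c?u={recipient_id}&t={make_token(recipient_id, campaign_id, key)}"


def build_email(recipient: dict, campaign_id: str, key: bytes = CAMPAIGN_KEY) -> EmailMessage:
    """A password-expiry lure with no payload: the only hook is the tracking link."""
    msg = EmailMessage()
    msg["From"] = "IT Service Desk <it-helpdesk@example.com>"  # constructed sender
    msg["To"] = recipient["email"]
    msg["Subject"] = "Action required: your password expires in 24 hours"
    msg.set_content(
        "Your network password expires tomorrow. To keep access, confirm your "
        f"account here:\n\n{tracking_link(recipient['id'], campaign_id, key)}\n"
    )
    return msg


def warning_message(recipient: dict) -> str:
    """What the landing page shows someone who clicked: a teaching moment, not malware."""
    return (f"{recipient['email']}: this was a simulated phishing email from your security "
            "team. Note the urgency, the unexpected link and the request to 'confirm' your "
            "account, and report messages like this instead of clicking.")


class Campaign:
    """Tracks who clicked, rejects forged links, and reports per-department rates."""

    def __init__(self, staff: list, campaign_id: str, key: bytes = CAMPAIGN_KEY):
        self.staff = {s["id"]: s for s in staff}
        self.campaign_id = campaign_id
        self.key = key
        self.clicked = set()   # each person counts once, however many times they click
        self.rejected = 0      # clicks with an unknown id or a tag that does not verify

    def record_click(self, url: str):
        qs = parse_qs(urlparse(url).query)
        uid = qs.get("u", [""])[0]
        tag = qs.get("t", [""])[0]
        if uid not in self.staff:
            self.rejected += 1
            return None
        expected = make_token(uid, self.campaign_id, self.key)
        if not hmac.compare_digest(expected, tag):   # constant-time comparison
            self.rejected += 1
            return None
        self.clicked.add(uid)
        return self.staff[uid]

    def click_rates(self) -> dict:
        sent = Counter(s["dept"] for s in self.staff.values())
        clicks = Counter(self.staff[u]["dept"] for u in self.clicked)
        return {d: clicks[d] / sent[d] for d in sent}

    def overall_rate(self) -> float:
        return len(self.clicked) / len(self.staff)

    def priority_departments(self, threshold: float = 0.25) -> list:
        """Departments whose click rate exceeds the threshold, for targeted follow-up."""
        return sorted(d for d, r in self.click_rates().items() if r > threshold)


if __name__ == "__main__":
    campaign = Campaign(STAFF, "q3-2017")
    for uid in ("u001", "u002", "u003"):              # constructed click events
        campaign.record_click(tracking_link(uid, "q3-2017"))
    print(campaign.click_rates(), campaign.overall_rate(), campaign.priority_departments())
```

The HMAC tag is the one part worth keeping even in a throwaway exercise: a per-recipient link that is just an id or a sequential number lets a single curious employee, or a forwarded email, pollute the results the article says “speak for themselves”. Rejected clicks are counted separately so that tampering shows up in the report rather than being silently dropped.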
After conducting this test, you might want to take action and enroll your staff on our Phishing Staff Awareness Course. It will reduce the likelihood of your employees falling victim to such scams by helping them understand how phishing works, the consequences of a successful attack, and how to identify and respond to malicious messages.