Best Protection Against Cyberattacks? Phish Your Employees!

Remember the good old days, when cybercriminals weren’t too bright?  Back when scam emails were riddled with spelling and grammar mistakes, sent from addresses that were clearly not associated with real businesses. Remember being asked to click on clearly fake links with names like www.realbusiness.org?  These were simpler times.  Even if one or two members of your team got duped, it was relatively easy to fix and explain so they could effectively scope out the next one. 

Unfortunately, cybercriminals have been studying, and the commoditization of “phishing kits” allows even the dumbest ones to execute fairly sophisticated scams.  Just as unfortunately, employees are notoriously bad at guarding against these scams – 59% of data security breaches were due to employee negligence last year.  Yikes.

Just for fun, let’s look at some scams that were particularly effective:  

• LinkedIn invitations.  Emails containing an invitation to connect to someone on LinkedIn seem so utterly innocuous (and potentially good for your career), that clicking a life-like link becomes almost automatic.  Cybercriminals have begun to take advantage of our collective trust and deeply ingrained habits in our social media spheres.  Scary. 
• Undelivered mail returned to sender.  Nothing is worse than getting the notification that your time-sensitive email hasn’t been delivered.  This scam uses this stressful situation to leverage the victim’s sense of urgency.  
• Mobile.  There’s a simple reason why mobile phishing scams are on the rise – smaller screens.  Can you really distinguish a one-letter difference in a domain name, if the site looks virtually identical to the real thing? 

This is just a tiny selection in a sea of phish, but there is a common theme throughout – social engineering and human error.  These scams manipulate basic human habits, trust, and lack of attention.  Each time a scam effectively combines these lapses in judgment, your entire organization is at risk.

So – What Now?

If the methods of attack are becoming more sophisticated everyday, training your employees to identify and avoid scams is becoming equally difficult.  You can no longer send a notification email warning them “not to open strange emails.”  You have to find a way to make it real, to make it impossible to avoid. 

You have to phish them.

It might sound strange, but implementing an ongoing simulation of real-world threats is the absolute best way to measure a baseline, track progress, and improve defense against attacks.  Rather than guessing where your weak points are, simulated attacks allow you to cast a wide net of threats and pinpoint what needs work. You can then train employees with greater precision.  No more seminars with general information that employees won’t retain. 

Game-ify It

Do not miss the opportunity to make this fun.  After you implement your first unannounced attack to measure your baseline, create an atmosphere of friendly competition.  We mentioned human error due to lack of attention – by calling out high-performers, implementing leaderboards, or incentivizing employees, you can ensure they will always be on the look out for a scam.  Any scam.  Including the real ones that can actually hurt your business. 

So, if Marcy has never fallen for your well-crafted attack, maybe give her the VIP parking spot for the month.  If Bill falls for every one, it’s time to double-down on his training. 

Don’t Be Big Brother

To avoid employees feeling “tricked” or over-monitored, make sure to have an open dialogue at your first training / recap meeting.  Talk about the program and tell them why it’s important.  They’ll understand immediately if there’s a forum for open dialogue. 

By leveraging a strong simulation plan coupled with targeted training, you can drastically reduce the likelihood of a data breach.  Just remember – if www.realbusiness.org still tricks your employees, you’ve got bigger problems.

Originally written for the Envision BizTech Insider