Multiple layers of high-tech, sophisticated cybersecurity solutions can keep cyberattackers from strong-arming their way into your business's network and stealing sensitive data; however, the best security programs won't help if they are let in through the front door.
According to a 2017 study by Verizon, 43 percent of data breaches used some form of phishing. It's no secret that data breaches cost companies millions of dollars due to network downtime, damage repair and potential litigation.
Phishing and spear-phishing is the tried-and-true method for hackers to gain access to a business's network and applications, all by using simple hacking techniques to obtain credentials or trick employees into downloading a malicious attachment or clicking a suspicious link. According to SecurityIQ, 30 out of 100 employees can't identify a phishing email.
Some phishing attempts can be easily spotted just by looking at the sender's email address. Some are blatantly fraudulent emails revealed by clues like poor grammar and spelling, the lack of a corporate logo or graphics, or oddly placed graphics. Some attempts ask for the employee's username, password and other credentials that a business would not ask for. Other times, hackers use more sophisticated techniques, such as spoofing email addresses that match the company's URL, company graphics and personal information (names, titles, etc.,) of employees they may have found online to establish credibility. Careful attention to detail can be enough to fool employees into giving out sensitive information or downloading malware. [Interested in network security services? Check out our best picks on our sister site Business.com.]
Training employees to spot and report phishing emails is absolutely essential for avoiding catastrophic breaches; however, sometimes it's necessary to put that training to the test.
Much like holding regular fire drills to prepare employees for an emergency, it's prudent to simulate phishing attempts to keep employees on their toes, identify vulnerabilities in the network and further educate them on these types of attacks.
Running a phishing simulation
Being tricked never feels good, and some employees may feel embarrassed for falling for your phishing attempt. Therefore, never publicly shame or punish employees who click phishing emails links or attachments, or give out sensitive information. These exercises should be a learning tool for the entire company. Your intent must be clearly stated and conveyed to those you're testing.
Much like a fire drill, earthquake drill or other safety exercise, it's not a bad idea to give employees a heads up that you'll be performing a cybersecurity test so they have a heightened awareness. You don't have to tell them when or how the test will be administered – just that it will be done within a certain timeframe. After the simulation, inform employees of what the test was and how they can improve on the results. Sometimes it's a great help to show staff your staff what a phishing email is and just how deceptive they can be.
After gathering results and revealing how many employees had negative results, you can determine what and how much cybersecurity training is in order for your office. After renewed training and some time has passed, conduct the test again. If employees show improved vigilance, perhaps an officewide reward is in order.
Phishing simulation tools
If you want to put your staff to the test, there are several ways you can do it. One of the easiest ways is hire an outside company to do it. Many network security services, such as Core Security, provide comprehensive vulnerability testing for businesses. These assessments not only include phishing simulations – they test all aspects of your network security. They give you a breakdown of your current security model and how well it did, as well as a list of recommendations of how you can improve, including if your office needs better phishing training.
These vulnerability tests can be expensive, so if you're looking for an inexpensive way to phish employees, there are several free and cost-effective tools online to help you accomplish this. Gophish is a free, open-source phishing tool to set up faux phishing campaigns. You can upload different templates to test employees' vulnerability to different types of phishing attempts, such as gaining credentials or clicking malicious links. However, Gophish and most other open-source tools require some knowledge of HTML to create a convincing phishing campaign.
Some inexpensive tools that make it easier to set up a phishing campaign include SecurityIQ and LUCY. These services allow you to create convincing phishing emails and can even use your company's email address to make it more plausible. These services aren't free, but they come with optional learning tools to teach employees cybersecurity safety practices.