Go Phish! Why Every Company Should Hack Its Own Employees

POST WRITTEN BY
Ryan Barrett
This article is more than 7 years old.

If there is one fear every Chief Information Security Officer has, it’s the fear of a phishing attack. It’s a rational one because every company, every C-Suite executive and every employee is vulnerable to this type of deception.

Due to the high volume of electronic messaging in the workplace, it only takes a momentary lapse in vigilance for a phishing scam to wreak havoc. Cybercriminals can steal company or personal data, delete files and deploy ransomware with just one email or one instant message. A single successful attack almost always results in some kind of monetary damage — whether in lost time or in money transferred. In fact, the FBI estimates that CEO email scams have cost organizations more than $2.3 billion over the last three years. But it’s not just emails. Phishing (or, more broadly, social engineering) scams come in all shapes and sizes, from direct phone calls to targeted social media campaigns. They vary in appearance too, from a CEO asking for a wire transfer to a law enforcement officer demanding personally identifiable information, and more.

Phishing attacks are effective and common. They’re also difficult to defend against, given their nature. But they do follow patterns and can be detected with the right education. This is why every company should phish itself.

Regular self-imposed and interactive phishing campaigns give employers the opportunity to safely educate employees without risking the loss of valuable information and data. Say, for instance, an employee clicks on a company-provided phishing link, or shares company information through a phishing email. The company, as soon as it detects the incident, can provide the employee with additional hands-on security training on how to identify and report phishing scams.

Here’s what you should know when planning your internal phishing campaign:

Get clearance. The first step in any internal phishing training campaign is to make sure all of the relevant parties agree to it. This means executives, the board of directors, the IT team and your legal department. Getting approval for such an exercise should be simple. After all, a mild investment in phishing education can help prevent successful attacks and equip employees with the knowledge they need to keep company data secure.

In-house or outsource? Before you proceed, consider if you’ll want to outsource your tests. If your organization is crunched for budget, but has a capable IT team, then it may be possible to generate your own phishing exercises. There are benefits to this method, as your IT team may have a better idea of what sort of weaknesses your organization is susceptible to. The IT team may also be able to generate phishing exercises on a regular basis.

However, outsourcing has its own benefits. A contractor or outside vendor could present a more realistic scenario for your organization than an in-house test can. Contractors are also free of internal bias (for example, internal IT members may feel conflicted about tricking fellow employees or may accidentally mention the test in conversation). Finally, most contractors have a robust learning platform for employee education, should anyone fail a phishing test. However, contractors can be expensive. Always ask for a quote and references before committing to a campaign.

Execute. Once everything is arranged, it’s time to execute your phishing campaign. Your organization should face a range of simulated security incidents. These attacks should play on common social engineering themes, such as a fake email from an executive, a cloned site asking employees to log in to a plausible website, or fake information on benefit changes to employees’ 401k plans or health insurance. Regardless, the attack should carry language that applies to a broad number of employees unless you’re training for spear phishing attacks — which are targeted and personalized phishing attacks.

While executing your faux phishing attack, be sure to gather data on who clicks on fake links and who enters login information into fake fields so that you have a better understanding of who is vulnerable to what types of attacks.

Notify employees. After a set period of time, notify your employees of the simulated attacks, and share the anonymized results. Your notice should explain that this test wasn’t simply to protect the company, but to arm employees with the knowledge they need to stay safe online at the office and at home. Remember, the purpose of security training isn’t to admonish, shame or “catch” employees doing something wrong. Rather, it’s to educate everyone and offer some level of protection from today’s capable cybercriminals.

Practice, practice, practice. Finally, give the employees who failed the test a few lessons in detecting phishing attacks. This is usually included in contractor packages, but if you choose to conduct an in-house phishing attack, then you’ll have to develop your own. The point of these trainings and faux attacks, after all, is to allow employees to learn and improve in a safe environment.

Wash, rinse, and repeat. One test phishing attack will not be enough. After the first test, start the process over again. Lessons are learned through repetition over a period of time. In a perfect world, tests should be administered every quarter. That may not be feasible for your organization, however. If you cannot commit to a phishing test every quarter, try to commit to running them twice a year. You’ll build a safer company and your employees, even if they don’t admit it, will be thankful for the security education.
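One way to turn the click and credential-entry data gathered during the simulated attacks into the anonymized results to share with staff, and into the follow-up training list for repeat campaigns, as an added example that is not from the article. It assumes a hypothetical in-house campaign tool that exports one event per line as `campaign,employee_id,department,event`; the records below are constructed.

```python
from collections import defaultdict

# Constructed export from two quarterly campaigns (hypothetical ids and departments).
EVENTS = """\
Q1,e001,finance,sent
Q1,e001,finance,clicked
Q1,e001,finance,submitted
Q1,e002,finance,sent
Q1,e003,ops,sent
Q1,e003,ops,clicked
Q1,e004,ops,sent
Q1,e005,legal,sent
Q2,e001,finance,sent
Q2,e001,finance,clicked
Q2,e002,finance,sent
Q2,e003,ops,sent
Q2,e004,ops,sent
Q2,e004,ops,clicked
"""
MIN_GROUP = 2  # departments with fewer recipients are pooled as "other" so nobody is identifiable

def parse_events(text):
    """Return {campaign: {employee_id: {"dept": str, "events": set}}} from the export."""
    out = defaultdict(dict)
    for line in text.strip().splitlines():
        camp, emp, dept, event = line.split(",")
        out[camp].setdefault(emp, {"dept": dept, "events": set()})["events"].add(event)
    return out

def department_report(campaign):
    """Shareable per-department click/submit rates for one campaign; no individual is named."""
    size = defaultdict(int)
    for rec in campaign.values():
        size[rec["dept"]] += 1
    totals = defaultdict(lambda: [0, 0, 0])  # recipients, clicked link, submitted credentials
    for rec in campaign.values():
        key = rec["dept"] if size[rec["dept"]] >= MIN_GROUP else "other"
        totals[key][0] += 1
        totals[key][1] += "clicked" in rec["events"]
        totals[key][2] += "submitted" in rec["events"]
    return {d: {"recipients": n, "click_rate": round(c / n, 2), "submit_rate": round(s / n, 2)}
            for d, (n, c, s) in totals.items()}

def repeat_clickers(campaigns, order):
    """Internal-only list of ids who clicked in every listed campaign: candidates for hands-on training."""
    return sorted(emp for emp in campaigns[order[0]]
                  if all("clicked" in campaigns[c].get(emp, {"events": set()})["events"] for c in order))

if __name__ == "__main__":  # quick demo on the constructed data
    print(department_report(parse_events(EVENTS)["Q1"]))
```

Only the department report is meant to be circulated; the repeat-clicker list stays with the training team, in keeping with the point that the exercise educates rather than shames.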