[BreachExchange] Go Phish! Why Every Company Should Hack Its Own Employees

Wed Jan 18 20:19:01 EST 2017

http://www.forbes.com/sites/groupthink/2017/01/18/go-
phish-why-every-company-should-phish-its-employees/#2521cfad384e

If there is one fear every Chief Information Security Officer has, it’s the
fear of a phishing attack. It’s a rational one because every company, every
C-Suite executive and every employee is vulnerable to this type of
deception.

Due to the high volume of electronic messaging in the workplace, it only
takes a momentary lapse in vigilance for a phishing scam to wreak havoc.
Cybercriminals can steal company or personal data, delete files and deploy
ransomware with just one email or one instant message. A single successful
attack almost always results in some kind of monetary damage — whether it
be in time or monetary transfers. In fact, the FBI estimates that CEO email
scams have cost organizations more than $2.3 billion over the last three
years. But it’s not just emails. Phishing (or, more specifically, social
engineering) scams come in all shapes and sizes, from direct phone calls to
targeted social media campaigns. They can range in appearance too, from a
CEO asking for a wire transfer to a law enforcement officer demanding
personally identifiable information and more.

Phishing attacks are effective and common. They’re also difficult to defend
against, given their nature. But they do follow patterns and can be
detected with the right education. This is why every company should phish
itself.

Regular self-imposed and interactive phishing campaigns give employers the
opportunity to safely educate employees without risking the loss of
valuable information and data. Say, for instance, an employee clicks on a
company-provided phishing link, or shares company information through a
phishing email. The company, as soon as it detects the incident, can
provide the employee with additional hands-on security training on how to
identify and report phishing scams.

Here’s what you should know when planning your internal phishing campaign:

Get clearance. The first step in any internal phishing training campaign is
to make sure all of the relevant parties agree to it. This means
executives, board of directors, IT team and your legal department. Getting
approval for such an exercise should be simple. After all, a mild
investment in phishing education can help prevent successful attacks and
equip employees with the knowledge they need to keep company data secure.

In-house or outsource? Before you proceed, consider if you’ll want to
outsource your tests. If your organization is crunched for budget, but has
a capable IT team, then it may be possible to generate your own phishing
exercises. There are benefits to this method, as your IT team may have a
better idea of what sort of weaknesses your organization is susceptible to.
The IT team may also be able to generate phishing exercises on a regular
basis.

However, outsourcing has its own benefits. A contractor or outside vendor
could present a more realistic scenario for your organization, than an
in-house test can. Contractors are also devoid of internal bias (for
example, internal IT members may feel conflicted about tricking fellow
employees or may accidently mention the test in conversation). Finally,
most contractors have a robust learning platform for employee education,
should anyone fail a phishing test. However, contractors can be expensive.
Always ask for a quote and references before committing to a campaign.

Execute. Once everything is arranged, it’s time to execute your phishing
campaign. Your organization should face a range of simulated security
incidents. These attacks should play on common social engineering themes,
such as a fake email from an executive, a cloned site asking employees to
login to a plausible website, or fake information on benefit changes to
employees’ 401k plans or health insurance. Regardless, the attack should
carry language that applies to a broad number of employees unless you’re
training for spear phishing attacks — which are targeted and personalized
phishing attacks.

While executing your faux phishing attack, be sure to gather data on who
clicks on fake links and who enters login information into fake fields so
that you have a better understanding of who is vulnerable to what types of
attacks.

Notify employees. After a set period of time, notify your employees of the
simulated attacks, and share the anonymized results. Your notice should
explain that this test wasn’t simply to protect the company, but to arm
employees with the knowledge they need to stay safe online at the office
and at home. Remember, the purpose of security training isn’t to admonish,
shame or “catch” employees doing something wrong. Rather, it’s to educate
everyone and offer some level of protection from today’s capable
cybercriminals.

Practice, practice, practice. Finally, give the employees who failed the
test a few lessons in detecting phishing attacks. This is usually included
in contractor packages, but if you chose to conduct an in-house phishing
attack, then you’ll have to develop your own. The point of these trainings
and faux attacks, after all, is to allow employees to learn and improve in
a safe environment.

Wash, rinse, and repeat. One test phishing attack will not be enough. After
the first test, start the process over again. Lessons are learned through
repetition over a period of time. In a perfect world, tests should be
administered every quarter. That may not be feasible for your organization,
however. If you cannot commit to a phishing test every quarter, try to
commit to running them twice a year. You’ll build a safer company and your
employees, even if they don’t admit it, will be thankful for the security
education.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170118/4bc8546c/attachment.html>