[BreachExchange] Are Your Employees Putting Your Company at Risk? Here’s How to Find Out!

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 21 19:29:52 EDT 2018


Even if you have the best security on your computer network, you might have
noticed that you still seem to get hacked…or worse. Ask Equifax. Why is
this happening? It’s probably because a member of your staff has made it
easy for cyber criminals to get inside. It’s really important that you find
out who this person is, and keep in mind…it might be more than just one.
And it may not even involve security technology.

Part of the problem here is that employees who “open the door” for these
criminals probably don’t even realize they are doing it. These criminals
are smart, and they make themselves look authentic. Sometimes these
crooks even disguise themselves as people your staff know. So, how do you
find out who’s letting the bad guys in? Here are some things to try:

Phishing simulation:

- Set up a fake website, and then create a fake email campaign. Send these
out to your staff members from a fake address, or better, a real-looking
address similar to your corporate domain, and see how many people take the
bait. You might have to work with someone on your IT staff to spoof the
sender’s email address. Make sure it looks legitimate or they will see
right through it.
- Though this takes some time and effort, it is a good way to find out
where your worries might lie with regard to the cyber security knowledge
of your staff.
- You can also hire a security expert to do this for you. They will create,
run, and track your campaign. However, these experts are not cheap, and the
campaign isn’t just a one-time thing. Instead, it’s ongoing.
- There are also many phishing simulation security awareness vendors
offering free trials just to see how vulnerable you may be.
- It only takes a single click to cause a data breach. So, your main goal
with this experiment is to find out who that clicker is. Or, who ALL those
clickers are.
- You should send out several fake emails, which ask your staff to click a
link. Make sure, however, that their timing is random; they shouldn’t
follow any kind of schedule.
- Remember, you want to make it look like these are coming from a trusted
source, such as a charity, an existing vendor, a coworker or a company officer.
- When you find out who is prone to clicking, you should take them aside
and fill them in on the campaign. Don’t lecture them or discipline them.
Instead, show them what they did wrong and fill them in on the consequences.
- Some phishing simulation security awareness vendors offer ongoing
computer based training specializing in bringing these clickers up to speed
and changing their behavior.
- Now that you know who the clickers are, send them other staged emails a
couple of times a month. See if they click again.
- You may choose to tell them that the random fake emails are coming, which
helps keep them alert to this issue, or leave them uninformed and see how
that affects their behavior.
- By using this approach, you can help your staff slow down a bit, and
really think about what they are doing when they get an email with a link.
- You can also create a company policy: Do NOT click on any links in emails
on company computers. This removes the need for that employee-by-employee
analysis and will make your staff question each email that comes through.
- Even with this policy in place, continue to send fake emails to see if
someone is disregarding the new rules.
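One way to turn a simulation tool's per-recipient results into the lists this procedure calls for (who clicked more than once, and whether the click and report rates are moving the right way across waves). This is an added example, not code from the original post; the event tuples, field names and addresses are constructed.

```python
# Added example (not code from the original post): turning a simulation
# tool's per-recipient results into the lists the procedure above needs.
from collections import defaultdict

# Constructed sample export, hypothetical format: (campaign_id, recipient,
# action) with action in {"ignored", "clicked", "reported"}.
SAMPLE_EVENTS = [
    ("wave-01", "alice@example.test", "ignored"),
    ("wave-01", "bob@example.test", "clicked"),
    ("wave-01", "carol@example.test", "reported"),
    ("wave-02", "alice@example.test", "clicked"),
    ("wave-02", "bob@example.test", "clicked"),
    ("wave-02", "carol@example.test", "reported"),
    ("wave-03", "alice@example.test", "reported"),
    ("wave-03", "bob@example.test", "clicked"),
    ("wave-03", "carol@example.test", "ignored"),
]

def per_recipient(events):
    """Count sends, clicks and reports for each recipient."""
    stats = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for _campaign, who, action in events:
        stats[who]["sent"] += 1
        if action in ("clicked", "reported"):
            stats[who][action] += 1
    return dict(stats)

def per_wave_click_rate(events):
    """Click rate of each campaign wave, in wave order, so the program
    can see whether the trend is heading down over time."""
    by_wave = defaultdict(list)
    for campaign, _who, action in events:
        by_wave[campaign].append(action == "clicked")
    return {c: sum(hits) / len(hits) for c, hits in sorted(by_wave.items())}

def repeat_clickers(events, min_clicks=2):
    """Recipients who clicked in at least min_clicks separate waves: the
    people the article says to take aside and enrol in follow-up training."""
    return sorted(who for who, s in per_recipient(events).items()
                  if s["clicked"] >= min_clicks)

def report_rate(events):
    """Share of emails that were reported rather than clicked or ignored,
    a better sign of a slowed-down, questioning staff than clicks alone."""
    return sum(a == "reported" for _c, _w, a in events) / len(events)

if __name__ == "__main__":
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
    print("click rate by wave:", per_wave_click_rate(SAMPLE_EVENTS))
```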

Criminals use fundamental principles of influence and the basics of the
psychology of persuasion. There is a science to their process no different
from how advertisers, sales people and marketers get us to buy stuff. Getting
snared isn’t difficult. Being smart and cautious isn’t difficult either. It
just requires a little training and reprogramming.