Without adequate employee IT security awareness in place, you may have the best security on your corporate computer network and still find it breached by hackers, or even suffer a potentially company-crippling ransomware attack. Why? Most likely because a member of your staff has made it easy for cyber criminals to get inside. It is important to find out who that person is, keeping in mind that it may be more than one, and the fix may not involve security technology at all.
For example, an employee at a food and drink manufacturer opened a malicious Microsoft Word attachment to an email, unleashing the Emotet and Trickbot malware onto their computer.
This malware in turn created a backdoor into the organization's systems, allowing the cybercriminals to gain access and deploy the Ryuk ransomware. The company declined to pay the ransom in this case, but still incurred substantial costs: over half of the organization's systems were unusable for 48 hours, and the firm had to contract security experts to restore access.
Part of the problem here is that employees who "open the door" for these criminals probably don't even realize they are doing it. The criminals are smart, and they make themselves look authentic; sometimes they even disguise themselves as people your staff know. So, how do you find out who is letting the bad guys in? Here are some things to try:
Conduct a Phishing Simulation to Raise your Employees IT Security Awareness
Set up a fake website and create a fake email campaign. Send the emails to your staff from a fake address, or better, a realistic-looking address similar to your corporate domain, and see how many people take the bait. You may need to work with someone on your IT staff to spoof the sender's email address. Make sure it looks legitimate, or they will see right through it.
Though this takes some time and effort, it is a good way to find out where the gaps in your staff's cyber security knowledge lie.
You can also hire a security expert to do this for you; they will create, run, and track the campaign. However, these experts can be quite expensive, and the campaign is not a one-time exercise: it is a long-term, ongoing effort.
Many phishing simulation security awareness vendors also offer free trials that let you see how vulnerable you may be.
It only takes a single click to cause a data breach, so your main goal with this exercise is to find out who that clicker is, or who ALL those clickers are.
Send out several fake emails that ask your staff to click a link. Make sure, however, that the timing is random; they should not follow any kind of schedule.
Remember, you want them to look like they come from a trusted source, such as a charity, an existing vendor, a coworker or a company officer.
When you find out who is prone to clicking, take them aside and fill them in on the campaign. Don't lecture or discipline them; instead, show them what they did wrong and explain the consequences.
What Else Can You Do?
Some phishing simulation security awareness vendors offer ongoing computer-based training that specializes in bringing these clickers up to speed and changing their behavior.
Now that you know who the clickers are, send them further staged emails a couple of times a month and see if they click again.
You may choose to tell them that random fake emails will be coming, which helps keep them alert to the issue, or not tell them and see how that affects their behavior.
This approach helps your staff slow down a bit and really think about what they are doing when they get an email with a link, and it raises employee IT security awareness.
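To make the tracking side of the simulation concrete, here is an added example (not code from the original post or from any vendor's product) that reads a constructed click-log export of the kind a simulation tool produces and works out, for each campaign, the click rate and who clicked, then across campaigns the repeat clickers and the people who clicked once but reported the next lure. The CSV column names, the campaign ids and the sample events are assumptions made for illustration.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample export from a simulation tool, not real data.
# One row per event; the "sent" rows give the denominator for the click rate.
SAMPLE_LOG = """\
campaign,timestamp,employee,event
C1,2024-03-04T09:01:00,alice,sent
C1,2024-03-04T09:01:00,bob,sent
C1,2024-03-04T09:01:00,carol,sent
C1,2024-03-04T09:01:00,dave,sent
C1,2024-03-04T09:12:31,bob,clicked
C1,2024-03-04T09:15:02,carol,reported
C1,2024-03-04T10:40:11,dave,clicked
C2,2024-03-19T14:20:00,alice,sent
C2,2024-03-19T14:20:00,bob,sent
C2,2024-03-19T14:20:00,carol,sent
C2,2024-03-19T14:20:00,dave,sent
C2,2024-03-19T14:33:45,bob,clicked
C2,2024-03-19T14:35:10,dave,reported
C2,2024-03-19T15:02:00,alice,reported
"""


def parse_events(text):
    """Read the CSV export into a list of dicts, one per event."""
    return list(csv.DictReader(StringIO(text)))


def summarize(events):
    """Group employees by campaign and outcome: sent, clicked, reported."""
    summary = defaultdict(lambda: {"sent": set(), "clicked": set(), "reported": set()})
    for e in events:
        buckets = summary[e["campaign"]]
        if e["event"] in buckets:  # ignore event types we do not track
            buckets[e["event"]].add(e["employee"])
    return summary


def click_rate(summary, campaign):
    """Fraction of recipients who clicked the lure in one campaign."""
    s = summary[campaign]
    return len(s["clicked"]) / len(s["sent"]) if s["sent"] else 0.0


def clickers(summary, campaign):
    """Sorted list of employees who clicked in one campaign."""
    return sorted(summary[campaign]["clicked"])


def repeat_clickers(summary, min_campaigns=2):
    """Employees who clicked in at least min_campaigns different campaigns."""
    counts = defaultdict(int)
    for s in summary.values():
        for employee in s["clicked"]:
            counts[employee] += 1
    return sorted(e for e, n in counts.items() if n >= min_campaigns)


def improved(summary, earlier, later):
    """Employees who clicked in `earlier` but reported the lure in `later`."""
    return sorted(summary[earlier]["clicked"] & summary[later]["reported"])


def report(text):
    """Human-readable summary lines for a whole export."""
    summary = summarize(parse_events(text))
    order = sorted(summary)
    lines = []
    for campaign in order:
        lines.append(
            f"{campaign}: click rate {click_rate(summary, campaign):.0%}, "
            f"clicked {clickers(summary, campaign)}, "
            f"reported {sorted(summary[campaign]['reported'])}"
        )
    lines.append(f"repeat clickers: {repeat_clickers(summary)}")
    for earlier, later in zip(order, order[1:]):
        lines.append(f"clicked in {earlier} but reported in {later}: "
                     f"{improved(summary, earlier, later)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The "reported" bucket matters as much as the "clicked" one: the people who forward a suspicious email to IT are the behavior you want to reinforce, and the `improved` list is the evidence that the follow-up conversation described above is working, without anyone being disciplined for the first click.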
You can also create a company policy: do NOT click on any links in emails on company computers. This removes the need for that employee analysis and makes your staff question every email that comes through. Alternatively, you can set up a custom footer or email signature alert that warns employees not to click links from unknown external senders, something like: "This Email Message is from outside the Organization, do not click or Open attachments if the sender is not known to you".
Even with this policy in place, continue sending fake emails to see whether anyone is disregarding the new rules.
Criminals use fundamental principles of influence and the basic psychology of persuasion. There is a science to their process, no different from how advertisers, salespeople and marketers get us to buy things. Getting snared isn't difficult. Being smart and cautious isn't difficult either; it just requires a little training and reprogramming to raise your employees' IT security awareness.
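As an added example of the external-sender alert idea, not code from the original post, the following Python script parses an inbound message with the standard library's email package, decides whether the sender's address is outside the corporate domain, and if so tags the subject and prepends the warning text to the plain-text body. The domain example.com, the two sample messages and the [EXTERNAL] subject tag are constructed for illustration; in production this decision belongs in the mail gateway (a mail-flow rule or milter), and the script shows the check rather than replacing that.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the organisation's own mail domain (placeholder value).
CORPORATE_DOMAIN = "example.com"
# Warning wording from the post; an [EXTERNAL] subject tag is added as well.
BANNER = ("This Email Message is from outside the Organization, do not click "
          "or Open attachments if the sender is not known to you")

# Constructed sample messages, not captured mail.
SAMPLE_EXTERNAL = (
    b"From: \"Accounts Payable\" <invoices@supplier-lookalike.test>\r\n"
    b"To: alice@example.com\r\n"
    b"Subject: Overdue invoice\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"Please review the attached invoice and confirm payment.\r\n"
)
SAMPLE_INTERNAL = (
    b"From: Bob <bob@example.com>\r\n"
    b"To: alice@example.com\r\n"
    b"Subject: Quarterly numbers\r\n"
    b"\r\n"
    b"Attached are the draft figures.\r\n"
)


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the From address. parseaddr() takes the angle-bracket address,
    so a display name that merely looks internal does not pass the check."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].strip().lower()


def is_external(msg: EmailMessage, corporate_domain: str = CORPORATE_DOMAIN) -> bool:
    """True unless the sender is the corporate domain or one of its subdomains.
    A missing or unparsable From header is treated as external (fail closed)."""
    domain = sender_domain(msg)
    return not (domain == corporate_domain or domain.endswith("." + corporate_domain))


def tag_external(raw: bytes, corporate_domain: str = CORPORATE_DOMAIN) -> EmailMessage:
    """Parse a raw message; if it is external, tag the Subject and prepend the
    banner to the plain-text body. Internal mail is returned untouched."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if not is_external(msg, corporate_domain):
        return msg
    subject = msg.get("Subject", "")
    if "Subject" in msg:
        msg.replace_header("Subject", "[EXTERNAL] " + subject)
    else:
        msg["Subject"] = "[EXTERNAL]"
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        body.set_content(BANNER + "\n\n" + body.get_content())
    return msg


def body_text(raw: bytes, corporate_domain: str = CORPORATE_DOMAIN) -> str:
    """Plain-text body after tagging, for inspection."""
    body = tag_external(raw, corporate_domain).get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


if __name__ == "__main__":
    for raw in (SAMPLE_EXTERNAL, SAMPLE_INTERNAL):
        tagged = tag_external(raw)
        print(tagged["Subject"])
        print(body_text(raw))
```

The banner is only as good as the header it trusts: the check keys on the envelope-style address in From, so it should sit behind SPF/DKIM/DMARC enforcement at the gateway, otherwise a message spoofing an internal From address would arrive without the warning.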