Does Your Company Frown On Test Phishing Attacks?
Date: Jan 5, 2016
IT teams in larger organisations often face roadblocks when trying to roll out Security Awareness Training programs that include simulated phishing attacks. They tell us that in their company culture, it’s a no-go to “trick” employees, as they might be made to look bad.
We understand that perspective; however, here’s why this needs to change:
1. The viewpoint that employees should not be singled out comes from HR and Legal, and is basically correct, but you cannot apply that generally to IT security. In that area, it is an outdated and dangerous policy. Granted, you should never point to someone and embarrass them in front of other employees. However, there is a very workable (HR-approved) strategy used by thousands of organisations to confidentially correct end-users who continue to click on phishing links and endanger your network.
2. If you don’t send simulated phishing attacks to your users, sooner or later the cyber criminals will succeed with a real one.
3. Security software layers are porous; endpoint antivirus and firewalls ceased to be effective years ago. With BYOD there is no perimeter left – your employee is your perimeter. Today, you need a human firewall.
4. Cyber criminals have gone pro. They have very well-equipped labs with the latest versions of the very security tools that you use yourself. They test, test, test until their new attack gets through, so they always have the advantage. Untrained end-users who click on malicious links and open infected attachments cause malware infections.
6. When your Board reads on the front page of the Financial Times that your customer database was hacked and is now being sold to other hackers on the dark web, they are going to ask some very pointed questions. Once it becomes clear that your organisation did not deploy a simple, effective strategy that could have prevented this, quite a few (highly placed) heads will roll. Target’s CEO is an example. Help your CEO to keep their job.
7. Legally you are required to act “reasonably” and take “appropriate” or “necessary” measures to cope with a threat. If you don’t, you violate either compliance laws, regulations, or recent case law. The business must take into account the risk presented and do what is reasonable or necessary to mitigate that risk. From standards organisations like ISO and CERT to industry standards like the PCI DSS, it is clear that implementing a security awareness training program is both reasonable and appropriate. Put another way, the failure to have such a program would likely be unreasonable and inappropriate given the risks involved.
8. Your estimation of the percentage of your end-users that will not fall for a simple phishing attack is too low. We frequently hear a groan on the other end of the phone when the IT team sees the actual Phish-prone percentage of their users after we run our initial Phishing Security Test.
To find out more: call us on 01256 379970 or email [email protected]