How To Get The OK To Phish Your Own Employees



Spear-PhishingIT people responsible for network security talk to us all the time. Almost all of them agree that end-users are their number one headache and managing that problem continues to be a big challenge. Social engineering is by far the easiest way for hackers to get in, either tailgating through the side door or (spear) phishing employees using email and social media.

So, it seems smart to protect against a threat like that with end-user education, driven by some "social pen-testing". The IT teams that get the approval from management to do this get great results. Apart from budget issues, sometimes there is resistance at the C-level to sending phishing tests to all employees, often driven by other departments like Legal or HR who claim "we should not trick our employees".  IT in those situations runs into political headwinds that scuttle the phishing project.

However, today you have to consider a new approach to securing your IT assets. You simply can’t afford to passively wait for attacks. Instead, you should take a lean-forward approach that proactively prevents "being low hanging fruit".

Here is some ammo to get that approval, and more important, air cover from the top of your organization.

  1. First of all, let's confront that "tricking employees" issue. If we don't do it, the bad guys will. Let's head them off at the pass. We do not want to wind up like Sony, Target, JP Morgan or Home Depot to name just a few and see our organization on the front page with an extremely expensive data breach. 
  2. The next hurdle is this; most small- and medium business owners think that they are not a target for cybercrime. Well, if you think you are safe because you are just a little fish in a big pond, think again. Cybercriminals have chosen small and medium sized businesses (SMBs) as their prime attack targets. The reason is that many SMBs lack the expertise, budget and time to really defend their network like the big companies do. You are the low-hanging fruit and they can automate their attacks. 
  3. New vicious ransomware might cause users sitting on their hands for days because all their files are encrypted and backups failed.  
  4. Wall Street Journal reported that the Target, Home Depot and Sony hacking incidents grabbed the attention of executives everywhere, bringing home the reality that cybersecurity has become a top risk consideration in the boardroom. These days getting air cover from the Board is much easier.
  5. Employees are not stupid, they are just trained in another field than IT. Once it has been communicated by the CEO that this is a company-wide ongoing training initiative which includes regular phishing tests and needs everyone's cooperation to get security-aware, after stepping through the training almost always the employees say: "Wow, I did not know it was that bad on the web. How do I share this with my family?" If you position (frame) this correctly as part and parcel of safe Internet usage which also helps them keep their family safe online, there is mostly very positive feedback from end-users.

So, here are the steps I recommend:

  1. Using the above five points to get the OK to do a free phishing security test and see how bad the employee Phish-prone percentage actually is. Usually an unpleasant surprise but great to get budget.
  2. Find out how affordable this is for your organization. This is normally the pleasant surprise and essentially a no-brainer.
  3. Start the campaign with support from (and an intro by) your CEO or another C-level executive and provide a deadline and incentives for the initial training. 
  4. Schedule frequent phishing security tests, one a month minimum, and create a game where you compare the percentages from different groups of employees. (this is supported by the KnowBe4 Admin console)
  5. Report regularly to both employees and executives about the positive results and show everyone graphs of the progress. 

Doing it this way could even improve the status of the IT department and make end-users understand much better what massive challenges you are faced with on a day-to-day basis. Good luck !


Request A Quote: Security Awareness Training

products-KB4SAT6-2-1New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one and done deal, continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your quote for KnowBe4's security awareness training and simulated phishing platform and find out how affordable this is!

Get A Quote Now

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/kmsat-security-awareness-training-quote



Subscribe to Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews