Now and then, when I talk to the IT people in larger organizations, they tell me they experience political headwinds in trying to get an awareness program rolled out that includes simulated phishing attacks. They tell me that in their culture, it's a no-go to "trick" employees, as they might be made to look bad.
Well, I understand where that perspective is coming from. However, let me give you some ammo here that you can use to enlighten your organization, help to create some cultural change in the direction of better security and prevent an enormous amount of damage, lost money, and IT heartache.
1) The viewpoint that employees should not be singled out comes from HR and Legal, and is basically correct, but you cannot apply that generally to IT security. In that area, it is an outdated and dangerous policy.
Granted, you should never point to someone and embarrass them before other employees. However, there is a very workable (HR approved) strategy used by thousands of organizations in the U.S. to confidentially correct end-users who continue to click on phishing links and endanger your network.
2) If you don't send simulated phishing attacks to your users, sooner or later the bad guys will succeed with a real one.
3) Security software layers are porous. Endpoint antivirus and firewalls stopped being sufficient on their own years ago, and with BYOD there is no perimeter left: your employees are your perimeter. Today, you need a human firewall.
4) The bad guys have gone pro. They run well-equipped labs stocked with the latest versions of the very security tools you use yourself. They test, test, test until their new attack gets through, so they always have the advantage.
5) Untrained end-users who click on malicious links and open infected attachments cause malware infections. These days that is likely to be Cryptowall 4.0 ransomware, which encrypts the files on the workstation and on any mapped network drives. The downtime is considerable.
6) When your Board members read on the front page of the Wall Street Journal that your customer database was hacked and is now being sold to other hackers on the dark web, they are going to ask some very pointed questions. Once it becomes clear that your organization did not deploy a simple, effective strategy that could have prevented this, quite a few (highly placed) heads will roll. Target's CEO is an example. Help your CEO to keep their job.
7) Legally you are required to act "reasonably" and take "appropriate" or "necessary" measures to cope with a threat. If you don't, you fall short of compliance laws, regulations, or the standard of care set by recent case law. The business must take into account the risk presented and do what is reasonable or necessary to mitigate that risk.
From standards organizations like ISO and CERT to industry standards like the PCI DSS to governmental entities like the FFIEC, it is clear that implementing a security awareness program is both reasonable and appropriate. Put another way, the failure to have such a program would likely be unreasonable and inappropriate given the risks involved. The class action lawsuits that routinely follow a data breach are going to have a field day if that is the case. More about that in the next item below.
8) Your estimate of the percentage of your end-users who will fall for a simple phishing attack is too low. We frequently hear a groan on the other end of the phone when the IT team sees the actual Phish-prone percentage of their users after they run our complimentary Phishing Security Test.
The Five Steps To Phish Your Own Users
1) Get agreement from top management to do a small initial test: just 100 people, to see what the percentage is. That's great ammo for the next step, because anything over zero is too high and the average is 16%.
2) Once you know that around 16% of your users are Phish-prone, C-level execs and Board members wake up to the threat and ask what can be done about it. Get a quote for a subscription to an integrated platform that does both effective on-demand security awareness training and provides easy-to-manage simulated phishing attacks.
3) Let a C-level exec announce company-wide that a test was done and that the percentage of people clicking was too high. An awareness training program will be rolled out, and part of that is that everyone from the mail room to the board room will be getting frequent simulated phishing attacks. People who continue to click on things they shouldn't will get remedial training.
4) Roll out the training campaign: on-demand, web-based interactive training featuring an expert who will teach them the dangers of the Internet and what they can do about it to stay safe.
5) Schedule frequent simulated phishing attacks using the hundreds of ready-to-send templates, and configure fully automatic remedial training for chronic clickers.
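As an added example (not KnowBe4's platform code, nor any vendor's), here is the minimal machinery behind steps 1 and 5: a per-recipient tracking token derived with an HMAC so a clicked link cannot be forged or guessed, click reconciliation that counts each user once and rejects unknown tokens, a Phish-prone percentage overall and per department, and a "chronic clicker" query across campaigns to drive remedial training. The secret key, the recipient list and the click log are all constructed for the example.

```python
"""Simulated-phishing campaign tracker (illustrative example, not a vendor's code)."""
import hashlib
import hmac
from collections import defaultdict

# Assumed: a per-deployment random secret; tokens are HMACs over it, so a
# recipient cannot derive another user's link or claim a click on their behalf.
SECRET_KEY = b"replace-with-a-random-32-byte-secret"

# Constructed sample send list (not real people).
RECIPIENTS = [
    {"id": "u001", "dept": "Finance"},
    {"id": "u002", "dept": "Finance"},
    {"id": "u003", "dept": "Engineering"},
    {"id": "u004", "dept": "Engineering"},
    {"id": "u005", "dept": "Mailroom"},
    {"id": "u006", "dept": "Executive"},
]


def make_token(campaign_id: str, user_id: str) -> str:
    """Unique, unforgeable token that goes into this recipient's link."""
    msg = f"{campaign_id}:{user_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]


def build_campaign(campaign_id: str, base_url: str, recipients=RECIPIENTS):
    """Return (links, token_map): the URL to mail each user, and the
    token -> user_id table the tracking endpoint resolves clicks against."""
    links, token_map = {}, {}
    for r in recipients:
        tok = make_token(campaign_id, r["id"])
        links[r["id"]] = f"{base_url}{tok}"
        token_map[tok] = r["id"]
    return links, token_map


def resolve_click(campaign_id: str, token: str, token_map: dict):
    """Map a clicked token back to a user; None for unknown or tampered tokens."""
    user_id = token_map.get(token)
    if user_id is None:
        return None
    # Re-derive and compare in constant time so a tampered token is rejected.
    if not hmac.compare_digest(make_token(campaign_id, user_id), token):
        return None
    return user_id


def phish_prone(campaign_id: str, token_map: dict, click_log, recipients=RECIPIENTS):
    """Overall and per-department Phish-prone percentage for one campaign.

    click_log is the sequence of tokens the tracking endpoint received.
    A user who clicks several times is counted once; forged tokens are ignored.
    Returns (overall_pct, {dept: pct}, set_of_clickers)."""
    clickers = set()
    for token in click_log:
        uid = resolve_click(campaign_id, token, token_map)
        if uid is not None:
            clickers.add(uid)

    by_dept = defaultdict(lambda: [0, 0])  # dept -> [clicked, sent]
    for r in recipients:
        by_dept[r["dept"]][1] += 1
        if r["id"] in clickers:
            by_dept[r["dept"]][0] += 1

    overall = round(100.0 * len(clickers) / len(recipients), 1)
    per_dept = {d: round(100.0 * c / s, 1) for d, (c, s) in by_dept.items()}
    return overall, per_dept, clickers


def chronic_clickers(history: dict, threshold: int = 2):
    """history: {campaign_id: set(user_ids who clicked)}.
    Users who clicked in at least `threshold` campaigns get remedial training."""
    counts = defaultdict(int)
    for clicked in history.values():
        for uid in clicked:
            counts[uid] += 1
    return sorted(uid for uid, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    links, token_map = build_campaign("2015-12-invoice", "https://example.invalid/r/")
    tokens = list(token_map)  # same order as RECIPIENTS
    # Constructed click log: u001 clicks twice, u005 once, plus one forged token.
    log = [tokens[0], tokens[0], tokens[4], "deadbeefdeadbeefdead"]
    overall, per_dept, who = phish_prone("2015-12-invoice", token_map, log)
    print(f"Phish-prone: {overall}%  by dept: {per_dept}  clickers: {sorted(who)}")
    print("Remedial training:", chronic_clickers({"c1": who, "c2": {"u001", "u003"}}))
```

One caveat when you run this against a real mail flow: security gateways and mail clients sometimes fetch links before the user ever sees the message, which inflates the click count. Filter those requests (by user agent, or by a click landing within seconds of delivery) before they reach the log, or your Phish-prone percentage will be wrong in the scary direction.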
And what is the first thing after the training that comes out of your end-user's mouth? "Wow, I did not know that it was that dangerous on the Net, how can I share this with my family?"
And we're happy to say that we have the perfect answer for that, we have an awareness course for all your employees they can take at home with their family.
Get started with Step 1 - Do your no-charge Phishing Security Test now: https://info.knowbe4.com/phishing-security-test
|
NYSE Governance Services and infosec company Veracode recently published the results of a survey of 276 board members titled "Cybersecurity and Corporate Liability". A massive 60 percent of the respondents expect shareholder lawsuits against companies over cybersecurity issues to increase in 2016. Four out of five respondents said they have, at some point, raised the issue of cybersecurity liability in boardroom discussions.
More important however, 89 percent of people who answered believe that businesses should be held liable for breaches if they do not make reasonable efforts to secure their customer data. And a whopping 90 percent agreed that third-party software providers should be held liable for vulnerabilities identified in their packaged software, (not that it's going to happen anytime soon with the current contracts in place).
But what constitutes reasonable efforts? Find out more at the KnowBe4 Blog: https://blog.knowbe4.com/2016-will-show-increase-in-shareholder-cybersecurity-lawsuits
|
I saw a blog post by Alex Grigsby and thought it was great! "The new Star Wars movie, The Force Awakens, comes out in about a month. As with most people, I can't wait for the new movie. I've been re-watching the old ones (except for The Phantom Menace, it's terrible) and getting hyped for the new release.
"In re-watching the old movies, I’ve been struck by just how bad the Empire was at cybersecurity. It’s not surprising given that the Empire, despite its resources and power, had some pretty glaring security gaps." Here they are: http://blogs.cfr.org/cyber/2015/11/17/the-galactic-empire-has-terrible-cybersecurity/
PS: KnowBe4, for its Holiday party, has rented a whole movie theater so we can watch the new episode VII all together and celebrate a banner year.
|
Today, your employees are frequently exposed to sophisticated phishing and ransomware attacks. Old school Security Awareness Training doesn’t hack it anymore. More than ever, your users are the weak link in your network security.
Join us on Thursday, December 3 at 2:00 p.m. (EST) for a 30-minute live product demonstration of the innovative Kevin Mitnick Security Awareness Training Platform and see how easy it is to train and phish your users:
- NEW Phish Alert Button for Outlook so employees can report phishing attacks with one click.
- Get a baseline, send a phishing test to your users to get your Phish-Prone percentage.
- Easily roll out training campaigns for all users (or groups) with follow-up emails to "nudge" users who have not completed the training.
- Send frequent phishing tests to keep your users on their toes with security top of mind.
- Point-of-failure training auto-enrollment.
- Reporting to watch your organization's Phish-Prone percentage drop, with great ROI.
Find out how more than 2,000 organizations have mobilized their end-users as their first line of defense. Register Now: https://attendee.gotowebinar.com/register/388892135690154498
|