OK, so here is a horror story that you can prevent from happening in your own organization. Now and then we hear that KnowBe4 customers do not make the security awareness training mandatory, and that they allow their employees to choose whether they do the training or not. This is not a good idea. I am expressing myself mildly.
Here is some ammo to help you get management convinced that security awareness training should be mandatory.
This is an email we received from a system admin who sent it to all his users (the names have been changed to protect the innocent).
From: Jonas
Sent: Monday, December 03, 2018 1:17 PM
To: ALL USERS
Subject: URGENT Information - I NEED YOUR HELP

Hello,

Last week we had two incidents where $750,000 and $35,000 were stolen from the company by cyber crime. These amounts will most likely never be recovered. This should not have happened. These thefts occurred by allowing the bad guys into our network by what is called "Phishing": "the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers."

We have, in the past 6 months, identified 15% of the email users in our company falling for the fake emails and following links that require authentication of usernames and passwords.

After the incidents last week we identified 5 email user accounts that had been compromised by bad guys. In these accounts (one a branch manager, one a controller, one an engineer) the user IDs and passwords were given to the bad guys, where they were able to intercept or send, unbeknownst to the company employee, emails with instructions to move company money for wire transfer or modify ACH accounts for payroll deposit and vendor payments.

PLEASE, take this seriously! You would not let people into your house without knowing who they are and what they want. Email is the same. Don't take the bait. We will be taking measures to make it more challenging for the bad guys to win. We will be making password updates more frequently along with other authentication processes.

You are our front line in this battle, not letting them into our systems, by being vigilant with the phishing schemes. If you are asked by our IT team to take training I expect you to do just that. Only 66% took the training when asked during our early September Phishing Test.

If you would like more information regarding what you can do to ensure security with your accounts please contact Eric in our IT department, or reach out to me directly.

Thank you for your HELP,
Jonas