ANS Blog

Why Every Organization Should “Phish” Employees

Cybersecurity

Why Every Organization Should “Phish” Employees

There’s certainly no shortage of cybersecurity solutions available to IT managers to combat cyberattacks. But to truly achieve a stronger cybersecurity position, organizations have to go beyond implementing new products and services to include efforts to secure the “human element.” While it’s easy for IT managers to become enamored with the newest technology, the truth is the actions of employees can pose as high a risk to security than any software or system vulnerability. Cybercriminals are exceptionally well versed in the art of exploiting the “human element.” Through the use of a technique called “social engineering,” cybercriminals use fraudulent communications to manipulate employees into divulging confidential information.The most common way an employee will encounter a cyberthreat like this is through email.

What Is Phishing?

One of the most common methods of attack via email is a technique called “phishing.” The goal of phishing is to lure the email recipient into believing that the message is something they want or need — such as a request from their bank or a request from someone within their organization — and to click on a malicious link or attachment. The element that distinguishes phishing is the form the message takes: the attackers masquerade as a trusted entity of some kind, often a real or plausibly real person, or a company the target might do business with. It's one of the oldest types of cyberattacks, dating back to the 1990s, and it's still one of the most widespread with techniques, having become extremely sophisticated.

Why Is Phishing so Dangerous?

Generic forms of phishing have quickly evolved into highly personalized and targeted varieties such as spear phishing, whaling, CEO fraud, and other email compromises. These highly directed forms of phishing are often intended to steal extremely sensitive data (such as W-2s or online banking log-ins), and they are also used to install malware on a victim’s computer, which can then be used to infiltrate other parts of a network. Regardless of the form it takes, or the damage it causes, phishing has grown exponentially; with no sign of stopping. In fact, according to research published by Verizon in 2018, 93% of attacks experienced launch with some type of a phishing email.

Security Awareness Combats Phishing Attacks

Given their prevalence and damage potential, every organization should have a formal plan to address the threat of phishing attacks and other cybercrimes. A program of security education (also called security awareness training), along with strong security policies and procedures, is an effective way to reduce the risk posed by employees.

As the name implies, security awareness training is a process that teaches employees about cybersecurity, IT best practices, and even regulatory compliance. A comprehensive security awareness program for employees should train them on a variety of IT, security, and other business-related topics. These may include how to avoid phishing and other types of social engineering attacks, spot potential malware behaviors, report possible security threats, follow IT policies and best practices, and adhere to any applicable data privacy and compliance regulations (GDPR, PCI DSS, HIPAA, etc.).

Studies have shown that quick, relevant, and continuous training, throughout the employee’s tenure with a company, is the best way to arm employees with the information they need to become an organization’s first line of cyber-defense. It also builds a broader, overreaching, organizational culture of both personal and collective responsibility for cybersecurity.

Why Phish Your Own Employees?

Even with a training program in place, day-to-day operations can be hectic and employees sometimes push security concerns to the backburner in favor of meeting deadlines or landing new customers. This is where company-sponsored, internally controlled testing of employees can provide tremendous value. Yes, you can safely phish your own employees to ensure they’re applying their knowledge where and when it really counts.

Phishing your own employees is a type of cybersecurity audit. It involves sending out real but innocuous phishing emails to test the effectiveness of your awareness program. By sending “safe” phishing emails to your employees, you can quickly identify employees who need additional training.

Most companies that offer security awareness training programs have a robust learning/testing platform that allows you to perform realistic phishing simulations. Many also have the capability to deliver tests that are customized by department or job role. Most allow you the choice of having an in-house resource (usually someone in IT or HR) assigned to perform tests, or will perform them for you. Should anyone fail a phishing test, they offer re-education and re-testing as part of their comprehensive services.

When done periodically, phishing your own employees can be an impactful way to reduce security risks due to human error and build a cyber-aware culture within your organization. Advanced Network Systems provides a security awareness training program with phishing simulations as part of our Managed Security Services Program. We can help you add this important, additional layer of protection for your organization as part of a comprehensive solution to strengthen your security posture and align it with how you do business.

Set Your Business on the Path to Better Cybersecurity

Take the first step by scheduling your free consultation with ANS today.