ANS Blog

Preventing Hacks: Why Every Organization Should “Phish” Its Employees

August 22, 2019 in Cybersecurity

Businesses have many cybersecurity tools available today, but a stronger security posture takes more than installing new products and services. Every organization's security also depends heavily on how well its employees understand cyberthreats and how their own decisions and habits affect security.

In practice, people are at least as much of a risk as software flaws and vulnerabilities. For someone looking to breach a business, it is usually cheaper to trick an employee than to find and exploit a software vulnerability, especially where staff have had no training in basic security hygiene. Cybercriminals understand "the human factor" all too well and target individuals with email content crafted to get their attention. Through these fake and misleading emails, they lure the recipient into installing malware that gives them a foothold on your network, or trick users into divulging their login credentials.

Generic phishing has been joined by spear phishing, an email or electronic communication scam targeted at a specific individual or business. Spear phishing is often intended to steal data (such as W-2 forms or other marketable information), but it is also used to install malware on the targeted user's computer. Regardless of the form it takes, phishing and the damage it causes continue to grow. According to research published by Cyberdefense Magazine, 91% of attacks experienced by small businesses begin with some type of phishing email.

Why phishing is such a threat

Phishing is problematic because it exploits the human condition. Our natural instincts of curiosity and compliance make us all the weakest link in any cybersecurity program. It is what causes an employee to click a link that appears to lead to your organization's bank and enter their ID and password, and it is why an employee would email company payroll records to someone they believe is their CFO demanding them urgently. These are the things that make phishing so simple and effective for attackers, and so dangerous for organizations both large and small.

How to stop phishing in its tracks

Given the prevalence of phishing scams and the level of damage they can cause, every organization should have a formal plan to address the threat. Policies and procedures are essential, but the best protection is employee education. Security education includes building employees' awareness of their personal responsibility for cybersecurity and explaining the steps the organization is taking to address security threats. It also means building their "cyber IQ" so they can better spot threats: a sender address that does not match the display name, a link whose real destination differs from the text, and unexpected urgency around credentials or payments. A formal educational process of this kind has been shown to reduce behaviors that put internal systems and processes at risk. Employees at every level of the company should receive this training at orientation, with refreshers and updates on a regular basis throughout the year.

But day-to-day operations can be hectic, and employees may push security concerns to the back burner in favor of meeting deadlines and winning new customers. This is where company-sponsored, internally controlled testing of employees provides tremendous value.

Phishing your own employees is a type of cybersecurity audit. It involves sending realistic but harmless phishing emails to test the effectiveness of your security awareness training program. By sending "safe" phishing emails to your employees, you can put your educational content and policies to the test and, more importantly, identify employees who need additional training. Two points keep such a test both safe and useful: the landing page behind the lure must never store anything an employee types into it, and the results should track who reported the email as well as who clicked, because a rising report rate is the clearest sign the training is working.
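The mechanics of such a test, as an added example rather than anything from the original post or from Advanced Network Systems: a small Python toolkit that builds a per-recipient lure with an unguessable HMAC tracking token, records click, submit and report events from a landing page without ever touching a submitted password, rejects events for tokens it never issued, and turns the rest into per-department click, submission and report rates plus a follow-up list. The roster, domains, `X-Internal-Phish-Simulation` header name and event feed are all constructed for the demo.

```python
"""Internal phishing-simulation toolkit (added example, not ANS code).
Assumed: each employee gets a unique tracking link; the landing page posts
'click' or 'submit' for that token; the report button posts 'report'.
"""
import hashlib
import hmac
from collections import defaultdict
from email.message import EmailMessage

ROSTER = [  # constructed, hypothetical people
    {"id": "e001", "email": "alice@example.test", "dept": "finance"},
    {"id": "e002", "email": "bob@example.test", "dept": "finance"},
    {"id": "e003", "email": "carol@example.test", "dept": "sales"},
    {"id": "e004", "email": "dave@example.test", "dept": "sales"},
]


def make_token(key: bytes, campaign_id: str, employee_id: str) -> str:
    """HMAC over (campaign, employee) with a per-campaign secret: the URL
    carries no employee identifier and tokens cannot be guessed or derived
    from one another. 80 bits is plenty for a few thousand recipients."""
    mac = hmac.new(key, f"{campaign_id}:{employee_id}".encode(), hashlib.sha256)
    return mac.hexdigest()[:20]


class Campaign:
    """One simulated phishing run: who got a lure, and what they did."""

    def __init__(self, campaign_id: str, key: bytes, landing_base: str):
        self.id = campaign_id
        self.key = key
        self.landing_base = landing_base
        self.by_token = {}  # token -> employee record
        self.events = defaultdict(list)  # employee id -> [event, ...]

    def build_lure(self, employee: dict, sender: str, subject: str) -> EmailMessage:
        """Only the link varies per recipient. The custom header (an assumption)
        lets the mail gateway and SOC tell a simulation from a live attack."""
        token = make_token(self.key, self.id, employee["id"])
        self.by_token[token] = employee
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = employee["email"]
        msg["Subject"] = subject
        msg["X-Internal-Phish-Simulation"] = self.id
        msg.set_content("Your password expires today. Sign in now to keep access:\n"
                        f"{self.landing_base}/l/{token}\n")
        return msg

    def record(self, token: str, event: str) -> bool:
        """Landing-page / report-button callback. 'submit' is a bare fact: the
        landing page discards the password field, so it never reaches here.
        Unknown tokens are rejected, not logged, so scanners hitting random
        paths do not pollute the numbers."""
        emp = self.by_token.get(token)
        if emp is None or event not in ("click", "submit", "report"):
            return False
        self.events[emp["id"]].append(event)
        return True

    def results(self) -> dict:
        """Per-department click, submit and report rates, plus who needs a
        refresher. A rising report rate is the clearest sign training works."""
        stats = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
        followup = []
        for emp in self.by_token.values():
            ev = set(self.events.get(emp["id"], []))
            s = stats[emp["dept"]]
            s["sent"] += 1
            s["clicked"] += int("click" in ev or "submit" in ev)
            s["submitted"] += int("submit" in ev)
            s["reported"] += int("report" in ev)
            if "click" in ev or "submit" in ev:
                followup.append(emp["id"])
        out = {dept: {"sent": s["sent"],
                      "click_rate": s["clicked"] / s["sent"],
                      "submit_rate": s["submitted"] / s["sent"],
                      "report_rate": s["reported"] / s["sent"]}
               for dept, s in stats.items()}
        out["followup"] = sorted(followup)
        return out


def run_demo(key: bytes = b"demo-key-rotate-per-campaign") -> dict:
    """Send lures to the roster, replay a constructed event feed, report."""
    c = Campaign("2019-08-pwexpiry", key, "https://portal-login.example.test")
    sender = '"IT Helpdesk" <helpdesk@example-it.test>'  # constructed lookalike domain
    lures = [c.build_lure(e, sender, "Action required: password expiry") for e in ROSTER]
    tok = {e["id"]: make_token(key, c.id, e["id"]) for e in ROSTER}
    feed = [(tok["e001"], "click"), (tok["e001"], "submit"),  # fell for it
            (tok["e002"], "report"),                          # reported without clicking
            (tok["e003"], "click"), (tok["e003"], "report"),  # clicked, then reported
            ("deadbeefdeadbeefdead", "click")]                # scanner noise: rejected
    accepted = [c.record(t, e) for t, e in feed]
    report = c.results()
    report["lures_built"] = len(lures)
    report["rejected_events"] = accepted.count(False)
    return report
```

Calling `run_demo()` returns the per-department rates, the follow-up list (`e001` and `e003`, the two who clicked) and the count of rejected events. The campaign key should be generated fresh per campaign and kept with the campaign record; reusing it across runs would let a token from one test resolve in another.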

Done periodically and without warning, phishing tests are a highly effective tool for reducing an organization's risk of a cyber attack; they work best when results are used to target training rather than to punish individuals. Both Security Awareness Training and phishing tests are available from Advanced Network Systems as part of our Managed Security Services Program. ANS can help you add this vitally important layer of protection as part of an overall program to strengthen your security posture so it aligns with how you do business.

Ready to evaluate your organization’s real level of vulnerability? Contact Advanced Network Systems to learn more about its comprehensive security support services designed for small and mid-sized organizations.