If you sent a phishing email to your employees, how many would open it and click on a link inside?
Wombat Security Technologies conducts simulated phishing attacks — the kind designed to trick a recipient into giving away their password or installing a virus — to test employees for security awareness. According to director of marketing Amy Baker, the tool catches a lot of employees with even relatively unconvincing phishing attempts.
“That average can, for an initial phish, go from 15 percent to as high as 75 percent of an organization falling for a phishing attack,” Baker says. She adds that the highest click rate happened at a Fortune 500 company.
Social engineering attacks and identity theft are threats to all levels of a business but, unlike malicious code that can be detected by software, no firewall or antivirus will catch them when they happen. The only defense against these tactics that play on human credulity, is to educate everyone with access to a company network on how to avoid them.
IT staff usually have certification and training requirements that keep them up-to-date on threats. Training other employees is a little more complicated, but the advantages are clear.
Seth Danberry, co-founder of Grid32 Information Security, says that while attacks were once about finding a point of weakness in a network’s external defenses and hacking in, “as defenses have gotten better, we see a lot more malicious entities are trying to do what we refer to as ‘hacking out,’ where they go after an employee and try to social-engineer them by sending a spear-phishing email that’s well crafted and hard to distinguish.”
From there, says Danberry, an attacker can convince an employee to send a compromised file to coworkers or unknowingly provide additional information about the network and staff.
Even employees who don’t come into direct contact with customer data benefit from training.
“If cybercriminals can expose [anybody’s] credentials, they can get access to the information they need once they get onto the network,” says Baker. As an example, prevailing theories about the cause of the Target payment data breach suggest that attackers likely began with an infected email sent to a heating-ventilation vendor with access to Target’s network.
Business owners might not realize that theft of employees’ personal accounts can end up causing a company data breach. As Baker points out, “often home accounts and corporate accounts are connected at least through a mobile phone, because it’s getting email from both of those locations.” Plus, personal social media habits posted publicly can give phishers enough personal information to help them impersonate employees.
Employee identity theft also brings productivity losses, says Craig Kunitani, chief operating officer of Security Mentor: “Sixty hours is the average that it takes someone to remediate the headaches of compromised accounts from an identity theft. That invariably means having to contact organizations that are only open during business hours, so it actually saves the employer time when employees don’t fall for a phishing attack.”
Security instructors say that, when they come into a workplace for the first time, they often face misconceptions about data security.
“Everyone thinks that a firewall and an antivirus [program] will protect them from attack. They think that the technology that the company has put in place has kept them safe, and that no matter what they click on, something’s going to prevent the malware from being installed or someone gaining access to their computer. That is the number one myth that we bust,” says Baker.
“People often say, ‘I thought I knew about how to be secure, but I realize I didn’t, and there’s a lot to be learned,’” says Kunitani. “People think they know more than they do, I think, and that’s dangerous.
And according to Danberry, “People think that they’re using very secure passwords, and then they’re shocked. We have a specific slide that shows the top 25 most-used passwords, and we notice some people’s jaws drop as they say, ‘Wait, that’s my password right there.’”
Fortunately, say the experts, employees who learn about the risks are eager to learn how to keep their workplace secure. Baker says that some Wombat training tools automatically enroll employees in follow-up training if they fall for a simulated attack, and “more than 40 percent of employees who fell for the attack took the training the same day.”
“They don’t want to be the employee that gets caught a second time,” says Baker. She adds that customers have achieved a phishing fail rate of less than six percent after repeated testing, education and re-testing.
Outsourcing can be a smart solution for small- to mid-sized businesses with employees to train.
“I would caution against the temptation of just building your own PowerPoint slide deck,” says Kunitani. “That avenue tends to fall back on traditional methods that have been proven to be not as engaging. That material could fall out of date because you don’t have the time to update it,” and most smaller businesses lack the budget and personnel to make sure it is accurate and that it’s communicating the message to employees.
The experts touted their systems as engaging, entertaining and integrated with assessment platforms. Employers should also seek out solutions that address up-and-coming threats before they become epidemics. Baker says that’s why Wombat recently developed a “smishing” simulation tool, which sends phishing attempts by SMS text message to employee phones.
But what’s really important, adds Baker, is for employers to find a program they can roll out right away, rather than let employees remain uninformed while potential attackers seek security weaknesses.