Building Sensitivity to Security Risks
Phishing continues to be one of the biggest threats to network security, which has led to “ethical hacking” being used to protect against it.
» Phishing attacks account for more than 80 percent of reported security incidents.
» $17,700 is lost every minute due to phishing attacks.
“Fake phishing” emails are a valuable training tool. This type of simulation is common across many disciplines. For instance, a property owner will sometimes donate an old barn or house to a fire department, which then sets it ablaze (with safety protocols in place) and practices putting it out.
Simulated phishing emails provide some of the best insights into what type of emails employees are clicking on and which ones people are more prone to “falling for.”
Still, there are best practices that must be followed when setting up phishing simulation encounters with employees. The content of fake emails should not be designed to cause personal injury or damage to the individual; they are used to test the effectiveness of the company’s cybersecurity awareness training. It is important to know that your employees are alert to potential threats and that they have an opportunity to learn the potential cost of inattentiveness.
Pen Testing: Criminals do not announce their activity to potential targets, so it’s unlikely to be a good idea to tell employees when the phishing test will happen.
Depending on management’s relationship with employees, policies, legal structures, etc., the pen test could pose a risk to the employee’s job status. By their nature, test emails often try to create a sense of fear, urgency, or greed to provoke quick action, and some of these triggers may cause psychological stress for some people.
When done correctly, pen-testing using fake emails is a valuable tool for educating workers. People are often under stress in the workplace, and both criminal hackers and security trainers/testers can be creative and clever. Companies should assess their risk, train, and test appropriately.
For the target company, the primary goal of “fake phishing” is to ensure that training is effective and that the risk of phishing success is reduced.
