Heavy investment in technology and spot-on implementation of processes and procedures don’t always guarantee that companies are free from cyber risk. Despite these efforts, many companies still fall victim to basic cyber attacks, such as phishing, because they have failed to take into consideration the most critical component of any good cyber security strategy: people.
Phishing causes companies a great deal of distress. How do you know whether your employees are able to recognise scams? Introducing a phishing staff awareness course is a possible answer. But how do you assess whether the course is effective if you have never assessed your staff’s vulnerability to phishing attacks? You won’t know until you think and act like a hacker.
Put yourself in a hacker’s shoes
The only way you can test your staff’s vulnerability to phishing attacks is to act like a hacker. Whether you already have the technical skills or you hire a professional ethical hacker, if you follow the Test-Educate-Assess approach you can easily put in place a safe, effective programme to develop staff awareness and encourage security-conscious behaviour.
Step 1 – Test
Simulate a spear-phishing email attack to establish whether your staff swallow the bait and put your organisation at risk or whether they recognise the scam. Select the target audience (staff who you consider to be more vulnerable or in key positions, such as HR and finance), create a legitimate-looking email containing a masked ‘malicious link’, send the email and wait.
Step 2 – Educate
Enrol your ‘high-risk’ employees – and the rest of your staff for consistency – on a phishing staff awareness course, where they will discover how phishing attacks work, the tactics that cyber criminals employ and how to spot and avoid a phishing campaign. If you choose an e-learning course, it will be cheaper and faster than classroom training.
Step 3 – Assess
Now that your staff are up to date with the latest phishing trends and best practices, it’s time to test their comprehension of the topic by simulating another phishing attack. Compare the results from this second mock attack with the first to see how your staff’s awareness has improved.
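As an added example of the comparison in Step 3 (not code from the original article), the script below takes the outcomes of two simulated rounds, works out click and report rates per department, flags departments whose click rate did not fall after the course, and lists repeat clickers. The result records, user names and departments are constructed sample data.

```python
from collections import defaultdict

# Constructed sample outcomes from two simulated rounds (1 = before the course,
# 2 = after). Record layout: (round, user, department, outcome).
RESULTS = [
    (1, "alice", "finance", "clicked"),
    (1, "bob", "finance", "clicked"),
    (1, "carol", "hr", "ignored"),
    (1, "erin", "it", "reported"),
    (2, "alice", "finance", "reported"),
    (2, "bob", "finance", "clicked"),
    (2, "carol", "hr", "clicked"),
    (2, "erin", "it", "reported"),
]

def rates_by_department(results, round_no):
    """Return {department: (click_rate, report_rate)} for one round."""
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for rnd, _user, dept, outcome in results:
        if rnd == round_no:
            counts[dept]["n"] += 1
            if outcome in ("clicked", "reported"):
                counts[dept][outcome] += 1
    return {d: (c["clicked"] / c["n"], c["reported"] / c["n"])
            for d, c in counts.items()}

def compare_rounds(results, before=1, after=2):
    """Per department: change in click/report rate and a follow-up flag
    for departments whose click rate did not drop after training."""
    r1, r2 = rates_by_department(results, before), rates_by_department(results, after)
    report = {}
    for dept in sorted(set(r1) | set(r2)):
        c1, p1 = r1.get(dept, (0.0, 0.0))
        c2, p2 = r2.get(dept, (0.0, 0.0))
        report[dept] = {
            "click_delta": round(c2 - c1, 3),
            "report_delta": round(p2 - p1, 3),
            "needs_follow_up": c2 >= c1 and c2 > 0,
        }
    return report

def repeat_clickers(results, before=1, after=2):
    """Users who clicked in both rounds: the course did not change their behaviour."""
    clicked = defaultdict(set)
    for rnd, user, _dept, outcome in results:
        if outcome == "clicked":
            clicked[rnd].add(user)
    return sorted(clicked[before] & clicked[after])
```

A rising report rate alongside a falling click rate is the signal to look for; a department flagged for follow-up is a candidate for targeted re-training rather than a repeat of the whole course.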