If there is one fear every Chief Information Security Officer has, it’s the fear of a phishing attack. It’s a rational one because every company, every C-Suite executive and every employee is vulnerable to this type of deception.
Due to the high volume of electronic messaging in the workplace, it only takes a momentary lapse in vigilance for a phishing scam to wreak havoc. Cybercriminals can steal company or personal data, delete files and deploy ransomware with just one email or one instant message. A single successful attack almost always results in some kind of monetary damage — whether it be in time or monetary transfers. In fact, the FBI estimates that CEO email scams have cost organizations more than $2.3 billion over the last three years. But it’s not just emails. Phishing (or, more specifically, social engineering) scams come in all shapes and sizes, from direct phone calls to targeted social media campaigns. They can range in appearance too, from a CEO asking for a wire transfer to a law enforcement officer demanding personally identifiable information and more.
Phishing attacks are effective and common. They’re also difficult to defend against, given their nature. But they do follow patterns and can be detected with the right education. This is why every company should phish itself.
Regular self-imposed and interactive phishing campaigns give employers the opportunity to safely educate employees without risking the loss of valuable information and data. Say, for instance, an employee clicks on a company-provided phishing link, or shares company information through a phishing email. The company, as soon as it detects the incident, can provide the employee with additional hands-on security training on how to identify and report phishing scams.
Here’s what you should know when planning your internal phishing campaign:
Get clearance. The first step in any internal phishing training campaign is to make sure all of the relevant parties agree to it. This means executives, board of directors, IT team and your legal department. Getting approval for such an exercise should be simple. After all, a mild investment in phishing education can help prevent successful attacks and equip employees with the knowledge they need to keep company data secure.
In-house or outsource? Before you proceed, consider if you’ll want to outsource your tests. If your organization is crunched for budget, but has a capable IT team, then it may be possible to generate your own phishing exercises. There are benefits to this method, as your IT team may have a better idea of what sort of weaknesses your organization is susceptible to. The IT team may also be able to generate phishing exercises on a regular basis.