How To Phish Your Employees

Cybercrime has gone pro. Cybercriminals are bypassing your firewall, endpoint protection and other technology-based security measures by going after your users. 

Since your users are your last line of defense, you need to equip them with the know-how to defend against phishing attacks; the most common way bad actors break in.So let’s phish our own employees and then work out how to get them through effective security awareness training. But it has to be more than once per year, because anything that goes too long without practice will soon be forgotten. We need something that keeps users on their toes year-round.

But first, how are we going to phish our employees? We need to know the Phish-prone™ Percentage of our end-users.

Possible Ways to Phish Your Employees

There are a few ways you can do this:

1. Raise a temporary webserver, and “roll your own” phishing site. Then create your own phishing email that should lure the users to your fake site, using what you know about social engineering. Work out how the tracking and reporting works, and code that. Make it look acceptable. Takes a few days of work for someone who knows what they are doing. Next, send the email to all users using a mail server that allows you to spoof the “From” address. Then keep track, fend off users calling and emailing about this. Fend off your manager who is getting calls from other managers about this, despite the fact this was all announced well in advance. All this on top of my normal 60 hours per week workload? Forget that, never gonna happen.
2. Get an outside security consultant to come in and do all the above as a “mini PEN test.” Whoa Nellie, 40 hours at $250 an hour? You may not have an extra $10,000 in the budget and will never get that approved. And that’s a one-time gig? No way.
3. Semi-automated tools. OK, there are the people of Cofense and Proofpoint. They have most of this automated that could save some time, and they compete with each other. So, for 600 users how much would that be? Ask both for a quote, it might be more than you expect. And there is still a lot of manual work here. 
4. New-school security awareness training like KnowBe4. Hey, that’s us! In business since 2010 and it’s Stu Sjouwerman, he’s one of Sunbelt Software co-founders, who wrote this newsletter for system admins when he was at Sunbelt (WServerNews) for 16 years. He usually knew what he was talking about. After building an antivirus / antispyware product he decided to move into end-user training.

The Right Way to Phish Employees 

What you want to test and train on is JUST THAT ONE CLICK. Today, users need to be inoculated against social engineering. Forget about that whole fake phishing website, that’s so old hat. What you want to do is:

• Do a simulated phishing attack and get a baseline percentage of which users are Phish-prone™. (You could skip this step if company politics get in the way). But what you absolutely have to do is –
• Train them online about various vectors of social engineering for about 30 to 40 minutes,
• Send them simulated phishing attacks at least once a month.

An additional five points to consider:

1. Awareness in and of itself is only one piece of defense-in-depth, but crucial
2. You can't and shouldn't do this alone
3. You can't and shouldn't train on everything
4. People only care about things that they feel are relevant to them
5. The ongoing process is to help employees make smarter security decisions

...and what we've found to be the five best practices to embrace:

1. Have explicit goals before starting
2. Get the executive team involved
3. Decide what behaviors you want to shape - choose two or three and work on those for 12-18 months
4. Treat your program like a marketing effort
5. Phish frequently, once a month minimum

Once users understand that they will get tested on a regular basis, and that there are repercussions for repeated failures, their behavior changes, and with each email they will take a second or two and “stop, look, think” if this might be a scam email. This is the ONLY effective way to train employees against social engineering. We see a dramatic drop in Phish-prone™ Percentages with our customers, seen clearly in their KnowBe4 platform. KnowBe4 has these three steps fully automated, gives you a management console and the whole thing takes 15 minutes, set-it-and-forget-it, whether you have 50, 500 or 50,000 users.