Cybercrime has gone pro. The bad guys are bypassing your firewall, endpoint protection and other technology-based security measures by going after your users, and you have (reluctantly) come to the conclusion that your employees really are the weak link in your IT security. Augh! Is there a patch for stupid? (I didn’t really mean that.)
Welcome to the club. Now what.
Well, phishing your own employees and finding out who the culprits are is a logical course of action. Find out who they are and exterminate. OK, plan B. Let’s phish our own employees and then work out how to get them through effective Security Awareness Training. But not like the yearly Sexual Harassment Training (SHT) they do in this outfit, because they forget about that CYA exercise in a few weeks. We need something that keeps users on their toes year-round.
OK but first, how are we going to phish our employees? We need to know the Phish-prone percentage of our end-users.
There are a few ways you can do this:
Stu: “Yup, sounds very familiar. That’s actually why I started KnowBe4. Could have retired after selling Sunbelt, but fighting cybercrime is way more fun. Now, to the point. Sorry to be blunt, but testing if users will click on a link, go to a phishing site and fill out a form is so ‘last decade’. Cybercrime is moving at light speed and has gone pro in the last 5 years. Bad guys are now spear-phishing your employees, and all it takes is ONE CLICK and that workstation is infected with (possibly zero-day) malware and your network is compromised.
What you want to test and train on is JUST THAT ONE CLICK. Today, users need to be inoculated against social engineering. Forget about that whole fake phishing website, that’s so old hat. What you want to do is:
Once they understand that they will get tested on a regular basis, and that there are repercussions for repeated fails, their behavior changes, and with each email they will take a second or two and ‘stop, look, think’ if this might be a scam email. This is the ONLY effective way to train employees against social engineering. I have the statistics to prove this by the way. We see a dramatic drop in Phish-prone percentages at our customers, seen clearly in their KnowBe4 management console. KnowBe4 has these three steps fully automated, gives you a management console and the whole thing takes 15 minutes, set-it-and-forget-it, whether you have 50, 500 or 50,000 users.
I recommend you start with our free Email Exposure Check which shows you your email attack surface. Sorry, sometimes this is an unpleasant surprise, but great ammo to get budget approval.
(Updated Jan 2016)