The best way to gauge your company’s vigilance, and that of every member of your team, is to test them on occasion.
Consider this a “pop quiz” just as your teachers gave you in high school and college to discover how well you were keeping up with your reading and grasping the concepts of your subject matter. Businesses can preach time and again about being cautious – I prefer the term “vigilant” – but it takes discipline and focus to protect your company’s data and finances from nefarious schemers.
These hackers have no conscience. They just want your money and they want you to hurt. First, a couple of definitions:
- A phishing simulation is an exercise that tests your team’s ability to recognize and appropriately respond to a phishing attack.
- This simulation can take place in several forms: an AI-simulated voice or text message, or an email that tries to convince you to download some form of malware that will compromise the security of your information. This information might include usernames, passwords, or credit card information. You might even receive an email asking you to send money to someone you would normally trust.
IBM ran a phishing simulation last August and the results can be humbling. Here’s how it works:
- Send employees simulated phishing emails, texts, or voice calls that imitate actual attacks – the attempt will try to earn their trust while expressing a great sense of urgency.
- The difference between this simulation and an actual situation is that there is no adverse impact on your organization because nobody is attempting to take anything.
- The simulation reveals the vulnerabilities within your system and team, providing you with real-life teachable moments.
You may ask, “Why do I want to waste my employees’ time in such a game? What is there to prove?”
Through this exercise – which you should NOT warn your employees about – you are revealing that:
- These phishing attacks are so convincing that even your most trusted employees will occasionally fall for them.
- Phishing is more credible than you would imagine.
- The embarrassment is real – you will learn which employees fell for the ruse and you will discover whether they attempted to cover up their error.
- You will discover which employees pay attention and protect your data and money.
You should recognize that these simulations help your team members learn they can be victimized when they are not paying full attention. They will often fall for an attack that gives them the impression they are communicating with a believable source.
Worst of all, they will discover that Artificial Intelligence (AI) is creating even more sophisticated attacks than they have previously encountered.
The two most critical elements of such a simulation are monitoring and analyzing the results. Once the deceptive emails or texts are sent, team leaders can track and record how their employees interact with the simulated messages.
According to the IBM study, these leaders monitored which links drove the most engagement and led employees to provide sensitive information.
Following the phishing simulation, leaders then analyze such trends as click rates and the vulnerability of security systems. They follow up with their employees to demonstrate what made certain statements most credible and tempting, and they help the employees discover how to recognize the triggering keywords and links and how to avoid responding.
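The tracking and analysis step described above can be done with a short script. This is an added example, not taken from the article or the IBM study; the event format, link names, and employee names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events from one simulated campaign: (employee, link_id, action).
# Actions: "sent" = lure delivered, "clicked" = link opened, "submitted" = data entered.
EVENTS = [
    ("ana", "invoice-overdue", "sent"),
    ("ana", "invoice-overdue", "clicked"),
    ("ana", "invoice-overdue", "clicked"),   # repeat click, counted once
    ("ana", "invoice-overdue", "submitted"),
    ("ben", "invoice-overdue", "sent"),
    ("ben", "invoice-overdue", "clicked"),
    ("cho", "invoice-overdue", "sent"),
    ("dev", "invoice-overdue", "sent"),
    ("ana", "password-reset", "sent"),
    ("ben", "password-reset", "sent"),
    ("cho", "password-reset", "sent"),
    ("cho", "password-reset", "clicked"),
    ("dev", "password-reset", "sent"),
]

def summarize(events):
    """Return per-link counts, click/submit rates and the people to follow up with."""
    seen = defaultdict(lambda: defaultdict(set))  # link -> action -> employees
    for employee, link, action in events:
        seen[link][action].add(employee)
    report = {}
    for link, by_action in seen.items():
        sent = by_action["sent"]
        # Count only people who were sent the lure; a submission implies a click.
        submitted = by_action["submitted"] & sent
        clicked = (by_action["clicked"] | submitted) & sent
        n = len(sent)
        report[link] = {
            "sent": n, "clicked": len(clicked), "submitted": len(submitted),
            "click_rate": len(clicked) / n if n else 0.0,
            "submit_rate": len(submitted) / n if n else 0.0,
            "follow_up": sorted(clicked),
        }
    return report

def rank_by_click_rate(report):
    """Links ordered from most to least engaging."""
    return sorted(report, key=lambda link: report[link]["click_rate"], reverse=True)

if __name__ == "__main__":
    report = summarize(EVENTS)
    for link in rank_by_click_rate(report):
        r = report[link]
        print(f"{link}: click {r['click_rate']:.0%}, submit {r['submit_rate']:.0%}, "
              f"follow up with {', '.join(r['follow_up'])}")
```

Counting each employee once per link keeps a single person who clicks repeatedly from inflating the click rate.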
Trust but verify: This mantra helps businesses become more cautious and suspicious, which helps create a safer and more secure atmosphere to protect your company’s data, finances, and confidential information such as customer credit card numbers and other secure information.
Phishing simulations may cause some disruption within the company until leaders teach their employees that caution is essential because carelessness can compromise the future of the company and every employee.
Entire life savings can be lost. Jobs can be lost. Companies can go out of business. This is serious.
To learn more: I invite you to join us for a Small Business Cybersecurity Training Lunch & Learn on Wednesday, May 8, at Del Frisco’s in Dallas. FBI Special Agent Sheraun Howard will give insights on surprising tricks that fraudsters are using and how to protect your company’s finances, data, and confidential information. Registrations are being accepted online.
Michael Moore is founder and CEO of M3 Networks, an IT Support and Cybersecurity firm located in Southlake with a nationwide presence. He has well over 20 years of experience in the IT and cybersecurity field and has been an in-demand speaker as a subject matter expert on cybersecurity and HYPER business growth utilizing technology as rocket fuel. He has co-authored “Cyber Storm,” a book featuring cybersecurity experts from around the world.