As cyber crime increases, should you be using simulated phishing techniques within your own staff pool to identify weak security links? Matt Rhodes, commercial services manager at Quiss Technology, explains how the company runs this kind of test inside client organisations.
The recent spate of ransomware attacks that hit major organisations across the world has again focused attention on the dangers of cyber crime, and phishing attacks in particular. Phishing is the precursor to more than 90% of hacking attacks and involves targeting individual employees within an organisation. The criminals try many attacks, knowing they only have to succeed once to gain access to secure systems and infect them with ransomware or steal valuable data. So are you and your staff prepared?
Matt Rhodes, commercial services manager at Quiss Technology, believes “security training should be part of every organisation’s induction process for every new employee, with emphasis on the dangers of phishing attacks, typically conducted via email.
“Criminals are developing ever more sophisticated attacks and they remain an effective method to steal sensitive information or hold organisations to ransom, as has recently been the case. To increase the success of attacks, criminals use personally addressed emails, which often contain personal information to try to engender trust. Therefore, everyone throughout an organisation should undertake regular refresher sessions, with regular updates on what to look out for and what to do with suspect emails.
“Unfortunately, social media channels, search engines and even a target organisation’s website will often contain all the information needed to allow criminals to create emails that look to have come from someone known to the recipient.
“Phishing emails typically contain requests for account details to be confirmed, orders to be checked, etc., which usually require the recipient to open an attachment or click a link. This link will connect to a genuine-looking website, which will be fake. Some who arrive at the sites will be fooled and will confirm IT system log-in details, account passwords etc., without realising the site is part of the attack.”
Rhodes adds: “The appeal of phishing is obvious. There is only a low risk of capture for the criminals, whilst the potential returns can be significant. Unfortunately, the figures confirm the success, with 10% of those targeted falling victim to a phishing attack and 11% of those victims clicking on toxic attachments or links.
“Explaining the dangers and showing what to look out for, with regular security training will cut the risk, but there is always someone who ignores the warnings and becomes complacent. The people likely to make a mistake pose a real threat to security - but who are they?”
To help you find out where your weak links may be, companies like Quiss can conduct simulated attacks on your organisation to discover how employees react. Credible emails, which appear to come from contacts familiar to employees and replicate real phishing emails, are created and targeted at staff.
Copying recent attack methods, everyone within an organisation can be targeted at different times with emails unique to each recipient, containing links or toxic attachments, so that every click or opened attachment can be traced back to the individual concerned. Recipients are unaware they are being tested.
“How each individual responds to the ‘fake’ phishing email is recorded, along with their actions. Reports show if they opened any attachment, clicked a link, etc., or if they notified their manager about the suspected attack,” explains Rhodes. “Those that respond inappropriately will be informed that they have been caught by a phishing attack, reminded of the dangers and warned to be more vigilant.
“The service is designed to engage everyone in the security process and help identify areas for improvement. Organisations can then concentrate training on the people that need more support.
“Experience dictates a failure rate of around 33% at the start of the campaign, but after more training it will reduce to around 5%. Unfortunately, because we are dealing with humans, the failure rate is unlikely to ever be 0% - a fact that should focus everyone’s mind on security.
“The threat posed by just one employee opening the wrong email is huge and it is imperative organisations regularly test their defences and improve their approach to security. It’s critical to find the weak points by phishing employees and developing coping strategies, before the real criminals turn up.”
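The mechanics described above (one unique lure per employee, staggered delivery, a record of who clicked, who submitted credentials and who reported the email, and a campaign failure rate) can be implemented in a few dozen lines. The following is an added example written for this page; it is not Quiss's code or any product's API. The campaign secret, the lure domain `login-portal.example.invalid`, the log line format, the recipient list and the link-scanner user-agent signatures are all assumptions. It goes slightly beyond the text in two places a practitioner has to deal with: hits from a mail gateway that pre-fetches every URL must not be counted as an employee click, and a token that does not belong to any recipient (forged, mistyped or guessed) must not be attributed to anyone.

```python
"""Track and score a simulated phishing campaign (added example, not vendor code)."""
import hashlib
import hmac
import re
from datetime import datetime, timedelta

# Assumed per-campaign secret. Generate it randomly per campaign and keep it out of the mail template.
CAMPAIGN_SECRET = b"replace-with-a-random-32-byte-secret"
LANDING_HOST = "https://login-portal.example.invalid"  # hypothetical lure domain

# Constructed recipient list for the example.
RECIPIENTS = ["alice@example.invalid", "bob@example.invalid",
              "carol@example.invalid", "dave@example.invalid"]


def make_token(campaign_id: str, email: str) -> str:
    """Per-recipient token: HMAC of campaign id and address, so one employee cannot
    derive a colleague's link and the server can tell a real token from a guessed one."""
    msg = f"{campaign_id}:{email}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:20]


def build_campaign(campaign_id: str, emails: list, start: datetime, spread: timedelta) -> dict:
    """One unique link per employee; send times are staggered across `spread` so the
    lure does not land in every inbox at once and get discussed across the office."""
    plan = {}
    step = spread / max(len(emails), 1)
    for i, email in enumerate(emails):
        tok = make_token(campaign_id, email)
        plan[tok] = {"email": email,
                     "url": f"{LANDING_HOST}/account/confirm?t={tok}",
                     "send_at": start + i * step}
    return plan


# Assumed log format: "<iso-timestamp> <GET|POST|REPORT> <path-or-query with t=token> [ua="..."]".
# GET = landing page opened, POST = credentials typed in, REPORT = "report phishing" button used.
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<event>GET|POST|REPORT) \S*?t=(?P<tok>[0-9a-f]{20})'
                    r'(?: ua="(?P<ua>[^"]*)")?$')
# Assumed signatures of mail-gateway link scanners; tune to what your own gateway sends.
SCANNER_UA = re.compile(r"scanner|safelinks|urldefense|bot", re.I)


def score_campaign(plan: dict, log_lines: list):
    """Attribute each log event to a recipient. Returns (per-recipient outcome, ignored event count)."""
    outcome = {p["email"]: {"clicked": False, "submitted": False, "reported": False}
               for p in plan.values()}
    ignored = 0
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated request, not part of the campaign
        entry = plan.get(m["tok"])
        if entry is None:
            ignored += 1  # token belongs to nobody: forged, mistyped or guessed
            continue
        if m["event"] in ("GET", "POST") and SCANNER_UA.search(m["ua"] or ""):
            ignored += 1  # the gateway pre-fetching the URL is not a human click
            continue
        rec = outcome[entry["email"]]
        if m["event"] == "GET":
            rec["clicked"] = True
        elif m["event"] == "POST":
            rec["clicked"] = rec["submitted"] = True
        else:
            rec["reported"] = True
    return outcome, ignored


def failure_rate(outcome: dict) -> float:
    """Share of recipients who clicked or submitted; reporting after clicking still counts as a click."""
    failed = sum(1 for r in outcome.values() if r["clicked"] or r["submitted"])
    return failed / len(outcome) if outcome else 0.0


def sample_log(plan: dict) -> list:
    """Constructed log lines (not real traffic) in the assumed format above."""
    tok = {v["email"]: k for k, v in plan.items()}
    a, b, d = tok["alice@example.invalid"], tok["bob@example.invalid"], tok["dave@example.invalid"]
    return [
        f'2024-03-04T09:02:11Z GET /account/confirm?t={a} ua="LinkScanner/2.1"',   # gateway pre-fetch
        f'2024-03-04T09:12:03Z GET /account/confirm?t={a} ua="Mozilla/5.0"',       # alice clicked...
        f'2024-03-04T09:12:40Z POST /account/confirm?t={a} ua="Mozilla/5.0"',      # ...and typed a password
        f'2024-03-04T09:30:00Z REPORT t={b}',                                      # bob reported, no click
        f'2024-03-04T09:41:00Z GET /account/confirm?t={d} ua="Mozilla/5.0"',       # dave clicked...
        f'2024-03-04T09:43:00Z REPORT t={d}',                                      # ...then reported it
        '2024-03-04T09:50:00Z GET /account/confirm?t=0000000000000000dead ua="Mozilla/5.0"',  # forged token
        '2024-03-04T09:51:00Z GET /robots.txt ua="curl/8.0"',                      # unrelated hit
    ]


if __name__ == "__main__":
    plan = build_campaign("q1-2024", RECIPIENTS, datetime(2024, 3, 4, 8, 0), timedelta(hours=2))
    outcome, ignored = score_campaign(plan, sample_log(plan))
    for email, rec in outcome.items():
        print(email, rec)
    print(f"ignored events: {ignored}, failure rate: {failure_rate(outcome):.0%}")
```

Carol never touches the email and Bob reports it, so the constructed campaign scores a 50% failure rate (Alice and Dave), with the scanner pre-fetch and the forged token excluded rather than blamed on anyone. Dave's report after clicking is worth keeping visible in the report: it is still a failure for the rate, but it is also exactly the reporting behaviour the follow-up training is meant to produce.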