You are already focusing on security: you probably have spam filters, a firewall, antivirus software and password policies in place. But today those controls alone do not go far enough.
Attackers use social engineering to get past them by going through your employees, who are your last line of defense. Social engineering is the art of manipulating, influencing or deceiving a person in order to gain control of their computer system; phishing is the most common example.
Phishing schemes remain one of the most serious threats to companies. According to the FBI, companies lost $676 million in 2017 to business email compromise (BEC) campaigns, attacks designed to trick company executives or accounting departments into sending money to fake vendors. One of the biggest recent schemes cost Google and Facebook a combined $100 million when an attacker impersonated a computer-parts vendor in an email phishing scheme.
To make matters worse, it is not just email. Attackers now reach your employees through social networking sites, text messages, voice calls over voice-over-IP (VoIP), and file-sharing platforms such as Dropbox and Google Docs. That is all the more reason for the growing focus on training and testing employees against social engineering and phishing, with the goal of continually reducing this risk.
Research from our security awareness training partner KnowBe4 shows the following phish-prone percentages (the share of employees who fall for a simulated phishing email):
- 27% before starting an awareness training and testing program
- 13% after 90 days of combined computer-based training and simulated phishing security testing
- 2.17% after one year of combined computer-based training and simulated phishing security testing
Because of this risk, more and more of our clients have engaged us to help reduce the percentage of their employees who are phish prone. The approach we suggest is multi-layered:
- Ensuring your technical controls are in place, including spam filters, a firewall, password policies and antivirus software to protect against malware
- Training and engaging users to keep social engineering top of mind
- Phishing your own staff with simulated campaigns to find out who is susceptible
- Analyzing the results to see who is susceptible and how susceptibility differs between teams, seniority levels, geographies and so on
- Running an ongoing training program and measuring results over time
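To make the "analyze" and "measure over time" steps concrete, here is an added example, not code from the original post or from KnowBe4, that computes a phish-prone percentage from a simulated-phishing export, breaks it down by team, level and region, tracks it per campaign, and lists users who fell for more than one campaign. The row layout, the action names and the definition of "phish prone" as clicked-or-submitted-credentials are assumptions for this example; the sample rows are constructed, not real results.

```python
"""Analyze simulated-phishing results by group and over time.

Added example (not the blog's or KnowBe4's code). Assumes each row of the
export records one user's behaviour in one campaign; the field names and
action values below are assumptions, and SAMPLE is constructed data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Result:
    user: str
    team: str
    level: str
    region: str
    campaign: date
    action: str  # assumed values: "ignored", "reported", "clicked", "submitted"


# Assumption: a user counts as phish prone when they clicked the lure or went
# further and submitted credentials; merely opening the mail does not count.
PHISH_PRONE = {"clicked", "submitted"}


def _r(user, team, level, region, day, action):
    return Result(user, team, level, region, date.fromisoformat(day), action)


# Constructed sample export from two simulated campaigns (not real data).
SAMPLE = [
    _r("alice", "finance", "staff", "US", "2019-01-15", "clicked"),
    _r("bob", "finance", "manager", "US", "2019-01-15", "submitted"),
    _r("carol", "engineering", "staff", "EU", "2019-01-15", "ignored"),
    _r("dave", "engineering", "staff", "EU", "2019-01-15", "reported"),
    _r("erin", "sales", "staff", "US", "2019-01-15", "clicked"),
    _r("frank", "sales", "exec", "APAC", "2019-01-15", "ignored"),
    _r("alice", "finance", "staff", "US", "2019-04-15", "reported"),
    _r("bob", "finance", "manager", "US", "2019-04-15", "clicked"),
    _r("carol", "engineering", "staff", "EU", "2019-04-15", "ignored"),
    _r("dave", "engineering", "staff", "EU", "2019-04-15", "reported"),
    _r("erin", "sales", "staff", "US", "2019-04-15", "ignored"),
    _r("frank", "sales", "exec", "APAC", "2019-04-15", "clicked"),
]


def phish_prone_pct(rows):
    """Percentage of rows where the user clicked or submitted, rounded to 0.1."""
    rows = list(rows)
    if not rows:
        return 0.0
    hits = sum(1 for r in rows if r.action in PHISH_PRONE)
    return round(100.0 * hits / len(rows), 1)


def report_pct(rows):
    """Percentage of rows where the user reported the phish (the good outcome)."""
    rows = list(rows)
    if not rows:
        return 0.0
    return round(100.0 * sum(1 for r in rows if r.action == "reported") / len(rows), 1)


def breakdown(rows, field):
    """Phish-prone percentage per value of a Result field (team, level, region)."""
    groups = defaultdict(list)
    for r in rows:
        groups[getattr(r, field)].append(r)
    return {key: phish_prone_pct(g) for key, g in sorted(groups.items())}


def trend(rows):
    """Phish-prone percentage per campaign, oldest first, as (ISO date, pct)."""
    groups = defaultdict(list)
    for r in rows:
        groups[r.campaign].append(r)
    return [(d.isoformat(), phish_prone_pct(g)) for d, g in sorted(groups.items())]


def repeat_offenders(rows, min_campaigns=2):
    """Users who were phish prone in at least min_campaigns distinct campaigns."""
    hits = defaultdict(set)
    for r in rows:
        if r.action in PHISH_PRONE:
            hits[r.user].add(r.campaign)
    return sorted(u for u, camps in hits.items() if len(camps) >= min_campaigns)


if __name__ == "__main__":
    print("overall phish prone:", phish_prone_pct(SAMPLE), "% reported:", report_pct(SAMPLE))
    for field in ("team", "level", "region"):
        print(field, breakdown(SAMPLE, field))
    print("trend:", trend(SAMPLE))
    print("repeat offenders:", repeat_offenders(SAMPLE))
```

Tracking the report rate alongside the phish-prone rate matters: a falling click rate with a flat report rate usually means people have learned to ignore the test emails, not to raise the alarm, and the repeat-offender list is what tells you which users need targeted follow-up rather than another generic course.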
By training, testing and measuring your employees against the latest phishing and other social engineering tactics, you close the gap that technical controls alone leave open. The ultimate goal: decrease the percentage of your employees who are putting your company's finances or intellectual property at risk.
Dan Grady