High-profile security breaches are now a common occurrence, and many companies are taking action to make sure their employees don't unintentionally expose the company to an attack.
With phishing emails increasingly serving as the entry point for hackers, all it takes is one click on a fake link for an Amazon gift card to unleash malware into the company network, steal passwords and login information, or hand other access to cyberthieves.
Who Falls for the Fake Emails?
To combat this risk, companies like Twitter Inc. are taking an unconventional path to educate employees about vulnerabilities within the company. It may come as a surprise to some that the greatest vulnerability within the company is the employees themselves.
A study by the Online Trust Alliance recently found that of the more than 1,000 breaches in the first half of 2014, 90% were preventable. More than 1 in 4 were caused by employees, often by accident.
Twitter Inc. and a rising number of companies are sending employees fake phishing emails to raise awareness and strengthen company security.
During a recent town hall meeting in NYC, Josh Aberant, postmaster at Twitter said, “New employees fall for it all the time.” This fake internal “test” provides employees with a teachable moment to ensure that, when faced with a real threat, they will proceed with caution rather than falling victim to the next phishing email they receive.
What Would this Test Look Like?
Twitter isn't the only company jumping on this unorthodox bandwagon. Wombat Security sent its employees an email with the subject line "Email Account Security Report – Unusual Activity."
The employee receives an official-looking email stating that their account may be locked due to unusual activity, such as sending a large number of undeliverable messages. Toward the bottom of the email is a link that, in a real phishing email, would infect the recipient's computer with malware.
When the link is clicked, a web page pops up stating, “The email you just responded to was a fake phishing email. Don’t worry! It was sent to you to help you learn how to avoid real attacks. Please do not share your experience with colleagues, so they can learn too.” The email then offered employees tips on recognizing suspicious messages in the future.
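As an added illustration, not part of the article and not Wombat's or Twitter's own tooling, the following Python script applies the kind of tips such a training page hands out to a constructed message modelled on the lure described above: does the Reply-To match the sender, does the message lean on account-lockout pressure language, and does the visible link text agree with where the link actually points. The trusted-domain list, the phrase list and every domain name in the samples are assumptions made for this example.

```python
"""Heuristic phishing-indicator checks on a constructed sample message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organization's own mail domains; anything else counts as external.
TRUSTED_DOMAINS = {"example-corp.com"}

# Pressure language that account-lockout lures typically lean on (assumed list).
URGENCY_PHRASES = ("unusual activity", "account may be locked",
                   "verify your account", "immediately")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(value):
    """Lowercased host part of a URL, bare domain, or e-mail address."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def is_trusted(domain):
    return any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def analyze(raw_message):
    """Return {'findings': [...], 'verdict': 'ok' | 'review' | 'suspicious'}."""
    msg = message_from_string(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    if not is_trusted(from_dom):
        findings.append(f"sender domain {from_dom} is external")
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_dom}")

    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    findings += [f"urgency phrase: '{p}'" for p in URGENCY_PHRASES if p in text]

    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        href_dom = domain_of(href)
        if not is_trusted(href_dom):
            findings.append(f"link points to untrusted domain {href_dom}")
        # Visible text that looks like a URL must agree with the real target.
        if re.match(r"(https?://|www\.)", shown, re.I) and domain_of(shown) != href_dom:
            findings.append(f"link text shows {domain_of(shown)} but points to {href_dom}")

    verdict = "suspicious" if len(findings) >= 2 else "review" if findings else "ok"
    return {"findings": findings, "verdict": verdict}


# Constructed sample modelled on the lure described in the article (not a real message).
LURE = """\
From: Mail Security <it-support@example-corp.com>
Reply-To: helpdesk@mail-security-report.example
Subject: Email Account Security Report - Unusual Activity
Content-Type: text/html

<p>Your account may be locked due to unusual activity: a large number of
undeliverable messages were sent from your mailbox.</p>
<p>Review the report: <a href="http://example-corp.com.security-report.example/login">https://mail.example-corp.com/security</a></p>
"""

# Constructed benign internal message for comparison.
BENIGN = """\
From: HR <hr@example-corp.com>
Subject: Q3 benefits enrollment opens next week
Content-Type: text/html

<p>Enrollment details are on the <a href="https://intranet.example-corp.com/benefits">benefits page</a>.</p>
"""

if __name__ == "__main__":
    for name, sample in (("lure", LURE), ("benign", BENIGN)):
        print(name, analyze(sample))
```

Run against the lure, the checker reports five findings (mismatched Reply-To, two urgency phrases, an untrusted link target, and link text that shows one host while pointing at another) and flags the message as suspicious; the benign internal notice produces none. The same checks are the ones a training page asks employees to perform by eye: hover over the link, compare the domains, and treat "your account will be locked" wording as a cue to slow down.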
Do these Employee Tests Actually Work?
Nashville-based Pinnacle Financial Partners has sent its employees fake phishing emails about once a quarter. Since the start of the Wombat program, the 800-employee company has seen a 25% drop in successful phishing attempts.
They reported: "Workers take it very personally when they fall for it. They become apologetic and wonder, 'how did I miss it'?"
Any Hope for the Future?
To combat this widespread threat on a greater scale, large internet-based companies like Facebook Inc., Microsoft Corp. and Google Inc. support a standard that would make it impossible for scammers to impersonate the sources of your personal data (bank, social network or other business-related details) in an email. The standard would work like a verification system for email, but at this point that solution is still a long way off.