Phishing employees

Phishing Employees consists of sending simulated phishing attacks to all members or selected groups of an organization, with the goal of establishing the percentage of employees that will click on phishing links. Once that percentage is established, a Security Awareness Program can be deployed with the express goal of getting the percentage of phish-prone employees as low as possible, ideally to zero. Phishing employees is usually done by the IT group of that same organization, or by its Security Team. Sometimes the project is done by third parties under contract to the organization.
Phishing employees is a tactic that is becoming popular at the time of this writing (Early 2012), as cyber criminals are increasingly deploying sophisticated spear-phishing attacks that are very difficult to defend against. Employees turn out to be the weakest link in IT security, and cyber crime is exploiting this vulnerability to the fullest.
Organizations that need to comply with Government or Industry regulations (e.g. GLBA, PCI DSS, HIPAA, Sarbanes-Oxley) are normally required to provide formal Security Awareness Training for all employees, usually once or twice a year. However, as is well known, Compliance and Security are not the same thing. Many of the companies that were hacked in the last two years were compliant and did pass an audit. Similarly, a once-a-year phishing refresher course (similar to Sexual Harassment Training) is insufficient when employees are frequently exposed to sophisticated phishing attacks.
Many Small and Medium Enterprises (SMEs) are not required by regulation to provide formal Security Awareness Training, but still train their employees to prevent phishing security breaches, and find that phishing their own employees with simulated attacks is a very effective tactic to keep security top of mind, and the employees on their toes regarding email security.
There are four ways to phish your own employees, depending on your Buy / Build determination.
*Build your own from the bottom up. Recommended for large organizations with a dedicated security team, who can spend the time to build and maintain such a setup. In summary: Raise a temporary webserver, and ‘roll your own’ phishing site. Then create your own phishing email that should lure your users to your fake site, using what you know about Social Engineering. Work out how the tracking and reporting works, and code that. Next, send the email to all users using a mail server that allows you to spoof the 'From:' address. Then keep track, and report to the relevant managers. If you know what you are doing, this is a few days' work. There is some help from the open source arena, though: the Simple Phishing Toolkit (link below) makes this option easier to get done. Brian Krebs has a good article about it: Link to Krebs Blog
*Engage an outside security consultant to come in and do all the above as part of a ‘mini PEN test’. From a cost perspective you are looking at roughly 40 hours at an average rate for security consultants at $250 an hour. If you can get the budget for that, this is an attractive option, but remember this is a one-shot project.
*There are companies that sell automated solutions to phish your employees. Two of the best known are Phishme and Wombat Security. Both started around 7 years ago, and are set up to have users fill out forms on simulated phishing sites. This makes the project easier and saves time. There is a cost involved; however, you work with professionals and get support, which is a plus. Both companies have minimum fees that might be out of your budget. Contact them at the external links below.
*Work with a third party company that has the process fully automated: 1) Initial phishing test to determine phish-prone percentages, 2) online on-demand Security Awareness Training, 3) Regular simulated employee phishing attacks with remediation and reporting. KnowBe4 is an example of a company that does this. External link below.
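The tracking and reporting step of the build-your-own option, as an added example that is not from this page or from any of the vendors named above: it reads a constructed per-recipient campaign log (the CSV columns and sample rows are assumptions) and computes the phish-prone percentage per campaign and per group, the trend across campaigns, and the repeat clickers a supervisor would follow up with. Empty groups or unknown campaigns report 0% rather than dividing by zero.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample tracking log for two simulated campaigns (not real data).
# One row per recipient per campaign; flags are 1/0.
SAMPLE_LOG = """\
campaign,user,group,clicked,reported
2012-01,alice,finance,1,0
2012-01,bob,finance,0,1
2012-01,carol,sales,1,0
2012-01,dave,sales,0,0
2012-02,alice,finance,0,1
2012-02,bob,finance,0,1
2012-02,carol,sales,1,0
2012-02,dave,sales,0,0
"""

def parse_log(text):
    """Parse the CSV tracking log into a list of dicts with boolean flags."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({"campaign": row["campaign"], "user": row["user"],
                     "group": row["group"], "clicked": row["clicked"] == "1",
                     "reported": row["reported"] == "1"})
    return rows

def phish_prone(rows, campaign, group=None):
    """Percentage of recipients who clicked in one campaign, optionally per group."""
    sent = [r for r in rows
            if r["campaign"] == campaign and (group is None or r["group"] == group)]
    if not sent:
        return 0.0  # nobody was sent this campaign: report 0% instead of dividing by zero
    clicked = sum(1 for r in sent if r["clicked"])
    return round(100.0 * clicked / len(sent), 1)

def trend(rows):
    """Overall phish-prone percentage per campaign, in campaign order."""
    return {c: phish_prone(rows, c) for c in sorted({r["campaign"] for r in rows})}

def repeat_clickers(rows):
    """Users who clicked in more than one campaign: candidates for supervisor follow-up."""
    counts = defaultdict(int)
    for r in rows:
        if r["clicked"]:
            counts[r["user"]] += 1
    return sorted(u for u, n in counts.items() if n > 1)
```

The per-group figures go to the relevant managers; the repeat-clicker list is for private follow-up, not for publication.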
The goal of regularly phishing employees is to achieve an immediate and lasting change in the behavior of employees towards Internet Security, making it clear that Security Policies / Acceptable Use Policies are vital for the survival of the organization, and not rules that restrict the employee from being efficient at work. The identity of an employee who fails a simulated phishing attack should not be made public; it should be taken up with them by their supervisor and/or Human Resources.