No company wants to become the next Sony or Target. Hacks affecting high-profile companies have caused major headlines and businesses have become increasingly wary. Data shows phishing emails are often the entry points for hackers. Employees who click on links in scam emails could potentially unleash malware or provide access to fraudsters.
Canada ranks second worldwide for hosted phishing sites, ahead of Egypt and Russia. In past years, companies’ tech gurus handled cyber issues. Now high-level management is involved. While intruders used to be pranksters, they now may be criminal organizations or nations.
Cyber scams are increasingly sophisticated and difficult to detect. Many security breaches are the result of human error. For example, 90% of the more than 1,000 breaches in the first half of 2014 were preventable, according to a study by Online Trust Alliance. Employees accidentally caused more than 1 in 4 of the breaches. Verizon’s data breach investigations report found 18% of users visit links in phishing emails that could compromise their data. Instead of blaming the user as inept or gullible, businesses need to take measures to better train workers.
Meetings & Memos Aren’t Enough
Reminders to change passwords and talking about cyber security might not be enough. More and more companies, such as Twitter, are opting for hands-on, practical approaches by giving their employees pop quizzes. They test how computer-savvy their employees are by sending spoof emails to see who bites. “New employees fall for it all the time,” said Josh Aberant of Twitter.
Falling for the spoof scam email provides a risk-free teachable moment. It could ensure that when a genuine phishing email hits an employee’s inbox, he or she won’t fall victim to a real threat. It could save a company from financial losses, angry customers, and embarrassing headlines.
Failing the Test
What happens if employees don’t pass the test? When an employee clicks on a fake phishing email, a web page may pop up. It may say: “Oops! The email you responded to was a fake phishing email. Don’t worry! It was sent to you to help you learn how to avoid real attacks. Please do not share your experience with colleagues, so they can learn too.”
Pinnacle Financial Partners in Nashville, Tennessee employs 800 people. Once every few months, Pinnacle’s employees receive fake phishing emails. The results are reported to the company’s audit committee and board of directors. Since the company started the program, it has seen a 25% drop in successful phishing attempts. Workers “take it very personally” when they fall for it, says Randy Withrow, the company’s chief information officer. “They become apologetic and wonder, ‘How did I miss it?’”
The Long-Term Solution
Phishing training emails are a “good cautionary measure,” says Patrick Peterson, CEO of the email security company Agari. “But they aren’t actually going to strike at the core of the issue.” Peterson and internet companies such as Google and Microsoft support establishing new standards. Standards such as an email verification system could lead to the death of email scams by making it impossible for scammers to impersonate your bank, social network, or business. Until then, education is the key.