Most of us would like to think we are cyber aware and know better than to respond to a phishing email from our bank, asking us for account details, passwords and other personal details. But what happens in your organisation if the email and links appear to come from a trusted sender, or a known person in authority?
Think Your Company is Safe?
- In 2016, the total number of phishing attacks was 1,220,523, a 65% increase over 2015 (Anti-Phishing Working Group report). [http://www.antiphishing.org/resources/apwg-reports/]
- As many as 30% of phishing emails still get opened (Verizon's 2016 Data Breach Investigations Report). [http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/]
Dangers of Spear Phishing and the “Colonel Effect”
Dr. Aaron Ferguson, Technical Director of the Cyber and Information Analytics Office at the National Security Agency (NSA), calls it the "Colonel effect". Ferguson sent an email that appeared to come from a Col. Robert Melville of West Point to 500 cadets, asking them to click a link to verify their grades. Alarmingly, over 80% of recipients clicked the link in the message.
In this instance, recipients received a notice that they'd been tricked and a warning that their behaviour could have resulted in downloads of spyware, malware, or even ransomware. Imagine the impact for your company.
Even tech companies are not immune.
In 2016, Snapchat’s payroll department handed over confidential employee information to a scammer impersonating the CEO. Executives are just as likely to be targeted as employees, so awareness of the risks must start from the top down.
Is Your Organisation Phish Prone?
Without proper awareness and education, no organisation is safe. What you need to decide is how best to deliver phishing awareness and how to test your employees' readiness over time, at a minimum once a month.
Employees throughout the organisation need to know what the expected response is to requests for sensitive data or actions that don't make sense. For example:
- Question email requests for confidential data, whoever the apparent source is.
- Require verification of any email request and alert key people if the request appears at all suspicious.
We can deliver specialist phishing awareness training to reduce risky employee behaviour, backed by "real time" security reports and phishing tests. Wouldn't it be great to show your executives how effective an awareness programme can be, as illustrated below?