Did you know that 90% of security failures in businesses are caused by a “phishing” email?
Employee Information Security Training
In the days before security awareness training and employee phishing simulation, there were few resources available to help you prevent embarrassing and damaging security breaches against your business.
In May of 2000, shortly after the fear of Y2K had subsided, a young man in Manila created a pesky virus that would use what we now call ‘social engineering’ to wreak havoc on business and personal computers around the world.
Using the text “ILOVEYOU” in the subject line and spoofing the “from” field so that the virus appeared to be a message from a known sender, the hacker was able to infect “fifty million computers, and reached an estimated 10% of the internet-connected computers in the world… To protect themselves, The Pentagon, CIA, the British Parliament and most large corporations decided to completely shut down their mail systems… and was one of the world’s most dangerous computer related disasters of all time.” The virus became known as the “love bug.”
Embarrassment and the Real Cost of the Love Bug Virus
In my company, ground zero +1 for the virus was a married manager who opened the email sent by a lower level female assistant. The whisper around the office was, “Why did ‘Jack’ open an email with the subject line “ILOVEYOU” from his assistant ‘Jill’?” A question I am certain he would have preferred not to be required to answer.
The “love bug” was a costly virus not only because it spread so rapidly, but because once any employee unknowingly executed it, it began destroying files by overwriting them with unusable copies.
These human errors happen in spite of the best efforts from IT departments and HR explaining (usually via email) the issue and offering tips to help users make fewer mistakes. Today we have the following problem:
- Companies have more confidential, compromising, and sensitive electronic data than ever before
- Hackers are more sophisticated and motivated than ever before
- Employees (and all end-users) need to be smarter than ever before
So, how do you actually prevent an employee from opening that email that says “ILOVEYOU” from the attractive co-worker in the office next door? Or ensure employees don’t respond to an email from the boss that says “I need that password right away!”?
You have to train them.
Training Employees with Online Courses
ELC and other companies like us provide online internet security awareness training for business that allows companies to train and test their employee workforce. These courses cover a variety of internet security topics such as social engineering, password security, phishing, and even social media concerns. You can see a list of the information security training topics we provide on our site.
The training is done online, using a learning management system (LMS) – an increasingly common asset for enterprise companies. Alternatively, some training companies host their courses on their own LMS, typically accessed through an online portal.
Hosting with a service provider can be costly, but certainly less expensive than maintaining a system internally if security training would be your only use for the system. If you do have an LMS internally and prefer to keep all training within the system, be sure the security awareness company you choose offers the option to export their courses for use on another LMS. You will just need to know the file type required by your system and confirm with the provider that they can export in that format.
These classes are helpful in training employees to protect company information. But because email phishing is such a persistent threat, some companies opt to go one step further and train their team with employee phishing simulation.
Training Employees with Phishing Simulation
So, what exactly is employee phishing simulation, and how does it help you train your employees?
It’s pretty much what it sounds like. A company hires a service to send out an email just like one a nefarious phisher would send. The service then sends your company (IT or HR) feedback on which emails were clicked (urgent shipping notification, internal email, email from a bank), when they were clicked (was the employee at home? was it late?), and who clicked them (are there particular offenders who fall for multiple attacks?).
The company can then take appropriate action to train employees who put them most at risk.
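To make the three kinds of feedback above concrete, here is an added example (not ELC’s reporting code, and not from the original post) that runs over a constructed campaign event log and answers the same three questions: which template was clicked most, which clicks happened outside working hours, and which users clicked in more than one campaign. The log format, the 08:00–18:00 working window and the usernames are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed event log from a simulated phishing campaign (sample data, not from
# any real program). One line per event: ISO timestamp, user, template, action.
SAMPLE_LOG = """\
2024-03-04T09:02:00 alice shipping_notice sent
2024-03-04T09:02:00 bob shipping_notice sent
2024-03-04T09:02:00 carol shipping_notice sent
2024-03-04T09:15:00 alice shipping_notice clicked
2024-03-04T22:40:00 bob shipping_notice clicked
2024-03-18T10:00:00 alice bank_alert sent
2024-03-18T10:00:00 bob bank_alert sent
2024-03-18T10:00:00 carol bank_alert sent
2024-03-18T10:05:00 alice bank_alert clicked
"""

def parse_log(text):
    """Turn each log line into a dict with a parsed datetime and string fields."""
    events = []
    for line in text.splitlines():
        ts, user, template, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "template": template, "action": action})
    return events

def click_rate_by_template(events):
    """Fraction of recipients who clicked, per template: which lures work on your staff."""
    sent, clicked = defaultdict(set), defaultdict(set)
    for e in events:
        if e["action"] == "sent":
            sent[e["template"]].add(e["user"])
        elif e["action"] == "clicked":
            clicked[e["template"]].add(e["user"])
    return {t: len(clicked[t]) / len(sent[t]) for t in sent}

def after_hours_clicks(events, start_hour=8, end_hour=18):
    """Clicks outside the assumed working window (e.g. from home, late at night)."""
    return [(e["user"], e["template"], e["ts"].isoformat()) for e in events
            if e["action"] == "clicked" and not (start_hour <= e["ts"].hour < end_hour)]

def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct templates: first in line for training."""
    per_user = defaultdict(set)
    for e in events:
        if e["action"] == "clicked":
            per_user[e["user"]].add(e["template"])
    return sorted(u for u, templates in per_user.items() if len(templates) >= min_campaigns)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(click_rate_by_template(evs), after_hours_clicks(evs), repeat_clickers(evs))
```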
Employee Phishing Services
There are two common models available for “white-hat phishing” of a company’s network: the service model and the tool model.
Phishing as a Tool
With a phishing tool, an interface is provided via a portal for a company’s IT department to create HTML phishing emails and send them at will to whomever they choose within the company. Templates of common phishing emails are provided as creative guidance, and the interface lets users who understand HTML create their own. A reporting interface allows IT staff to identify and track the users who open and/or click – and who therefore need more training.
The benefit here is that the company can manage these simulated attacks as they wish, without having to consult with an outside group to accomplish their training goals.
Phishing as a Service
At ELC we provide a service based program. We meet with you to find out what you suspect are your biggest vulnerabilities and offer our expertise on what our clients have found to be the most “successful” attack techniques used in the past. The benefit here is that we do the work for you.
We create templates, schedule the ‘attacks,’ and report back to you. We work with you to determine what kind of phishing emails have high data breach success rates so that we can catch and train the most end users. Find out more about our Phishing service here.
Phishing Awareness Training
Of course, you can always start or finish a phishing simulation with an online course in phishing awareness. At ELC, we provide course demos to clients so that they can preview the courses themselves and determine whether our course is right for them. We also provide customization options for your business, such as accurate contact information, branding, and some topic flexibility.
Whichever training solution you choose, educating your workforce is critical to preventing damaging security breaches.
Our recommendation would be to bookend phishing simulation attacks with a general internet security course and a detailed phishing course – followed by successive tests of your user base.
Contact us for a free demo of security awareness courses and for more information about phishing simulation!