“Employees are stupid, they’ll click anything.”

I’ve heard it from plenty of IT teams.

Employees are busy

Just like a wide receiver in football that looks to make a play before catching a ball (and drops the ball), employees are looking at their next critical step – help a customer,  get to a meeting, finish their TPS reports – and ultimately miss the warning signs of a phishing attack…or forget to lock their computer…or leave their work phone at the coffee shop.  

When you’re focused on the next step it’s easy to miss what’s right in front of you – especially with social engineering attacks like a well designed email that looks like something you’re expecting anyway.

Attacks are well designed 

I am the account holder for my household Amazon Prime account, so I get emails daily with new orders purchased by someone else, shipping updates, and delays.  So when our team designed our new Amazon phishing simulation campaign they needed someone for the first beta attack test.  Yes, I failed.  

The CEO of an information security training and phishing company failed his own phishing test.  It’s slightly embarrassing (and kudos for the team for such a great design), but then I remember that the CIA Director was once hacked, and it doesn’t sting so badly.  Here’s what I fell for –

There are a few warning signs that I missed from the sender and hovering over the links – but what really drives me crazy?  The iconic Amazon smile…it’s backwards.  How did I miss that.  Am I stupid?  Maybe.  But not because of this.

Security is not front of mind

Employees aren’t stupid either, but they are busy. You, or their boss, are constantly pushing them to meet their objectives, they have family matters to address, and the literal last thing on their mind is whether this email is legitimate or not. 

One option to reduce this risk is to revoke all internet privileges for employees, but while that’s possible it’s not plausible.  Another option is teaching employees to recognize potential cyber threats and how they can mitigate risky situations.  We call this making employees active participants in information security.

Raising awareness is free

It’s normal to think that cyber attacks are incredibly sophisticated, and ignore them because you just don’t know where to start, but you can reduce the risks of your employees falling for a social engineering phishing attack.  

The FTC has a few guidelines and places to report if you’ve been hacked.  We recommend talking to your employees about potential threats, how to recognize these threats, and what to do if they see something suspicious.  That will take you an hour – and it’s free.  Have that talk in your team meeting this week.  

Make employees active participants

We provide an employee awareness platform  that trains employees, automates phishing simulation campaigns, and audits employee progress (while not free…it’s quite reasonably priced).  Our goal is to make every employee an active participant in information security through employee security training and regular phishing campaigns that ensure security stays front of mind.

I love meeting new people and talking about information security – so if you’re wondering how to have a conversation with employees about information security or you’re just not sure about the risks for your business, give me a call or shoot me an email at Jon@wuvavi.com.  Thanks for reading!  

 

Jon