
Why You Should Be Phishing Your Own Employees

22 June, 2018

By understanding the way users behave and approaching training exercises from an employee perspective, rather than an organisational one, you will revolutionise your security strategies.


Today, email is the number one delivery method for ransomware and other malware. A study in 2015 by Intel Security shockingly revealed that 97% of people around the world are unable to identify a sophisticated phishing email.


What is Phishing?


Phishing is the act of sending emails pretending to be from reputable companies in order to coax individuals into giving out sensitive information, such as passwords and bank details. The criminal practice of phishing dates back to 1996, stemming from hackers who broke into America On-Line (AOL) accounts by scamming passwords from unsuspecting users.


Cyber criminals view people as the weakest link in an organisation's defence, as they're prone to making simple mistakes that compromise security. To prevent breaches, it is essential that you employ effective techniques to strengthen the human element of your cyber security defences and so nullify these internal and external threats.


Internal threats can be either accidental (unintentionally sending confidential information to the wrong colleague) or deliberate (a disgruntled employee intent on stealing confidential data).


External threats can include the delivery of malware, such as trojans, viruses and ransomware, to an organisation through phishing emails, as well as accidents caused by events beyond an organisation's control.


At Bob's Business, we deliver a comprehensive phishing simulation service to help you combat the ever-increasing threat of phishing emails. Education is at the heart of a phishing simulation: it aims to give employees a well-rounded knowledge of the topic and to introduce simple yet practical changes to their daily routines, both in and outside of work.


What’s the best way to train employees against phishing threats?


It’s important to understand what makes employees tick when it comes to training and how you can avoid the common pitfalls when rolling out training.


These can include complications such as tedious course content, organisations considering learning to be too time-consuming, or employees simply having no desire to learn.


This can make it difficult for you to implement training strategies to develop employee capabilities and understanding. Likewise, it is important that you set out clear objectives for training campaigns and ensure that all involved are aware of the process and its benefits.


Some training providers simply send out mock phishing emails to the workforce without letting them know of the training campaign. Employees can perceive this in the wrong way, creating an "us vs them" attitude: they misconceive the motivations for the training, believing that they are being tested and scrutinised behind their backs.


This misconception can create a long-term division between employees and the organisation, resulting in trust and communication issues.


Our CEO, Melanie Oldham, advises that simulated phishing campaigns should be run in a transparent manner so that management and employees are on the same wavelength. Prior to the training, employees should be walked through the process, highlighting how the approach will benefit all involved. Communication creates trust: pointing out to employees that the campaign is designed to educate them on the dangers of phishing, rather than to punish them, builds a trust relationship with each and every employee.


As well as clear communication, Melanie encourages using gamification techniques in a simulated phishing campaign so that employees have the chance to earn rewards, which gives them a greater incentive to apply themselves to the training.


Initial simulated phishing emails enable you to identify any weak points within your human firewall: those who fall victim to the initial phishing emails are redirected to a phishing eLearning module. The training helps users understand how phishing emails are sent, what their objectives and goals are, and how best to avoid being caught out by them.


Our OSPA award-winning phishing simulation service, referred to as 'Think Before You Click', uses the same process. After using the service, some organisations saw their click rates for phishing emails fall by over 75%, considerably reducing the exposure of sensitive data within those organisations.


'Think Before You Click' has received positive feedback from both organisations and their end users. For one client, 22,370 staff completed the animated learning module, which received an approval rate of 80% (with 52% of staff giving an approval score of 100%) despite it not being mandatory. This demonstrates that the approach is beneficial, educational and positive for both the organisation and the employee.
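As an added example, not part of the original article or of the Bob's Business service, the script below shows how a defender can track the process described above: click rate per simulated campaign, which departments are the weak points, which users still need to be routed to the eLearning module, and the percentage reduction between a baseline and a follow-up campaign. The event records, user names and department names are constructed for illustration.

```python
# Constructed sample events: (campaign, user, department, event). "sent" = simulated
# email delivered, "clicked" = link followed, "trained" = eLearning module completed.
EVENTS = [
    ("baseline", "alice", "finance", "sent"),
    ("baseline", "alice", "finance", "clicked"),
    ("baseline", "alice", "finance", "trained"),
    ("baseline", "bob", "finance", "sent"),
    ("baseline", "bob", "finance", "clicked"),
    ("baseline", "carol", "it", "sent"),
    ("baseline", "dave", "it", "sent"),
    ("baseline", "dave", "it", "clicked"),
    ("followup", "alice", "finance", "sent"),
    ("followup", "bob", "finance", "sent"),
    ("followup", "bob", "finance", "clicked"),
    ("followup", "carol", "it", "sent"),
    ("followup", "dave", "it", "sent"),
]

def click_rate(events, campaign, department=None):
    """Share of recipients in a campaign who clicked; None if nobody was sent one."""
    sent, clicked = set(), set()
    for camp, user, dept, kind in events:
        if camp != campaign or (department and dept != department):
            continue
        if kind == "sent":
            sent.add(user)
        elif kind == "clicked":
            clicked.add(user)
    return len(clicked & sent) / len(sent) if sent else None

def weak_points(events, campaign):
    """Click rate per department, highest first: where training effort should go."""
    depts = {dept for camp, _, dept, _ in events if camp == campaign}
    rates = {d: click_rate(events, campaign, d) for d in depts}
    return sorted(rates.items(), key=lambda kv: kv[1], reverse=True)

def pending_training(events, campaign):
    """Users who clicked in the campaign but have not completed the eLearning module."""
    clicked = {u for camp, u, _, k in events if camp == campaign and k == "clicked"}
    trained = {u for camp, u, _, k in events if camp == campaign and k == "trained"}
    return sorted(clicked - trained)

def reduction(events, before, after):
    """Percentage drop in click rate between two campaigns (positive = improvement)."""
    b, a = click_rate(events, before), click_rate(events, after)
    if b is None or a is None or b == 0:
        return None
    return 100.0 * (b - a) / b
```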


Phishing employees in a controlled environment carries a multitude of benefits. The campaigns reveal vulnerabilities, show where training resources should be dedicated, and ensure that employees are equipped with the information they need to deal with internal and external threats.


Your workforce is the human firewall protecting your organisation; testing it for weaknesses and helping to build strong, secure foundations is an essential part of ensuring that security is airtight.


You must ask yourself: would you rather an employee be caught out by a controlled training exercise, or fall hook, line and sinker for a real phishing scam?


Click here to find out more about our award-winning phishing simulation service and how it can help you improve the human firewall in your organisation.

