“Every company should phish itself”

IT expert says internal hacking is an effective way to train employees about data security

Cyber attacks can range from e-mail scams, such as CEOs asking for wire transfers, to ‘phishing’ for information through direct phone calls or social media. But, while these attacks are effective and common, Ryan Barrett, VP of security and privacy at Intermedia, said their very nature makes them easy to defend against.

“Cybercriminals can steal company or personal data, delete files, and deploy ransomware with just one e-mail or one instant message,” he said in a recent Forbes article. “[However], they do follow patterns and can be detected with the right education. This is why every company should phish itself.”

He said that internal phishing allowed employers to identify weaknesses in their data security, giving them the opportunity to educate staff without the risk of losing valuable information and data.

Barrett said employers should consider the following six tips when planning an internal phishing campaign:

1. Get clearance
All relevant parties – executives, board of directors, IT department, legal department, HR, and finance – should agree to the plan, particularly as there’ll need to be a “mild investment” to execute the plan, Barrett said.

2. Decide whether to outsource or go in-house
If you’re looking to save money, and you have a capable IT team, go in-house, he said. But, if you have some spare cash, consider outsourcing to contractors who specialise in internal phishing. They may be able to present more realistic scenarios and have “robust training platforms for employee education, should they fail the phishing test.”

3. Specific data collection
Barrett said you should gather data on who clicks fake links and enters login information into fake fields during a faux phishing attack. “[You’ll] have a better understanding of who is vulnerable to what types of attacks,” he said. 

4. Notify employees of anonymised results
Once the programme is over, notify employees of the results. But remember: you are not there to shame or discredit them. Emphasise that the purpose of the faux attack was to educate people about how to secure their data properly and prevent future mistakes.

5. Educate employees who failed
Some staff are bound to fall for the scam, so be sure to give them lessons on how to recognise a phishing attack in the future.

6. Repeat the test
Barrett suggested repeating the test quarterly, or at least twice a year, to ensure all security measures are up to date.
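As an added example that is not from the article or from Intermedia, the record-keeping behind tips 3 to 5 in Python: constructed simulation events are reduced to one outcome per recipient, an anonymised per-department summary is produced for the staff debrief, and a named list is produced for the security team so those who failed can be enrolled in training. The department names, event names and the min_group threshold are assumptions, not anything from the article.

```python
from collections import Counter, defaultdict

# Constructed sample event log from a simulated internal phishing test (not data
# from the article). Tuples are (user_id, department, event); "submitted" means
# credentials were typed into the fake login page.
EVENTS = [
    ("u001", "finance", "delivered"), ("u001", "finance", "clicked"),
    ("u001", "finance", "submitted"), ("u002", "finance", "delivered"),
    ("u002", "finance", "reported"), ("u003", "finance", "delivered"),
    ("u004", "hr", "delivered"), ("u004", "hr", "clicked"), ("u005", "hr", "delivered"),
    ("u006", "it", "delivered"), ("u006", "it", "reported"),
]
# Outcomes ordered from least to most serious for one recipient.
SEVERITY = {"delivered": 0, "reported": 0, "clicked": 1, "submitted": 2}

def per_user_outcomes(events):
    """One record per recipient: department, worst outcome, and reported flag."""
    users = {}
    for user, dept, event in events:
        rec = users.setdefault(user, {"dept": dept, "worst": "delivered", "reported": False})
        if event == "reported":
            rec["reported"] = True
        elif SEVERITY[event] > SEVERITY[rec["worst"]]:
            rec["worst"] = event
    return users

def department_summary(events, min_group=3):
    """Anonymised rates per department for the staff debrief (tip 4). Departments
    with fewer than min_group recipients are folded into 'other', because a
    small team's rate would otherwise identify the person who failed."""
    users = per_user_outcomes(events)
    sizes = Counter(r["dept"] for r in users.values())
    counts = defaultdict(lambda: {"n": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for r in users.values():
        c = counts[r["dept"] if sizes[r["dept"]] >= min_group else "other"]
        c["n"] += 1
        c["clicked"] += int(r["worst"] in ("clicked", "submitted"))  # submit implies click
        c["submitted"] += int(r["worst"] == "submitted")
        c["reported"] += int(r["reported"])
    return {k: {"recipients": c["n"], "click_rate": round(c["clicked"] / c["n"], 2),
                "submit_rate": round(c["submitted"] / c["n"], 2),
                "report_rate": round(c["reported"] / c["n"], 2)} for k, c in counts.items()}

def training_list(events):
    """Named list for the security team only (tip 5): who clicked or submitted,
    most serious outcome first, so they can be enrolled in follow-up training."""
    users = per_user_outcomes(events)
    failed = [(u, r["worst"]) for u, r in users.items() if r["worst"] != "delivered"]
    return sorted(failed, key=lambda x: (-SEVERITY[x[1]], x[0]))
```

The summary is what goes to all staff; the training list stays with the team running the test, which is the distinction tip 4 draws between reporting results and shaming individuals.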

“You’ll build a safer company and your employees, even if they don’t admit it, will be thankful for the security education,” he said.
