Why HR should scam its own employees

The CEO of a leading cyber security firm says HR professionals stand to benefit from being a bit unorthodox.

Cyber security is fast becoming a major concern for many organisations but one industry expert has offered some unorthodox advice that might just surprise some HR professionals.

“Companies need to send out a simulated phishing attack to their own employees,” says Stu Sjouwerman, CEO of KnowBe4. “From this, they can find out their phish-prone percentage,” he explains.

According to Sjouwerman, most employers underestimate how many workers will be fooled by such an attempt – he told HRM that between 15 and 50 per cent of employees typically fall for simulated phishing attacks.

“This tends to be the moment when businesses realize how much danger they are in,” he revealed, adding that employees are by far the weakest link in any organization’s security system.

“Organizations can have IT departments that rival Microsoft but if their employees aren’t properly trained, it’s all for nothing,” he told HRM, before stressing the importance of genuine and engaging education.

“Old school training where employees meet in the break room and are kept awake with coffee and donuts while they view a PowerPoint presentation simply doesn’t work anymore,” he told HRM.

“You can check your compliance box, but you're really no more secure than you were a year ago,” he warns. “Security awareness training needs to be constant. The bad guys are always creating new tools and methods to help them trick employees so training needs to be constant.”

Sjouwerman encouraged employers to provide training on how workers can spot red flags and identify potential dangers before they open a document, click on a link, or use a thumb drive. After the education, however, the friendly phishing shouldn’t stop.

“Employees should continue to receive simulated attacks,” he told HRM. “This keeps them on their toes with security top of mind. When employees know they are being phished by the company, they begin to pay close attention to the emails they receive.”

According to Florida-based Sjouwerman, this approach can easily slash the phish-prone percentage down to around one per cent.

“As new types of attacks are developed by the bad guys, these are reflected in new attacks that can be selected or customized by IT,” he continues.

“For example, the Business Email Compromise (BEC) has bilked billions out of businesses of all sizes. A spearphishing email that appears to be from the CEO is sent to the CFO or someone in the finance department asking them to wire funds. Many have. A simulated phishing attack to your finance people would ensure they don’t fall for the ruse.

“Automating simulated phishing will help companies keep employees on various forms of attacks and randomize them, so that no employee gets the same phishing email (so they can’t warn each other). Simulated attacks can get as sophisticated as the IT staff prefers which helps them to create a human firewall.”
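To make the two mechanics in the interview concrete, here is a small campaign tracker written for this article; it is an added example, not KnowBe4's product code or any real platform's API. It does the bookkeeping side of a simulated phishing round: it hands out template identifiers so that colleagues on the same team receive different ones (the "no two employees get the same email" rule), records each person's outcome, and turns that into the phish-prone percentage overall and per team so a department such as finance can be flagged for follow-up training. The roster, template names and outcomes are constructed placeholders; no lure text is included, because measuring and training is the point, not composing the emails.

```python
"""Simulated-phishing campaign tracker (illustrative example, not KnowBe4 code)."""
import random
from collections import defaultdict

# Constructed roster: (email, team). All addresses are placeholders.
EMPLOYEES = [
    ("alice@example.com", "finance"),
    ("bob@example.com", "finance"),
    ("carol@example.com", "finance"),
    ("dave@example.com", "engineering"),
    ("erin@example.com", "engineering"),
    ("frank@example.com", "hr"),
]

# Template identifiers only (scenario names, no email content). Constructed.
TEMPLATES = ["ceo-wire-request", "password-reset", "shared-document", "parcel-delivery"]

# Constructed outcome of one round, as a tracking platform would record it.
# 'clicked' and 'submitted' count as failures; 'ignored' and 'reported' do not.
RESULTS = {
    "alice@example.com": "clicked",
    "bob@example.com": "reported",
    "carol@example.com": "submitted",
    "dave@example.com": "ignored",
    "erin@example.com": "reported",
    "frank@example.com": "clicked",
}

FAILURE_ACTIONS = {"clicked", "submitted"}


def assign_templates(employees, templates, seed=None):
    """Map each employee to a template so that members of the same team get
    distinct templates whenever the pool is large enough (a team bigger than
    the pool wraps around). A seed makes the shuffle reproducible for audits."""
    rng = random.Random(seed)
    by_team = defaultdict(list)
    for email, team in employees:
        by_team[team].append(email)
    assignment = {}
    for members in by_team.values():
        pool = list(templates)
        rng.shuffle(pool)  # different order per team so teams don't share a pattern
        for i, email in enumerate(members):
            assignment[email] = pool[i % len(pool)]
    return assignment


def phish_prone(results, employees):
    """Return (overall_pct, {team: pct}) where pct is the share of people
    whose recorded action was a failure. Missing results count as not failed."""
    team_total = defaultdict(int)
    team_fail = defaultdict(int)
    for email, team in employees:
        team_total[team] += 1
        if results.get(email) in FAILURE_ACTIONS:
            team_fail[team] += 1
    total = sum(team_total.values())
    failed = sum(team_fail.values())
    overall = 100.0 * failed / total if total else 0.0
    per_team = {t: 100.0 * team_fail[t] / team_total[t] for t in team_total}
    return overall, per_team


def teams_needing_training(per_team, threshold_pct):
    """Teams whose phish-prone percentage exceeds the chosen target."""
    return sorted(t for t, pct in per_team.items() if pct > threshold_pct)


if __name__ == "__main__":
    assignment = assign_templates(EMPLOYEES, TEMPLATES, seed=7)
    for email, template in assignment.items():
        print(f"{email:22s} -> {template}")
    overall, per_team = phish_prone(RESULTS, EMPLOYEES)
    print(f"overall phish-prone: {overall:.1f}%")
    for team, pct in sorted(per_team.items()):
        print(f"  {team}: {pct:.1f}%")
    print("schedule follow-up training for:", teams_needing_training(per_team, 10.0))
```

Run it as a script and it prints the per-employee assignment, the overall and per-team percentages, and which teams exceed the 10% threshold used here as a stand-in for the roughly one per cent target quoted in the article. Keeping the template pool shuffled per team, and seeding the generator, means the same campaign can be reproduced when someone asks why a given person received a given scenario.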

Companies can do their own simulated phish test here at no cost - https://www.knowbe4.com/phishing-security-test-offer
