Test Your Employees with Internal Phishing Campaigns

Robinson+Cole Data Privacy + Security Insider

Phishing campaigns continue to be one of the most successful ways for malicious intruders to access company information, including personal information of employees and customers. Phishing emails continue to get more and more sophisticated and employees continue to fall victim to them, often putting the entire company at risk. Typical successful phishing campaigns end with the access and exfiltration of personal information that requires the company to notify individuals and regulatory authorities; or with the payment of ransomware; or a tremendous effort to activate the back-up system. None of these options are a good one for the company.

Employees continue to be uneducated about the fact that they are being targeted by hackers, and trust emails that are sent to them by familiar people with messages that look like they are real. Only after the fact do they see the clear warning signs that the message is fake.

Educating employees on phishing emails, the warning signs and how to recognize a scam is an important part of a company’s risk management program. Once employees have been educated, the next step is to test their knowledge and response rate. Many companies do not test employees to determine who are the riskiest employees, who learned from the education and which employees are careless. That’s where phishing tests come in.

Testing employees with internal phishing schemes can set the baseline for assessing the risk of an external threat, and can help companies focus on those employees who may need a little extra help. We have heard stories about companies who publicly belittle employees when they fall victim to a phishing email. It might make more sense to help the employee recognize the red flags in a phishing email and make that employee a champion instead of embarrassing him or her.

Once a company gets a baseline on how its employees fare with an internal phishing test, perform the tests periodically to continue to keep employees vigilant and reach out to those who continue to fail, including providing extra education.

Employees want to do the right thing. Monitoring how employees react to an internal phishing test is valuable to test the baseline of their education, but also to continue to monitor progress and manage the risk of an external phishing scheme.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Robinson+Cole Data Privacy + Security Insider | Attorney Advertising

Written by:

Robinson+Cole Data Privacy + Security Insider

Robinson+Cole Data Privacy + Security Insider on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.