Should Business Owners Phish Their Employees?

We’re living in a time where cybercrime and ransomware attacks are announced like the next big box office hit. They’re making an impact worldwide, and it’s causing many businesses to suffer downtime, loss of business, and increased costs to recover from attacks.

One of the most common types of scams affecting businesses is referred to as phishing. Phishing attacks are generally emails that entice users to perform an action, like clicking a link to an infected webpage, opening a malicious attachment, or even wiring money.

These aren’t the “Nigerian Prince” or “long lost relative” scams we saw ten years ago. Today’s scams are incredibly hard to spot. Hackers are clever, creating fake emails that look like real ones you’d be expecting. So real, that sometimes they even slip past your IT security measures.

Smart People Fall For Phishing Scams Too

If a phishing email makes it to an employee’s inbox, they need to recognize that it’s a scam before they interact with it.

You’ve told your employees a hundred times what they should be looking for – check the sender’s email address, hover your mouse over the links to see where they’re taking you, don’t open attachments that come from people you don’t know, etc. And yet, they’re still falling for them.

So, maybe the best way to train isn’t by telling, but by showing.

How Security Awareness Training Lets Employees Put Their Training Into Action

Security awareness training services are becoming more popular. The most common offering is a phishing simulator. Basically, it sends fake phishing emails to your employees.

If someone clicks on the email to “track their order” or opens the attached “invoice,” it doesn’t infect your system, but rather it uses it as a training opportunity. It guides the user through the red flags in the email, showing them the clues they should look for next time.

Let employees know that this type of training will be going on and that you’ll be monitoring the results. You could even offer an incentive for employees that avoid the most scams.

Ongoing cyber security awareness training is available through companies like PhishMe, IronScales, KnowBe4, and many others. The pricing varies, but consider the amount of money that could be saved if this training prevents even one attack.

Phishing scams can be extremely costly for businesses – whether it’s in dollars paid to scammers, or in lost business and recovery costs. The Ponemon Institute estimates, “the average price for a small business to clean up after their business has been hacked is $690,000. For middle market companies, it’s over $1 million.”

Phishing Scam Relief With Cyber Insurance

Since cyber attacks can be so devastating, cyber insurance policies are now available for businesses. Discuss the specifics with your insurance broker, but investing in security training courses for employees could save you some money.

According to Monica Keehfuss, Vice President at HUB International Riverside:

“Providing a proactive approach with loss control prior to investing in insurance protection could be most beneficial. Showing you have implemented strategic measures to mitigate cyber claims provides a positive outlook and a level of comfort for insurance underwriters…hence reduces cost.”

The process for managing security at your organization is as important as the technology itself. Somebody must be watching the whole network to see what’s going on, and proactively prevent threats from reaching the data.

Don’t let your high-tech IT security measures be unraveled by simple human error. Train employees with tools that help them learn and recognize the signs of phishing scams.

Related: Get the Executive Guide to Cyber Security: Essential Information for Managing Business Risk

As featured in July 2nd issue of The Press-Enterprise.