How would your business do in a phishing test?
It seems as though data security is all the rage these days – and rightly so. After all, data breaches have become a formidable part of the risk landscape. And some businesses are getting creative about the ways they test their security measures.
According to a report by Advisen in 2015, Kansas City auditors conducted a test to see how employees and the IT team would respond to a phishing email attack. Unbeknownst to the employees, the auditors sent a phony phishing email asking for login credentials.
Here are the results:
- 3,115 fake emails were sent to all city departments.
- 280 employees fell for the scheme and handed over the keys to the kingdom.
- Within four hours, the IT staff spotted the phishing email and started notifying employees.
- It took one day for the IT staff to delete the email from the system so no one else could access it.
- 30% of employees who had clicked the email had not changed their passwords 48 hours after the attack, even though they were instructed to do so.
In real life, these results could jeopardize the entire municipal computer system – hackers would essentially have 280 chances to infiltrate it.
The report notes that some employees recognized the email as a phishing scheme and deliberately provided fake credentials. But that isn't the way to go – simply clicking the link in the email can be enough to introduce malware to the system.
All in all, the test results are a reminder that your business's data security defenses are only as strong as your weakest link. Though you may have the savviest IT team around, breaches often hinge on what your employees do. (For more on that, see "How dating apps can lead to business data breaches.")
Let's review some best practices that you can share with your employees to bolster your data security.
Data protection starts with employee education
Educating your employees on how to avoid data breaches is one of the most effective forms of risk management. But if you're like most small business owners, time is a precious commodity. Save yourself some time by sharing these tips on how to dodge phishing scams with your team:
Be wary of email links. As a rule, don't click links in emails from people you don't know, or links that look suspicious. Keep in mind that a friend's or associate's email account may have been hacked, and scammers could use that account to send out malicious links. Think twice when a message offers no context and says something like, "Check this out: URL."
Never offer up credentials via email. Legitimate organizations never request sensitive information through email. Company leaders won't ask for that information online, either.
Watch out for scare tactics. Hackers often threaten to disable accounts to pressure users into giving up the information they're after. When in doubt, don't use the link in the message; type the website's URL into your browser yourself and check on your account there.
Update passwords regularly. Passwords should be complex and changed on a regular schedule. For example, "123456" is easy for hackers to guess. Make sure passwords use a mix of capitalized letters, numbers, and symbols. The harder it is to remember, the harder it will be to crack.