Every business owner is aware of the threat posed by cybercriminals. If a hacker were to gain access to the sensitive data about your business, customers or employees, the damage to your reputation and profitability could be severe.
You’re also probably aware of the specific danger of “phishing.” This is when a fraudster sends a phony communication (usually an email, but sometimes a text or instant message) that appears to be from a reputable source. The criminal’s objective is either to get recipients to reveal sensitive personal or company information or to click on a link exposing their computers to malicious software.
Many businesses are intentionally sending fake emails to their employees to determine how many recipients will fall for the scams and how much risk the companies face. These “phishing simulations” can be revealing and helpful, but it’s important to be mindful of the challenges – both financial and ethical.
An upfront investment
On the financial side, a phishing simulation generally calls for an investment in software designed to create and distribute “realistic” phishing emails and then gather risk-assessment data. There are free, open-source platforms you might try, but their functionality is limited, and you’ll have to install and use them yourself without external tech support.
Or you can hire a firm, such as ours, that has the necessary tools and expertise, to conduct the simulation for you. For example, when Miller Kaplan’s information security team conducts a simulated phishing attack, staff who take the bait and click the link are directed to a landing page where they receive phishing defense training. Our experts then send your management a report identifying the staff who clicked on the link, and remain available to advise your management on the best path forward based on your specific situation.
As mentioned, phishing simulations present ethical risks. Some might say that the very act of sending a deceptive email to employees is a betrayal of trust. What’s worse, if the simulated phishing message exploits particularly sensitive fears, you could incur a backlash from both employees and the public at large.
A major media company recently learned this the hard way when it tried to lure employees to respond to a phishing simulation email with promises of cash bonuses to those who remained on staff following layoffs related to the COVID-19 pandemic. Users who “clicked through” were met with a shaming message that they’d just failed a cybersecurity test. Angry employees took to social media and the story went viral.
Adding phishing simulations to your cybersecurity arsenal may be a good idea. Just bear in mind that these aren’t a “one and done” type of activity. Simulations must be part of a well-planned, long-term and broadly executed effort that seeks to empathetically educate users, not alienate them. We can help design and implement the right information security testing, strategies, and resources for your company.
We highly recommend you confer with your Miller Kaplan advisor to understand your specific situation and how this may impact you.