Boost security by phishing your staff
🕒 5 min read
✏️ Andrew Hickey
According to the small business special edition of our 2018 Cybersecurity Report, 79% of businesses with 250–499 employees said that targeted attacks like phishing were a challenge. They ranked it above ransomware and DDoS as their biggest security headache.
Small businesses make tempting targets for criminals, who know that they have fewer resources to block the attempts as they come in, and less to spend on educating staff about the risks associated with phishing emails if they do make it into inboxes.
Educate employees about cyber security
Keeping your employees on their toes is the best method of protection. In its cybersecurity guide for small businesses, the National Cyber Security Centre recommends teaching your staff to be wary of any unsolicited communication – especially when it contains attachments. Common causes for concern, for example, would be an invoice for a service they’ve not used, or an email that appears to be from an organisation you don’t normally do business with.
This April Fool’s Day, why not put your employees to the test while having a little fun at the same time? Last October, Cisco acquired trusted access company Duo, which provides a free phishing assessment tool called Duo Insight. Within minutes, you can identify vulnerable devices and users and – more importantly – begin protecting them right away.
We can help you understand the latest threats, and how to defend your business against them – see our small business security solutions for more details.
Phish your staff in 10 minutes
You don’t need to download any software or sign up for any service. To start, go to the Duo Insight page and click “Go Phishing!”
From there, you can build your email. Enter your details, which Insight uses to make your phishing attempt more convincing. The tool then scours the web to find information it can use. It also lets you select a service to impersonate in the phish – these include Google Docs, Microsoft Office, and Microsoft Outlook – or you can craft your own email. You then manually add recipients or upload a list of addresses as a CSV file.
Finally, you need to approve your campaign using an admin email address (to ensure that people aren’t abusing the service by spamming companies at random). That admin address will also be where recipients can report the phish – if they spot it.
So your users took the bait? Now what?
When Duo launched the service, Duo Insight’s fake phishing campaigns had a 31 percent click rate and a 17 percent phish rate. That was across more than 11,000 recipients. You can compare your company’s results against these averages here.
As well as identifying who fell for the spoof and (privately) helping them understand what went wrong, it’s important that you (publicly) reward those who did report it. If this were a real attack, they might have saved your company. We recommend running similar campaigns at regular but not predictable intervals, to encourage staff to remain vigilant and to track improvement over time.
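To make the follow-up concrete, here is an added example (not Cisco’s or Duo’s code) that takes a per-recipient export from a simulated phishing campaign, works out the click, phish and report rates, compares them with the averages quoted above, separates the people to coach privately from the people to recognise publicly, and tracks the rates across repeated campaigns. The CSV columns and the sample rows are constructed for this example, not Duo Insight’s real export format, and “phish rate” is assumed here to mean the share of recipients who entered credentials on the fake login page.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field

# Averages quoted in the post for Duo Insight's early campaigns.
BASELINE_CLICK_RATE = 0.31
BASELINE_PHISH_RATE = 0.17

# Constructed sample export: one row per recipient per campaign, with yes/no
# flags for each stage of the phish. Column names are assumptions, not Duo's.
SAMPLE_RESULTS = """\
campaign,recipient,opened,clicked,entered_credentials,reported
2019-04-01,alice@example.test,yes,yes,yes,no
2019-04-01,bob@example.test,yes,yes,no,no
2019-04-01,carol@example.test,yes,no,no,yes
2019-04-01,dave@example.test,no,no,no,no
2019-04-01,erin@example.test,yes,yes,yes,no
2019-04-01,frank@example.test,yes,no,no,yes
2019-07-15,alice@example.test,yes,no,no,yes
2019-07-15,bob@example.test,yes,yes,no,no
2019-07-15,carol@example.test,yes,no,no,yes
2019-07-15,dave@example.test,yes,no,no,yes
2019-07-15,erin@example.test,yes,yes,yes,no
2019-07-15,frank@example.test,yes,no,no,yes
"""


@dataclass
class CampaignStats:
    campaign: str
    recipients: int = 0
    clicked: int = 0
    phished: int = 0   # entered credentials on the fake login page
    reported: int = 0
    coach: set = field(default_factory=set)   # follow up privately
    reward: set = field(default_factory=set)  # recognise publicly

    def click_rate(self) -> float:
        return self.clicked / self.recipients

    def phish_rate(self) -> float:
        return self.phished / self.recipients

    def report_rate(self) -> float:
        return self.reported / self.recipients


def _yes(value: str) -> bool:
    return value.strip().lower() == "yes"


def summarise(csv_text: str) -> dict[str, CampaignStats]:
    """Tally one CampaignStats per campaign from the per-recipient export."""
    stats: dict[str, CampaignStats] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        s = stats.setdefault(row["campaign"], CampaignStats(row["campaign"]))
        clicked = _yes(row["clicked"])
        phished = _yes(row["entered_credentials"])
        reported = _yes(row["reported"])
        s.recipients += 1
        s.clicked += clicked
        s.phished += phished
        s.reported += reported
        # Anyone who clicked or handed over credentials gets private coaching;
        # anyone who reported the email gets public recognition.
        if clicked or phished:
            s.coach.add(row["recipient"])
        if reported:
            s.reward.add(row["recipient"])
    return stats


def against_baseline(s: CampaignStats) -> dict[str, float]:
    """Difference from the quoted averages, in rate units (positive = worse)."""
    return {
        "click_vs_baseline": s.click_rate() - BASELINE_CLICK_RATE,
        "phish_vs_baseline": s.phish_rate() - BASELINE_PHISH_RATE,
    }


def trend(stats: dict[str, CampaignStats]) -> list[tuple[str, float, float, float]]:
    """(campaign, click, phish, report) rates in campaign order, for tracking."""
    return [
        (c, s.click_rate(), s.phish_rate(), s.report_rate())
        for c, s in sorted(stats.items())
    ]


def improving(stats: dict[str, CampaignStats]) -> bool:
    """True if the phish rate fell and the report rate rose since the first run."""
    rows = trend(stats)
    if len(rows) < 2:
        return False
    return rows[-1][2] < rows[0][2] and rows[-1][3] > rows[0][3]


if __name__ == "__main__":
    results = summarise(SAMPLE_RESULTS)
    for campaign, click, phish, report in trend(results):
        s = results[campaign]
        print(f"{campaign}: click {click:.0%}, phish {phish:.0%}, report {report:.0%}, "
              f"vs baseline {against_baseline(s)}")
        print(f"  coach privately: {sorted(s.coach)}")
        print(f"  recognise: {sorted(s.reward)}")
    print("improving:", improving(results))
```

Keep the per-person lists out of any report that is circulated widely; the post’s advice is to coach the people who clicked in private and to praise the reporters in public, and the aggregate rates are what you compare with the published averages and watch over successive campaigns.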
You should also invest in endpoint protection to limit the damage if a phisher is successful. Duo has a range of options, and explains more about the concepts here. If an attacker did manage to download an exploit kit onto one of your devices, they could take control of the device, steal data and credentials, and potentially take over your entire network.
There’s more advice for small business owners about protecting against phishing and other common attacks in this series of short videos. We also have tips and advice on our dedicated small business security page.
For a more in-depth look at phishing and how to protect your business against it, Duo has produced this fantastic, free, e-book.