Failing the Phish Test

Phish testing your employees is a vital part of any security awareness program. It seems logical that by exposing employees to simulated phishing and helping them identify the tactics used, the chance of anyone in your organization being phished lessens. But does it?

When employees who fail phish tests are called out, made to feel bad, or singled out in front of a group, the exact opposite can happen.

End users are the largest, most vulnerable target in most organizations. In real-world attacks, end users are relentlessly bombarded with spear-phishing and socially engineered schemes.

As the champion of your organization's cyber security, it is imperative that these tests be used as teachable moments to educate and encourage your end users.

Use Failure as a Teachable Moment

Look at the failure of phish testing in a different light: you’ve identified a weakness in your security that can now be remedied.

Effective Phish Testing Checklist

Every phish test should follow some basic tenets in order to educate users:

  1. The links in a phish test campaign should go directly to a site with immediate education.
  2. Do not call out or embarrass users who fail the test. Public shaming results in decreased threat reporting.
  3. Do not tie phish test results to employee performance evaluations. Doing so can create resentment towards security, which is not good for the organization.
  4. Offer encouragement and education by directing users to additional training. This can be optional or required depending on how many times the user has failed.
  5. Provide additional written materials such as articles and information from other sources.
  6. Reward people who report incidents. This can be as simple as kudos in the company newsletter or even prizes and contests. Make sure that your organization's culture gives positive support to employees who report incidents.

Protecting Your Network

JDL Group can help you put in place the right cyber security measures for you and your organization. If you want to learn more about protecting yourself and your employees from phishing campaigns, check out our free anti-phishing toolkit.



While many cyber-risks exist, it’s the users of the protected system who constitute the greatest danger to effective cybersecurity procedures. An overwhelming majority of cyber attacks begin when a user clicks a link they shouldn’t. How are users tricked into clicking these links?

This is accomplished through what is known as a phishing email: an email designed to look like a communication from a well-known, trusted entity (e.g., Facebook, Bank of America) that tricks the recipient into clicking the link and exposing the system to the cyber-attack. The best defense against this attack is an informed workforce, trained to remain vigilant and to recognize a scam. Here are some best practices your law firm can put in place to protect your employees and clients from these attacks.

Password Managers

Phishing sites impersonate real entities to fool a user with near-identical-looking pages or URLs. To avoid being tricked, train your lawyers and employees not to rely on their own judgment alone but to use a password manager to check the authenticity of the site. These programs auto-fill usernames and passwords only on the domain the credentials were saved for, and refuse to do so on any other site, however similar it looks.

Two-Factor Authentication

This form of security, also known as multi-factor authentication, requires that a username and password be used in conjunction with another factor only the user possesses, such as a piece of information, a hardware token, or a device. Many law firms already require this for physical and information system access. Adding this layer to an email system further protects sensitive data by blocking unauthorized users from viewing protected data even if a password has been phished.

Employee Metadata and PII

Documents carry certain data unique to the user who created them, also known as metadata. To prevent client or employee Personally Identifiable Information (PII) from accidentally being exposed, users should be required to convert email attachments into PDFs or to inspect documents in Office and remove hidden metadata before sending.

Emails present the same threat: so-called spymail contains code that harvests recipient metadata when the message is opened. This data can include physical location, email statistics, and sending history, all of which help a phisher craft more convincing emails. Law firms should deploy a centralized anti-spymail tool, but users can also reduce the risk by stopping external content from loading automatically (e.g., preventing pictures from being displayed when an email is opened).
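The "do not load external content" rule described above, modelled in an added example that is not part of the original post. It runs over a constructed HTML email: every remote http(s) image is stubbed out before rendering (inline `cid:` parts are kept), and tiny or hidden remote images are reported separately because they exist only to signal that the message was opened.

```javascript
// Added example, not the post's own code. Assumes Node.js; the email body
// and the hostnames in it are constructed for the demonstration.
const SAMPLE_EMAIL = `<p>Your account statement is ready.</p>
<img src="https://cdn.example/logo.png" width="200" height="60">
<img src="https://track.attacker.example/open?id=4f3c" width="1" height="1" style="display:none">
<img src="cid:signature.png">`; // cid: refers to an attached part, not a remote fetch

const IMG_RE = /<img\b[^>]*>/gi;
const ATTR_RE = /(\w+)\s*=\s*"([^"]*)"/g;

// Collect the attributes of one <img ...> tag into a lowercase-keyed object.
function parseAttrs(tag) {
  const attrs = {};
  for (const m of tag.matchAll(ATTR_RE)) attrs[m[1].toLowerCase()] = m[2];
  return attrs;
}

// Only http(s) sources cause a network request that leaks "opened" plus
// IP, time and client details; cid:/data: sources are local.
function isRemote(src) {
  return /^https?:\/\//i.test(src || "");
}

// A remote image that is 1px or invisible carries no content for the
// reader; its only purpose is tracking.
function looksLikeTrackingPixel(attrs) {
  const tiny = attrs.width === "1" || attrs.height === "1";
  const hidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(attrs.style || "");
  return tiny || hidden;
}

// Rewrite the body so no remote image is fetched, and report what was
// blocked so a training page or mail gateway can show it to the user.
function blockExternalContent(html) {
  const blocked = [];
  const pixels = [];
  const safe = html.replace(IMG_RE, (tag) => {
    const attrs = parseAttrs(tag);
    if (!isRemote(attrs.src)) return tag;
    blocked.push(attrs.src);
    if (looksLikeTrackingPixel(attrs)) pixels.push(attrs.src);
    return '<img alt="[external image blocked]">';
  });
  return { html: safe, blocked, pixels };
}
```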

Increase Awareness with Cybersecurity Training

Users form the first line of defense against phishing scams, so law firms should require training programs that teach their lawyers and employees the steps they can use to protect themselves and the firm. Train all users to be discerning about who the sender is, and to refuse to open emails or attachments from unknown senders. Users can compare the actual URL of the company the phishing email is imitating with the link provided in the email. If an email arrives with embedded or attached forms, never enter sensitive data into the form.

Users should question any email asking for financial information, especially account update notifications, wire transfer requests, or failed transaction alerts. Threats to disable an account or reduce service support are a clear sign of a scam. In all cases, contact the merchant directly rather than responding to the email. The best defense against phishing scams is an educated workforce. Investing in cybersecurity training will reduce the risks to sensitive data and prevent costly responses to a cyber-attack.
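The two checks the Password Managers section and the training section above rely on, the password manager filling only on the saved domain and the user comparing an email link against the brand it imitates, reduce to the same origin-matching rule. This added example (not code from the original post) models that rule; it assumes Node.js, that the saved entry's domain is already the registrable domain (no public-suffix list), and uses constructed `.example` hostnames for the lookalikes.

```javascript
// Added example, not the post's own code. Assumes Node.js (global URL class).
// Extract the real host of a web link; anything that does not parse, or is
// not http(s), is treated as untrusted.
function hostOf(urlString) {
  try {
    const u = new URL(urlString);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// A host belongs to a domain only if it IS that domain or is a subdomain of
// it. "bankofamerica.com.attacker.example" fails because the real domain is
// the rightmost part, not the leftmost. (Assumes `domain` is registrable.)
function sameSite(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Password-manager rule: fill only over https and only when the page host
// is under the domain the credential was saved for. Lookalikes never match,
// and neither does "https://bankofamerica.com@attacker.example/", whose
// real host is after the "@".
function shouldAutofill(savedEntry, pageUrl) {
  let page;
  try { page = new URL(pageUrl); } catch (e) { return false; }
  if (page.protocol !== "https:") return false;
  return sameSite(page.hostname.toLowerCase(), savedEntry.domain);
}

// Email-link check: does the link's real host match the brand it claims?
// Returns a verdict a training page can show the user. Punycode (xn--)
// labels are flagged because they render as lookalike characters.
function vetEmailLink(claimedDomain, href) {
  const host = hostOf(href);
  if (host === null) return { ok: false, reason: "not a web link" };
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode host " + host };
  }
  if (!sameSite(host, claimedDomain)) {
    return { ok: false, reason: "host " + host + " is not under " + claimedDomain };
  }
  return { ok: true, reason: "host " + host + " is under " + claimedDomain };
}
```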

Contact Us

Looking for more help with phishing protection? Contact us today.
