Even if you have the best security on your computer network, you might have noticed that you still seem to get hacked…or worse. Ask Equifax. Why is this happening? It’s probably because a member of your staff has made it easy for cyber criminals to get inside. It’s really important that you find out who this person is, and keep in mind…it might be more than just one. And it may not even involve security technology.
Part of the problem here is that employees who “open the door” for these criminals probably don’t even realize they are doing it. These criminals are smart, and they make themselves look really authentic. Sometimes, these crooks even disguise themselves as people your staff know. So, how do you find out who’s letting the bad guys in? Here are some things to try:
- Set up a fake website, and then create a fake email campaign. Send these out to your staff members from a fake address, or better, a real-looking address similar to your corporate domain, and see how many people take the bait. You might have to work with someone on your IT staff to spoof the sender’s email address. Make sure it looks legitimate or they will see right through it.
- Though this might take some time and effort, it is a good way to find out where your worries should lie with regard to your staff’s cyber security knowledge.
- You can also hire a security expert to do this for you. They will create, run, and track your campaign. However, these experts are not cheap, and the campaign isn’t just a one-time thing. Instead, it’s ongoing.
- There are also many phishing simulation security awareness vendors offering free trials just to see how vulnerable you may be.
- It only takes a single click to cause a data breach. So, your main goal with this experiment is to find out who that clicker is. Or, who ALL those clickers are.
- You should send out several fake emails, which ask your staff to click a link. Make sure, however, that they are very random. They shouldn’t be on any type of schedule.
- Remember, you want to make it look like these are coming from a trusted source, like a charity, existing vendor, coworker, company officer, etc.
- When you find out who is prone to clicking, you should take them aside and fill them in on the campaign. Don’t lecture them or discipline them. Instead, show them what they did wrong and fill them in on the consequences.
- Some phishing simulation security awareness vendors offer ongoing computer based training specializing in bringing these clickers up to speed and changing their behavior.
- Now that you know who the clickers are, send them other staged emails a couple of times a month. See if they click again.
- You may choose to let them know that random fake emails are coming; this helps keep them alert to the issue. Or don’t tell them, and see how that affects their behavior.
- By using this approach, you can help your staff slow down a bit, and really think about what they are doing when they get an email with a link.
- You can also create a company policy: do NOT click on any links in emails on company computers. This removes much of the need for that employee-by-employee analysis and will make your staff question every email that comes through.
- Even with this policy in place, continue to send fake emails to see if someone is disregarding the new rules.
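As an added example (not part of the original post), a small Python script showing how the results of such a campaign might be tracked: it parses constructed click-log lines from two simulated campaigns, lists who clicked in each, flags repeat clickers for follow-up, computes the click rate, and picks random send days so the emails follow no schedule. The log format and the addresses are assumptions.

```python
from collections import defaultdict
import random
# Constructed sample events: campaign id, recipient, action taken.
# "click" is the behaviour to correct; "reported" is the desired one.
SAMPLE_EVENTS = """\
c1,alice@corp.example,delivered
c1,alice@corp.example,click
c1,bob@corp.example,delivered
c1,bob@corp.example,reported
c1,carol@corp.example,delivered
c2,alice@corp.example,delivered
c2,alice@corp.example,click
c2,bob@corp.example,delivered
c2,carol@corp.example,delivered
c2,carol@corp.example,click
"""
def parse_events(text):
    """Return (campaign, recipient, action) tuples from CSV lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            campaign, recipient, action = line.strip().split(",")
            events.append((campaign, recipient, action))
    return events

def clickers_by_campaign(events):
    """Map campaign id -> set of recipients who clicked the simulated link."""
    clicked = defaultdict(set)
    for campaign, recipient, action in events:
        if action == "click":
            clicked[campaign].add(recipient)
    return dict(clicked)

def repeat_clickers(events):
    """Recipients who clicked in more than one campaign: follow-up candidates."""
    counts = defaultdict(int)
    for recipients in clickers_by_campaign(events).values():
        for r in recipients:
            counts[r] += 1
    return {r for r, n in counts.items() if n > 1}

def click_rate(events, campaign):
    """Fraction of recipients delivered to in a campaign who clicked."""
    delivered = {r for c, r, a in events if c == campaign and a == "delivered"}
    clicked = {r for c, r, a in events if c == campaign and a == "click"}
    return len(clicked) / len(delivered) if delivered else 0.0

def random_send_days(count, window_days, seed=None):
    """Pick distinct send days inside a window so sends follow no schedule."""
    return sorted(random.Random(seed).sample(range(window_days), count))
```

Feed it your own export of delivered/click/reported events per campaign and run `repeat_clickers` after each round to see who still needs follow-up.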
Criminals use fundamental principles of influence and the basics of the psychology of persuasion. There is a science to their process, no different from how advertisers, salespeople and marketers get us to buy stuff. Getting snared isn’t difficult. Being smart and cautious isn’t difficult either. It just requires a little training and reprogramming.
Robert Siciliano, personal security and identity theft expert and speaker, is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock ’em dead in this Security Awareness Training video.