Why HR should scam its own employees

Cyber security is fast becoming a major concern for many organizations, but one industry expert has offered some unorthodox advice that might just surprise some HR professionals.

“Companies need to send out a simulated phishing attack to their own employees,” says Stu Sjouwerman, CEO of KnowBe4. “From this, they can find out their phish-prone percentage,” he explains.

According to Sjouwerman, most employers underestimate how many workers will be fooled by such an attempt – he told HRM that between 15 and 50 per cent of employees typically fall for simulated phishing attacks.

“This tends to be the moment when businesses realize how much danger they are in,” he revealed, adding that employees are by far the weakest link in any organization’s security system.

“Organizations can have IT departments that rival Microsoft but if their employees aren’t properly trained, it’s all for nothing,” he told HRM, before stressing the importance of genuine and engaging education.

“Old school training where employees meet in the break room and are kept awake with coffee and donuts while they view a PowerPoint presentation simply doesn’t work anymore,” he told HRM.

“You can check your compliance box, but you're really no more secure than you were a year ago,” he warns. “Security awareness training needs to be constant. The bad guys are always creating new tools and methods to help them trick employees so training needs to be constant.”

Sjouwerman encouraged employers to provide training on how workers can spot red flags and identify potential dangers before they open a document, click on a link, or use a thumb drive. After the education, however, the friendly phishing shouldn’t stop.

“Employees should continue to receive simulated attacks,” he told HRM. “This keeps them on their toes with security top of mind. When employees know they are being phished by the company, they begin to pay close attention to the emails they receive.”

According to Florida-based Sjouwerman, this approach can easily slash the phish-prone percentage down to around one per cent.

“As new types of attacks are developed by the bad guys, these are reflected in new attacks that can be selected or customized by IT,” he continues.

“For example, the Business Email Compromise (BEC) has bilked billions out of businesses of all sizes. A spearphishing email that appears to be from the CEO is sent to the CFO or someone in the finance department asking them to wire funds. Many have. A simulated phishing attack to your finance people would ensure they don’t fall for the ruse.

“Automating simulated phishing will help companies keep employees on various forms of attacks and randomize them, so that no employee gets the same phishing email (so they can’t warn each other). Simulated attacks can get as sophisticated as the IT staff prefers which helps them to create a human firewall.”

Companies can do their own simulated phish test here at no cost.
  • Ted McNicol on 2016-08-08 9:56:53 PM

    Before you start using HR to "catch" those who fall prey to a "phishing" expedition, think about the loss of trust such an email causes. For many employees they will simply avoid reading emails from HR, restricting communication to staff.

    While it's a huge problem and worthy of finding solutions, actually "phishing" your employees has negative results for HR. My last company's IT group did it and were very happy to have "caught" a lot of employees, sentencing them to retake the anti-phishing course. I was not happy with the reception I received from those employees who thought HR was in on catching them.
