The biggest threat to your firm’s security, by far, is sitting in front of the keyboard – your staff. You can secure your firm like Fort Knox (virtual machine guns, 18” steel doors, guards everywhere) but… if a person that has access invites a bad guy in… it’s all for nothing. We see this all the time.
Cybercrime is dramatically up and getting worse. Data is being stolen, firms ransomed, companies brought to their knees for weeks because of malware, spyware, viruses and ransomware. Most of the time it’s traced to an employee making a mistake.
We have always pushed for firms to do constant fundamental computer security education. At every staff meeting, talk about it for a few minutes… in every company newsletter, have a section on security… And it helps! But most of the staff tune it out or nod their heads, implying they already know what to do and not do.
So we started testing firms! Wow, is that an eye-opener. We can send in a phony email to all employees that is just like what the bad guys do. We can see who clicks on it and what percentage of the firm “falls for it”. Of course we don’t do anything malicious if they click it. The bad guys would, and it would be all over if even ONE employee clicked it. But there was a twist that surprised even us!
We expected plenty of people to fall for it. After all, we see firms crippled all the time by similar emails and employee mistakes. But what shocked even us is how much everyone in the firm started talking about security and was so excited by the test! Everyone was asking each other “who fell for it?!?” or saying “I ALMOST fell for it!!”
We had been bringing up basic IT security almost monthly for years and yet in this tiny test we probably did more to secure the firm than all of those “lessons” combined. I would even argue it did more for security than big, expensive firewalls and other elaborate security measures. Instantly everyone is on their toes and many learned a very memorable lesson.
Cybersecurity is SO important and even fundamental today. We didn’t learn it growing up because it didn’t exist. Our parents and teachers had nothing to show us. They taught us to look both ways before crossing the street (duh!). To never take candy from a stranger (of course!). And yet so many people think they know what to do or not do on a computer and make the most obvious and basic mistakes. Unfortunately, these tiny mistakes end up being super expensive, frustrating and in some cases devastating.
So now we can easily test and train staff, making the firm much safer and more secure with very little effort. We can send from a library of different types of attacks as often or as little as we like. A wide variety, from clever to basic. The tests often send the person to a page that tells them about the mistake they just made and gives some points on what they did wrong and what to look for. There are also training materials.
It’s just pretty cool to be able to make such a huge difference so quickly and easily, and it’s even pretty fun and interesting.