To improve your cybersecurity, go phishing!
I don’t think there’s any question that the world is getting more dangerous every day, if only because our reliance on technology gives the bad guys more ways to get to us.
If people and companies with incredible resources, like Sony, HBO, and the DNC can get hacked, what chance does a small business owner have?
Frankly, because of your size and your ability to monitor and communicate with your employees, I think you have a better chance to avoid cyber-disasters than bigger operations – if you are proactive about protecting yourself online.
Types of phishing scams
It seems that the biggest vulnerability right now is phishing emails. These are emails designed to look legitimate and lure the recipient into clicking on a link. The link may download malicious computer code or trick the user into entering personal information on a bogus – but legitimate-looking – website.
In the case of the download, the users may believe they are receiving a Word file, an invoice, or some other document that is typically sent via an email attachment. In the case of entering personal information, users are often told that their bank account, PayPal account, or some other entity needs them to verify information or their account will be suspended.
Employee training, regular reinforcement, and updates are at the core of your ability to protect your business. Not long ago I directed you to a couple of online cybersecurity quizzes that can help you get your team up to speed on the basics. Checking, testing, and monitoring your employees must be an integral part of your strategy.
Send simulated phishing emails
Given the current dangers, one of the best things you can do is to set up a program that sends simulated phishing emails to your employees to train them as well as test their knowledge and vigilance. There are various free and paid services that will send these faux (phaux?) phishing emails to your team to see how they react. (I have a list below. Note that a few require good technical knowledge.)
You need to tell your employees that they should expect to receive these testing and training phishing emails as part of your cybersecurity program. The simple expectation of receiving these emails will heighten the awareness of your employees, which is one of the best benefits of the strategy.
You need a company email address to which these phishing emails can be forwarded; employees need to have an “action” they can take when they suspect malicious online activity. Further, you need to examine and discuss these phishing emails in meetings. When you do this, the activity begins to act like your body’s immune system – you develop protection against each phishing email style and strategy. Your “immunity” builds and becomes stronger over time.
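As an added illustration (not code from the original post or from any of the tools listed below), here is a small Python script that scores each simulated-phishing campaign by the numbers the program above produces: how many employees clicked, how many forwarded the email to the reporting address, and how quickly the first report arrived. The campaign names, employee names and timestamps are constructed sample data.

```python
"""Score simulated-phishing campaigns: click rate, report rate, and minutes
until the first employee forwarded the email to the company phishing mailbox.
The event log is constructed sample data, not real results."""
from collections import defaultdict
from datetime import datetime

# Constructed events: (campaign, employee, event, ISO timestamp), where
# event is 'sent', 'clicked' (link followed) or 'reported' (forwarded).
EVENTS = [
    ("Q1 fake invoice", "alice", "sent", "2024-02-05T09:00:00"),
    ("Q1 fake invoice", "bob", "sent", "2024-02-05T09:00:00"),
    ("Q1 fake invoice", "carol", "sent", "2024-02-05T09:00:00"),
    ("Q1 fake invoice", "dave", "sent", "2024-02-05T09:00:00"),
    ("Q1 fake invoice", "alice", "clicked", "2024-02-05T09:12:00"),
    ("Q1 fake invoice", "alice", "clicked", "2024-02-05T09:13:00"),  # same person twice
    ("Q1 fake invoice", "bob", "clicked", "2024-02-05T09:30:00"),
    ("Q1 fake invoice", "carol", "reported", "2024-02-05T10:05:00"),
    ("Q2 fake PayPal", "alice", "sent", "2024-05-06T09:00:00"),
    ("Q2 fake PayPal", "bob", "sent", "2024-05-06T09:00:00"),
    ("Q2 fake PayPal", "carol", "sent", "2024-05-06T09:00:00"),
    ("Q2 fake PayPal", "dave", "sent", "2024-05-06T09:00:00"),
    ("Q2 fake PayPal", "carol", "reported", "2024-05-06T09:03:00"),
    ("Q2 fake PayPal", "dave", "reported", "2024-05-06T09:08:00"),
    ("Q2 fake PayPal", "alice", "reported", "2024-05-06T09:20:00"),
    ("Q2 fake PayPal", "bob", "clicked", "2024-05-06T11:00:00"),
]

def score_campaigns(events):
    """Return {campaign: {sent, click_rate, report_rate, minutes_to_first_report}}.
    Each employee counts at most once per event type, so a repeated click does
    not inflate the click rate; minutes_to_first_report is None if nobody reported."""
    people = defaultdict(lambda: defaultdict(set))  # campaign -> event -> employees
    earliest = {}                                    # (campaign, event) -> datetime
    for campaign, who, event, ts in events:
        people[campaign][event].add(who)
        t = datetime.fromisoformat(ts)
        earliest[(campaign, event)] = min(earliest.get((campaign, event), t), t)
    scores = {}
    for campaign, ev in people.items():
        sent = len(ev["sent"])
        first_report = earliest.get((campaign, "reported"))
        delay = (None if first_report is None else
                 (first_report - earliest[(campaign, "sent")]).total_seconds() / 60)
        scores[campaign] = {"sent": sent,
                            "click_rate": len(ev["clicked"]) / sent,
                            "report_rate": len(ev["reported"]) / sent,
                            "minutes_to_first_report": delay}
    return scores
```

Tracking these three numbers campaign over campaign is how you see the “immunity” the post describes actually building: the click rate should fall and the report rate rise, with the first report arriving sooner each time.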
Paid and free phishing simulators
Here’s the list. Some are DIY and free and have a fairly easy user interface. Other DIY applications require more technical know-how. Finally, several companies are offering simulated phishing emails as either a stand-alone service, or part of a cybersecurity training package.
- Terranova (paid)
- Wombat Security Technologies (paid)
- Phishing Box (paid)
- Sans Securing the Human (paid)
- KnowBe4 (paid)
- Lucy (paid)
- SecurityIQ (free personal starter account)
- Gophish (free open source software)
- Phishing Frenzy (free software)
- SpearPhisher (free software)
- King Phisher (free software)