As part of the cyber security awareness training for many organisations, the IT department simulates phishing emails via a third-party service to help educate their users and report on who is more likely to click on a phishing email. Some of these third-party phishing services are even free, like Gophish and Duo Security, and yet I have a policy of not phishing my own staff.
The reason is that for the past 5 years I have been encouraging all my colleagues to forward suspicious emails they receive to the IT department, or to contact IT if they are unsure about the validity of an email. This feeds into the quarterly cyber security group training sessions, so that the training is based on actual ‘real world’ phishing emails we have received. Most of the phishing emails that make it past the email filters come via compromised business email accounts of our suppliers (or even clients), trying to get us to enter Office 365 credentials into a bogus file sharing service. They are coming from people we work with and the signature is genuine; only the payload and body text are fake.
My colleagues have been taught to question everything, including changes in how people greet them in an email and the normal way they expect to share files with that individual or company. Filling their inboxes with simulated phishing emails would erode the trust I have built up over time and may stop them from forwarding the genuine phishing emails. It’s a bit like having too many fire alarm drills: over time people just assume it’s not real every time they hear it. I don’t want that to happen with phishing emails, where they stop telling us about them and maybe just follow the links because they think it is only a drill, and end up on an exploit landing page. Trust takes a long time to build, and my staff trust me to help keep them safe, so in return I won’t phish them.
For more information on cyber security, pre-order Nick Ioannou’s book A Practical Guide to Cyber Security for Small Businesses.
About the Author:
Nick Ioannou is an IT professional, blogger, author and public speaker on cloud and security issues, with over 20 years’ corporate experience, including 15 years using cloud/hosted software as a service (SaaS) systems.
He started blogging in 2012 on free IT resources (http://nick-ioannou.com), currently with over 400 posts. He is the author of Internet Security Fundamentals and a contributing author of two books, Managing Cybersecurity Risk and the recently published Conquer The Web.
More free security advice and resources, and information on how to contact Nick, can be found at www.booleanlogical.com.