Failed a Phishing Test? You're In Good Company
With high profile data breaches becoming the new normal, effective cybersecurity has never been more crucial. But at the same time, the training gap for cybersecurity professionals and other workers has widened, leaving businesses vulnerable to evolving attacks.
The strain this places on cybersecurity professionals is considerable. Simply put, they don’t know what they don’t know. And if cybersecurity staff are on the back foot, the situation is even more dire for other employees. For example, a Kaspersky Lab report found 90% of corporate data breaches in the cloud are the result of social engineering attacks.
There is no automated control for the human factor. And whether employees aren’t aware of cybersecurity threats, or had a momentary lapse of attention at the wrong moment, the end result is the same: a breach with significant financial and even legal repercussions.
When working with other businesses and institutions, CBIZ Risk & Advisory Services often conducts phishing tests. Our preparation for these tests is often the same sort of “casing” hackers would employ: studying the organization, learning names and titles, and watching regular correspondence to see what regular communication looks like.
Thanks to this kind of preparation, these phishing tests trip up our clients when we send familiar-looking emails from unfamiliar addresses, or pick up the phone and say, “We’re from the help desk, can we have your login credentials?” Even people who are aware of the risks posed by such intrusions are caught flat-footed when they actually happen.
It can be absolutely mortifying for employees who are singled out for falling for these tricks. No one likes to feel like they’ve let down their employer. But the point of phishing tests and other cybersecurity evaluations is never to punish anyone for doing something “wrong.” For one, it is preferable for unwary employees to click on an ultimately harmless link sent in a phishing test, as opposed to falling for a genuine, malicious attack from an outsider.
What’s more, the cybersecurity battlefield shifts with such speed that even professionals who are conversant with the risks of data breaches can run afoul of some new attack. And not every organization can afford to build a robust, in-house cybersecurity team with the resources to stay abreast of the newest threats. What you knew yesterday might not protect you today or tomorrow.
There’s no shame in acknowledging the training gap and taking steps to address it through robust phishing tests and other precautions. The momentary embarrassment of being caught by a phishing mail may keep employees alert for the real thing, and that heightened alertness may make all the difference for your business.