Want to know if your employees are security savvy? Run your own phishing campaign

In a Q&A with ZDNet, the vice president of Cybersecurity Services at Fidelis explains why top-level management has to be the security-focused example for others to follow.
Written by Charlie Osborne, Contributing Writer

Humans do not have to be the weak link in the security chain -- and running mock tests is one of the surest ways to stop phishing attacks and network infiltration from succeeding.

Few would deny cyberattacks are now a key threat to businesses worldwide. From Target to Sony, Lastpass to the IRS, cyberattacks can be targeted or strike at random at both businesses and individuals.

The security landscape is in a constant state of evolution, and we are often hard-pressed to keep up. There are not enough skilled security professionals in the talent pool to adequately protect every corporate network, and the rising number of attacks levied against these often-lucrative targets has caused a shift in security management: it is no longer solely about keeping intruders out. Instead, tackling cyberattacks now often revolves around damage control and risk management.

This is an important shift in how we look at cybersecurity as a whole. If we accept the idea that an intrusion is going to happen -- and it is a matter of when, not if -- then we can look at improving defenses but also educating staff in how to prevent these attacks as far as we are able to, while at the same time being realistic and making sure there are procedures in place to tackle cyberattacks as and when they happen.

According to Mike Buratowski, vice president of Cybersecurity Services at Fidelis, every device and technology has its vulnerabilities -- and the enterprise needs skilled and knowledgeable employees to operate, maintain and update them. However, the majority of data breaches occur because someone wasn't paying attention. As a result, keeping corporate data safe comes down to having an effective approach to employee training.

In a Q&A session with ZDNet, Buratowski commented:

"One of the biggest threats that employees need to be made aware of is phishing. Today's cyber criminals use highly sophisticated social engineering tactics, which can make phishing attempts hard to spot, especially for the untrained. The best way to begin combatting this threat is to run mock phishing attacks. This way you can get an insight into how security savvy your workforce is, and then take steps to address any issues."

Phishing campaigns most often arrive as fraudulent emails which impersonate legitimate services or companies in order to lure victims into parting with sensitive information. If a malicious link is clicked, malware is downloaded or account details are handed over, this can give attackers an avenue into corporate networks -- which in turn places business data, sensitive information and security at risk.

However, if employees are trained to recognize phishing campaigns -- through education and mock tests -- rates of infiltration could fall.

If enterprise players and CTOs are interested in exploring this concept, where should they start -- without causing damage to corporate networks? Buratowski says:

"I would absolutely encourage businesses to run mock phishing attacks to assess how security savvy their employees really are. These are not particularly time-consuming or costly to do and if you set them up yourself (or get a professional company to help) then they won't do any damage, but they do get your employees thinking about how they are always a potential target.

For a CIO or CTO, it can often be very concerning just how many employees fail this kind of exercise. However, it is better for them to fail in a safe environment and this kind of exercise can then be used as justification for additional support and funding.

Longer term, cybersecurity training should be done much more frequently but in smaller "bites." Training can be an email from the CISO, a 10-minute reminder during staff meetings, or even a poster by the coffee machine just to remind folks to be aware of the threats. Running these programmes gets employees thinking about why their organization may be attacked. Once you understand this, cybersecurity can start to be reflex."

However, it is not just the responsibility of individual employees to know how to recognize potential threats when they land in their inboxes. The Fidelis executive believes a security-focused culture "needs to be driven from the top down," and therefore those at the top of the chain need to set an example for others to follow.

"If an organisation's leaders don't follow best practice advice, they should not be surprised when employees don't see cyber security as a priority," Buratowski noted. "In my opinion, security heads should involve other relevant departments and functions across the company in order to build multiple layers of defense."

Human error will always be a factor. Mistakes happen, and no matter how well you educate employees, some attacks will slip through the net. But should employees be held accountable when security lapses take place?

According to Buratowski, punishment may be counter-productive:

"Personally, I don't think that employees should be disciplined for genuine mistakes, certainly not the first time, and probably not for the second either. We need to remember that attackers know what they are doing and are good at what they do. The first or second instance should therefore be about remedial training, about making sure employees have the knowledge and awareness to do the right thing.

If incidents continue, then of course there should be some consequences. However, putting the emphasis on punishing employee mistakes is unfair and unhelpful. It is the organisation's responsibility to balance educating employees with mitigating risk."

When asked whether businesses are taking network security seriously enough, the executive said:

"The majority of businesses do take security very seriously but when it comes to the human element I think there is a tendency for many businesses to just "check the box". They run a couple of hours of training or include a policy on security but this reflects a bare minimum approach and only scratches the surface of what's needed in terms of training and education to really develop a culture of cyber security.

Ultimately it comes down to the people, processes and technology. Your employees have to understand the very real dangers of cyber attacks. Those at the executive level have to then supply the processes and policy that employees can stand on as the basis for how they behave.

Finally, robust and reliable technology needs to be put in place to support your employees. As you can see, process and technology are important, but people are involved in everything, so focus on getting the people part right."

Enterprises are not, in general, legally required to reveal data breaches and security failures. But as breach rates increase and sharing threat data becomes an important tool in keeping business as a whole safe, the current corporate culture of keeping quiet may change.

When asked what the future holds and whether companies should be legally required to reveal failures in the system, Buratowski said:

"I think it's inevitable that companies will eventually be obligated by legislation to reveal data breaches and share the threat data. We see that already with the SEC requirements. However, like anything else there are strong pros and cons to disclosing data breaches. The sharing of threat data is obviously the biggest benefit to disclosing the information and only by sharing this information and operationalising it can we really start making an impact.

Disclosing a breach also allows us to understand who is being targeted and gives us the chance to be proactive in our defense.

I believe one of the biggest concerns corporations have about disclosing is obviously the impact to their stock price and potential lawsuits, but just as important is the possibility of reputational and brand damage. This is a harder cost to quantify but still poses an enormous impact to their business.

News also spreads very quickly and can often be published without all the facts. A corporation can disclose that they were the victim of a breach, but it takes time to fully understand what happened and what data was stolen. Once news has been released, naturally readers are eager for the details to follow and "undisclosed sources" or "sources that are not authorized to comment" can sometimes be used to fill in the details which then get published as fact.

Organisations can disclose the correct information when it becomes available but the damage may already be done."
