Phishing campaigns continue to be one of the most successful ways for malicious intruders to access company information, including personal information of employees and customers. Phishing emails continue to get more and more sophisticated, and employees continue to fall victim to them, often putting the entire company at risk. A typical successful phishing campaign ends with the access and exfiltration of personal information that requires the company to notify individuals and regulatory authorities; with the payment of a ransom; or with a tremendous effort to restore from the backup system. None of these outcomes is a good one for the company.

Employees continue to be uneducated about the fact that they are being targeted by hackers, and they trust emails that appear to come from familiar people with messages that look real. Only after the fact do they see the clear warning signs that the message was fake.

Educating employees about phishing emails, their warning signs and how to recognize a scam is an important part of a company’s risk management program. Once employees have been educated, the next step is to test their knowledge and response rate. Many companies do not test employees to determine who the riskiest employees are, who learned from the education and which employees are careless. That’s where phishing tests come in.

Testing employees with internal phishing schemes can set the baseline for assessing the risk of an external threat, and can help companies focus on those employees who may need a little extra help. We have heard stories about companies who publicly belittle employees when they fall victim to a phishing email. It might make more sense to help the employee recognize the red flags in a phishing email and make that employee a champion instead of embarrassing him or her.

Once a company has a baseline on how its employees fare with an internal phishing test, it should perform the tests periodically to keep employees vigilant and reach out to those who continue to fail, including by providing extra education.

Employees want to do the right thing. Monitoring how employees react to an internal phishing test is valuable for establishing the baseline of their education, and also for continuing to track progress and manage the risk of an external phishing scheme.
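The program described above (a baseline round, periodic re-tests, follow-up for repeat failures and recognition of employees who improve) is straightforward to track once simulation results are recorded. The following is an added example, not code from the original post; the employee names, round numbers and outcomes are constructed sample data, and the "clicked / reported / ignored" outcome labels are an assumed format.

```python
from collections import defaultdict

# Constructed sample results from three internal phishing rounds (not real data).
# Each record is (round, employee, outcome); outcome is "clicked", "reported" or "ignored".
RESULTS = [
    (1, "alice", "clicked"), (1, "bob", "reported"), (1, "carol", "clicked"), (1, "dave", "ignored"),
    (2, "alice", "clicked"), (2, "bob", "reported"), (2, "carol", "reported"), (2, "dave", "clicked"),
    (3, "alice", "clicked"), (3, "bob", "reported"), (3, "carol", "reported"), (3, "dave", "ignored"),
]


def round_metrics(results):
    """Click rate and report rate per round; the first round is the baseline,
    later rounds show whether education is moving the numbers."""
    counts = defaultdict(lambda: {"clicked": 0, "reported": 0, "ignored": 0, "total": 0})
    for rnd, _, outcome in results:
        counts[rnd][outcome] += 1
        counts[rnd]["total"] += 1
    return {
        rnd: {"click_rate": c["clicked"] / c["total"], "report_rate": c["reported"] / c["total"]}
        for rnd, c in sorted(counts.items())
    }


def repeat_clickers(results, min_failures=2):
    """Employees who clicked in at least min_failures rounds: the ones who need
    extra education rather than public embarrassment."""
    failed_rounds = defaultdict(set)
    for rnd, emp, outcome in results:
        if outcome == "clicked":
            failed_rounds[emp].add(rnd)
    return sorted(e for e, r in failed_rounds.items() if len(r) >= min_failures)


def improved(results):
    """Employees who clicked in an earlier round but reported a later one:
    candidates to turn into champions."""
    by_emp = defaultdict(dict)
    for rnd, emp, outcome in results:
        by_emp[emp][rnd] = outcome
    out = []
    for emp, rounds in by_emp.items():
        clicked = [r for r, o in rounds.items() if o == "clicked"]
        reported = [r for r, o in rounds.items() if o == "reported"]
        if clicked and reported and min(clicked) < max(reported):
            out.append(emp)
    return sorted(out)


if __name__ == "__main__":
    print(round_metrics(RESULTS))
    print("needs extra education:", repeat_clickers(RESULTS))
    print("improved, possible champions:", improved(RESULTS))
```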

Linn Foster Freedman

Linn Freedman practices in data privacy and security law, and complex litigation. She is a member of the Business Litigation Group and chairs the firm’s Data Privacy and Security Team. She currently serves as general counsel to the Rhode Island Quality Institute. Linn focuses her practice on compliance with all state and federal privacy and security laws and regulations, as well as emergency data breach response and mitigation. She counsels clients on state and federal data privacy and security investigations and data breaches. Prior to joining the firm, Linn was a partner at Nixon Peabody, where she served as leader of the firm’s Privacy & Data Protection Group. She also served as assistant attorney general and deputy chief of the Civil Division of the Attorney General’s Office for the State of Rhode Island. She earned her J.D. from Loyola University School of Law and her B.A., with honors, in American Studies from Newcomb College of Tulane University. She is admitted to practice law in Massachusetts and Rhode Island.