KNOWBE4 CYBERHEISTNEWS REPRINT Now and then, when I talk to the IT people in larger organizations, they tell me they experience political headwinds in trying to get an awareness program rolled out that includes simulated phishing attacks. They tell me that in their culture, it's a no-go to "trick" employees, as they might be made to look bad. Well, I understand where that perspective is coming from. However, let me give you some ammo here that you can use to enlighten your organization, help to create some cultural change in the direction of better security and prevent an enormous amount of damage, lost money, and IT heartache. 1) The viewpoint that employees should not be singled out comes from HR and Legal, and is basically correct, but you cannot apply that generally to IT security. In that area, it is an outdated and dangerous policy. Granted, you should never point to someone and embarrass them before other employees. However, there is a very workable (HR approved) strategy used by thousands of organizations in the U.S. to confidentially correct end-users who continue to click on phishing links and endanger your network. 2) If you don't send simulated phishing attacks to your users, sooner or later the bad guys will succeed with a real one. 3) Security software layers are porous, end-point antivirus and firewalls have years ago ceased to be effective. There is no perimeter left with BYOD, your employee is your perimeter. Today, you need a human firewall. 4) The bad guys have gone pro. They have very well equipped labs with the latest versions of the very security tools that you use yourself. They test, test, test until their new attack gets through and so they always have the advantage. 5) Untrained end-users that click on malicious links and open infected attachments cause malware infections. These days that is likely to be Cryptowall 4.0 ransomware which encrypts the workstation and/or network drives. The downtime is considerable. 6) When your Board members read on the front page of the Wall Street Journal that your customer database was hacked and is now being sold to other hackers on the dark web, they are going to ask some very pointed questions. Once it becomes clear that your organization did not deploy a simple, effective strategy that could have prevented this, quite a few (highly placed) heads will roll. Target's CEO is an example. Help your CEO to keep their job. 7) Legally you are required to act "reasonably" and take "appropriate" or "necessary" measures to cope with a threat. If you don't, you violate either compliance laws, regulations, or recent case law. The business must take into account the risk presented and do what is reasonable or necessary to mitigate that risk. From standards organizations like ISO and CERT to industry standards like the PCI DSS to governmental entities like the FFIEC, it is clear that implementing a security awareness program is both reasonable and appropriate. Put another way, the failure to have such a program would likely be unreasonable and inappropriate given the risks involved. Class action lawsuits that are always filed after a data breach are going to have a field day if that is the case. More about that in the next item below. 8) Your estimation of the percentage of your end-users that will not fall for a simple phishing attack is too low. We frequently hear a groan on the other end of the phone when the IT team sees the actual Phish-prone percentage of their users after they run our complimentary Phishing Security Test. The Five Steps To Phish Your Own Users 1) Get agreement from top management to do a small initial test. Just 100 people and see what the percentage is. That's great ammo for the next step, because everything over zero is too high and the average is 16%. 2) Once you know that around 16% of your users are Phish-prone, C-level execs and Board members wake up to the threat and ask what can be done about it. Get a quote for a subscription to an integrated platform that does both effective on-demand security awareness training and provides easy-to-manage simulated phishing attacks. 3) Let a C-level exec announce company-wide that a test was done and that the percentage of people clicking was too high. An awareness training program will be rolled out and part of that is that everyone from the mail room to the board room will be getting frequent simulated phishing attacks. People that continue to click on things they shouldn't will get remedial training. 4) Roll out the training campaign: on-demand, web-based interactive training featuring an expert who will teach them the dangers of the Internet and what they can do about it to stay safe. 5) Schedule frequent simulated phishing attacks using the hundreds of ready-to-send templates, and configure fully automatic remedial training for chronic clickers. And what is the first thing after the training that comes out of your end-user's mouth? "Wow, I did not know that it was that dangerous on the Net, how can I share this with my family?" And we're happy to say that we have the perfect answer for that, we have an awareness course for all your employees they can take at home with their family.