Anti-Phishing Blog


Wednesday, August 17, 2005

Test Your Phishing Skills

You've read about phishing expeditions over and over and you just wish a game warden would haul these folks off. Not gonna happen.

You personally are smart enough not to give the PayPal, E-bay and various bank emails any nibbles on your PC. You know that some of your customers may fall for these phishing messages. And you know that you need to educate them to protect the funds that you may have to repay. Have you also educated your employees?

Employees are customers too, and they have access to very confidential data, and lots of it. Realize that sometimes everyone needs some hand holding. Gone are the days when you would see a phishing email and know it just by the poor grammar. Today's messages are sophisticated and crafty. I read about one recently that told the recipient NOT to send confidential information over email. Instead there was a form for them to print, complete and fax back. Now that was much safer; except that it wasn't from their institution, and the fax number went to the bad guys.

You monitor and audit to ensure your policies and procedures are being followed. Have you thought about testing the effectiveness of your anti-phishing training? Two organizations that have are the State of New York and West Point, the Army military academy. The good guys pretended to be bad guys pretending to be good guys. And as you guessed, many fell for the phake phishing messages.

While you don't want to destroy any trust you have with your employees, you may decide to dip your toe in the water with a limited sample of messages and see if there are any bites. If you see signs of piranhas, you might increase your scope and see who responds with bank sign-on info or personal info, or who clicks on links that could have carried a malicious payload. This is one way you can ensure you are doing the right things with the right personnel. You'll also know whether you are adequately protecting your system integrity and the confidential information it stores.

I would do this with employees. You may or may not want to. I wouldn't do this with customers, but would instead use any lessons learned to reinforce customer education efforts.

If you choose not to audit, what else can you do to protect your systems? These attacks are not going away. And just because there isn't a masked man in front of a teller, it doesn't mean someone isn't trying to rob you.
