Ethical hackers are especially well-positioned to use their knowledge of attack techniques to educate people, according to Zoë Rose, a white-hat hacker based in the UK. On the CyberWire’s Hacking Humans podcast, Rose explained that because she knows what makes people fall for social engineering, she is able to inoculate them against these attacks.
“I’ve found that the biggest thing is because I understand how to manipulate or influence a consumer into clicking my links or downloading a document, et cetera, I can understand how to correct that behaviour,” she said. “So I focus in on these key human behaviours and I look at how to change them.”
Rose said organisations often make the mistake of thinking that phishing tests should be carried out without their employees’ knowledge. While an unannounced test gives a realistic baseline of how vulnerable your organisation is, it frames the exercise around the employees’ failings rather than working with them to recognise attacks.
“Unfortunately, a lot of times, phishing is looked at – well, let’s trick the users, let’s manipulate them and point out how they’re failing, versus saying, well, actually, let’s announce that we’re going to have a phishing campaign so that people are already aware and they know they should actively be looking,” Rose explained.
The best approach is to be open about these techniques so that employees immediately become more alert and can learn from the entire process. Rose said phishing simulations should illuminate what employees can do to improve their security, rather than focusing on what they did wrong.
“So you’re not just saying, oh, you failed,” Rose explained. “You’re saying this happened and this is how you protect yourself in the future. … And the reason that whole positive point of view – that is so vital – is because if you want people to do nothing, you talk about the negatives and you scare them. But if you want them to actually take action, that’s when you talk about the positive and reinforce that they can do it and empower them.”
Realistic phishing simulations change how your employees think about security. Simply knowing that they are being targeted by phishing emails makes them scrutinise their inboxes more carefully, even when they know the people sending the test emails mean no harm. New-school security awareness training can build a culture of security within your organisation so that your employees can defend themselves against real phishing attacks.
The CyberWire has the story: https://thecyberwire.com/podcasts/cw-podcasts-hh-2019-09-12.html
Free Phishing Security Test
Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.
Here’s how it works:
Immediately start your test for up to 100 users (no need to talk to anyone)
Customise the phishing test template based on your environment
Choose the landing page your users see after they click
Show users which red flags they missed, or a 404 page
Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
See how your organisation compares to others in your industry
PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW