Ciara Sachkowsky

Conducting An Organization Wide Phishing Test

,
Macbook with codePhoto by Christopher Gower on Unsplash

Remote operation of your business means that protections your office building had, your employees’ homes may not. Cybercriminals are taking advantage of this situation by phishing out your employees’ data. Take the time to educate your employees on cyber safety. This safety training needs to expand beyond just email safety but also include cyber safety within the office. 

How To Conduct An Organization-Wide Phishing Test: 

Notify and train your employees on what phishing is:

If you don’t notify your employees how are they going to know what is going on? Let your employees know that you will be conducting an organization-wide phishing test. Teach your employees about the risks of phishing and how they can be better at recognizing the signs and stuff. 

Employees need to know that phishing is more than a link asking for login credentials. Phishing scams can an email sent company-wide from an unknown sender containing an attachment that is actually malware. 94% of malware was delivered via email in 2018. 

During this initial training session, define your organization’s cybersecurity expectations. Your employees can’t read your mind. Communication from management and the IT staff can help with educating your employees on cybersecurity best practices. 

 

READ MORE: Phishing Attacks Can Jeopardize A Business Of Any Size

 

Engage all relevant departments and managers on why phishing is a threat to your organization

Work closely among staff members such as managers, HR, and IT to develop and engage an organization-wide cybersecurity plan. If customer service is leaving the door open at the end of the day, your engineering department might be at risk for a cyber attack. 

Create an alias email account for your employees to report potential phishing scams.

An alias email allows for your organization to streamline your phishing reporting. The alias email address can be as simple as “Phishing@yourcompanysite.com”. This email address can redirect to the IT department or whoever is in charge of the network. 

This email address will allow your employees to forward the scam email right to an internal IT log specific for Phishing instead of going to the IT team and getting lost among other technical issues like website problems or a lost password. 

READ MORE: What You Can Do To Protect Your Business From Cyber Security Threats

 

Plan your phishing test

Plan to test your entire organization to see if there are any weak links in your cybersecurity. This means including senior management in your phishing test. To plan your phishing test, you can hire a 3rd party contractor to run the test and then measure things like link clicks,  which employees leaked information, the number of employees who reported a phishing email. 

 

 

 

Analyze important key metrics  

After running a phishing test, work with IT staff members and team managers to analyze key metrics. 

Key Metrics to keep track: 

  • The number of employees who click the link in the testing email
  • Number of employees who download a file from the unknown email address
  • The number of employees who report a phishing email to your IT staff or their manager. 

Take Action With Employees Who Failed The Test

Is there a portion of your staff who have continuously failed cybersecurity tests? Sit down with HR and IT to see what measures you can take to further educate and protect your business.  Work with HR to develop a plan for employee failure on every level. A breach in security is not a joke, but a high-level employee releasing admin information is a more serious offense than a low-level employee who only has access to email. 

Provide Your Entire Organization With Additional Information on Cybersecurity 

All of your employees can benefit from additional information on cybersecurity. Educate your employees on best practices to keep both business information and private information safe from hackers. This can include resources on different types of anti-viral software, best practices for end of day 

 

READ MORE: Ransomware is Evolving: Has Your Business Interruption Coverage? 


Retest Your Organization 

Test, test, and then test again to make that your organization understands what is at risk with their unsafe digital activity. Every 6-months to 1 year, a random phishing test should be sent out throughout your organization. This consistent retesting keeps employees on their toes and helps employers determine which employees may be at risk of falling prey to an outside phishing attempt. 

 

 

Still want more info on how your organization can better protect itself from cybercriminals? Contact one of our risk advisors at 914-357-8444. 

Resources

2019 Data Breach Investigation Report by Verizon

 

/by
You might also like
Changes To Employment Practice Liability Laws Could Affect Your Business If You Are Not Careful Is Your Organization Prepared For The Coming Changes That Could Increase Your EPL Risk?
Risk Management is the Road Less Traveled By Record Keeping for Workers Compensation Audits
December 14 News From Around the Marketplace
How These Companies Experience 48% Less Safety Incidents
Risk Management is the Road Less Traveled By Risk Management : The Road Less Traveled
Risk Management is the Road Less Traveled By Developing/Maintaining Efficient Work Systems