Discover vulnerability to phishing attacks from your organization's employees
About this good practice
In recent years the increase in phishing attacks has had many negative impacts on all organizations: loss of sensitive personal data, deception that can involve major economic fraud, loss of control of their own infrastructure... The effect is not only technical; it also requires a high level of awareness among the people working in these organizations. Training should be promoted, and people who still do not know how to detect phishing should be identified. Each organization that contributes a significant sample of participants gets:
- a personalized report for each participating company with the results of a test (which workers were affected by the drill and its characteristics: % of clicks on links and what data may be leaked);
- a proposal of recommended technical protection measures;
- an aggregate summary and comparison of results by economic sector.
The beneficiaries are all the companies that want to participate by signing a confidentiality agreement, which allows them to know their internal situation, that of their economic sector, and the comparison with other sectors. Training companies, business associations and the cybersecurity sector are important players in taking part in the project's actions, disseminating the aggregated results, or promoting investments in cybersecurity.
Resources needed
During 2023 this service was provided to about 40 companies or large entities, with an average of 450 workers per company, at a cost of 30.000 euros. Currently, an automated process allows a resource consumption of less than 0.60€/user.
Evidence of success
- Emails contributed by SMEs;
- Phishing campaign mailings;
- Record of emails opened, clicked or entered;
- Non-disclosure agreements signed to participate in the drills;
- Reports of the results that have been presented to the participants;
- Point of view of the heads of the companies on the actions that may be derived from the information obtained in the reports received;
- Discovery of situations that commonly impact businesses and enable finer training and prevention tools to respond to phishing email attacks.
Potential for learning or transfer
This applies to companies where cybersecurity was not a priority issue (SMEs especially) and that did not know how to find technological solutions to mitigate increasingly critical risks. The phishing attack simulations are coordinated across different areas of interest within the company: technical, legal and organizational. This makes it possible to intervene in cybersecurity at a point identified by the companies themselves, without committing large economic investments, while still revealing the extent of the business risk involved.
Key success factors include establishing a competent cybersecurity entity (recognized as market neutral) that makes a proposal and can establish agreements with business entities from different business sectors, where they can compare results.