Simulated Phishing Campaigns Can Improve Employee Awareness

Zack Prichard

Anyone who watched TV in the 90s will undoubtedly remember the NBC PSAs with the catchy jingle, “The more you know…”. It was sage advice then, and in today’s modern technological world, where cybersecurity is paramount, it still holds true. As such, businesses are increasingly embracing education related to cybersecurity. These organizations realize that there must be a focus on both external and internal threats, with increased awareness of the defenses that staff can employ.

Simulated Phishing Campaigns

Many businesses find that training services like those offered by OneNeck partner KnowBe4 are effective options for protecting both data and personnel. One specific strategy is to simulate common threats that target the human element through phishing campaigns. This approach is particularly valuable since, according to Verizon’s 2022 Data Breach Investigations Report, 82% of data breaches involved a human component.

Through these simulated phishing attacks, end users can increase awareness of the methods used by attackers and the proper procedures to follow upon identifying such an attack.

Pushback Against Simulated Phishing Attacks

I recently listened to a podcast where a story was shared about an arguably ill-timed simulated phishing attack that a company ran against its employees. This particular business was in the process of rolling out organization-wide Multi-Factor Authentication. The simulated phishing attack – allegedly not coordinated on purpose to coincide with the MFA effort – implied that recipients needed to follow the email link to complete an MFA task. The podcaster – who works from home and has youngsters at home – was among those inside the company who fell victim to the simulated attack.

As they shared the events, they placed some blame for falling victim to the attack on outside distractions – notably balancing work and home life with littles. (Whether it’s children, pets, mobile devices, etc., we all know distraction far too intimately.) While admitting ultimate responsibility for falling victim to the simulation, they expressed significant frustration surrounding the timing. They decried the simulated attack as counter-productive when the organization’s goal was to get employees to buy in and support the MFA effort.

The Perfect Time

While I appreciate the expressed frustration, there are a few reasons that I believe the timing was not only excellent but should, in fact, be coordinated to align with company initiatives, such as the implementation of MFA.

  1. Attackers and bad actors don’t exactly work within a system of morals and ethics. They will exploit as many opportunities and weaknesses as they can find. Testing employees using guerrilla-style tactics theoretically serves to better educate and prepare users within the target audience.
  2. Multitasking (read: distraction) is an attacker’s best friend. Most of us have our attention divided by at least a few things at any given moment. When we make snap judgments or act without thought or careful review of what we are looking at, the odds of making a costly mistake skyrocket.
  3. Security in layers is critical for any organization. Educating users is a significant step in the right direction, but as we’ve seen, other factors come into play – and ultimately, we’re only human. IT organizations should employ overlapping solutions that prevent a distracted mistake or clever attack vector. Policy and procedure should be augmented by solutions like MFA, email filtering, and DNS filtering, to name a few. Layers of human and technical defenses together are key.

The More You Know with OneNeck and KnowBe4

Cyberthreats remain highly dynamic, continually adapting to both defenses and human nature. Proactive measures such as education and coordinated campaigns help condition users on what to look for and can be highly effective tools. Simulated phishing campaigns stand out as a particularly successful method to train employees and raise awareness about the importance of cybersecurity. By simulating common threats that target the human element, end users can become more familiar with the methods attackers use and the proper procedures to follow when they discover such attacks.

However, it’s important to note that educating users is just one step in reducing the likelihood of a cybersecurity breach. Investment in procedure/planning and defensive technical solutions is crucial in adequately protecting your business. Organizations should employ overlapping solutions that prevent a distracted mistake or clever attack vector.

In today’s fast-paced technological world, businesses must take cybersecurity seriously to avoid costly and damaging breaches. By incorporating education, training, and defensive technical solutions, organizations can significantly reduce the likelihood of a breach and protect their data and infrastructure.

Have questions about awareness, training or any aspect of cybersecurity? Contact us today to speak with a OneNeck security expert.
