InfoSecurity Magazine reports on the proactive approaches more IT professionals are taking when it comes to their client's data security, including setting traps for employees. Wait, what?
A number of IT departments are starting to send fake phishing emails to employees. If employees fall for the phishing email, they get a message telling them they've been phished and explaining how they just exposed the entire company to risk.
The Next Wave of Data Security Is Training (and Trickery)
To actively address their professional liabilities, IT consultants need to adopt best practices to make sure their company (or their client's) is secure. And that may involve some "creative" training, including phishing your own staff.
It's easy to see why some IT departments opt for this kind of trickery. Traditional employee training involves seminars and employee handbooks that might put your staff to sleep. Once this training is over, there's little reinforcement.
By contrast, these phishing traps closely resemble cyber attacks happening in the wild. Phishing emails can occur at any time. This training keeps employees on their toes.
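To make the mechanism concrete, here is a small tracker for an internal phishing simulation of the kind described above. It is an added example, not code from the original article or from any vendor it names: each employee gets an unguessable token in their email link, the landing page records the click and shows only the teachable-moment message (it never collects credentials), and the campaign reports a click rate. The training host name and employee addresses are constructed placeholders.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

TRAINING_MESSAGE = (
    "This was a simulated phishing email sent by your IT department. "
    "Clicking a link like this in a real attack could expose the whole company. "
    "Report suspicious emails to the helpdesk instead of clicking."
)


@dataclass
class PhishingSimulation:
    """Tracks one internal phishing-awareness campaign (constructed example)."""
    name: str
    tokens: Dict[str, str] = field(default_factory=dict)  # token -> employee
    clicked: Set[str] = field(default_factory=set)        # employees who clicked

    def enroll(self, employee: str) -> str:
        """Issue a random per-recipient token to embed in that employee's link."""
        token = secrets.token_urlsafe(16)
        self.tokens[token] = employee
        return token

    def landing_url(self, token: str) -> str:
        # Hypothetical internal training host; no credentials are collected here.
        return f"https://training.example.internal/{self.name}?t={token}"

    def record_click(self, token: str) -> Optional[str]:
        """Called by the landing page; returns the training message, or None for unknown tokens."""
        employee = self.tokens.get(token)
        if employee is None:
            return None
        self.clicked.add(employee)  # a repeat click by the same person counts once
        return TRAINING_MESSAGE

    def click_rate(self) -> float:
        """Fraction of enrolled employees who clicked the simulated lure."""
        enrolled = set(self.tokens.values())
        return len(self.clicked) / len(enrolled) if enrolled else 0.0


def run_demo() -> float:
    """Constructed four-person campaign where one employee clicks twice."""
    sim = PhishingSimulation("invoice-lure")
    staff = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]
    tokens = {e: sim.enroll(e) for e in staff}
    sim.record_click(tokens["bob@example.com"])
    sim.record_click(tokens["bob@example.com"])  # duplicate click, still one employee
    sim.record_click("not-a-real-token")          # unknown token is ignored
    return sim.click_rate()
```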
Before you start sending phony emails to employees, plan out your training campaign:
- Get approval. The KnowBe4 security blog warns that these tactics might shock HR and other staff. Even though internal phishing campaigns aren't harmful, to someone unfamiliar with IT, they sound scary. So get high-level approval and explain that this strategy is part of best practices.
- Tell your clients the big guys are doing this. Other companies are already using this strategy. In fact, data security companies like Wombat make this a key part of their offerings. While it may seem novel, it's not.
- Phishing attacks are responsible for many big breaches. Data breaches at Anthem, JPMorgan Chase, and others have been traced back to spear phishing campaigns. Phishing is one of the go-to methods cyber criminals use to find an entry point in your security.
- Phishing hits where it hurts. Kaspersky Labs reports that over a quarter of phishing attacks targeted financial data in 2014. In fact, Scoular lost $17 million in a spear phishing attack.
- Phishing attacks are smarter. As we reported in "Re: Your Recent Spear Phishing Attack," fraudsters have increasingly targeted small businesses and executed more careful, focused attacks.
Now Is the Time: IT Best Practices and Professional Liability Insurance
As more companies are talking about InfoSec at the board level, your client might be looking to spend more on data security, too. To capitalize on this awareness, you'll need to stay up-to-date with best practices in the security world.
You're responsible for following industry standards, and failure to do so can lead to lawsuits. While Professional Liability Insurance can provide coverage for lawsuits when a client alleges you've made an error or omission, you'd obviously rather avoid litigation altogether.
If you are sued, you'll want to be able to point to strategies you executed to prevent data breaches and secure your client's network. That's why it's crucial to approach IT security practice like you would technology – always look to upgrade.