Phishing your employees - Does it make them aware or do they feel mistrusted?
- Intro - Phishing - what is it typically?
1. Example - Emails from a Prince in Nigeria, phished on Match.com, etc - What about when you phish your employees to improve security?
1. What is it? An email designed to get employees to click on suspicious links or give their credentials
2. Discuss what I designed as part of my phishing campaign - Partnered with trusted vendor
3. Designed an email, google doc, supplied AD user list, launch
4. Stats from our phishing campaign
5. How GMail caught it and started dumping the emails into spam but some employees even went into spam and clicked (RSA breach!)
6. Employees used Slack to warn others. Can you avoid neighbors leaning over the cube telling each other? Is this when "see something, say something?" becomes a good thing? How to get employees to follow it? - What are the benefits of a targeted phishing campaign?
1. How often?
2. Do you target specific areas you know are susceptible (Ex - Marketing, Finance)
3. What about Engineering? How do you trick them? - How do you prevent employees from feeling that Security doesn't trust them?
1. Start with education first. Then to sanctions.
2. Use to teach - not ridicule.
3. C-Levels have to be part of it. - People are still the weak link! Solutions and hardware can't prevent that one user from clicking on a link that creates havoc for the company.
- Downsides?
1. We blow holes in security to allow Phish email through. What if vendor gets compromised?