Are you in the midst of a breaking crisis? Call +1 (514) 458-7101

The Crisis Intelligence Blog

Fishing for Internal Phishing Vulnerabilities

23 Oct

phishing-exerciseAtlantic Media, a print and online media company, recently put their employees through an awesome test.

The test: To send a “phishy” (pun intended!) email to employees, requesting them to verify their accounts.

The goal: To identify how easily it may be for others to hack the Atlantic Media system, and to evaluate how unprepared their team really was in dealing with this risk.

The outcome: Nearly 50% of Tom Cochran’s, the company CTO responsible for the exercise, employees opened the email, and 58% of those who opened it, followed through and clicked on the phishing link provided within it.

What is phishing and how can it compromise your organization?

Wikipedia defines phishing as “the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.”

Last year, huge digital corporations, including The Guardian and The Onion, were brought down by targeted phishing attacks. The reality is that phishing is a huge risk that many organizations fail to evaluate or even know about. It’s a risk that can leave your corporate information, trade secrets and stakeholders vulnerable and exposed.

The type of test that Atlantic Media put their unsuspecting employees through was truly brilliant. Not only did it allow them to determine how vulnerable the organization truly was, but it also allowed them to assess how to better protect and prepare their staff for such a risk. Hats off to Atlantic Media!

Now let me ask you this…

How aware and prepared do you think your team is to such a menacing threat? Have you considered testing and/or training your team on the realities of this risk, what to look out for and what to do if they are ever suspicious of an incoming message? If you haven’t, you aren’t alone, but it’s certainly not something you want to leave to chance.

Tags: , ,

2 Responses to “Fishing for Internal Phishing Vulnerabilities”

  1. MC October 24, 2013 at 10:59 am #

    After we experienced a few phishing events this past summer, we spent some time and effort educating our employees, and published a series of stories that included tips on avoiding a phishing scam on our company intranet. I think the testing idea would be a great way to see if our message got through.

    • Melissa Agnes October 24, 2013 at 11:11 am #

      Great idea and tool for your team to be able to reference back to. An exercise that tests your staff would definitely be a strong way to put their knowledge and awareness to the test. Thanks for sharing your experience with us!

Leave a Reply