Let staff go phishing on a simulator

Imagine getting an email from your company’s human resources department, customized with the company’s logo, touting a new benefits program. It even offers a link to check out the details.

You’d click that link without hesitation.

Cyber attackers are counting on it, because HR didn’t send that email, and the link at the end of it leads to malware. So how can you tell what’s legitimate and what’s not?

Despite increasing numbers of security breaches involving confidential data, security training in Canada is still woefully lacking. IDC says in its December 2012 Forecast of Data Breaches of Personal Information in Canada that there were an estimated 3.3 million incidents of lost or stolen confidential personal data in 2011, and that this is expected to increase to over 4 million by 2015. Yet only just over half of organizations have employee security awareness plans in active use, and, even more disturbing, about one quarter have no plans at all, even though organizations of all sizes list employee knowledge as one of the top three critical roadblocks to improving security.

Worse yet, IDC’s research finds that IT security investments are lower here than those in the U.S., while Canadians have a higher degree of confidence in IT security. Says IDC, “this continued high level of confidence is not only unwarranted, but dangerous.”

Phishing attacks, in which attackers attempt to extract credentials from their victims with communications masquerading as legitimate messages, have become increasingly sophisticated. It’s often difficult for even alert, trained employees to spot them. Targeted phishing, known as spear phishing, aims at a small group of victims, often incorporating customized information to persuade recipients that the emails are from trusted sources.
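The two checks a trained employee is supposed to make on the HR message above are mechanical enough to script: does the sender’s address actually belong to the company, and does the text of each link match where the link really goes? The following is an added example (not code from the article, PhishMe or IT World Canada) that parses a constructed, made-up message with Python’s standard library and reports both kinds of mismatch. The trusted domains and every address, host and URL in it are assumptions for illustration; a real deployment would load the domain list from the organization’s own records.

```python
"""
Flag the tell-tale signs of a spoofed "HR" email: a sender address that is
not on the company domain, and link text that disagrees with the link target.
Added example with a constructed message; not code from the original article.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (hypothetical): the organisation owns exactly these domains.
TRUSTED_DOMAINS = {"example-corp.com", "hr.example-corp.com"}

# Constructed sample message. The display name claims to be HR but the address
# is on a lookalike domain; the first anchor shows the company portal while its
# href points at a host that merely begins with the company name.
RAW_MESSAGE = b"""\
From: "Example Corp HR" <benefits@example-corp-benefits.com>
To: staff@example-corp.com
Subject: New benefits program - action required
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We are pleased to announce a new benefits program.</p>
<p>Review the details at
<a href="https://example-corp.com.benefits-update.net/login">
https://hr.example-corp.com/benefits</a></p>
<p><a href="https://hr.example-corp.com/faq">Benefits FAQ</a></p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Lower-cased host of a URL-looking string; '' if it is not a URL."""
    parsed = urlparse(text if "://" in text else "")
    return (parsed.hostname or "").lower()


def is_trusted(host):
    """True if host is a trusted domain or a subdomain of one.
    Matching on the suffix rejects 'example-corp.com.evil.net'."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def analyse(raw):
    """Return human-readable findings for one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    sender = msg["From"]
    sender_domain = sender.addresses[0].domain.lower() if sender and sender.addresses else ""
    if not is_trusted(sender_domain):
        findings.append(f"sender domain not trusted: {sender_domain}")

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = AnchorCollector()
    parser.feed(body.get_content())

    for href, text in parser.anchors:
        if not href:
            continue
        href_host, text_host = host_of(href), host_of(text)
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")
        elif not is_trusted(href_host):
            findings.append(f"link to untrusted host: {href_host} ({text!r})")
    return findings


if __name__ == "__main__":
    for finding in analyse(RAW_MESSAGE):
        print("WARNING:", finding)
```

Running it on the constructed message produces two warnings: the sender domain is not trusted, and the benefits link displays hr.example-corp.com while pointing at example-corp.com.benefits-update.net. The FAQ link passes because its text is not a URL and its host is a real subdomain of the company. The same suffix test is what keeps a lookalike such as example-corp.com.evil.net out of the trusted set.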

And that’s where PhishMe comes in.

Chantilly, VA-based PhishMe Inc. is a four-year-old company that specializes in teaching employees how to detect and avoid phishing, malware, and drive-by attacks. Its product is a software-as-a-service spear phishing simulator that immerses employees in a realistic scenario without the negative effects of a real attack.

According to CEO Rohyt Belani (pictured), the idea came when he realized humans were becoming the attack vector of choice. The core of his company’s offerings is managing employees’ security behaviour. “I shy away from saying we do awareness; there’s a passive undertone to it,” he says. “Actively managing employee behaviour is what we do.”

“Fighter pilots learn from putting them in the simulator and creating different situations and giving them feedback,” he went on. “That’s kind of what we’re doing here. We immerse people in a very controlled environment in simulated phishing attacks that closely replicate what the nation-state actors and the cyber criminals do.”

Companies use the service to set up and execute a simulated phishing campaign, and typically touch everyone in their organization every two or three months. If an employee clicks on something he or she shouldn’t, there’s instant feedback (but not, says Belani, a slap on the wrist – more “we’re here to help you”) and a training snippet of 90 seconds to three minutes. It focuses on one concept at a time. And just so alert employees don’t miss out on the nuances of the training, those who don’t fall for a phish get a congratulatory message and a link to the training material they hadn’t seen.

PhishMe has trained 3.8 million people in 140 countries over the past two years, according to Belani, gathering a massive amount of data about human behaviour as it tracks users’ progress. Companies track their own employees’ progress on a dashboard, and can customize their own phishing campaigns.

PhishMe is a subscription-based service that charges per user per year. Belani wouldn’t go into detail on pricing, but said an organization with 200 employees could have unlimited campaigns for a year for about US$10,000, including full support. Larger companies would be looking at spending at least US$100,000, with a lower cost per user.

The built-in metrics have shown that overall 58 per cent of users fall for the phishes during early PhishMe campaigns. At the 18 month mark, Belani says the number has fallen to single digits. “It’s risk mitigation,” he says. “And it’s a fraction of the cost of a breach response.”
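The campaign mechanics described above (one link per employee, instant non-punitive feedback on a click, a nudge with the training material for those who did not click, and a click rate the dashboard can trend from campaign to campaign) fit in a small model. The following is an added example written for this page, not PhishMe’s code and not a description of its internals; the landing host, the recipients and the campaign name are constructed. The security-relevant choice it shows is that each tracking token is random and unguessable, so a recipient cannot forge a click for a colleague, and that an unknown token returns nothing that would reveal who is in the campaign.

```python
"""
Minimal simulated-phishing campaign: per-recipient tracking tokens, click
recording with instant feedback, per-recipient outcome at close, and a click
rate the dashboard can trend across campaigns. Added example; not PhishMe code.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption (hypothetical): where the simulator's landing pages are served.
LANDING_HOST = "https://training.example-corp.com"


@dataclass
class Campaign:
    name: str
    recipients: list
    tokens: dict = field(default_factory=dict)   # token -> recipient
    clicks: dict = field(default_factory=dict)   # recipient -> time of first click

    def prepare(self):
        """Assign one random token per recipient; return {recipient: tracking URL}."""
        for rcpt in self.recipients:
            token = secrets.token_urlsafe(16)    # 128 random bits: not guessable
            self.tokens[token] = rcpt
        return {rcpt: f"{LANDING_HOST}/t/{tok}" for tok, rcpt in self.tokens.items()}

    def record_click(self, token, when=None):
        """Handle a hit on a tracking URL and return which page to serve."""
        rcpt = self.tokens.get(token)
        if rcpt is None:
            return "not-found"                   # forged or mistyped: reveal nothing
        when = when or datetime.now(timezone.utc)
        self.clicks.setdefault(rcpt, when)       # count a person once, not per reload
        return "training-snippet"                # immediate, non-punitive feedback

    def close(self):
        """Outcome per recipient: clickers already saw the snippet, the rest get
        a congratulatory message with a link to the same material."""
        return {
            r: "clicked" if r in self.clicks else "congratulate-and-link-training"
            for r in self.recipients
        }

    def click_rate(self):
        """Percentage of recipients who clicked at least once."""
        if not self.recipients:
            return 0.0
        return 100.0 * len(self.clicks) / len(self.recipients)


def trend(campaigns):
    """Dashboard view: (campaign name, click rate) in the order the campaigns ran."""
    return [(c.name, round(c.click_rate(), 1)) for c in campaigns]


if __name__ == "__main__":
    # Constructed run: four recipients, one of whom clicks twice.
    campaign = Campaign("Q1 benefits", ["alice", "bob", "carol", "dave"])
    urls = campaign.prepare()
    alice_token = urls["alice"].rsplit("/", 1)[1]
    campaign.record_click(alice_token)
    campaign.record_click(alice_token)
    print(campaign.close())
    print(trend([campaign]))
```

Because the token identifies the employee, the landing page should not echo a name or any other recipient’s data; it only needs to serve the snippet. Repeated hits on one token are collapsed to a single click so the rate measures people, not page loads, which is what makes the campaign-to-campaign trend comparable.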

PhishMe has now launched a benchmarking feature that lets companies compare their results with those of other customers. Over the next few months, it will be expanded to allow filtering so customers can compare themselves to their peers.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
