Despite all your network protections, all it takes is one click from your end user to open your network.
Imagine it is three o’clock on a Friday afternoon. Joe opens his email to check the responses from his clients. He sees an email from FedX saying his tracking number is available. Perplexed, Joe opens the e-mail to find out what it is about; he wasn’t expecting anything from a client. He opens the tracking PDF and sees a generic-looking document that doesn’t look like anything he is working on. Rolling his eyes, after confirming it has nothing to do with his job, he closes it and then deletes it.
After a relaxing weekend, Joe comes into the office and logs into his computer. He goes to open his sales document, only to be told that it is in an unrecognizable format. Document after document after document produces the same result. After half an hour of frustration he finally reaches out to his IT department.
His computer and shared drives were encrypted by CryptoLocker.
I would ask for a show of hands if this has happened to your company, but in this day and age it is probable that your company has already dealt with this horrible virus.
What can we do to protect ourselves?
Typically, a good firewall and anti-virus are recommended. These are the first line of defense against any intruders trying to brute-force their way onto your network. Scammers are getting clever and returning to old, reliable tactics: spamming your inboxes with fake messages that launch viruses directly on your end user’s PC. Even a properly set up spam filter will miss a few of the items coming into your network, which leads us to the last line of your network’s defense.
Often the last line of defense against viruses is your users. Users can be tricky. Many end users are savvy and able to keep up with technological advancements. Others don’t know the first thing about a computer except how to turn it on and complete their daily work functions. Whatever their degree of technological know-how, they are your last line of defense, and it’s your responsibility to verify that all of them are trained not to click on that one suspicious email. If they do click on one, they need to reach out to your IT department ASAP so cleaning of the PC can start immediately.
How to provide effective training?
Knowing that it only takes one user, there is a better way to train all employees and reduce the risk of your company becoming a statistic. People learn best by doing. If you want to learn anything, active learning is best. You can send lists of warning signs to your employees until you are blue in the face, and all they will gain is a passive understanding. There are several options out there. The one that I have used in the past is KnowBe4. KnowBe4 is only one example of a phishing simulator. Here are some more:
These types of services allow you to send test emails that mimic phishing emails. They can be used in conjunction with training, and as a way to measure how well your team is listening and applying what they learned. If your team is struggling with one concept, you can use the simulator to nudge them to remember it. The benefit is that you can train your users in a safe, secure way. It also lets you see how likely someone in your network is to click on something they should not. This is proactive training instead of reactive training.
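To show what "seeing the likelihood of someone clicking" looks like in practice, here is an added example (not from the original article and not code from KnowBe4 or any other simulator product) that takes a simulation campaign export and turns it into the numbers a security team actually tracks: click rate and report rate per campaign and per department, the change between campaigns, and the users who clicked in more than one campaign and therefore need a follow-up nudge. The CSV columns, the campaign names and the user records are all constructed assumptions for the sake of the example; a real export will have its own column names.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column layout is an assumption, not any
# vendor's real format; "yes"/"no" flags per user per campaign.
SAMPLE_RESULTS = """campaign,user,department,opened,clicked,reported
2024-Q1,joe,sales,yes,yes,no
2024-Q1,ann,sales,yes,no,yes
2024-Q1,bob,finance,no,no,no
2024-Q1,cy,finance,yes,yes,no
2024-Q1,dee,it,yes,no,yes
2024-Q2,joe,sales,yes,no,yes
2024-Q2,ann,sales,yes,no,yes
2024-Q2,bob,finance,yes,yes,no
2024-Q2,cy,finance,yes,yes,no
2024-Q2,dee,it,no,no,no
"""


def parse_results(text):
    """Parse the CSV export into a list of dicts with boolean flags."""
    def flag(value):
        return value.strip().lower() == "yes"

    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "campaign": row["campaign"].strip(),
            "user": row["user"].strip(),
            "department": row["department"].strip(),
            "opened": flag(row["opened"]),
            "clicked": flag(row["clicked"]),
            "reported": flag(row["reported"]),
        })
    return rows


def campaign_summary(rows):
    """Click rate and report rate per campaign, overall ("all") and per department."""
    counts = defaultdict(lambda: defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0}))
    for r in rows:
        # Every row counts once towards the whole campaign and once towards its department.
        for scope in ("all", r["department"]):
            c = counts[r["campaign"]][scope]
            c["sent"] += 1
            c["clicked"] += int(r["clicked"])
            c["reported"] += int(r["reported"])

    summary = {}
    for campaign, scopes in counts.items():
        summary[campaign] = {}
        for scope, c in scopes.items():
            summary[campaign][scope] = {
                "sent": c["sent"],
                "click_rate": round(c["clicked"] / c["sent"], 3),
                "report_rate": round(c["reported"] / c["sent"], 3),
            }
    return summary


def repeat_clickers(rows, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: the ones to nudge first."""
    clicks = defaultdict(int)
    for r in rows:
        if r["clicked"]:
            clicks[r["user"]] += 1
    return sorted(user for user, n in clicks.items() if n >= min_clicks)


def trend(summary, earlier, later, scope="all"):
    """Change in click rate between two campaigns; negative means improvement."""
    return round(summary[later][scope]["click_rate"] - summary[earlier][scope]["click_rate"], 3)


if __name__ == "__main__":
    rows = parse_results(SAMPLE_RESULTS)
    summary = campaign_summary(rows)
    for campaign in sorted(summary):
        for scope, s in sorted(summary[campaign].items()):
            print(f"{campaign} {scope:8} sent={s['sent']} click={s['click_rate']:.0%} report={s['report_rate']:.0%}")
    print("sales trend Q1->Q2:", trend(summary, "2024-Q1", "2024-Q2", "sales"))
    print("repeat clickers:", repeat_clickers(rows))
```

The report rate matters as much as the click rate: a department where nobody clicks but nobody reports either has learned to ignore mail, not to spot an attack, and the "reached out to IT ASAP" behaviour the article asks for is exactly what the reported column measures. The per-department trend is what tells you whether the nudge after a bad campaign worked.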
To summarize the article above:
1. Scammers are not going anywhere.
2. Firewalls, antivirus, and spam filters cannot catch everything and your users will be your last/first line of defense.
3. People learn best by doing. Using simulators allows your users to train in a safe way while expanding their security awareness knowledge.