IT Friday: Top 3 Reasons You Need to Use a Phishing Simulator

Despite all your network protections, all it takes is one click from your end user to open your network.

Imagine it is three o’clock on a Friday afternoon. Joe opens his email to check the responses from his clients. He sees an email from FedX saying his tracking number is available. Perplexed, Joe opens the e-mail to find out what it is about. He wasn’t expecting something from a client. He opens the tracking PDF and sees a generic-looking document that doesn’t appear to be anything he is working on. Rolling his eyes, after confirming it has nothing to do with his job, he closes it and then deletes it.

After a relaxing weekend, Joe comes into the office and logs into his computer. He goes to open his sales document, only to be told that it is in an unrecognizable format. Document after document after document produces the same result. After a 1/2 hour of frustration, he finally reaches out to his IT.

His computer and shared drives were encrypted by CryptoLocker.

I would request a show of hands if this has happened to your company, but in this day and age it is probable that your company has already dealt with this horrible virus.

What can we do to protect ourselves?

Typically, a good firewall and anti-virus are recommended. These are the first line of defense against any intruders trying to brute force their way onto your network. Scammers are getting clever and going back to old, reliable tactics: spamming your inboxes with fake messages that launch viruses directly on your end user’s PC. Even a properly set up spam filter will miss a few of the items coming into your network, which leads us to the last line of your network’s defense.

Often the last line of defense against viruses is your users. Users can be tricky. Many end users are savvy and are able to keep up with technological advancements. Others don’t know the first thing about a computer except how to turn it on and complete their daily work functions. With various degrees of technological know-how, they are your last line of defense, and it’s your responsibility to verify that all of them are trained not to click on that one suspicious email. If they do click on it, they need to reach out to your IT ASAP to immediately start cleaning the PC.

How to provide effective training?

Knowing that it only takes one user, there is a better way to train all employees to reduce the risk of your company becoming a statistic. People learn best by doing. If you want to learn anything, then active learning is best. You can send lists to your employees until you are blue in the face and all they will gain is a passive understanding. There are several options out there. The one that I have used in the past is KnowBe4. KnowBe4 is only one example of a phishing simulator. Here are some more:

These types of services allow you to send test emails mimicking phishing emails. They can be used in conjunction with training as a way to test how well your team is listening and applying what they learned. If your team is struggling with one concept, you can use the simulators to nudge them to remember. The benefit is that you can train your users in a safe, secure way. It also allows you to see the likelihood of someone in your network clicking on something they should not. This makes the training proactive instead of reactive.

To summarize the article above:

1. Scammers are not going anywhere.
2. Firewalls, antivirus, and spam filters cannot catch everything and your users will be your last/first line of defense.
3. People learn best by doing. Using the simulators allows your users to train in a safe way while expanding their security awareness knowledge.


Microsoft Dynamics GP Security Overview

In Microsoft Dynamics GP, users have access to nothing until security access to windows, reports, and files is granted. The standard Roles and Tasks are pre-defined sets of windows, reports, and files, based on the tasks they are granted. Microsoft built the system in a way that allows Administrators to edit the Roles and Tasks to fit their requirements or even create new ones.

There are specific building blocks that build on one another to create the security in Microsoft Dynamics GP.

  • Operation: The base level of access to a window or report. Operations are assigned to a task.
    • E.g. the Account Maintenance window
  • Task: The Task component is the group of operations that are needed to complete a business task.
    • Task CARD_0101*
  • Role: The Role component is the group of tasks that define a particular job in a company.
    • Account Manager*

A great tool to look up the security Roles and Tasks for specific windows or reports is GP Window.

The roles that are assigned to each user are company-specific, so you can assign different roles in different companies if needed.
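The building blocks above can be modelled as a small access-review script. This is an added example, not code from Microsoft Dynamics GP or from the original post: it does not read GP's database, and every ID and mapping in it is constructed sample data (only the names CARD_0101, Account Manager and Account Maintenance come from the text).

```python
from collections import defaultdict

# Constructed sample data; only CARD_0101, Account Manager and
# Account Maintenance are names taken from the article.
TASKS = {  # task ID -> operations (windows/reports) it grants
    "CARD_0101": {"Account Maintenance"},
    "RPT_DEMO_01": {"Trial Balance Report"},
    "ADMIN_DEMO_01": {"Security Roles", "User Security"},
}
ROLES = {  # role ID -> tasks it contains
    "Account Manager": {"CARD_0101", "RPT_DEMO_01"},
    "Demo Admin": {"ADMIN_DEMO_01", "CARD_0101"},
}
ASSIGNMENTS = {  # (user, company) -> roles; assignments are per company
    ("joe", "Company A"): {"Account Manager"},
    ("joe", "Company B"): set(),
    ("ann", "Company A"): {"Demo Admin"},
    ("ann", "Company B"): {"Account Manager", "Demo Admin"},
}

def effective_operations(user, company):
    """Operations a user can reach in one company; the default is no access."""
    ops = set()
    for role in ASSIGNMENTS.get((user, company), set()):
        for task in ROLES.get(role, set()):
            ops |= TASKS.get(task, set())
    return ops

def who_can(operation):
    """Reverse lookup for an access review: every (user, company) that
    reaches `operation`, with each (role, task) path that grants it."""
    paths = defaultdict(list)
    for (user, company), roles in ASSIGNMENTS.items():
        for role in sorted(roles):
            for task in sorted(ROLES.get(role, set())):
                if operation in TASKS.get(task, set()):
                    paths[(user, company)].append((role, task))
    return dict(paths)

def redundant_grants(operation):
    """Users who receive the same operation through more than one role, so
    removing a single role would not actually revoke their access."""
    return {k: v for k, v in who_can(operation).items() if len(v) > 1}

if __name__ == "__main__":
    print(effective_operations("joe", "Company B"))   # no roles, no access
    for key, via in who_can("Account Maintenance").items():
        print(key, via)
    print(redundant_grants("Account Maintenance"))
```

The reverse lookup is the part that matters for least privilege: before editing a Task or removing a Role, it shows every path by which a user still reaches a sensitive window in each company.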

Setting up a Task
Click Microsoft Dynamics GP, point to Tools, point to Setup, point to System, and then click Security Tasks.
Then look up or create your Task ID. If this is a new task, you will need to fill in the Task Name and Category.
Then select a Product, Type, and Series; this brings up a list of windows or reports to grant access to. If an item is checked, the task has access to that window or report.


Setting up a Role
On the Microsoft Dynamics GP menu, point to Tools, point to Setup, point to System, and then click Security Roles.
Then look up or create your Role ID. If this is a new role, you will need to fill in the Role Name.
You will then be able to select various security tasks to apply to the Role. If a task is checked, the Role has access to that Task.


Applying user security
On the Microsoft Dynamics GP menu, point to Tools, point to Setup, point to System, and then click User Security.
Then look up your user and select the company to which you would like to apply the Role. You will need to apply this to each company. If the permissions are the same for each company, you can use the copy button on the ribbon to copy the setup between companies.
You will then be able to select various security roles to apply to the user’s security.
