If real, such a phishing attack could have put your company's sensitive information—such as usernames, passwords, credit card details or PINs of your customers—at risk. According to data from Kaspersky Lab, phishers launched attacks impacting more than 100,000 people daily last year.
Despite the efforts of security software vendors to stop them, cybercriminals are getting craftier by the day. A recent scam uncovered by the security firm Symantec targeted users of Google Drive, which many businesses rely on for collaboration. Victims received an email with the subject line "Documents" that led to a sign-in page closely mirroring Google's. Once they entered their credentials, the fake page submitted them to a PHP script on a compromised web server, which then redirected the browser to a real Google Drive document. Because the victim ended up looking at a genuine document, nothing signalled that the login had just been stolen.
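The "harvest, then redirect to something real" flow above leaves a trace that a web proxy can catch: a POST of form data to a host the victim has never logged into, answered by a redirect into the site being impersonated. The following is an added example of that detection logic, not code from the article or from Symantec. The proxy log format (timestamp, client IP, method, URL, status, redirect Location or "-") and the log lines are constructed for the example, and the `TRUSTED_LOGIN_HOSTS` allow-list is a hypothetical placeholder for your own identity provider.

```python
# Added example: detection logic for the "harvest then redirect" pattern
# described above. Not code from the article or from Symantec; the proxy
# log format (timestamp client_ip method url status redirect_location, with
# "-" for no Location header) and the log lines are constructed here.
from urllib.parse import urlparse

# Constructed sample: one client fetches a look-alike sign-in page on a
# compromised host, POSTs to a PHP script there, and is bounced to a real
# Google Drive document. A second client performs a legitimate Google
# sign-in and an unrelated intranet login, neither of which should alert.
SAMPLE_LOG = """\
2014-03-14T10:02:11Z 10.0.0.7 GET https://docs.google.com/document/d/abc123 200 -
2014-03-14T10:05:40Z 10.0.0.7 GET http://compromised.example/docs/index.html 200 -
2014-03-14T10:05:58Z 10.0.0.7 POST http://compromised.example/docs/verify.php 302 https://docs.google.com/document/d/abc123
2014-03-14T10:05:59Z 10.0.0.7 GET https://docs.google.com/document/d/abc123 200 -
2014-03-14T10:07:03Z 10.0.0.9 POST https://accounts.google.com/signin/challenge 302 https://drive.google.com/
2014-03-14T10:09:15Z 10.0.0.9 POST https://intranet.example/login 302 https://intranet.example/home
"""

# Hosts whose login forms are allowed to redirect into Google. Hypothetical
# allow-list; replace with the identity providers your users actually use.
TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_google_host(host: str) -> bool:
    """True for google.com and its subdomains, where this phish ends up."""
    return host == "google.com" or host.endswith(".google.com")


def parse_line(line: str) -> dict:
    """Split one constructed log line into its six fields."""
    ts, ip, method, url, status, location = line.split(maxsplit=5)
    return {
        "ts": ts,
        "ip": ip,
        "method": method,
        "url": url,
        "status": int(status),
        "location": None if location == "-" else location,
    }


def find_harvest_redirects(log_text: str) -> list:
    """Return (client_ip, post_url, redirect_target) for every POST that went
    to an untrusted host and was answered with a redirect into Google.

    The fake page can look as convincing as it likes; what it cannot hide is
    that the submitted form data leaves for a host other than the one the
    victim is shown afterwards.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry["method"] != "POST" or entry["status"] not in REDIRECT_STATUSES:
            continue
        if entry["location"] is None:
            continue
        post_host = urlparse(entry["url"]).hostname or ""
        dest_host = urlparse(entry["location"]).hostname or ""
        # Legitimate Google sign-ins post to Google itself; skip those.
        if post_host in TRUSTED_LOGIN_HOSTS or is_google_host(post_host):
            continue
        if is_google_host(dest_host):
            alerts.append((entry["ip"], entry["url"], entry["location"]))
    return alerts


if __name__ == "__main__":
    for ip, posted_to, bounced_to in find_harvest_redirects(SAMPLE_LOG):
        print(f"{ip} posted credentials to {posted_to}, then was bounced to {bounced_to}")
```

Two caveats for anyone adapting this: the rule keys on the POST destination rather than on the address of the sign-in page, because a phishing page can be hosted somewhere that looks entirely respectable, while the credential drop-off point is the attacker's own; and it only works where the proxy records request methods and the Location header of responses, which for HTTPS traffic means TLS interception at the proxy.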
Based on the startled looks of the impacted employees, the mock phishing attack that Audrey and her co-workers experienced jolted the system, but did it make the company any safer from cyber threats?
Simulated attacks can't stand alone
Phishing hits thousands of companies each year, but it is far from the only threat they face. Malware, physical intrusions by attackers posing as service personnel, and attacks aimed specifically at mobile devices are all on the rise, and those are just a few of the available threat vectors. The mock phishing attack orchestrated by the company's security team is a useful wake-up call, but it isn't the only security education the company needs. Here's why:
You have to worry about more than just phishing. Attacks on data don't stop at a user clicking a link or opening an attachment in an email on their laptop. The same credentials can be harvested through a link sent by text message (smishing) or talked out of an employee over the phone (vishing). Malware can arrive through a mobile phone, or through a compromised ad or script on a perfectly legitimate website, with no obviously suspicious link involved.
It only teaches in the moment. The simulated attack did its job by delivering a shock, but what comes next? How do you reduce the risk of the same attack, or a slightly different one, succeeding later? Do employees get actionable guidance on how to recognise and avoid the next one?
It does not measure vulnerability to all attacks. If employees fell for a mock phishing attack, will they also fall for other types of attacks? How can you understand the complete vulnerability of individual employees?
Simulated attacks are valuable for assessing vulnerability, but they don't give CISOs the whole answer. A broader approach is needed.
A further problem for security officers is that most employees think they are immune to security threats. Despite heavy news coverage of large breaches, and despite the stories co-workers and friends tell about losing their laptops for a few days while a malware infection is cleaned up, employees generally believe that security risks don't apply to them. Those things happen to other, less careful people.