A few weeks ago, a massive phishing attack was unleashed, seemingly within a small window. It made security experts stop and pay attention. Let me paint two scenarios for you.
Scenario One: Several office mates pop into your office to say they just received an e-mail from you sharing a Google Doc. Your phone starts ringing. It’s a confused coworker saying they opened up the Google Doc, clicked through the permissions screen, and now want to know why they can’t find the document.
Uh oh. You never sent an e-mail to your coworkers. It looks like your account may have been hacked. You scramble to get the word out to folks to delete the e-mail and call the Help Desk if they clicked on the link.
You know there’s going to be some hoopla over this.
Scenario Two: The Help Desk gets a large influx of reports from users regarding an odd e-mail received from several other staff members about a shared Google Doc. They didn’t click on it because it seemed “off” to them.
You quickly put together a PSA to let the entire workforce know to be on the lookout for this e-mail. Your mail server team begins blocking new messages of this kind and deletes existing messages from mailboxes. The team also makes note of users whose accounts were sending the e-mail and submits that to the Help Desk, Information Security Manager (ISM) and/or Director.
Your Help Desk fields calls from users who clicked on the e-mail and provides technical assistance to recover their accounts. They also assist users whose accounts were sending out the e-mail. The ISM coordinates with team members to monitor for additional suspicious activity on affected accounts. An after-action report is completed at the end of the week, and the ISM or Director reviews it with the entire tech team and workplace stakeholders.
You can see that one scenario is ideal, while the other is not. In Scenario One, people outside of the tech team aren’t aware of phishing e-mails and there’s a sense of panic when an incident occurs. In Scenario Two, the majority of the workforce is aware, but some users still fall for the phish. However, the tech team has a plan in place to respond and recover. While security awareness doesn’t prevent all incidents, early reports of potential problems result in a faster response and recovery time.
I personally received several of these phishing e-mails within a ten-minute window. Immediately, I contacted the senders. I called their numbers and talked to them. A couple were already aware and had been receiving reports from coworkers. One was out of the office, but I shared as much information as possible with the assistant so she could take it to her business manager.
This is the difference we want to bring to your workplace with security awareness. We’re not selling snake oil. We know that education and training can’t prevent every scam that’s going to come down the line. But we can help you get to Scenario Two, where the workforce is more prone to report suspicious activity and ASK before taking an action. We can provide security awareness content, a platform to put that content in front of your users, and a patient ear for your tech team on how to reach users.
If you haven’t had the opportunity to put together your own security awareness program, please consider us.