
Does your team need security awareness training? Phishing can help

Jul 10, 2020


Are you concerned that your employees don’t take cybersecurity seriously enough? Of course, they don’t. Everybody’s focused on doing their job because that's what they're paid for. Here’s a better question:

Do company employees think about cybersecurity when it matters? And do they stay safe when browsing online, creating new passwords, and checking emails?

If you want to know, you can check. Many companies now perform tests to see whether their cybersecurity awareness training is working. Maybe it’s time for your company to do the same?

Cybersecurity awareness training and testing

Today, every company needs cybersecurity awareness training. Unless you don’t store any data and don’t use emails, money, or the internet, you and your team should know about online threats and how to avoid them.

But even when you pass on the knowledge, you can’t guarantee that anyone will follow the established rules, no matter how much you drill. Take, for example, all those institutions you would consider too secure to be hacked — a prison, for instance. They know what security is and understand why it matters. And yet hackers still manage to sneak in, even into a prison.

To facilitate their cybersecurity awareness training, companies now perform security tests on their employees. GitLab, a popular DevOps platform, is one of the companies that have shared their tests with the world. How well do you think they did?

How GitLab tested their employees

In May 2020, GitLab sent a phishing email to 50 randomly selected employees. The goal was simple: to test users’ preparedness for phishing and promote cybersecurity awareness. The email offered users to upgrade their work laptops and click a link to apply. Whoever clicked on the provided link was sent to a fake GitLab login page almost identical to the original one. The only clue was the domain of the fake website: gitlab.company instead of gitlab.com. As the last step, users were asked to enter their credentials. Those who did were redirected to GitLab’s cybersecurity handbook.
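The lookalike-domain trick described above (gitlab.company standing in for gitlab.com) is something a mail filter or a reporting tool can check for. The following is an added example, not GitLab's code or anything from the post: given an email body and a hypothetical allowlist of trusted domains, it flags links whose host reuses a trusted brand under a different TLD or buries a trusted domain inside a longer hostname. The sample email and the TRUSTED_DOMAINS allowlist are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lure modelled on the post: a laptop-upgrade offer
# whose link points at a lookalike domain.
SAMPLE_EMAIL = """Hi,
Your work laptop is due for an upgrade. Apply here:
https://gitlab.company/users/sign_in
Handbook: https://about.gitlab.com/handbook/security/
"""

# Hypothetical allowlist of domains the organisation actually uses.
TRUSTED_DOMAINS = {"gitlab.com"}

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def classify_host(host: str, trusted: set) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a link's hostname.

    Registrable domain is approximated by the last two labels (no public
    suffix list, so co.uk-style domains are not handled); homoglyph and
    punycode tricks are out of scope here.
    """
    host = host.lower().rstrip(".")
    labels = host.split(".")
    domain = ".".join(labels[-2:]) if len(labels) >= 2 else host
    if domain in trusted:
        return "trusted"
    brand = labels[-2] if len(labels) >= 2 else host
    for t in trusted:
        t_brand = t.split(".")[0]
        # Same brand label under a different TLD (gitlab.company vs gitlab.com),
        # or a trusted name buried inside a longer host (gitlab.com.evil.example).
        if brand == t_brand or host.startswith(t + "."):
            return "lookalike"
    return "unknown"


def classify_links(body: str, trusted: set = TRUSTED_DOMAINS) -> list:
    """Extract every http(s) URL from an email body and classify its host."""
    results = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname or ""
        results.append((url, classify_host(host, trusted)))
    return results


if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_EMAIL):
        print(f"{verdict:9} {url}")
```

Anything classified as "lookalike" is a strong candidate for automatic quarantine or, in a training context, for a "report this" prompt rather than a link the user can click.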

In a recent report, GitLab revealed that 17 out of the 50 recipients (around 30%) clicked on the link in the company’s phishing email. Out of the 17 employees who clicked, 10 entered their credentials into the fake login page.

On the flip side, 6 users out of 50 successfully recognized the phishing attack and reported it to the GitLab security team. Still, you have to wonder about the remaining 27 employees who did not take any action. Did they recognize it as phishing but not report it? Or maybe they couldn’t make up their minds about the laptop upgrade offer? Both possibilities are alarming. Notifying the company's security team should be the first thing you do after coming across something suspicious. And if the lack of action was caused by uncertainty, chances are a follow-up message could have persuaded them to click.

The truth is that every company should be doing these cybersecurity tests, which GitLab vowed to repeat soon with another batch of 50 people.

How cybersecurity training can have a lasting effect on employees

As our recent survey showed, the majority of people have fallen victim to cybercrime at least once. If you want to keep your company safe, you should often remind employees about the dangers lurking online.

The problem is often in the delivery — it’s hard to make a lasting impact with a presentation. But various tests within the company will keep your employees on their toes for longer.

Phishing email test campaigns are cheap to run and cost-effective. Plus, they are easy to repeat and give you a clear indication of how well your company is doing.

Penetration tests are also a common way to test the company’s security. In a physical penetration test, a hired tester tries to get into the building using various social engineering techniques. In fact, the prison story we mentioned earlier was a penetration test.

The point is, the best way to learn is by putting theory into practice, and this also applies to security awareness training. Even if the results are not good, they can be a positive learning opportunity.

Stay proactive with cybersecurity

Nothing is stopping you from replicating GitLab’s method and testing your employees with a phishing email. But is there anything else to bear in mind? Of course, there is.

Set realistic goals

The goal of phishing tests is not to get the perfect score. Instead, it's a way of identifying problems before they turn into disasters.

Replace emails with instant messaging

Most malware is spread via email. So limit the number of emails you send. Often, an email can be replaced with a direct message via Slack.

Introduce processes like secure sharing

If you share files via email, a phishing email may be easily mistaken for a genuine one. But if you use NordLocker to share encrypted files only, unencrypted attachments will stand out.

Remind everyone about cybersecurity principles

We’ve said it before, and we’ll say it again: cybersecurity involves everyone at the company — not only the IT security team. Everyone from an intern to the CEO is vulnerable to cyber attacks.

Encourage competition between departments

If your company is large enough, get different departments to compete on who gets the best score. Or produce a lasting impact by encouraging departments to create tests for other departments.

Cybersecurity training does not have to be boring. There are numerous ways of making an impact while having fun. Stay safe.

Oliver Noble


A nerd with a laser focus on all things cybersec. His own words. Oliver’s hobbies away from the computer include reading, Netflix, and testing the limits of yet another Raspberry Pi. To our surprise, this 130-pound ‘nerd’ also bakes a killer pumpkin pie.