Finding out which Employees keep clicking on Phishing E-mails
You have the best IT security, but dang it…the bad guys keep getting in. This means someone inside your house keeps opening the back door and letting the thieves slip inside. You have to find out who this enabler in your company is, and it may be more than one.

They don't know they're letting in the crooks, because the crooks are disguising themselves as someone from your company or a vendor or some other reputable entity.
After figuring out who these welcome-mat throwers are, you then have to continuously keep them trained to recognize the thieves.
So how do you locate these gullible employees? The following might come to mind:
- Create a make-believe malicious website. Then create an e-mail campaign—toss out the net and see how many phish you can catch. You must make the message seem like it's coming from you, or the CEO, or IT director, a customer, a vendor, the company credit union, what-have-you.
- You'll need to know how to use a mail server to spoof the sender address so that it appears it really did come from you, the CEO, IT director, etc.
- This giant undertaking will take away good time from you and will be a hassle, and that's if you already have the knowledge to construct this project.
- But if you hire an outside security expert or phish-finder specialist to create, execute and track the campaign, you'll be paying big bucks. And remember, the campaign is not a one-time venture like, for example, the yearly sexual harassment training. It needs to be ongoing.
- What leads to a data breach is that one doggone click. Thus, your "find out who the enabler is" should center on that one single click.
- This means you don't have to create a fake website and all that other stuff.
- Send out some make-believe phishing e-mails to get an idea of who's click-prone.
- Set these people aside and vigorously train them in the art of social engineering. Don't just lecture what it is and the different types. Actually have each employee come up with five ways they themselves would use social engineering if they had to play hacker for a day.
- Once or twice a month, send them staged phishing e-mails and see who bites.
- But let your employees know that they will receive these random phishing tests. This will keep them on their toes, especially if they know that there will be consequences for making that single click. Maybe the single click could lead them to a page that says in huge red letters, "BUSTED!"
- This approach will make employees slow down and be less reflexive when it comes to clicking a link inside an e-mail.
- Of course, you can always institute a new policy: Never click on any links in any e-mails, no matter who the sender is. This will eliminate the need for employees to analyze an e-mail or go "Hmmmm, should I or shouldn't I?" The no-click rule will encourage employees to immediately delete the e-mail.
- But you should still send them the mock phishing e-mails anyway to see who disregards this rule. Then give them consequences.
About the Author
Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing identity theft prevention.