WHAT IS THE BLOG ABOUT?
- MISCONCEPTIONS ABOUT CYBER THREAT
- LACK OF RESPONSE AFTER A CYBER INCIDENT
- WHAT ELSE COULD PEPCO HAVE SPENT ITS 15 MILLION EURO LOSS ON?
Phishing simulation, cyber security, IT consulting
FREE PHISHING TEST?
The idea comes from the fact that we have a security awareness development partner, KnowBe4, who provides many opportunities for testing with various simulations. Their role in organising cyber security is enormous: it is obviously important to know the vulnerabilities of hardware and applications, but the human factor, the awareness of the workers, can be more important in many cases. In a successful phishing attack, users practically hand the key to the hackers on a tray, who can then access company data without much effort. The hackers can even issue an invoice on behalf of your company with their own bank account on it, and your colleagues may even transfer 15 million euros to them.
For this reason, we chose the free phishing simulation as one of the motivational elements of the campaign; it is completely safe and gives a transparent picture of corporate awareness. The test itself is free and takes several days or weeks, depending on the size of the business. After the test, we do not oblige anyone to do anything; we only provide a report on the current security situation among users and what we recommend in light of it. Nothing else is required for the test, only company email addresses, which we receive under a non-disclosure agreement and treat as strictly confidential. There is nothing more for businesses to do.
In a small percentage of the campaign, we were able to reach the person in charge of cyber security. This could have been good news, because why would a professional manager not want to talk to a cyber security company? They are indeed the most willing to talk to us, but we received different feedback through the campaign. It turned out that in most places there is no person responsible for cyber security, or if there is, that person holds the most surprising positions in the company, such as export manager, plant engineer or production manager.
The other overwhelming finding of our research was that where there is no internal cyber protection, a mysterious external IT team “protects” the IT and digital assets. At these companies, no one could answer our question of whether company managers regularly receive reports about security, and they could not say what kind of protection they use either. In other words, if no one knows anything about cyber security or incidents, then everything is probably fine.
The third and most shocking answer was the following: “We are not affected by cyber security.” One fifth of the respondents said this or gave a similar answer. The respondents were domestic medium-sized companies with a turnover of millions of euros. Among them are companies where, for example, a police investigation into a domain-spoofing incident that caused financial damage has already taken place or is currently underway. Here we are forced to bring up the specific example, and let the incredible answers come! When we asked this company how they resolved this cyber security issue, we were told that they were not affected by it. Hackers misused their name, DNS records, correspondence and order database, and invoices were issued on behalf of the company, but they are not affected, because only their partner company suffered financial damage. The icing on the cake is that they reassured us that they are indeed protecting themselves against cyber attacks and phishing, because they have a printed policy for colleagues in which everything is described.
THE OSTRICH POLICY DOESN'T PROTECT YOU FROM ANYTHING!
A relevant quote from Mathieu Kassovitz’s almost 30-year-old film The Hate (La Haine):
“You know when a guy falls off the fiftieth?
As he falls down, he reassures himself: Everything is fine so far. Everything is fine so far. Everything is fine so far.
You know, it’s not the fall that counts, it’s the landing.”
And a relevant domestic case. At the domestic subsidiary of the Pepco Group, a phishing attack based on sophisticated fraud caused 15 million euros in damage. The hackers used hacked business email accounts, e.g. through domain spoofing, which they probably obtained from a third party, to trick targeted company employees, likely finance staff, into transferring money to a bank account they controlled. In this case, human error is also clearly present. It is possible for a phishing email to slip through a secure email system: if an email arrives from a legitimate, uncompromised DNS address and fraud cannot be determined from its content, DNS filtering will forward it to the given account. Of course, addressing the fraudulent email to targeted persons also requires research on the hacker’s side, which may also indicate that they had already gained access to Pepco’s system. It is more than likely that the hackers were serious cybercriminals. Despite all this, there could have been tell-tale signs in the phishing emails, which users could have detected, or at least found suspicious. In that case, by clicking the phishing-report button integrated into the email system, they could have sent the emails for review, which would probably have revealed the scam.
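As an added example (not code from the original post, nor from Syswind or KnowBe4), a small Python check for the kind of tell-tale header signs described above: a Reply-To pointing to a different domain than the From address, failed or missing SPF/DKIM/DMARC results, and a sender domain that is a one- or two-character lookalike of a known partner domain. The trusted domain list, the header values and the sample message are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed list of domains the finance team legitimately deals with.
TRUSTED_DOMAINS = {"example-supplier.com"}

def domain_of(addr_header: str) -> str:
    """Return the lower-cased domain part of an address header (or '')."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to spot lookalike (typosquatted) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def spoofing_indicators(raw_message: str) -> list[str]:
    """Return human-readable red flags found in the message headers."""
    msg = message_from_string(raw_message)
    flags = []
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:
        flags.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    auth = (msg["Authentication-Results"] or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth or f"{check}=none" in auth:
            flags.append(f"{check.upper()} did not pass for {sender}")
    for trusted in TRUSTED_DOMAINS:
        if sender != trusted and edit_distance(sender, trusted) <= 2:
            flags.append(f"From domain {sender} is a lookalike of trusted {trusted}")
    return flags

# Constructed sample: a bank-details change request from a lookalike domain.
SAMPLE = """From: Accounts <billing@example-suppiler.com>
Reply-To: Accounts <billing@mail-relay.example.net>
Authentication-Results: mx.example.org; spf=none; dkim=none; dmarc=fail
Subject: Updated bank details for invoice 4471

Please use the new account below for all open invoices.
"""

if __name__ == "__main__":
    for flag in spoofing_indicators(SAMPLE):
        print("-", flag)
```

Such a check complements, rather than replaces, the report button: the user who hesitates and reports is still the last line of defence when the headers look clean.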
That’s why it’s worth testing for free how susceptible our employees are to phishing. If it turns out that they need development, you can train them for the price of a coffee each month. And for the price of a phone subscription, we provide full user protection. We do not know how many digital employees Pepco has (total number of employees: 2,659 in 2023). But if we calculate the cost of user protection for 500 colleagues, which is covered by the Syswind Strong Breeze package, the annual bill would have been 237,000 euros. And if all the remaining colleagues, i.e. another 2,159 people, had only been trained in security awareness without device protection, the annual bill would not have exceeded 282,000 euros. The loss of 15 million euros could have covered the protection of the users and the development of awareness for more than 53 years.
Of course, if we had also called Pepco in the campaign, there is a good chance that they would have said that everything is fine with them: they protect their servers, they have a good firewall and they use the latest antivirus, so they don’t need a free phishing simulation.
As a business, we don’t offer free simulations to occupy ourselves on boring days. We make money with it. For ourselves and for our business partners.
The ostrich policy does not protect you! As Stephen Hawking said: “The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.”
ONE MORE HINT
And one more thought on our part: if you don’t know something, you had better find out! The ostrich is not a good companion in a business venture.