The Southern Fried Security Podcast - Episode 191 - Gone Phishin’
Phishing your employees - Does it make them aware or do they feel mistrusted?
- Intro - Phishing - what is it typically?
- Example - Emails from a Prince in Nigeria, getting phished on Match.com, etc.
- What is it? An email designed to get employees to click on suspicious links or give their credentials
- Discuss what I designed as part of my phishing campaign - Partnered with trusted vendor
- Designed an email and a Google Doc, supplied the AD user list, launched
- Stats from our phishing campaign
- How Gmail caught it and started dumping the emails into spam, but some employees even went into spam and clicked (RSA breach!)
- Employees used Slack to warn others. Can you avoid neighbors leaning over the cube to tell each other? Is this when “see something, say something” becomes a good thing? How do you get employees to follow it?
- What about when you phish your employees to improve security?
- How often?
- Do you target specific areas you know are susceptible (e.g. Marketing, Finance)?
- What about Engineering? How do you trick them?
- What are the benefits of a targeted phishing campaign?
- Start with education first, then move to sanctions.
- Use it to teach, not to ridicule.
- C-Levels *have* to be part of it.
- How do you prevent employees from feeling that Security doesn’t trust them?
- People are still the weak link! Solutions and hardware can’t prevent that one user from clicking on a link that creates havoc for the company.
- We blow holes in our mail security to allow the phishing emails through. What if the vendor gets compromised?
- Downsides?