What does that mean? A company’s phish-prone percentage is the percentage of employees, staff or volunteers who would fall victim to a malicious email, one that prompts the recipient either to download an attachment or to click an embedded link. The link would deliver the unsuspecting user to a web site that begins loading its normal content (text, images, etc.) but also downloads a small program that a cyber criminal can use to gain further access to the organization’s network.
Recent news stories on 60 Minutes and CBS Sunday Morning, along with other media outlets, are hopefully drawing attention to this very real threat. Even though the threats to government, utility companies and major corporations (think Sony) covered in those stories are real, they don’t talk about the small company or organization that is also very susceptible to this danger. The cyber criminal views these smaller organizations as “low-hanging fruit.”
Many of the small to mid-sized businesses I talk with don’t understand how they could be affected. Here is the short list:
1. Theft: A small 30-person energy services company I know of had $80,000 wired right out of their bank account. Another 250-person company lost $750,000 wired to an account in Hong Kong. The accounts payable person was tricked into wiring the money at the direction of the CEO. But that email from the CEO was fake.
2. Ransom: A municipal police department had ALL their records, i.e., arrests, warrants, HR… everything, encrypted and held for a multi-million dollar ransom. Which they had to pay.
3. Child Porn: It was a complete surprise when the FBI showed up to confiscate all the servers of another company that had no idea their servers were being used to store and distribute child pornography.
4. Ill Will: A very large multi-location non-profit animal shelter had their web site redirected to a porn site. That investigation is ongoing. But the new threat is that the bad guys now know they can infiltrate the web site that was hosted by another service firm. Now all of the sites that web designer created are subject to exploit.
These and many, many more instances of cyber crime do not get reported. The companies feel they have to shield themselves from public disgrace, civil lawsuits, plus the loss of customers and revenue. Small to mid-sized companies, non-profits, or municipalities cannot sustain these types of losses.
There are no network perimeter protections that are foolproof. The only way to begin to protect one’s organization is to educate the staff. Cyber security professionals don’t come cheap anymore. They are sought out and paid huge sums to do executive- and staff-level training; they even show up in black SUV limousines.
But there are other, less expensive solutions. One cyber security firm has created a short 30-minute training video that staff can view online. After the staff complete the training and are ‘white-hat’ phished on a regular basis, an organization’s ‘phish-prone’ percentage can drop to zero.
Find out what your ‘phish-prone‘ percentage is for free at KnowBe4.com