15 Apr Case Study: Akvelon Phishing Prevention Program
Today, most businesses devote large sums of money to keeping their buildings and the important files within them safe. However, some of the most dangerous security threats that they face each day are virtual: cyber security threats like phishing attempts. Every day, over 156 million phishing emails are sent to companies, and in 2017 alone, 76% of organizations around the globe stated they received phishing attempts. Despite these alarming numbers, many companies still have not set up measures to protect against phishing attempts within their workforce. Malicious adversaries now know that a company’s greatest vulnerability is its people: as of 2015, 97% of consumers could not correctly identify phishing email scams (McAfee). Phishing attempts are only rising as perpetrators realize just how profitable they can be. With that said, protecting your company against them as soon as possible is imperative.
Phishing attempts are usually financially motivated, with the intent to trick a company’s employees into clicking on malicious links and providing information that exposes their company to hacker infiltration. Predicting the damage that a phishing attempt can have on your company is nearly impossible, but in 2018 it was found that the average cost of a successful phishing attempt for mid-size companies is $1.6 billion (Dashlane). All it takes is for one of your employees to slip up and respond to a phishing email that is cleverly disguised to look like it was sent by your CEO.
One of the most effective ways to protect your company is to train your employees to detect and be aware of phishing attempts, and with Akvelon’s Phishing Prevention Program you can do just that. From the front desk staff to the CEO, everyone is a potential target, as they may be deceived into opening phishing emails and clicking on malicious links that will expose important company information. Our program is designed to train every single employee at your company to detect phishing attempts before perpetrators can gain access to what they are looking for: your company’s hard-earned money and important data.
- Phishing Threat Assessment: One of the most concerning things about phishing attempts is how easily they go unnoticed. In 2015, McAfee found that 97% of the 19,000 people tested from around the world could not correctly identify a phishing attempt. Regardless of their roles, years of experience with the company, or level of education, anyone can be and likely will be fooled by a phishing email. That’s where our simulations come in. Realistic phishing emails are sent out to the client’s entire staff in an undetectable manner, ensuring that employees do not all receive the same email at the same time. Our program then monitors and records when employees open the phishing email and click on the links within (and at first, most employees will fall for it, but luckily these aren’t real phishing attempts!). At the end of the initial audit, the audit results and analytics are sent to the client. These results are used to assist with the training program that follows.
- Training Program: After the results of our initial audit are presented, the client receives a personalized training program which must be shared with every employee at their company. This training program is HackerRank Platform compliant to ensure that the best security practices are followed, based on the security and data privacy provisions set forth in security legislation such as HIPAA, HITRUST, NIST, etc. By the end of the training, all employees should know what phishing is, how much they could have potentially cost their company by opening the email and the link within, and how to detect phishing attempts in the future.
- Regular Threat Assessments: Practice makes perfect, so at least one more test will be completed to see if the client’s employees are actually ready to face a real phishing scam or if they need to hit the books again. The second round of audit results and analytics reports will then be sent to the client, with a suggestion to put those who failed again through our training program once more until they can prove that they are truly prepared.
Benefits and Results
- Save time: our audit requires minimal effort on the client’s part. They simply wait for the results of the audit and then make sure that all of their employees complete Akvelon’s training program.
- Prevent the loss of millions of dollars due to successful phishing attempts
- Strengthen trust throughout the company: a company is only as strong as its weakest link, and with this training it can be certain that every link is unbreakable
- Protect important confidential information of the client’s own consumers and employees.
- Prevent loss of trust from employees and clients, as well as bad PR, due to exposure of their private information as a result of a successful phishing attempt
1st Phishing Attempt Audit: Phishing attempt simulation emails were sent to 150 employees. Of these employees, 66 clicked on the “malicious” link that directed them to a phishing form. 14 employees filled out these forms with spam data, and 5 filled them out with real data. This means that 3.6% of the company’s employees would have compromised their security had this been a real phishing attempt. On average, it took employees 12 minutes to detect a phishing attempt.
2nd Phishing Attempt Audit: 30 employees were targeted with phishing simulations in this next round, including some from the first attempt as well as new employees. 2 of them clicked on the link, and nobody filled out a form, meaning that no one compromised the company’s security. On average, it took employees 8 minutes to detect a phishing attempt.
The results of both audits were compared to create a mitigation plan to remove security exposure risks. Between these audits, it was found that the time it took for employees to detect a phishing attempt improved by 34%. The number of employees who clicked the link decreased by 97%. These results, paired with the fact that no employees compromised their company’s security by filling out the form with real data in the second audit, confirm the effectiveness of Akvelon’s Phishing Prevention Program.