56 Out of 100 Employees at This Firm Failed a Ransomware “Phishing” Test
(This post originally appeared on Inc.)
By now, you’re familiar with the giant ransomware attacks that have been hammering companies around the world and caused countless interruptions in business and services, including a shutdown of the U.K.’s national health system.
If not, a quick ransomware recap: it’s a malware program. When just one computer or device – Apple and Microsoft operating systems included – in your company is infected, the malware spreads and locks up all files across your network. To unlock the files, you need a special “key.” The key can only be obtained by paying the perpetrators a “ransom” – usually in bitcoin or some other untraceable digital currency. If you don’t pay within a few days, your files disappear. It’s become a billion-dollar industry for the hacking community, with some even setting up customer service lines to assist victims with paying the ransom and unlocking their files. I kid you not.
For your company to fall victim, all it takes is one employee who either opens a malicious file or is inadvertently redirected to a “phishing” website – a site that looks legitimate but is infected and downloads the malware automatically. How likely is that? A Portland TV news station decided to find out. The results were not good.
KGW recently reached out to the owner of a local hardware store and asked whether they could test a “phishing” email on the company’s 100 employees – just to see how many of them would take the bait. The test would, of course, be harmless. But it could be revealing. The owner agreed. And it was.
Working with a cybersecurity expert, the station first sent an email to all of the company’s employees. The email advertised a new food cart in the area and invited recipients to click on a discount coupon – which then redirected them to a test website that could just as easily have been a malicious phishing site. Of the 100 employees at Chown Hardware, 22 clicked. Remember, it only takes one for something bad to happen to your network.
The results of the second test were far more disturbing. A second email was sent to the employees that appeared to come from a member of the company’s human resources department (hackers can steal these addresses or make up convincing ones very easily), containing a test link to “update” their contact details. A whopping 56 people clicked on the link, no questions asked.
Think this couldn’t happen in your company? This little test should convince you that it can…and it will. Ransomware is expected to be the number one security issue of 2017 and will affect millions of small businesses around the world. If just one employee clicks a bad link, your business is locked up.
So how do we protect ourselves? Three ways: keep your security software updated; sign up for an online backup service (I like Carbonite, a client of my company); and train, train, train your employees.
“People always think hacking is very technical,” the security expert said. “But we always find, especially in security, that humans are the weakest link.” Isn’t that always the case?