The age of technology brought with it the age of cybercriminals. If a hacker were to gain access to the sensitive data about your business, customers or employees, the damage to your reputation and profitability could be severe.
A common way this happens is called “phishing”.
You’re probably aware of the specific danger of phishing. This is when a fraudster sends a phony communication (usually an email, but sometimes a text or instant message) that appears to come from a source the recipient trusts, such as a bank, a vendor or a colleague. The criminal’s objective is either to get recipients to reveal sensitive personal or company information, often by typing their credentials into a look-alike login page, or to click a link or open an attachment that exposes their computers to malicious software.
It’s a terrible thing to do, of course. Maybe you should give it a try.
An upfront investment
That’s right, many businesses are intentionally sending fake emails to their employees to determine how many recipients will fall for the scams and how much risk the companies face. These “phishing simulations” can be revealing and helpful, but they’re also fraught with hazards both financial and ethical.
On the financial side, a phishing simulation generally calls for an investment in software designed to create and distribute realistic phishing emails and then gather risk-assessment data, such as how many recipients opened the message, clicked the link or entered credentials. There are free, open-source platforms you might try, but they typically offer fewer built-in templates and reports, and you’ll have to host, configure and maintain them yourself without vendor support.
Commercially available phishing simulators are rich in features. Many come with educational tools so you can not only determine whether employees will fall for phishing scams, but also teach them how to avoid doing so. Developers typically offer installation assistance and ongoing support as well.
However, you’ll need to establish a budget and shop carefully. You must then use the software regularly, as part of your company’s wider IT security measures, and track the results from one campaign to the next to get an adequate return on investment.
Ethical quandaries
As mentioned, phishing simulations present ethical risks. Some might say that the very act of sending a deceptive email to employees is a betrayal of trust. What’s worse, if the simulated phishing message exploits particularly sensitive fears, you could incur a backlash from both employees and the public at large.
A major media company recently learned this the hard way when it tried to lure employees to respond to a phishing simulation email with promises of cash bonuses to those who remained on staff following layoffs related to the COVID-19 pandemic. Users who “clicked through” were met with a shaming message that they’d just failed a cybersecurity test. Angry employees took to social media, the story spread and the company’s reputation as an employer took a major hit.
Plan carefully
Adding phishing simulations to your cybersecurity arsenal may be a good idea. Just bear in mind that these aren’t a “one and done” type of activity. Simulations must be part of a well-planned, long-term and broadly executed effort that seeks to empathetically educate users, not alienate them. Pay as much attention to how many employees report a suspicious message as to how many click on it: prompt reporting is the behavior you want to reinforce.
These long-term security projects, of course, come with a cost that must be planned and accounted for appropriately. We can help you every step of the way, from budgeting for an increase in security spending to accounting for the resulting IT costs. Please contact your Rudler, PSC advisor for more information at 859-331-1717.
RUDLER'S TAX MANAGEMENT & PLANNING TEAM
This week's Rudler Review is presented by Becca Thorman, Staff Accountant and John Wood, CPA, CVA.
If you would like to discuss your particular tax situation, contact Becca or John at 859-331-1717.
Rudler PSC has established a Tax Management and Planning Team, a group of professionals who specialize in tax services. These highly qualified and experienced tax specialists meet on a regular basis to discuss upcoming client engagements, current issues relating to our clients and regulatory changes. To receive future Rudler Reviews with advice from our tax experts, sign up today!