great course of action is to address carelessness and lack of knowledge with what A.I.M. Mutual Insurance Companies likes to call “Cyber Awareness Training.” This training should not only inform employees on how a data security breach could impact the company but also explain how employees could be impacted on a personal level. At A.I.M. Mutual, we like to focus on topics such as password best practices, identifying phishing emails, and recognizing suspicious behavior at the workplace. We use a more focused approach when training employees who work off-property, as there tends to be more exposure associated with carrying around a company cell phone or laptop.
One primary area of focus for A.I.M. Mutual’s 2016 Cyber Awareness Training was identifying and reporting phishing emails sent to company email addresses. According to Verizon’s 2015 Data Breach Investigations Report, up to 70 percent of cyber attacks in 2015 targeted a secondary victim after compromising a primary victim.² Employees should be considered a primary conduit between the company network and the increasingly dangerous World Wide Web, and it’s important to train them accordingly. We discovered that a combination of training and real-life testing was the most effective way to teach employees how to identify scam emails.
In order to test an employee’s likelihood of clicking on malicious email links and attachments, we initiated a quarterly “phishing campaign” with the help of an industry-known security organization. We sent quarterly emails to all employees containing phony links and attachments. The phishing software logged all emails sent, emails opened, and links clicked. In Figure 2, compare the results of our first and second phishing campaigns, which helped us gauge how “phish prone” our employees were at the time.
Though the percentage of emails opened increased slightly from 62.1 percent to 64 percent, the percentage of links clicked dropped considerably from 10.7 percent to 6.7 percent. Fortunately, the initial campaign provided the information needed to focus the Cyber Awareness Training on certain areas of the company, which likely accounts for the improvement seen in the second campaign. Considering the 12 percent click rate reported by Verizon’s 2016 Data Breach Investigations Report,³ the phishing campaigns were deemed so effective that we intend to continue them for the foreseeable future.
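The campaign metrics above (emails sent, opened, links clicked, and the resulting open and click rates per campaign) are simple to compute, but doing it carefully matters: the same employee may trigger a click event several times, and the useful output for targeting training is the click rate broken down by area of the company. The following script is an added illustration, not A.I.M. Mutual’s code or the output of the phishing platform it describes; the event records, employee names and departments are constructed for the example, and the record layout (campaign, employee, department, stage) is an assumption about what such a platform exports.

```python
from collections import defaultdict

# Stages a phishing-simulation platform typically logs for each recipient.
STAGES = ("sent", "opened", "clicked")

# Constructed sample log: one record per event (campaign, employee, department, stage).
# Employees and departments are invented; the layout is an assumed export format.
SAMPLE_EVENTS = [
    ("Q1", "alice", "claims", "sent"),
    ("Q1", "alice", "claims", "opened"),
    ("Q1", "alice", "claims", "clicked"),
    ("Q1", "bob", "claims", "sent"),
    ("Q1", "bob", "claims", "opened"),
    ("Q1", "bob", "claims", "clicked"),
    ("Q1", "carol", "finance", "sent"),
    ("Q1", "dave", "finance", "sent"),
    ("Q1", "dave", "finance", "opened"),
    ("Q1", "dave", "finance", "clicked"),
    ("Q1", "dave", "finance", "clicked"),   # repeated click: must count the person once
    ("Q2", "alice", "claims", "sent"),
    ("Q2", "alice", "claims", "opened"),
    ("Q2", "bob", "claims", "sent"),
    ("Q2", "carol", "finance", "sent"),
    ("Q2", "carol", "finance", "opened"),
    ("Q2", "dave", "finance", "sent"),
    ("Q2", "dave", "finance", "opened"),
    ("Q2", "dave", "finance", "clicked"),
]


def aggregate(events):
    """Return {campaign: {department: {stage: set(employees)}}}.

    Each employee is counted once per stage regardless of how many times the
    platform logged the event, so a repeated click does not inflate the rate.
    """
    agg = defaultdict(lambda: defaultdict(lambda: {s: set() for s in STAGES}))
    for campaign, employee, dept, stage in events:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        agg[campaign][dept][stage].add(employee)
    return agg


def _rate(part, whole):
    """Percentage of `whole` that is in `part`, rounded to one decimal."""
    return round(100.0 * len(part) / len(whole), 1) if whole else 0.0


def campaign_rates(events):
    """Per-campaign counts plus open and click rates as a percentage of emails sent."""
    result = {}
    for campaign, depts in aggregate(events).items():
        totals = {s: set() for s in STAGES}
        for stages in depts.values():
            for s in STAGES:
                totals[s] |= stages[s]
        result[campaign] = {
            "sent": len(totals["sent"]),
            "opened": len(totals["opened"]),
            "clicked": len(totals["clicked"]),
            "open_rate": _rate(totals["opened"], totals["sent"]),
            "click_rate": _rate(totals["clicked"], totals["sent"]),
        }
    return result


def click_rate_by_department(events, campaign):
    """Click rate per department for one campaign, highest first, so the
    departments that most need focused training appear at the top."""
    depts = aggregate(events).get(campaign, {})
    rates = {d: _rate(s["clicked"], s["sent"]) for d, s in depts.items()}
    return dict(sorted(rates.items(), key=lambda kv: (-kv[1], kv[0])))


def click_rate_change(events, before, after):
    """Percentage-point change in click rate from one campaign to the next."""
    rates = campaign_rates(events)
    return round(rates[after]["click_rate"] - rates[before]["click_rate"], 1)


if __name__ == "__main__":
    for name, stats in campaign_rates(SAMPLE_EVENTS).items():
        print(name, stats)
    print("Q2 by department:", click_rate_by_department(SAMPLE_EVENTS, "Q2"))
    print("Click-rate change Q1 -> Q2:", click_rate_change(SAMPLE_EVENTS, "Q1", "Q2"))
```

On the constructed data the first campaign shows a 75 percent click rate driven entirely by one department, and the second campaign shows the rate falling to 25 percent with that department at zero; the per-department view is what tells you where the next round of training belongs.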
Overall, A.I.M. Mutual has taken a holistic approach to cyber security. Between robust network infrastructure, security software, patch schedules, and end-user training, we believe we have considered all the angles necessary to protect ourselves from a data security breach. What’s most important is to identify the exposure that your business may have and build a budget based on the potential cost associated with a breach of all sensitive records. Regardless of industry, this is an area that every business owner should be willing to cut a check for. I can assure you of this: It will be less expensive to take the appropriate preemptive measures than to recover from a large-scale data security breach.
1. Ponemon Institute, LLC, 2016 Cost of Data Breach Study: Global Analysis, sponsored by IBM, retrieved from https://public.dhe.ibm.com/common/ssi/ecm/se/en/sel03094wwen/SEL03094WWEN.pdf
2. Verizon, 2015 Data Breach Investigations Report, retrieved from http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report_2015_en_xg.pdf
3. Verizon, 2016 Data Breach Investigations Report, retrieved from http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
FALL 2016