great course of action is to address carelessness and lack of knowledge with what A.I.M. Mutual Insurance Companies likes to call “Cyber Awareness Training.” This training should not only inform employees on how a data security breach could impact the company but also explain how employees could be impacted on a personal level. At A.I.M. Mutual, we like to focus on topics such as password best practices, identifying phishing emails, and recognizing suspicious behavior at the workplace. We use a more focused approach when training employees who work off-property, as there tends to be more exposure associated with carrying around a company cell phone or laptop.
One primary area of focus for A.I.M. Mutual’s 2016 Cyber Awareness Training was identifying and reporting phishing emails sent to company email addresses. According to Verizon’s 2015 Data Breach Investigations Report, up to 70 percent of cyber attacks in 2015 targeted a secondary victim after compromising a primary victim.² Employees should be considered a primary conduit between the company network and the increasingly dangerous World Wide Web, and it’s important to train them accordingly. We discovered that a combination of training and real-life testing was the most effective way to teach employees how to identify scam emails.
In order to test an employee’s likelihood of clicking on malicious email links and attachments, we initiated a quarterly “phishing campaign” with the help of an industry-known security organization. We sent quarterly emails to all employees containing phony links and attachments. The phishing software logged all emails sent, emails opened, and links clicked. In Figure 2, compare the results of our first and second phishing campaigns, which helped us gauge how “phish prone” our employees were at the time.
Though the percentage of emails opened increased slightly from 62.1 percent to 64 percent, the percentage of links clicked dropped considerably from 10.7 percent to 6.7 percent. Fortunately, the initial campaign provided the information needed to focus the Cyber Awareness Training on certain areas of the company, likely resulting in improved results after the second campaign. Considering the 12 percent click rate reported by Verizon’s 2016 Data Breach Investigations Report,³ the phishing campaigns were deemed to be so effective that we intend to continue them for the foreseeable future.
Overall, A.I.M. Mutual has taken a holistic approach to cyber security. Between robust network infrastructure, security software, patch schedules, and end-user training, we believe we have considered all the angles necessary to protect ourselves from a data security breach. What’s most important is to identify the exposure that your business may have and build a budget based on the potential cost associated with a breach of all sensitive records. Regardless of industry, this is an area that every business owner should be willing to cut a check for. I can assure you of this: It will be less expensive to take the appropriate preemptive measures than to recover from a large-scale data security breach.
1. Ponemon Institute, LLC, 2016 Cost of Data Breach Study: Global Analysis, sponsored by IBM, retrieved from https://public.dhe.ibm.com/common/ssi/ecm/se/en/sel03094wwen/SEL03094WWEN.pdf
2. Verizon, 2015 Data Breach Investigations Report, retrieved from http://www.verizonenterprise.com/resources/reports/rp_data-breachinvestigation-report_2015_en_xg.pdf
3. Verizon, 2016 Data Breach Investigations Report, retrieved from http://www.verizonenterprise.com/Verizon-insights-lab/dbir/2016/
FALL 2016