Keeping cybersecurity initiatives on track
In light of the recent West Midlands Train Service phishing test to its employees, Andrea Babbs, UK General Manager, VIPRE SafeSend, explores whether this was a good test of resilience or not.
The West Midlands Train service has come under fire after workers discovered that an email promising them a bonus payment after running trains during the pandemic was actually a phishing simulation test.
Around 2,500 employees received a message which appeared to come from Julian Edwards, Managing Director of West Midlands Trains, thanking them for their hard work over the past year under COVID-19 and saying that they would get a one-off payment as a thank you.
However, those who clicked through on the link were then emailed back with a message telling them it was a company-designed ‘phishing simulation test’ and there was no bonus. The email warned: “This was a test designed by our IT team to entice you to click the link and used both the promise of thanks and financial reward.”
Since the test was revealed, the train service has received media backlash for promising a fake financial reward to deserving teams. However, the modern threat landscape is constantly evolving, and businesses must prepare their workforces against any threat. So was this a good test of resilience?
Fight Fire with Fire
In order to be successful in the fight against cybercrime and protect the network, businesses should not be afraid to fight fire with fire and sometimes stoop as low as the phishers themselves – who have no morals. By using a powerful message and incentive such as the suggestion of a bonus provided by West Midlands Train Service, businesses can gain valuable insight into how their employees could be tricked into clicking on a phishing link, and why they need to ensure their staff are trained for any type of attack.
However, the test has clearly upset West Midlands’ employees and could have been done in a less dramatic way so that it wasn’t ethically or morally questionable, particularly during a pandemic in which our frontline workers, like those in the transport industry, have continued to put themselves at risk over the last year. The idea of a bonus in the current challenging environment seems deserved as an act of recognition for their above and beyond service – but for this to be a test, rather than the promised reward, is particularly hard-hitting for those involved.
Finding the Balance
It is vital that organisations take the time to train and educate their staff so that they become an additional line of defence in an organisation’s cybersecurity strategy. However, IT teams also need to rely on users’ goodwill to encourage them along the cybersecurity journey. This test by West Midlands Train service may have damaged that goodwill and could disillusion some members of staff.
Rather than mentioning a bonus, the train service could have mentioned a change to pay, or date of payroll. Both of these statements would have had the same instinctual reaction in employees, without having heightened emotions surrounding the letdown of a non-existent bonus.
Importance of Education
Regardless of the incentive behind the West Midlands phishing test, the fact that employees clicked on the link highlights the need for businesses to perform these types of tests in the first place.
Cybercriminals will stop at nothing to get users to click on a phishing link, download a malicious attachment or fill in their details on a forged website. They will use personal or professional information to lure them into doing this.
Therefore, employees need continuous training to identify and avoid these attacks. From now on, businesses looking to deploy such phishing tests should try using less exciting topics to trick their users, so as to avoid any bad will or backlash from their employees and the media.
One way to achieve this is to implement Security Awareness Training programmes that incorporate real-life situations, including phishing simulations that are less emotive. This educational material will help organisations to fortify crucial cyber threat prevention messaging and educate workforces on how to protect both the business and themselves.