Could your employees pass a phishing test? Your cybersecurity could depend on it
This paid piece is sponsored by Direct Companies.
We’ve all been there: The email pops up, you think something might be off, and you have to decide whether to click.
Do you open the attachment? Follow the link? That decision could determine whether bad cyber actors are allowed to access your information and by extension your business’ data.
“There’s no shame in making a mistake, but there is a lot we can do to help prevent them,” said Scott Lehman, security services technician at Direct Companies.

Sioux Falls-based Direct Companies, which acquired the team at Workplace IT Management in 2023, is ready to respond when businesses encounter cybersecurity issues but is committed equally to helping avoid them through effective training.
“We’re able to do a lot of things on the training side that can simulate cyber threats while coaching employees on ways to catch them,” said Joseph Gerhardt, network and security system engineer. “Employees tend to be the No. 1 way bad actors access a business’ systems, so the more we can ensure they’re alert the more secure the business is likely to be.”

We sat down with experts Gerhardt and Lehman to learn more about how security awareness training works.
When you begin working with a client in IT management, how do you first approach training?
Scott Lehman: We begin with a baseline campaign that’s sent to a list of all employee inboxes. That typically runs for 30 to 45 days, and we’ll test the user twice. They’ll receive an email that mimics one from a bad cyber actor, and if they click on a link in the email message, it will take them to a website with an error code, so it doesn’t clue them in to what has happened. Once that comes up, we’ll schedule a call or send a report to leadership talking about if there were employees who clicked on the campaign, how that compares to industry averages and what our next steps will be.
What might those next steps look like?
Scott Lehman: At least for the first year that we work with a company, the video training we provide is more classroom-style where we talk about cybersecurity, red flags to watch for and how phishing could be conducted. For year two and beyond, the videos are more sitcom-style, showing real-world situations, and we notice with that, engagement goes up significantly. We’ve heard stories about teams talking about the videos around the office. And then whenever we create a new user for the company, they get the previous training and then get caught up with everyone else.

Joseph Gerhardt: We also begin a new kind of email phishing training, and it’s pretty cool. We still send potentially fraudulent emails for them to catch, but now, when a user follows a link in one of the emails and falls victim to the attack, they’re taken to a page that shows the email they clicked on and helps identify opportunities to recognize it as a phishing attack. So they’re immediately given a training opportunity while it’s current in their mind.
Does security awareness training evolve with the cyber threat landscape?
Scott Lehman: It does. Obviously, the hot topic now is AI, and AI actually can be used to write a really good phishing email. So we anticipate it won’t be long before that’s being used to test users. We use a leading national training provider that’s continually updating the kinds of phishing emails it sends, so users will continually be alerted to emerging tactics and threats.
Joseph Gerhardt: A newer one being rolled out to clients mimics a fake credential page that prompts you to enter various data. I’ve seen genuine malicious links that lead to really convincing log-in pages, ones that might pretend to be from Microsoft, for example, and it easily could look legitimate to users. So the training is going to help us raise awareness among employees that this is out there.

Do you see improvements in employees catching cyber threats because of this training?
Joseph Gerhardt: We believe so and consider it an extremely important part of overall cybersecurity for businesses. It’s the easiest way for an attacker to get in, and phishing doesn’t show signs of abating. It’s actually becoming easier for malicious people to create a false premise within your email, so we think this is key in helping people learn to verify authenticity, and the bonus is that it really can be a lot of fun. We find employees really enjoy being able to catch the simulated phishing and definitely see value when they’re able to report the real thing to us.
Scott Lehman: It’s about changing the culture behind cybersecurity. We’re here to help, but getting people to do the right thing quicker is what can really make the difference. We want to educate them on the red flags, and then if they do click on a real phishing email, the sooner they call us the easier it is for us to clean it up.

To learn more about how Workplace I.T. Management can support your organization’s IT and cybersecurity needs, click here.