Insurer tests staff with email clickbait

Weekend Herald - NEWS - Tamsyn Parker

The country’s largest insurer is sending fake phishing emails to its own staff to test them on their ability to identify scams.

Mark Knowles, director of cyber security and risk at IAG New Zealand, said the firm began sending fake emails several months ago as part of a company-wide approach to cyber security.

Its 3500 staff are sent a phishing email once a month and those who click on links are sent an instant reminder to undertake cyber security training.

Knowles said it began the programme with an easy scam — an email about a turkey recipe for the American holiday Thanksgiving.

Not many people fell for the first one but a more elaborate second scam got more clicks.

Knowles would not say how many staff were tricked into clicking the second time around, citing security reasons.

“The more important part was that it raised awareness across all staff not just about phishing emails but security.”

It also prompted more people to click on its internal cyber security warning button which automatically sends a notice to its cyber defence centre.

Knowles said the system helped the company to identify which scams people were most likely to fall for.

It also created a whole team of people looking out for scams across the company rather than just having a small team focused on it.

Staff are not punished for clicking on the fake scam emails but those who identify emails which they think are scams are rewarded.

He would not say how many scams the company had caught but said there were a lot going on all the time.

This week’s global WannaCry scam was just the latest cyber attack, he said, and it served as a reminder for companies and individuals to be aware of the risks.

Knowles said another reason the company was training its staff to recognise scams was to help make people safer at home which also protected the company because of the number of people who brought devices in and out of the office.

He said some of the banks also sent fake email scams to staff. Corporates were also sharing scam warnings with each other, putting aside their competitive differences.

“We do talk to each other. It is the good guys versus the bad.”

Knowles said for individuals, the most important way to protect against cyber attacks was password control. “I think the thing with cyber security is getting your basics right.”

Knowles said people should have a secure password and change it regularly.

The other big no-no was putting too much trust in people met online.

Knowles said reading the email carefully was also very important. Usually the grammar was poor, although more sophisticated email scams were getting better at this.

Scrolling over the link without clicking on it often gave clues to arouse suspicion.

Knowles said those who were targeted by phishing scams should report it either to CertNZ or Netsafe.
