Cybercriminals use social engineering to penetrate an organization’s infrastructure because the human factor is still the weakest point in any defence system. According to the Ponemon Institute’s 2017 State of Cybersecurity in Small & Medium-sized Businesses report, 54% of data breaches were caused by negligent employees or contractors clicking on suspicious emails and websites, up from 48% the year before.
Phishing simulation and social engineering testing is a simulated attack carried out from the perspective of a cybercriminal such as a black hat hacker. It tests people, processes and procedures through email, phone and on-site attempts to breach your information security. The objective is to reproduce a real cyber-attack and find the security weaknesses that a black hat hacker would discover in real life. Attackers using social engineering and phishing constantly come up with new techniques and new means of attack, so a simulated phishing campaign shows whether your security team can handle such attacks effectively and whether your people can knowingly protect themselves against them. It also exercises your operational response: whether phishing sites, malware payloads and compromised servers are detected, monitored and disarmed in near real time, so that you can prevent losses to your business and minimize damage to your company’s reputation.
If you doubt that humans are the weakest link in the information security chain, look at these numbers to see the evidence:
- 90% of incidents and breaches included a phishing element
- 70% of cyber-attacks use a combination of phishing and hacking
- 50% of recipients open emails and click on the links within the first hour after the email is sent
- Each organization faced an average of 11.4 successful phishing attacks in 2018
- Social engineering attacks cost victims on average $25,000 to $100,000 per security incident, sometimes reaching millions of dollars per incident
- In 2017, Maersk did not count on losing $300 million
- MacEwan University (Canada) did not know its breach would cost $11.9 million
Key benefits of phishing simulation and social engineering testing
- Understand how susceptible your employees are to social engineering and phishing attacks.
- Understand your digital footprint: gain visibility of the information about your business that hackers can obtain from the public domain, and find out whether your people, systems and processes are good enough to withstand a malicious attack.
- Improve security awareness: use the results of a simulated attack to develop and run regular security awareness programs that teach employees how to react to phishing, recognize bait and refrain from clicking on suspicious links.
- Conduct cyber security training: train your people with simulated social engineering and phishing attacks; such training programs reduce the risk of your employees getting phished.
How We Do It
Our security engineers conduct a series of test attacks that simulate the real activity of intruders and monitor how employees react. They send phishing emails containing a link that directs the recipient to a specially created resource with a form for entering their credentials. These emails may imitate notifications from banks, e-payment systems, email providers, social networks, online games and so on, and often carry an attached file (typically an office document with an embedded executable, or some type of archive). We carry out all of the above actions only after a prior legal agreement has been signed by our customer.
How Long Does The Test Take?
Most email phishing attack simulations and social engineering tests take 4 weeks from start to finish.
How Much Does It Cost?
We are often asked this question and normally provide a formal quote after a preliminary investigation to estimate the cost of the phishing test. This investigation takes one working day, after which we are able to provide you with a quote.
At the end of the engagement you receive a report with the assessed data and statistics, including how many potentially dangerous actions were performed by users: who followed the link, entered their credentials, downloaded and launched the file, or entered into correspondence with the sender. In this way we can demonstrate what data a real intruder would have received, and how an attacker could use it to spread malicious software within the infrastructure or penetrate the company’s internal network.
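The two passages above (the landing page with a credential form, and the report counting who clicked, entered credentials, launched the attachment or replied) rely on being able to attribute each action to a recipient. The Python below is an added example, not the provider’s tooling or anything described on this page: it assumes each recipient receives a unique HMAC-derived token in the landing-page URL, that the landing page and mail gateway emit one event dictionary per action, and that reporting the email to security is also logged. The domain names, campaign secret, recipients and events are all constructed for the example. It also shows the caveat a practitioner wants in the credential form: the submitted password is never stored, only the fact that one was typed.

```python
import hashlib
import hmac
from collections import Counter, defaultdict

# Hypothetical per-campaign secret and identifiers (not from the page).
CAMPAIGN_KEY = b"example-campaign-secret"   # generate a fresh one per engagement
CAMPAIGN_ID = "q3-invoice-lure"
LANDING_BASE = "https://landing.example.test/login"  # hypothetical landing page

# Constructed recipient list (not real people).
RECIPIENTS = [
    {"email": "alice@corp.example", "dept": "finance"},
    {"email": "bob@corp.example", "dept": "finance"},
    {"email": "carol@corp.example", "dept": "it"},
    {"email": "dave@corp.example", "dept": "sales"},
    {"email": "eve@corp.example", "dept": "sales"},
]


def recipient_token(email, campaign_id=CAMPAIGN_ID, key=CAMPAIGN_KEY):
    """Opaque per-recipient token for the tracking URL. Using an HMAC rather than
    e.g. base64 of the address means someone who sees one link cannot recover the
    address or forge links for other recipients."""
    msg = f"{campaign_id}:{email.strip().lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:20]


def tracking_url(email, campaign_id=CAMPAIGN_ID):
    return f"{LANDING_BASE}?t={recipient_token(email, campaign_id)}"


def record_form_submission(token, form):
    """Turn a landing-page POST into an event. The password itself is never kept;
    the report only needs to know that the user typed one."""
    return {
        "token": token,
        "event": "submitted_credentials",
        "username": form.get("username", ""),
        "password_entered": bool(form.get("password")),
    }


def funnel(recipients, events, campaign_id=CAMPAIGN_ID):
    """Aggregate raw events into the per-campaign statistics a report needs."""
    by_token = {recipient_token(r["email"], campaign_id): r for r in recipients}
    actions = defaultdict(set)   # email -> distinct actions (repeat clicks count once)
    unknown = 0
    for ev in events:
        r = by_token.get(ev["token"])
        if r is None:
            unknown += 1         # forged, truncated or mistyped token: not attributed
            continue
        actions[r["email"]].add(ev["event"])
    total = len(recipients)
    counts = Counter(a for acts in actions.values() for a in acts)
    depts = defaultdict(lambda: {"recipients": 0, "clicked": 0, "submitted_credentials": 0})
    for r in recipients:
        d = depts[r["dept"]]
        acts = actions.get(r["email"], set())
        d["recipients"] += 1
        d["clicked"] += "clicked" in acts
        d["submitted_credentials"] += "submitted_credentials" in acts
    return {
        "recipients": total,
        "clicked": counts["clicked"],
        "submitted_credentials": counts["submitted_credentials"],
        "launched_attachment": counts["launched_attachment"],
        "replied": counts["replied"],
        "reported": counts["reported"],
        "click_rate": round(counts["clicked"] / total, 3) if total else 0.0,
        "report_rate": round(counts["reported"] / total, 3) if total else 0.0,
        "unknown_token_events": unknown,
        "by_dept": dict(depts),
    }


# Constructed event stream, as the landing page / mail gateway might log it.
SAMPLE_EVENTS = [
    {"token": recipient_token("alice@corp.example"), "event": "clicked"},
    {"token": recipient_token("alice@corp.example"), "event": "clicked"},   # second click, counted once
    record_form_submission(recipient_token("alice@corp.example"),
                           {"username": "alice", "password": "hunter2"}),
    {"token": recipient_token("bob@corp.example"), "event": "clicked"},
    {"token": recipient_token("carol@corp.example"), "event": "reported"},  # sent to security team
    {"token": recipient_token("dave@corp.example"), "event": "clicked"},
    {"token": recipient_token("dave@corp.example"), "event": "launched_attachment"},
    {"token": "0000000000000000dead", "event": "clicked"},                  # token never issued
]

if __name__ == "__main__":
    import json
    print(tracking_url("alice@corp.example"))
    print(json.dumps(funnel(RECIPIENTS, SAMPLE_EVENTS), indent=2))
```

The `reported` count matters as much as the click count: the page’s point about whether your security team can handle an attack is answered by how many recipients raised the alarm and how quickly, not only by how many clicked. The unattributed-token counter is kept in the output so that scanning or tampering with the landing page is visible rather than silently discarded.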