That's why Kristiansand Municipality conducted a phishing exercise.
A few years ago, Kristiansand Municipality fell victim to a phishing attack. Information went astray via two compromised email accounts, and within a short time the municipality had sent out 5 million spam messages across the whole of Norway. As a result of the hijacking, Microsoft closed the municipality's access to the email system, and Kristiansand Municipality was unable to communicate via email for 14 days. At that time, the municipality did not have two-factor authentication.
Ingunn Kvivik, Communications Manager at Kristiansand Municipality
"The aim of the exercise was to show employees - and the management of the municipality - how easy it is to be tricked," explains Kvivik: "We quickly realized that we lacked basic security routines and awareness. For example, if you use the same password on your private accounts as you do at work, a hacker can suddenly gain access to your entire workplace if one of your private accounts is affected."
Jarle Børven, who works as an ethical hacker and penetration tester at Netsecurity, set up and carried out the test together with Kristiansand Municipality. "I talked a lot with Ingunn to map things out, and then we created a scenario that was credible and set in a natural context. Two key elements in getting people to 'go for it' in such tests are means such as urgency and fear. This causes people to become stressed and click on links before asking for a second opinion from others," he says.
Kristiansand Municipality contacted Netsecurity, and together we set up a fake email to be sent to 9,500 unsuspecting employees. 7,000 people opened the email, and of these, 1,336 clicked on the link and provided sensitive information. The wording and content were designed to make it appear that the email came from the municipality, but the email address was fake and the sender did not actually exist.
"We were a little surprised at how many people were fooled, considering how many years we've participated in Security Month and how much we've talked about it. It shows that it's not enough to talk about this; people need to experience it first-hand," says Ingunn Kvivik. Having a firewall and security in place is not enough, as attackers can easily get past this with the help of inattentive employees.
Kristiansand Municipality has noticed an increase in the number of employees who get in touch when they receive an email they are skeptical about. In addition, they see that awareness has generally increased among employees, which was also the goal of the exercise. The result is that IT security is better safeguarded now than before they carried out the exercise.
"After the exercise, we had an evaluation with Netsecurity, where they also provided advice on how to proceed. The whole process was professional and unproblematic, with skilled people. Everything from planning to execution and evaluation afterwards worked superbly and it felt very safe to have Netsecurity there," says Communications Manager Kvivik.
"By conducting a phishing exercise, users are made more aware of such attacks and what to watch out for. IT security is layer upon layer of security, but phishing bypasses many of these layers and goes straight to people. That's why it's extremely useful for all employees to receive training on what an attack might look like."
Jarle Børven, ethical hacker and penetration tester at Netsecurity
What would it mean for your company if your employees' accounts were taken and unauthorized persons gained access to your systems? It's a risk assessment every company should do, according to Kvivik.
"One tip is to get involved in Security Month, which takes place in October every year. Here you get a lot 'for free', in that good information is gathered in one place and you can participate in various seminars and the like. By putting security high on the agenda during this month, it's easier to maintain awareness of it for the rest of the year," Kvivik concludes.
"Absolutely everyone should have two-factor authorization," advises Jarle Børven. "In addition, it's smart to have good password hygiene - don't use the same password in several places. This makes it very easy to access your other accounts," he says.
Do you want to know more about what a phishing exercise involves?