A security awareness training that makes Bringme compliant with NIS2
Since the beginning of the Phished simulations, clear progress has been made at Bringme. In recent simulations, the phishing rate was only 5% on average. But that was not the case at the beginning.
Even though Bringme already had prior experience with phishing tests before they used the Phished platform, there still appeared to be a lot of room for improvement.
Firewalls are half a solution
Sil Goeman, IT Manager at scale-up Bringme, has never had to experience it himself, but six years ago the company fell victim to ransomware twice. Hackers had made their way in via a simple e-mail to one employee and started to encrypt the file server from there. Fortunately, a thorough backup strategy was able to reverse most of the damage.
Since Goeman started, four years ago, phishing prevention and cybersecurity awareness have therefore received much more attention within the company. “In addition to moving away from local mail hosting, we have since put more effort into mail filtering and manual phishing simulations,” says Goeman. “Fortunately, there is a growing realisation within the company that both technical barriers and training are necessary to keep criminals out.”
Important, but there is always something more urgent waiting
Before Bringme started using Phished, phishing simulations were done with the help of open source software. Goeman: “It’s perfectly possible to set up simulations yourself with tools that you can find for free on GitHub, among others. However, it takes you three to four hours per simulation to get everything right, and then you still have to do the analysis, clean up the consequences and train the employees who fell into the trap.”
“Consequently, setting up phishing simulations was rarely one of my priorities,” says Goeman. “There were always other pressing matters that required my attention. We ended up doing a simulation once per month or every two months.”
Despite the regular simulations, Phished still managed to phish 25% of their workforce. “The simulations by Phished turned out to be of a higher level than what we were already doing ourselves,” Goeman admits. “For example, I was ensnared by one myself once. But that's a good thing: we deliberately chose to make it as difficult as possible, with phishing mails at the weekend and after hours, with sensitive content (such as dismissal notifications, ed.), ... After all: the bad guys don't discriminate either.”
Noticeable improvement
Since the beginning of the Phished simulations, clear progress has been made at Bringme. In recent simulations, the phishing rate was only 5% on average. “Apart from a few stubborn employees, we are indeed improving,” says Goeman. “Fortunately, there is now the Phished Academy for those who still need extra guidance: this saves time and work, and colleagues receive training that is truly tailored to their own level. Moreover, the Academy helps us to achieve our ISO certification.”
“In addition, during the first simulations - mainly in the case of sensitive content - we received some negative reactions from employees, but these went away very quickly. They quickly saw the benefit of it and have been taking their education seriously ever since.”
Conclusion
For Bringme, automation is clearly the biggest advantage of working with Phished. After some negative experiences with ransomware, the company already had some experience with phishing simulations and training employees. Nevertheless, a large part of the organisation fell prey to more difficult simulations during baseline measurement testing.
Automatic simulations, based on the individual level of the recipient, combined with thorough reporting and analysis tools, enable the company to focus on issues that require more manual labour, knowing that their employees will still receive sufficient attention and training on cybersecurity and phishing.