DLT Went Phishing

As a leader in the technology industry and a company that works closely with sensitive government and vendor data, DLT Solutions strives to ensure that we educate our employees on today’s cyber threats. According to a recent Ponemon Institute study, the rate of cybercrime rose 26% per organization. This means that from a business perspective, organizations need to take greater care to protect their data.

To us, that meant we needed to actively train our employees on cybersecurity. We decided to start with phishing, an easy and effective place to reduce the chances of cybercrime incidents.

It Starts with Awareness & Training

What’s the difference between spam and phishing? Spam is unsolicited advertisements that try to sell you a product or service. Phishing emails usually include a call to action, such as clicking a link or downloading a file, in an attempt to access your personal information.

To stay ahead of the curve and quickly address any security concerns from vendor partners or customers, our top engineers, IT department, and technology/security officers formed the DLT Community of Interest.

About six months ago, one of our primary members of the group, Van Ristau, DLT’s Chief Technology Officer, noticed that he was getting hit with a phishing scam at least once a week. These attempts were different from the usual spam emails Van received, which raised concerns that more than spam was getting through our internal malware filter.

Oddly enough, one of the spam emails he received actually advertised phishing training, sparking the idea to train employees internally. We did this by creating a webinar every employee had to listen to and a quiz they had to take afterward. The goal was to raise awareness at DLT, protect our infrastructure, and train employees on best practices and how to identify/neutralize threats.

A couple of weeks after we initiated the training, we sent out our own internal phishing emails to find out if it worked. After three internal phishing traps, we crunched the numbers and found out that our training was a success! We have seen a significant decline in click-throughs on suspicious emails and an increase in incidents reported by employees to our head of internal security.

“We have to stay one step ahead of the evolving threat” - Van Ristau, DLT Chief Technology Officer


What Did We Learn & What Next?

Phishing threats are real. But raising awareness through training is effective and easy. We didn’t need to use an outside resource nor were we forced to use expensive technology. We relied on our internal expertise and the webinar resources marketing had in place.

DLT’s VP of IT, Ron Tucker, has taken the lead on our phishing program. By continuing to educate our team and employing the most up-to-date endpoint protection, we continue to be responsive and proactive regarding the potential threats to our database.

DLT’s IT department has also made the decision to upgrade to Microsoft Office 365, which according to Ron, “includes a more rigorous spam filtering and virus management schema than our previous service.” We will also migrate to a new firewall, supplying greater efficiency, increasing the effectiveness of our malware and virus filters, and strengthening our defenses against direct attacks from external sources.

What to Do if You’ve Been Phished?

But what if you’ve already fallen for a phishing scam, or what measures should your agency have in place in case of a breach? We’ve listed a few key courses of action to take:

    • Report it to your Facility Security Officer, IT Department, or whoever you have assigned as your cybersecurity expert
    • Change your password immediately or ask your IT department to prompt for an update
    • Watch for unusual activity such as:
      • Emails sent to people in your contact list that look as if they came from you
      • Increase in number of phishy-looking emails that you receive