At Kumo, safeguarding our customer data is a top priority, and our employees and contractors are vital in protecting the company from cyber threats. IBM Security's 2024 Cost of a Data Breach Report puts the global average cost of a data breach at $4.88 million. Equifax, a credit and identity monitoring service, is a well-known example: its 2017 breach exposed the personal information of 147 million individuals and cost the company about $1.4 billion.

Today, data breaches are a major concern, but let’s not assume they only affect large companies. Although Kumo doesn’t handle data on such a massive scale, we remain committed to cybersecurity.

Phishing

Phishing has become one of the most prevalent forms of cyber-attack in recent years. It is a form of social engineering in which an attacker tries to trick individuals into handing over sensitive information, or into taking an action such as approving a sign-in or entering credentials on a fake page. Attackers typically accomplish this by masquerading as a legitimate or trusted entity: a colleague, a vendor, or a service the target already uses.

To train our employees and contractors to identify phishing attempts, we partnered with KnowBe4, a widely used platform for security-awareness training and simulated phishing attacks. Without announcing the initiative, we enrolled all employees, contractors, and partners in the platform.

Kumo Partners Approach

We carefully planned the first phishing simulation. As a Microsoft consulting company, we use Microsoft Authenticator every day, so we picked a simulated phishing email template that asked users to scan a QR code to access their accounts. QR-code lures are popular with attackers because the link is not visible as text for filters or users to inspect, and scanning moves the victim to a personal phone that sits outside most corporate controls.

The phishing emails were distributed over three days at varying times, and we tracked the results for five days. Surprisingly, not a single user received the email: despite our following KnowBe4's allowlisting instructions, our email server blocked it. We reviewed our Microsoft security policies, adjusted them, and re-sent the email. This time, over three days, 38.5% of users opened the email, but none scanned the QR code. On closer inspection of the phishing simulator, however, we noticed that our email server was not downloading the QR code or the other images in the message. Because simulators generally measure opens through a tracking image, and the QR code itself is an image, the open rate was probably an undercount and a scan was impossible in the first place. We could not tell whether our team was well-versed in phishing attacks or whether the results were skewed by our server security policies.

[Figure: the original phishing simulation email, as delivered]

We made a third attempt, this time using a link in the email that highlighted an issue with an AI account. The email was sent and monitored once more. This time, 23% of users opened the email, but again none clicked the link. Once again the system flagged the email as "unverified" and did not display the images in the phishing simulator. The unverified tag normally means the message failed sender authentication (SPF, DKIM, or DMARC), which is expected when a simulation platform sends mail on behalf of our domain from its own infrastructure unless the tenant's allow configuration covers that source.
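When a simulation is blocked, stripped of images, or tagged "unverified" as described above, the quickest way to find out why is to read the headers that Exchange Online Protection stamped on a copy of the message that did reach a mailbox. The script below is an added example for this post; it is not KnowBe4's tooling or anything Kumo published. It parses the documented Microsoft 365 headers (Authentication-Results, X-Forefront-Antispam-Report, X-MS-Exchange-Organization-SCL) and reports the authentication results behind the "unverified" tag together with the spam confidence level (SCL) and filtering category (CAT) behind a block or junk verdict. The two sample messages are constructed for this example and use reserved example domains and addresses.

```python
"""Triage EOP headers of a simulated phishing email (added example)."""
import re
from email import message_from_string
from email.message import Message

# Constructed sample 1: the simulation was sent from the vendor's servers
# with no allow rule in place. SPF and DMARC fail for the spoofed From:
# domain and EOP classifies the message as phishing (CAT:PHSH, SCL 5).
SAMPLE_BLOCKED = """\
Received: from mail-sim.example.net (203.0.113.10) by mx.kumo-partners.example
Authentication-Results: spf=fail (sender IP is 203.0.113.10)
 smtp.mailfrom=sim.example.net; dkim=none (message not signed)
 header.d=none;dmarc=fail action=oreject header.from=kumo-partners.example;
 compauth=fail reason=000
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:5;SRV:;IPV:NLI;SFV:SPM;H:mail-sim.example.net;PTR:mail-sim.example.net;CAT:PHSH;SFS:(13230031);DIR:INB;
X-MS-Exchange-Organization-SCL: 5
From: IT Support <helpdesk@kumo-partners.example>
To: user@kumo-partners.example
Subject: Action required: re-register Microsoft Authenticator

Scan the QR code below to keep your account active.
"""

# Constructed sample 2: the same template once an allow rule for the
# simulation source is in effect. SCL -1 means spam filtering was skipped
# and CAT:NONE means no verdict was recorded.
SAMPLE_ALLOWED = """\
Authentication-Results: spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=kumo-partners.example; dkim=pass (signature was verified)
 header.d=kumo-partners.example;dmarc=pass action=none
 header.from=kumo-partners.example;compauth=pass reason=100
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKN;H:mail-sim.example.net;PTR:mail-sim.example.net;CAT:NONE;SFS:(13230031);DIR:INB;
From: IT Support <helpdesk@kumo-partners.example>
To: user@kumo-partners.example
Subject: Action required: re-register Microsoft Authenticator

Scan the QR code below to keep your account active.
"""

# Documented CAT values in X-Forefront-Antispam-Report.
CAT_MEANINGS = {
    "NONE": "no verdict", "SPM": "spam", "HSPM": "high confidence spam",
    "PHSH": "phishing", "HPHSH": "high confidence phishing",
    "MALW": "malware", "BULK": "bulk mail",
}


def parse_auth_results(msg: Message) -> dict:
    """Return spf/dkim/dmarc/compauth results from Authentication-Results."""
    flat = " ".join(msg.get("Authentication-Results", "").split())  # unfold
    results = {}
    for method in ("spf", "dkim", "dmarc", "compauth"):
        m = re.search(rf"\b{method}=(\w+)", flat)
        results[method] = m.group(1) if m else "missing"
    return results


def parse_antispam_report(msg: Message) -> dict:
    """Parse the semicolon-separated KEY:VALUE fields of the antispam report."""
    flat = " ".join(msg.get("X-Forefront-Antispam-Report", "").split())
    fields = {}
    for part in flat.split(";"):
        if ":" in part:
            key, value = part.split(":", 1)  # values such as IPv6 may contain ':'
            fields[key.strip()] = value.strip()
    return fields


def triage(raw_message: str) -> dict:
    """Diagnose why a message was filtered or tagged, from its raw headers."""
    msg = message_from_string(raw_message)
    auth = parse_auth_results(msg)
    report = parse_antispam_report(msg)
    scl_raw = (report.get("SCL") or msg.get("X-MS-Exchange-Organization-SCL", "")).strip()
    scl = int(scl_raw) if scl_raw.lstrip("-").isdigit() else None
    category = report.get("CAT", "NONE").upper()

    if scl == -1:
        verdict = "delivered: spam filtering skipped (allow rule or simulation policy)"
    elif scl is not None and scl >= 5:
        verdict = (f"filtered: classified as {CAT_MEANINGS.get(category, category)} "
                   f"(SCL {scl}); the final action follows the tenant's anti-spam policy")
    elif scl is not None:
        verdict = "delivered: not classified as spam or phishing"
    else:
        verdict = "unknown: no SCL header found"

    notes = []
    if auth["compauth"] != "pass":
        notes.append("composite authentication failed; Outlook will typically show the sender as unverified")
    if auth["spf"] != "pass" or auth["dmarc"] != "pass":
        notes.append("SPF/DMARC do not pass for the From: domain; the sending IP is not authorised for it")
    return {"auth": auth, "scl": scl, "category": category, "verdict": verdict, "notes": notes}


if __name__ == "__main__":
    for name, sample in (("blocked", SAMPLE_BLOCKED), ("allowed", SAMPLE_ALLOWED)):
        print(name, triage(sample))
```

Run it against the Internet headers of a test message pulled from a recipient's mailbox (in Outlook: File, Properties, Internet headers). If the blocked pattern shows up after you believe allowlisting is in place, the allow configuration did not match the simulation's sending IPs or domain; if SCL is -1 but images still do not load, the remaining blocker is on the client side (image download settings or link rewriting), not the spam filter.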

Our Path Forward

While our business coordinator felt some frustration at not achieving a successful phishing simulation, the results still told us something about our security measures: our mail filtering stopped even our own simulated phishing attempts. That is reassuring, but it is not the whole picture. A simulation that never reaches the inbox tests the mail gateway, not the people, and real attackers who send from compromised accounts or reputable infrastructure can pass filters that a vendor's spoofed template did not. There is also clear room for improvement on the human side: none of the users who opened the emails reported them. To address this, we are enhancing our training with KnowBe4 so that reporting a suspicious email becomes the reflex. Our journey towards fortifying our cybersecurity is ongoing, and we remain committed to continuously improving.

