Despite mature technologies, humans remain the focal point of any protection approach against increasingly sophisticated cyber attacks. For this reason, and to compensate for the shortcomings of training, many companies have already chosen to deploy Phishing Coach, the new Mailinblack tool designed to raise awareness and ultimately involve employees in the security of their business.
“Today, far too many people think that an e-mail is safe. This is unfortunately no longer true at all!” reports Jean-Pol Dolata, IT director at Quality Assistance SA, a leader in analytical sciences. “We realized, with experience, that no matter how many protections we put in place, some emails managed to get through anyway. Faced with the sophistication of certain attacks, it has become critical to ensure that our employees are aware of this problem and become aware of the risk they pose to the company by opening a simple email.”
If we add to this the fact that employees are connecting more and more from their homes through teleworking, the level of risk could be even higher. According to Jérôme Notin, director general of the cybermalveillance.gouv.fr platform, phishing attempts recorded an increase of 400% during last spring's lockdown. Not to mention, of course, the question of the image a company projects to the market. “We are a player in new technologies, therefore a player of trust,” says Nicolas Coudert, Managing Director of Codit France. “Having a security flaw is unacceptable. All the more so for people who go to clients to carry out architectural operations. So it’s a matter of not bringing home an additional risk!”
An efficient and quick tool to deploy
We must therefore succeed in raising user awareness. But how? In a context where training has shown its limits, with only 37% of companies preparing their employees for cyber attacks, organizations have found themselves left to fend for themselves. “We had to do something. We had to succeed in auditing our environment, our workstations and our interactions on the platforms, and find out whether we are applying good practices, so as to know our attack surface and our reflexes,” says Nicolas Coudert. “Caught in a hurry, we may not be careful. At first I wanted us to do it ourselves, but we probably would have done it wrong. We are not security experts. The release of Phishing Coach really came at the right time!”
Released at the beginning of September, the Mailinblack solution makes it possible to set up highly effective fake phishing campaigns. In addition to sending an educational note to users who were trapped, the solution allows the organization to track its level of maturity through a benchmark built from the results of other market players. “We have scientifically looked for ways to teach the user about this danger and to find out how to make them understand which decision-making biases hackers play on,” explains Thomas Kerjean, CIO of Mailinblack. To understand this cognitive and emotional process, the French Mailinblack teams have joined forces with experts in neurosciences and educational sciences from the Laboratory of Computer Science for Mechanics and Engineering Sciences (LIMSI-CNRS). “Beyond its effectiveness, Phishing Coach also frees us from a substantial workload,” says a CISO working for a healthcare provider. “We had done something like this internally, but it took us almost 4 days to set up, whereas Phishing Coach only took us half a day.”
“Users now really feel concerned”
And the results are there: “After a month of campaigning, we already have a good overview. I know that even one of our experts got tricked, which goes to show that we are all concerned!” says one manager. While some employees report the feeling of having been tricked, which is definitely the case, “this time they are really aware of the problem. That is certain,” affirms Jean-Pol Dolata. “They are now more vigilant in the face of this type of practice. It is constructive because they now feel concerned by the problem. It remains to sensitize those who were not fooled the first time!” It is important to ensure that users do not fall through the cracks simply because the subject of the phishing campaign did not apply to them. “The subject of the email was online access to payslips. So inevitably, people who have been in the company for a while know that we do not operate like that and suspected a problem. On the other hand, those who had just been hired were more easily taken in,” specifies Jean-Pol Dolata. “It will therefore be necessary to reorient the subject of the next campaigns in order to reach other people, because it depends a lot on the context in which people find themselves.” For everyone, the next step is to set up more personalized campaigns with messages that are more difficult to identify. The use of artificial intelligence is also eagerly awaited in order to automatically define campaigns according to their relevance and their penetration rate in the company. “This brick will be available very soon,” confirms Thomas Kerjean. “We are really happy to see that with Phishing Coach companies finally have 360° protection for their professional messaging!”