Conn. dealership group teaches cyber security
With so many high-profile security breaches at major businesses and organizations in the past year, Christine Pakutka figured the 550 or so employees at Hoffman Auto Group in East Hartford, Conn., would be pretty savvy about phishing emails that try to steal information.
As it turns out, Pakutka, the dealership group's director of business advancement and technology, was about 84 percent correct.
That was revealed in May when Hoffman management sent an email to nearly all employees at its nine dealerships selling Audi, BMW, Ford, Honda, Lexus, Lincoln, Nissan, Porsche and Toyota vehicles. The email, which had Pakutka's usual signature and the Hoffman Group logo at the bottom, asked them to click a link to change their dealership management system passwords in the wake of a possible security breach.
After the email was distributed, Pakutka waited to see what would transpire. "It was both interesting and nerve-wracking — I was a little anxious," she said.
Driven by trust
The results were unexpected: About 90 employees — or 16 percent — clicked on the link.
"All they got was a blue screen on their monitor," Pakutka said. "Then I got a lot of phone calls."
She was surprised at the number who clicked the link.
"A lot of people who don't even use our DMS clicked on it," Pakutka said. "I was hoping for better results. But it's better to find out and know for sure."
The phishing simulation gave Hoffman, owned by brothers Jeffrey and Bradley Hoffman, the chance to educate those employees on what to do — and not to do. The exercise was recommended by Kelser Corp., a cybersecurity and information technology consultant hired by the dealership group. Though a security breach had never occurred at Hoffman, which has annual sales of 5,500 new vehicles and 3,000 used vehicles, Pakutka wanted to assess what employees knew.
"We've been in business since 1921, and everything is stored on our networks — sensitive data that needs to be protected," she said. "'Driven by trust' is our slogan, so it's very important for us to be true to that and keep everyone's information safe, for both our customers and our employees."
Kelser is one of several companies that can help dealership groups stage such tests. More dealers are putting phishing simulations in place as concerns about Internet fraud mount. Some even distribute phishing emails monthly that use a different purported sender and link to click on each time.
If a business hasn't done a test before, as many as 80 percent of employees will click on a bad link and up to 50 percent of those will give up sensitive information, said Matt Kozloski, vice president of professional services at Kelser.
"It's mind-boggling," Kozloski said. "But then again, you have to keep in mind that it's these [cyber] criminals' job to trick employees into doing things they shouldn't do. We actually have someone on our staff who can craft emails that are virtually indistinguishable from a company's real emails."
It's a sobering experience for employees. At Hoffman, they were more embarrassed than mad, Pakutka said.
On the lookout
"Many employees came to me and said, 'But the email came from you!'" Pakutka said. "But it definitely raised awareness. Now when they receive something suspicious, they first ask about it. … They're on the lookout and questioning things more, so it's been a positive experience for us."
Online training on Internet fraud prevention is part of such phishing simulations. Talking with employees about how important their role is in cybersecurity is critical to maintaining security, Kozloski said. But it's also important to keep the tone lighthearted in the aftermath of a test.
"You want it to feel important, but you should also try to have a little fun with it as opposed to being punitive about it because some employees made a mistake," he said.
"But if there are consecutive failures by certain employees and you observe that they're also not doing the monthly online training, that's an employee-performance problem that should be discussed with a manager or someone from human resources."
Phishing exercises also should be staggered so employees don't develop an "it's-the-second-Tuesday-of-the-month-so-this-must-be-a-test" mentality, Kozloski said. And it's fine to do them in fairly quick succession.
On that note, could another test be in the works at Hoffman? Pakutka would neither confirm nor deny the possibility, saying, "We want to keep people on their toes."