Imagine getting an email from your company’s human resources department –customized with the company’s logo – touting a new benefits program. It even offers a link to check out the details.

You’d click that link without hesitation.

Cyber attackers are counting on it, because HR didn’t send that link, which has malware at the end of it. So  how can you tell what’s legitimate and what’s not?

Despite increasing numbers of security breaches involving confidential data, security training in Canada is still woefully lacking. IDC says in its December 2012 Forecast of Data Breaches of Personal Information in Canada that there were an estimated 3.3 million incidents of lost or stolen confidential personal data in 2011, and that’s expected to increase to over 4 million by 2015. Yet only just over half of organizations have actively used employee security awareness plans in place, and, even more disturbing, about one quarter do not even have plans, despite all sizes of organisation listing employee knowledge as one of the top three critical roadblocks to improving security.

Worse yet, IDC’s research finds that IT security investments are lower here than those in the U.S., while Canadians have a higher degree of confidence in IT security. Says IDC, “this continued high level of confidence is not only unwarranted, but dangerous.”

Phishing attacks in which attackers attempt to extract credentials from their victims with communications masquerading as legitimate messages have become increasingly sophisticated. It’s often difficult for even alert, trained employees to spot them. Targeted phishing, known as spear phishing, aims at a small group of victims, often incorporating customized information to persuade recipients that the emails are from trusted sources.

And that’s where PhishMe comes in.

Chantilly, VA-based PhishMe Inc. is a four year old company that specializes in teaching employees how to detect and avoid phishing, malware, and drive-by attacks.  Its product is a software-as-a-service  spear phishing simulator that immerses employees in a realistic scenario without the negative effects of a real attack.

According to CEO Rohyt Belani, (pictured) the idea came when he realized humans were becoming the attack vector of choice. The core of his company’s offerings is managing employees’ security behaviour. “I shy away from saying we do awareness; there’s a passive undertone to it,” he says. “Actively managing employee behaviour is what we do.”

Companies use the service to set up and execute a simulated phishing campaign, and typically touch everyone in their organization every two or three months. If an employee clicks on something he or she shouldn’t, there’s instant feedback (but not, says Belani, a slap on the wrist – more “we’re here to help you”) and a training snippet of 90 seconds to three minutes. It focuses on one concept at a time. And just so alert employees don’t miss out on the nuances of the training, those who don’t fall for a phish get a congratulatory message and a link to the training material they hadn’t seen.

The built-in metrics have shown that overall 58 per cent of users fall for the phishes during early PhishMe campaigns. At the 18 month mark, Belani says the number has fallen to single digits. “It’s risk mitigation,” he says. “And it’s a fraction of the cost of a breach response.”

PhishMe has now launched a benchmarking feature that lets companies compare their results with those of other customers. Over the next few months, it will be expanded to allow filtering so customers can compare themselves to their peers.