Local Firm Evaluates Their Risk with Real Data

A local software firm[1] in Boulder, CO uses email attack simulations to pull real data from their environment and accurately examine the security risk of their 40-person user base.

Want the Same Success?

The Challenge: Identifying Security Priorities

Your users are your greatest asset, but they can also be easy targets for introducing vulnerabilities to your environment through the fastest-growing attack vector: email.

Phishing email attacks increased 250% in 2018, according to volume 24 of the Microsoft Security and Intelligence Report. These types of attacks continue to grow in both number and sophistication, taking advantage of newly accessible technologies like artificial intelligence and machine learning to make phishing emails even more convincing for users.

When deciding where to allocate security funds, this software firm felt their status as a tech company meant users were educated and ready to spurn potential phishing attacks. This assumption made company leadership hesitant to dedicate time or energy to addressing one of the most important pieces of a complete security strategy. But were they right?

Our Strategy: Finding Data-Backed Insights

This local firm wanted to get the most out of their limited security budget, so PEI ran a security assessment and phishing simulation to identify the most pressing vulnerabilities in their environment.

Planning the Test

PEI sent out a simulated phishing email including key suspicious details—like misleading links and a mismatched domain.

Collecting Data

We tracked users and collected data on how many clicked on the suspicious link and entered their work credentials when prompted.

Analyzing Results

This provided the firm with real data that could be analyzed to provide insights for building a security road map and prioritizing specific initiatives.

The Results: Making a Limited Security Budget Count

With real data that determined how likely their user base was to fall for a phishing attack, the firm identified user awareness and training as a primary security need and achieved leadership buy-in for the initiative. PEI then helped implement a custom plan for routinely educating and testing users.


Seventy Percent of Users

Seventy percent of users clicked on the suspicious link. Clicking on a link can take users to malicious sites or launch malware. Do your users know to verify the destination of a link before clicking?


Thirty Percent of Users

Thirty percent of users entered their work credentials, even though the link specified it led to an unaffiliated, third-party site. Users should be trained to identify common red flags before entering their password.


Eight Users

Eight users who entered their credentials had admin access to the firm’s IT environment. Just one slip-up gives malicious actors complete access. Admin accounts should be protected by more than passwords.

Want to Identify Your Biggest Security Vulnerabilities and Make Your Budget Count?

Schedule a discussion with one of our security experts to get started on running a security assessment that can identify key security initiatives and strengthen your security strategy.

1. Customer has asked not to be named due to the nature of the findings.