I believe in using every tool available to put your best foot forward. The thoughts and experiences on this page are my own; I use AI to help ensure grammar is accurate.
This is Week 3 of the Community Tools series — free and low-cost resources built for Iowa’s small municipalities, school districts, and local governments. Last week we covered CIS Controls IG1 and its 56 free safeguards.
—
BLUF (Bottom Line Up Front)
Most data breaches don’t start with a high-tech exploit. They start with an email. Over 90% of cyberattacks begin with phishing—a figure backed by FBI reporting and a decade of industry research. The good news is that you can measure how vulnerable your organization is to this right now, for free, using the KnowBe4 Phishing Security Test (PST).
Why Your Staff is the Largest Attack Surface
Security isn’t just about firewalls and antivirus software. The people using your systems are the front line. According to the 2025 Verizon Data Breach Investigations Report, the “human element” is involved in roughly 60% of all breaches. Even the most expensive security systems can be bypassed by a single accidental click on a convincing phishing email. For Iowa’s municipalities, managing this “human risk” is often the most difficult part of a cybersecurity program.
For a school district or city office, this is a daily reality. Your staff handles sensitive data, including student records, resident information, and financial accounts. If an attacker gains access to an email account through phishing, they are one step away from that data. Phishing awareness is teachable, but before you can teach anything, you need to know your weaknesses.
What the Free Phishing Security Test Does
KnowBe4 offers a simple, high-impact utility for Iowa SLTTs (State, Local, Tribal, and Territorial governments) to baseline their risk:
- The Setup: You provide up to 100 email addresses from your organization.
- The Simulation: KnowBe4 sends a safe, simulated phishing email that looks like a real attack (e.g., a password reset or an IT policy update).
- The Result: The system tracks who clicked the link over a three-day window.
- The Report: You receive a PDF showing your “Phish-Prone Percentage”—the exact percentage of your staff who fell for the lure—compared to others in your industry.
What you can do: You can sign up for the baseline test directly on KnowBe4’s website. It takes about 15 minutes to set up and requires no software installation or “deep-dive” technical configuration.
Practical Templates for Iowa Organizations
You don’t have to be a writer to run these tests. The tool provides templates based on what attackers are actually using today:
- Standard Office Lures: Password change requests or IT security policy updates tailored for Microsoft 365 or Google Workspace.
- Social Media Lures: Fake LinkedIn or Facebook login attempts, which are common since many people use the same passwords for work and personal accounts.
- QR Code Phishing: A rising threat where attackers send a “document” that requires a QR code scan. Testing your staff on this now ensures they aren’t caught off guard by a real one later.
Using Data to Secure Your Budget
A phishing test by itself doesn’t stop an attack, but it gives you the data you need to make better decisions:
- Get a Baseline: Run the test once to see where you stand today.
- Justify Action: If 40% of your staff clicks the link, you have a solid number to show a city manager or school board. “Our vulnerability is 10% higher than the industry average. We need to prioritize training.”
- Measure Progress: After you run a training session, run the test again three months later. If the number drops, you know your efforts are working.
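As an added illustration (not part of the original post and not KnowBe4's own code), the following Python sketch computes a Phish-Prone Percentage the way the report is described above: unique recipients who clicked within the three-day tracking window, compared against an industry benchmark and against a later retest. All addresses, timestamps and the 30% benchmark are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample data: when the simulated email went out and the click
# events a test platform might record. Names and times are invented.
SENT_AT = datetime(2025, 3, 3, 8, 0)
TRACKING_WINDOW = timedelta(days=3)  # clicks are only tracked for three days

RECIPIENTS = ["a.clerk@city.example", "b.finance@city.example",
              "c.admin@city.example", "d.it@city.example",
              "e.mayor@city.example"]

# (address, click time) pairs as a platform would log them
BASELINE_CLICKS = [
    ("A.Clerk@city.example", SENT_AT + timedelta(hours=1)),   # clicked
    ("a.clerk@city.example", SENT_AT + timedelta(hours=2)),   # same person again
    ("b.finance@city.example", SENT_AT + timedelta(days=1)),  # clicked
    ("c.admin@city.example", SENT_AT + timedelta(days=4)),    # after window, ignored
]
RETEST_CLICKS = [
    ("b.finance@city.example", SENT_AT + timedelta(days=90, hours=3)),
]
RETEST_SENT_AT = SENT_AT + timedelta(days=90)  # rerun three months later

def phish_prone_pct(recipients, clicks, sent_at, window=TRACKING_WINDOW):
    """Percentage of unique recipients who clicked inside the tracking window."""
    targets = {r.lower() for r in recipients}
    clicked = {
        addr.lower()
        for addr, when in clicks
        if addr.lower() in targets and sent_at <= when <= sent_at + window
    }
    return round(100 * len(clicked) / len(targets), 1)

def compare_to_industry(pct, industry_pct):
    """Percentage-point gap to the benchmark; positive means worse than peers."""
    return round(pct - industry_pct, 1)

def progress(baseline_pct, retest_pct):
    """Drop in Phish-Prone Percentage between two runs; positive is improvement."""
    return round(baseline_pct - retest_pct, 1)

if __name__ == "__main__":
    base = phish_prone_pct(RECIPIENTS, BASELINE_CLICKS, SENT_AT)
    retest = phish_prone_pct(RECIPIENTS, RETEST_CLICKS, RETEST_SENT_AT)
    print(f"Baseline Phish-Prone Percentage: {base}%")                 # 40.0%
    print(f"Gap to assumed 30% benchmark: {compare_to_industry(base, 30.0):+}")  # +10.0
    print(f"Improvement after training: {progress(base, retest)} points")        # 20.0
```

The duplicate and out-of-window clicks in the sample show why the number is per person and per window, not a raw click count.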
Why This Matters for Iowa
A big consulting firm might try to sell you an expensive security program. For many Iowa communities, that isn’t realistic. Free tools like this remove the “we don’t have the budget” excuse. You can measure your risk for free, see exactly who is vulnerable, and start building a culture of security without spending a dime.
The NGCC Perspective
While NGCC is not a reseller of KnowBe4, we strongly recommend this tool as a foundational “first step” in any security roadmap. In conjunction with resources from CISA Region 7, Nueva Guardia Cyber Consulting (NGCC) can act as your liaison.
Disclaimer: Nueva Guardia Cyber Consulting, LLC provides these recommendations as a liaison service. Access to and use of third-party platforms like KnowBe4 and MS-ISAC are subject to their respective terms of service and privacy policies. NGCC does not control or guarantee the performance of these third-party tools.
Sources
- KnowBe4: Phishing Security Test Product Manual
- KnowBe4: Phishing Security Test Video
- Verizon: 2025 Data Breach Investigations Report
- FBI IC3: 2024 Internet Crime Report
Is your team tracking alerts or campaigns?
