Phishing can be an automated process via spam emails, but businesses of all sizes are also at risk of ‘spear phishing’, where emails are hand crafted to be convincing to chosen targets.
Phishing in either form has been a popular attack strategy for threat actors ever since the popularisation of commerce on the Internet. Now phishing is the most frequently encountered category of threat to businesses, with 95% of all attacks on enterprise networks being the result of successful spear phishing according to the SANS Institute.
The most effective mitigation to preventing phishing scams from hitting their intended target is to utilise a combination of technical safeguards (like web gateways, mail filtering and outbound firewall rules) and continuous end-user security awareness training. Those who downplay the potential benefits of employee security training are forgetting that successful social engineering attacks rely on one common factor: the human element.
Organisations providing cybersecurity awareness training to their staff greatly improve end-user confidence and ability to recognise (or at least suspect) phishing attempts. If a company can get their computer users to slow down and really evaluate the emails they receive before acting on them, they’ve won half the battle and will greatly reduce their cyber risk.
Strong baseline education, reinforcement through continuous awareness training, and regular assessments are needed to begin changing employee online behaviour. An interesting, engaging and memorable awareness training programme delivered throughout the year keeps the security message on point and allows security teams to spot trends, track progress over time, and identify / help high risk users who may need additional education.
Phishing simulations are an excellent addition to any security awareness training programme – an innovative approach and effective way to continuously assess an organisation’s security awareness and susceptibility to social engineering tactics. A fully customisable social engineering assessment programme, employees receive scheduled simulated phishing emails and teachable moments, which display ‘just-in-time teaching’ messages to individuals who fall for a phishing test. Managers receive comprehensive campaign metrics identifying trends, improvements, and problem areas.
It increases specific awareness of the social engineering threat via phishing. When workers fall for a simulated attack, the become more aware of the real threat and more receptive to the message from IT security.
It improves the general awareness of security. Simulated attack programs help to open the lines of communication between workers and security staff, which in turn helps to improve the efficiency of general security awareness training.
It provides security training metrics. Simulated attacks allow organisations to track the effectiveness of their security training over time and to target the areas or people that most need additional training.
Find out more about simulated phishing and how it can help your employees get one step ahead of the cyber criminals.
Follow these 4 essentials for building effective training programmes to begin changing behaviour:
The more realistic you make training, the more memorable the experience will be – this will greatly contribute to knowledge retention and behaviour change.
Once off annual box-ticking compliance training will not change bad security behaviour in organisations. Employees need a strong baseline education in all aspects of cyber security awareness to reduce the risk of data breaches. This training must be engaging, interactive, and continue throughout the year.
Introduce gamification into awareness programmes where there are prizes for the highest scoring departments and individuals. Reward individuals who report breaches of security or who regularly identify suspicious emails and activity to the IT Team. Develop ‘Security Champion’ programmes to help drive culture in the organisation – get employee buy-in and participation.
Get internal buy-in on the approach from executives across all departments. Building any culture starts by example from the top management, if they lead by example, people will copy that behaviour and know that it gets rewarded.