Yes. We know. A lot has been written on how to spot phishing attacks over the last few years. And yet not a week goes by without news of several companies suffering cyber-attacks because a staff member fell for a classic phishing email that should have been easy to spot. Why is that?
It's clear that phishing poses a significant risk to the security of our business systems and has done for quite some time. Phishing was involved in 36% of the breaches analysed in the Verizon 2021 Data Breach Investigations Report. Writing a phishing email that gets a really good click-through rate (CTR) is simple. You would think that this would grab attention and that all companies would invest in training staff as much as they invest in buying technical security tools to address the threat. But it doesn't and they don't.
Start by reducing the initial risk
Reducing the risk of social engineering attacks like phishing requires a holistic approach that blends the technical security tools we buy with simple and effective cyber security awareness training for our staff.
The first line of defence against phishing is training. However, many businesses rely far too much on products to get the job done. If everyone in the business could quickly spot the most common social engineering tactics used in phishing emails and understood the psychological triggers that threat actors use to exploit their victims, far fewer attacks would get past the technical controls at all, and the few that did would be reported sooner.
When it comes to reducing the threat of phishing, invest in your people: no product delivers a better return on investment than training your staff. So, here's a checklist of six learning objectives to include in your cyber security awareness training content to ensure you're getting results:
How to make your staff aware:
- To be suspicious of unsolicited emails from someone they don't know, especially ones that create urgency or ask for something unusual
- To never download attachments or click links in emails from someone they don't know
- To check that the sender's display name matches the actual email address (the display name is chosen freely by whoever sends the message, so it proves nothing on its own)
- To check the email address for spelling errors, swapped characters (such as a digit 1 for a letter l) and other common giveaways in the domain
- To hover over the links in emails they doubt and confirm that the real destination domain is the one the link text claims, not just that the link text looks right
- To always verify a sender's identity through an alternate contact method (e.g. in person, or by calling a number they already hold rather than one given in the email) before providing any sensitive information or acting on a request for payment or credentials
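The sender and link checks in the list above are exactly the heuristics a mail gateway or triage script can automate. The following is an added example, not code from the original article or from the eRiskology programme: it parses a constructed sample message (the addresses, domains and the confusable-character table are assumptions for illustration) and reports a mismatched display name, a lookalike sender domain, and a link whose visible text hides a different destination.

```python
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages for illustration; not real phishing emails.
SUSPICIOUS_EML = b"""\
From: "IT Helpdesk <helpdesk@example.com>" <alerts@examp1e-support.net>
To: staff@example.com
Subject: Password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Reset it at
<a href="http://examp1e-support.net/reset">https://portal.example.com/reset</a>
before 5pm.</p>
</body></html>
"""

CLEAN_EML = b"""\
From: IT Helpdesk <helpdesk@example.com>
To: staff@example.com
Subject: Planned maintenance
Content-Type: text/html; charset=utf-8

<p>Details at <a href="https://portal.example.com/status">the status page</a>.</p>
"""

# Assumption: the organisation's own domains; in practice load from config.
TRUSTED_DOMAINS = {"example.com"}

# Assumption: a small digit-for-letter confusable map (examp1e -> example).
CONFUSABLES = str.maketrans("01357", "olest")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def domain_of(value):
    """Last two labels of a URL's host or an address's domain, e.g. example.com."""
    if "://" in value:
        host = urlparse(value).hostname or ""
    else:
        host = value.rsplit("@", 1)[-1]
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def impersonates(domain, trusted_domains):
    """True if an untrusted domain's first label contains a trusted brand name
    once common digit-for-letter substitutions are undone."""
    if domain in trusted_domains:
        return False
    label = domain.split(".")[0].translate(CONFUSABLES)
    return any(t.split(".")[0] in label for t in trusted_domains)


def html_body(msg):
    """Return the decoded text/html part of the message, or None."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            payload = part.get_payload(decode=True)
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return None


def check_message(raw, trusted_domains=TRUSTED_DOMAINS):
    """Apply the sender and link checks; return a list of human-readable findings."""
    msg = email.message_from_bytes(raw)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    from_domain = domain_of(address)

    # Check 1: the display name advertises an address that is not the real sender.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display_name)
    if shown and domain_of(shown.group()) != from_domain:
        findings.append(f"display name shows {shown.group()} but sender is {address}")

    # Check 2: the sender domain imitates a trusted domain.
    if impersonates(from_domain, trusted_domains):
        findings.append(f"sender domain {from_domain} resembles a trusted domain")

    # Check 3: link text that looks like a URL but points elsewhere, or a lookalike destination.
    body = html_body(msg)
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            if "://" in text and domain_of(text) != domain_of(href):
                findings.append(f"link text {domain_of(text)} hides destination {domain_of(href)}")
            if impersonates(domain_of(href), trusted_domains):
                findings.append(f"link destination {domain_of(href)} resembles a trusted domain")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EML), ("clean", CLEAN_EML)):
        print(name, check_message(raw) or ["no findings"])
```

The checks deliberately mirror what staff are taught to do by hand, so the same vocabulary (display name versus address, link text versus destination) can be used in training material and in the gateway's quarantine notice; note that a genuine mismatch between link text and destination is routine in marketing mail, so this is a triage signal rather than a verdict.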
Including these six simple actions in your security awareness training can significantly reduce the threat of phishing. Follow up the training with simulated phishing campaigns against your staff to confirm that they have understood and internalised it. Run them regularly, at least quarterly, and keep and compare the metrics (click rate, credential-entry rate and, above all, report rate) to benchmark your progress and identify those who may need retraining.
Creating and maintaining a positive security culture within your business is critical for both identifying and containing a phishing attack that has already happened. Staff need to feel comfortable reporting an attack, which they won't do if they fear blame or punishment. The sooner it is spotted and reported, the sooner the threat can be mitigated.
Is your security awareness training content fit to face the threat of phishing? If not, the Crew is here for guidance. Learn more about our staff awareness programme, eRiskology™ or give us a call to discuss your specific needs.