By Ron Benvenisti. The fact is that one out of five employees falls victim to phishing attacks.
Technical solutions can protect against the threat of phishing attacks, but experience shows that no technical solution is 100% effective. Cyber-security is largely a “people problem” and not so much a technical one. Companies must involve their employees in the fight, and employee security awareness is essential.
Security awareness training can ensure that employees know how to respond when they find a phishing message in their inbox.
Phishing simulations can be the most effective form of training. Because employees do not know whether a suspicious email in their inbox is a simulation or a real threat, a simulation closely mimics how each employee would react to an actual attack.
Phishing simulations can provoke different emotions, responses and reactions. When organizations set up phishing simulations they should endeavor to keep company morale high while building a positive culture with regard to cyber threats in general.
I cannot stress enough that many cyber-security weaknesses are a “people problem”.
Wearing out your technical staff with repeated testing instead of running an ongoing education program for employees is a common mistake. Testing and education must go hand in hand.
However, a company must be careful: running a phishing simulation simply as a test to catch and punish “repeat offenders” can do more harm than good. Educating employees and giving them the skills and resources they need is not a game of “gotcha”.
Any training that relies on fear or stress is going to be counterproductive and possibly traumatic. As a result, employees will not go through the training; instead, they will look for ways to get around it. Maintaining positive employee morale is critical to the organization’s well-being in general, aside from also supporting positive “just-in-time” cyber-security training.
Just-in-time training means that as soon as an employee clicks a link within the simulated attack, they are directed to a short and concise training session. This quickly educates the employee about the mistake and gives them the essentials for spotting malicious emails going forward.
This is also a golden opportunity for positive reinforcement, so be sure to keep the training short, concise, and positive.
It is important to vary the simulations. Sending the same simulation to all employees, especially at the same time, is not instructive and makes it nearly impossible to measure risk, because the first employee to discover or fall for the simulation warns the others. Soon everyone is on guard for the simulation, defeating the whole purpose of what could have been a valuable training opportunity.
Sending multiple simulations to different employees at different times is much more effective. There are phishing simulation tools that do this automatically, sending different simulations to various groups of employees on varying schedules. All new employees must be added and trained as well, to reinforce the culture that security matters 24/7 and is not just a box to check for compliance on an HR-generated user agreement.
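To make the scheduling and just-in-time mechanics above concrete, here is a small campaign planner and click tracker. It is an added example written for this article, not the author's code and not taken from any simulation product; the employee names, teams, lure names and the training URL are constructed for the demonstration. It rotates lures within each team, spreads send times at random across a window so one tip-off does not spoil the whole measurement, gives every message an unguessable tracking token, redirects a click straight to the training page, and reports click rates only in aggregate (per lure and per team) rather than as a per-person "gotcha" list.

```python
import random
import secrets
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample data for this example; people, teams and lure names are made up.
EMPLOYEES = [
    ("alice", "finance"), ("bob", "finance"),
    ("carol", "engineering"), ("dave", "engineering"),
    ("erin", "hr"), ("frank", "hr"),
]
TEMPLATES = ["payroll-update", "shared-document", "mfa-reset", "ceo-urgent-request"]
TRAINING_URL = "https://training.example.invalid/phish-101"  # hypothetical training page


@dataclass
class Message:
    employee: str
    team: str
    template: str
    send_at: datetime
    token: str  # unguessable per-message id embedded in the lure's link


def plan_campaign(employees, templates, window_start, window_days, rng):
    """Give every employee one lure and one send time spread across window_days.

    Lures are rotated within each team so teammates do not receive the same one,
    and send times are drawn at random, so a warning from the first employee who
    spots the simulation does not invalidate the measurement for everyone else.
    """
    by_team = defaultdict(list)
    for employee, team in employees:
        by_team[team].append(employee)

    plan = []
    for team, members in by_team.items():
        order = list(templates)
        rng.shuffle(order)  # each team sees the lures in a different order
        for i, employee in enumerate(members):
            offset = timedelta(minutes=rng.randrange(window_days * 24 * 60))
            plan.append(Message(employee, team, order[i % len(order)],
                                window_start + offset, secrets.token_urlsafe(12)))
    return plan


def all_within_window(plan, window_start, window_days):
    """True when every planned send time falls inside the campaign window."""
    end = window_start + timedelta(days=window_days)
    return all(window_start <= m.send_at < end for m in plan)


class CampaignTracker:
    """Records clicks on tracked links and reports rates in aggregate only."""

    def __init__(self, plan):
        self.by_token = {m.token: m for m in plan}
        self.clicked = set()

    def add_messages(self, plan):
        """Fold a later batch (for example new hires) into the same campaign."""
        self.by_token.update({m.token: m for m in plan})

    def handle_click(self, token):
        """Landing endpoint: an unknown token gets no redirect; a known token is
        recorded once and the employee is sent to the short training page."""
        msg = self.by_token.get(token)
        if msg is None:
            return None
        self.clicked.add(token)  # a set, so repeat clicks are not double counted
        return f"{TRAINING_URL}?lure={msg.template}"

    def _rates(self, key):
        sent, hit = defaultdict(int), defaultdict(int)
        for token, msg in self.by_token.items():
            sent[key(msg)] += 1
            if token in self.clicked:
                hit[key(msg)] += 1
        return {k: hit[k] / sent[k] for k in sent}

    def click_rate_by_template(self):
        return self._rates(lambda m: m.template)

    def click_rate_by_team(self):
        return self._rates(lambda m: m.team)


def demo(seed=7):
    """Build a ten-day campaign for the sample staff with a fixed seed."""
    rng = random.Random(seed)
    start = datetime(2024, 3, 4, 9, 0)
    plan = plan_campaign(EMPLOYEES, TEMPLATES, start, 10, rng)
    return plan, CampaignTracker(plan), start


if __name__ == "__main__":
    plan, tracker, start = demo()
    for m in sorted(plan, key=lambda m: m.send_at):
        print(f"{m.send_at:%Y-%m-%d %H:%M}  {m.team:12} {m.employee:6} {m.template}")
    print(tracker.handle_click(plan[0].token))       # redirect to training
    print(tracker.handle_click("not-a-real-token"))  # None: bogus token ignored
    print(tracker.click_rate_by_team())
```

The per-team and per-lure rates are what you compare across campaigns; a lure that keeps scoring high tells you which topic the next training session should cover, without naming the people who clicked.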
With over 3.4 billion phishing attacks per day, it is safe to assume that at least a million of them differ in complexity, language, approach and tactics, so it is important to change the content of the phishing bait and keep up with current trends on a regular basis.