Phishing is the technique of using deceit to trick users into voluntarily providing credentials or accessing malicious files or websites, often via email.
Phishing can be an automated process via spam emails, but businesses of all sizes are also at risk of ‘spear phishing’, where emails are hand crafted to be convincing to chosen targets.
Phishing in either form has been a popular attack strategy for threat actors ever since the popularisation of commerce on the Internet. Now phishing is the most frequently encountered category of threat to businesses, with 95% of all attacks on enterprise networks being the result of successful spear phishing according to the SANS Institute.
The most effective way to stop phishing scams reaching their intended targets is to combine technical safeguards (such as web gateways, mail filtering and outbound firewall rules) with continuous end-user security awareness training. Those who downplay the potential benefits of employee security training are forgetting that successful social engineering attacks rely on one common factor: the human element.
“97% of people around the world are unable to identify a sophisticated phishing email.” – Intel.
Organisations providing cybersecurity awareness training to their staff greatly improve end-user confidence and ability to recognise (or at least suspect) phishing attempts. If a company can get its computer users to slow down and really evaluate the emails they receive before acting on them, it has won half the battle and will greatly reduce its cyber risk. Strong baseline education, reinforcement through continuous awareness training, and regular assessments are needed to begin changing employee online behaviour. An interesting, engaging and memorable awareness training programme delivered throughout the year keeps the security message on point and allows security teams to spot trends, track progress over time, and identify and help high-risk users who may need additional education.
Phishing simulations are an excellent addition to any security awareness training programme: an innovative and effective way to continuously assess an organisation’s security awareness and susceptibility to social engineering tactics. GoldPhish’s CybACADEMY delivers simulated phishing attacks to test employees’ security awareness. In this fully managed social engineering assessment programme, employees receive monthly simulated phishing emails and teachable moments, which display ‘just-in-time teaching’ messages to individuals who fall for a phishing test. Managers receive comprehensive campaign metrics identifying trends, improvements, and problem areas.
Phish T@nk, our simulated phishing training, has several benefits for your organisation:
- It increases specific awareness of the social engineering threat via phishing. When workers fall for a simulated attack, they become more aware of the real threat and more receptive to the message from IT security.
- It improves the general awareness of security. Simulated attack programmes help to open the lines of communication between workers and security staff, which in turn helps to improve the efficiency of general security awareness training.
- It provides security training metrics. Simulated attacks allow organisations to track the effectiveness of their security training over time and to target the areas or people that most need additional training.
- Find out more about Phish T@nk and how it can help your employees get one step ahead of the cyber criminals
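As an added illustration of the campaign metrics described above (example code written for this page, not GoldPhish’s own code or CybACADEMY’s reporting), the Python below aggregates constructed simulation results into per-campaign click and report rates, per-department click rates, a click-rate trend across campaigns, and a list of repeat clickers to prioritise for extra training. Users, departments and results are invented for the example.

```python
from collections import defaultdict

# Constructed sample results (hypothetical users/departments, not real data): one row per simulated email.
RESULTS = [
    # campaign, user,    department, clicked, reported
    ("2023-01", "alice", "finance", True,  False),
    ("2023-01", "bob",   "finance", False, True),
    ("2023-01", "carol", "sales",   True,  False),
    ("2023-01", "dave",  "sales",   True,  False),
    ("2023-02", "alice", "finance", True,  False),
    ("2023-02", "bob",   "finance", False, True),
    ("2023-02", "carol", "sales",   True,  False),
    ("2023-02", "dave",  "sales",   False, True),
    ("2023-03", "alice", "finance", True,  False),
    ("2023-03", "bob",   "finance", False, True),
    ("2023-03", "carol", "sales",   False, True),
    ("2023-03", "dave",  "sales",   False, True),
]

def campaign_metrics(results):
    """Click rate and report rate per campaign, keyed by campaign id in chronological order."""
    sent, clicked, reported = defaultdict(int), defaultdict(int), defaultdict(int)
    for campaign, _user, _dept, did_click, did_report in results:
        sent[campaign] += 1
        clicked[campaign] += did_click
        reported[campaign] += did_report
    return {c: {"click_rate": clicked[c] / sent[c],
                "report_rate": reported[c] / sent[c]} for c in sorted(sent)}

def department_click_rates(results):
    """Click rate per department across all campaigns (highlights problem areas)."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for _campaign, _user, dept, did_click, _rep in results:
        sent[dept] += 1
        clicked[dept] += did_click
    return {d: clicked[d] / sent[d] for d in sorted(sent)}

def high_risk_users(results, min_clicks=2):
    """Repeat clickers: users who clicked in at least `min_clicks` distinct campaigns."""
    clicks = defaultdict(set)
    for campaign, user, _dept, did_click, _rep in results:
        if did_click:
            clicks[user].add(campaign)
    return sorted(u for u, cs in clicks.items() if len(cs) >= min_clicks)

def trend(metrics, key):
    """Change in a metric from the first to the latest campaign (a negative click trend means improvement)."""
    ids = list(metrics)
    return metrics[ids[-1]][key] - metrics[ids[0]][key]
```

Feed real campaign exports in the same five-field shape to get the per-campaign, per-department and repeat-clicker views that a managed programme would report.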
Follow these 4 essentials for building effective training programmes to begin changing behaviour:
- Use Real-life Phishing Attacks. The more realistic you make training, the more memorable the experience will be – this will greatly contribute to knowledge retention and behaviour change.
- Create Continuous Security Training Programmes. One-off annual box-ticking compliance training will not change bad security behaviour in organisations. Employees need a strong baseline education in all aspects of cyber security awareness to reduce the risk of data breaches. This training must be engaging, interactive, and continue throughout the year.
- Make Training Fun and Rewarding. Introduce gamification into awareness programmes where there are prizes for the highest scoring departments and individuals. Reward individuals who report breaches of security or who regularly identify suspicious emails and activity to the IT Team. Develop ‘Security Champion’ programmes to help drive culture in the organisation – get employee buy-in and participation.
- Enlist Top-Down Support. Get internal buy-in on the approach from executives across all departments. Building any culture starts with top management setting the example; if they lead by example, people will copy that behaviour and know that it gets rewarded.
Training employees to be able to confidently identify and report suspicious emails in the workplace is fundamental to strengthening the ‘Human Firewall’ and greatly reducing cyber risk. Get in touch with GoldPhish today to get a CybACADEMY demo and discuss affordable pricing plans.