Gone phishing: introducing small changes to create a cyber security awareness culture that combats the perennial problem
May 2019 by Melanie Oldham, founder and CEO, Bob’s Business
Phishing attacks that prey on human error continue to be one of the most common and successful tactics in a cyber criminal’s arsenal. Because such attacks are the delivery route for highly dangerous threats, organisations need their people to be extra vigilant and act as a security barrier, rather than a vulnerability for unscrupulous cyber criminals to exploit. However, the reality is that staff within the average organisation often lack cyber security awareness, which means that phishing attacks are successfully reaching the soft underbelly of data that resides in a modern business.
Phishing presents such a high risk because it continues to morph on a daily basis and reach users through a variety of social engineering techniques. The most effective way to combat phishing is to deploy strategies that arm staff with the confidence and knowledge to take the right action. By introducing small changes into how they work and approach cyber security, staff can keep both themselves and their organisation secure. Core to this is a multi-pronged approach to your organisation’s information security training, raising awareness of the impact that successful attacks can have – in a controlled environment.
Making training relatable, relevant and engaging
Every company is different and has specific needs and areas of vulnerability. Whilst there are certain cyber security basics that we all need to adhere to, when it comes to arming staff with the right knowledge for your business, ‘off the shelf’ courses are not always going to be the best fit or get the required results.
To ensure that every base is covered, it is better to take a bespoke approach, so that every aspect of training and engagement is pertinent to your staff, network topology and wider business objectives. Undertaking a training course that is tailored leads to greater candidate engagement and a more rapid improvement of your overall security posture.
Another advantage of making training relevant, engaging and relatable is that it will help to break down the traditional communication barriers which often exist between staff and your IT team – ensuring everyone is working towards the common goal of keeping business operations secure.
Fighting phishing through simulation
Opening a seemingly innocent and legitimate email and clicking on a link can be an easy mistake to make, but if it turns out to be a phishing email it can have disastrous consequences. With cyber criminals using every trick in the book to fool their potential victims into giving away personal and confidential information, educating your staff to recognise the tactics is vital. Even small changes in staff behaviour will make a big difference. This is where exposing your staff to the dangers via a controlled simulated phishing exercise can pay dividends.
All staff are a target – from office managers to sales directors. When undertaking a phishing simulation exercise, it is advisable to produce email templates of varying complexity and create specific versions for certain high-risk user groups such as members of the finance, HR and IT departments.
Any user that clicks on a link in the spoof email is sent to an annotated educational landing page, so they can learn how to better spot such threats in the future.
The results in reality
One organisation we work with wanted to educate its staff so that they could better identify suspicious emails when they receive them. To make this happen, it commenced with the silent deployment of medium-difficulty phishing templates to 10% of staff. This acted as a benchmark of how many would fall foul of the scam. It then developed and deployed a series of internal communications to ensure staff were aware of the exercise and understood what underlying support was in place. This was accompanied by a ten-minute interactive animation that educated them on the basics of phishing.
The programme proved to be a triumph. Since its inception, over a quarter of a million simulated phishing emails have been sent. Between them, they have covered a range of scenarios with various hooks that asked staff to click on links, open attachments or disclose login details. Over the course of the programme, the organisation has seen a huge reduction in staff falling foul of the spoof phishing emails.
From top to bottom
Simulated phishing campaigns are a highly effective way of playing out very real scenarios in a controlled environment. By monitoring the reactions of staff and providing appropriate advice based on their actions, they can very quickly and effectively understand the dangers of phishing attacks. By becoming advocates of small changes in their own behaviour, and sharing their new-found expertise with new colleagues, they will become vital in the fight against this common and damaging threat. This approach will create a heightened cyber security awareness culture from top to bottom, throughout your entire organisation.