How organizations can avoid getting hooked by phishing scams

Take a holistic approach to fight phishing by raising awareness, training employees, reinforcing message


While the results of a successful phishing attack often are devastating to an organization, being victimized in this way may be just the tip of the iceberg, indicating larger organizational problems.

Susceptibility to phishing can represent a fundamental misunderstanding of security best practices at an organization-wide level. Technical safeguards against phishing attempts are important, but they cannot take up the slack left by a fundamental lack of security awareness in an employee base.


If an employee falls for a phishy email, chances are security best practices are not top of mind. Chances are a more holistic approach is needed.

Engage employees

Here’s the good news: While your employees may be part of the underlying problem, that also means they can be part of the cure. Anti-phishing awareness training can help your employees make better decisions and repel phishing threats.

Combining anti-phishing training with simulated phishing attacks lets your employees see first-hand the ingenious ways hackers have devised to get into your network. Additional courses on identifying and detecting malware, for example, allow employees to connect the dots on how damaging a phishing attack can be.

But training alone is not always enough. A recent survey of 300 American and British IT decision-makers, by messaging security vendor Cloudmark, found that 56 percent of respondents trained staff to avoid spear phishing attacks, with only 34 percent providing ongoing training.

Unfortunately, this comes as little surprise to us. Most organizations we’ve spoken with conduct security awareness training only once a year, and then only for 30 minutes or so. Employees can face cybersecurity threats like phishing attacks on a daily basis. A few hours of education on these dangers might not be enough.

Mix it up; have fun

The best awareness programs will allow deployment of carefully selected reinforcement resources to cement anti-phishing lessons with an organization’s employees on a need-to-know basis.

Additionally, reinforcement works best when it is delivered in resourceful, fun ways, and when the message varies over time. To this end, a good awareness program will maintain a library of reinforcement content that is deep and wide. Such a library ideally will include, but is not limited to, animations, posters and games.

From a broad perspective, a holistic approach through security awareness training and reinforcement will pave the way for an organization-wide risk-aware culture. Such a culture can help inoculate an organization against myriad cybersecurity threats for years to come.
