How organizations can avoid getting hooked by phishing scams
Take a holistic approach to fight phishing by raising awareness, training employees, and reinforcing the message
By Jeremy Schwartz, Special to ThirdCertainty
While the results of a successful phishing attack often are devastating to an organization, being victimized in this way may be just the tip of the iceberg, indicating larger organizational problems.
Susceptibility to phishing can represent a fundamental misunderstanding of security best practices at an organization-wide level. Technical safeguards against phishing attempts are important, but they cannot take up the slack left by a fundamental lack of security awareness in an employee base.
If an employee falls for a phishy email, chances are security best practices are not top of mind. Chances are a more holistic approach is needed.
Here’s the good news: While your employees may be part of the underlying problem, that also means they can be part of the cure. Anti-phishing awareness training can help your employees make better decisions and repel phishing threats.
Combining anti-phishing training with simulated phishing attacks lets your employees see first-hand the ingenious ways hackers have devised to get into your network. Additional courses on identifying and detecting malware, for example, allow employees to connect the dots on how damaging a phishing attack can be.
But training alone is not always enough. A recent survey of 300 American and British IT decision-makers, by messaging security vendor Cloudmark, found that 56 percent of respondents trained staff to avoid spear phishing attacks, with only 34 percent providing ongoing training.
Unfortunately, this comes as little surprise to us. Most organizations we’ve spoken with conduct security awareness training only once a year, and then only for 30 minutes or so. Employees can face cybersecurity threats like phishing attacks on a daily basis. A few hours of education on these dangers might not be enough.
Mix it up; have fun
The best awareness programs will allow deployment of carefully selected reinforcement resources to cement anti-phishing lessons with an organization’s employees on a need-to-know basis.
Additionally, reinforcement works best when it is delivered in resourceful, fun ways, and when the message varies over time. To this end, a good awareness program will maintain a library of reinforcement content that is both deep and wide. Such a library ideally will include, but is not limited to, animations, posters and games.
From a broad perspective, a holistic approach through security awareness training and reinforcement will pave the way for an organization-wide risk-aware culture. Such a culture can help inoculate an organization against myriad cybersecurity threats for years to come.