Phishing attacks continue to be a serious threat for organizations of all types and sizes. These attacks have been behind some of the most well-known breaches in recent years, including the Anthem breach. As these threats evolve and become more sophisticated, we must work to adapt the behavior of our employees to combat these risks. IT professionals recommend implementing security awareness training in your organization to teach employees about phishing attacks and how to detect a scam before a few clicks cost the organization millions of dollars in damage.
The main goal of security awareness training is to educate employees about phishing so that they think before clicking any suspicious links. When onboarding new employees, it is critical that there is an IT training meeting. This training should go beyond basic computer and IT procedures by including a session on the organization’s security policies. This should include recognizing phishing attempts.
However, one-and-done training sessions are not enough to protect organizations from these ongoing cyber threats. These threats are continually changing and evolving, becoming more sophisticated over time. As such, continuous security awareness training is necessary so that employees keep evaluating their emails and actively avoid new scams. Best practice would be to hold training sessions every 6 weeks to remind employees that everyone is a target and that they need to stay alert.
Sample training programs should include:
- Security videos mandated at the beginning of employment
- Periodic educational content sent from IT/Security sharing the latest news and the attack techniques the organization may be experiencing.
- The ability for employees to easily mark suspicious emails as “Spam.”
Another great mechanism to ensure your organization and employees are prepared for a phishing attack is to conduct a mock phishing campaign. In a mock campaign, fake phishing emails are sent to employees. The IT/Security team can then track who intercepts these emails and reports them as spam and who falls for the scam. If an individual clicks the link in the mock phishing email, you can set up a redirect to an educational page that provides tips on avoiding phishing emails in the future. Phishing simulations have proven successful in teaching employees what to look out for while reducing the likelihood of a malware infection that could cause significant financial and reputational damage.
While phishing simulation programs are effective, it is critical that they are paired with a robust training program and positive reinforcement. Every failed phishing simulation should be an opportunity to improve for both the organization and the employee. A recent article by Brian Krebs explores how some organizations have instituted negative consequences for employees who repeatedly fail such simulations, including termination and other punitive actions. Brian reviews this remediation approach with several industry experts who feel that punitive remediation is counterproductive. Negative reinforcement fosters resentment between employees and the IT/security department, which hinders the organization's ability to work collaboratively to prevent future threats. It is certain that phishing attacks will continue to evolve; organizations must adapt, and awareness training needs to be part of that adaptation.
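The tracking described for the mock campaign above, and the repeat-failure question raised in the Krebs discussion, come down to a simple tally of who reported, who clicked, and who clicked in more than one campaign. This is an added illustration, not code from the original article; the event records, employee names and campaign identifiers are constructed sample data.

```python
from collections import defaultdict

# Constructed sample events from two mock campaigns (not real data).
# Each record: (campaign_id, employee, action); actions are "sent", "clicked", "reported".
SAMPLE_EVENTS = [
    ("q1", "alice", "sent"), ("q1", "alice", "reported"),
    ("q1", "bob", "sent"), ("q1", "bob", "clicked"),
    ("q1", "carol", "sent"), ("q1", "carol", "clicked"), ("q1", "carol", "reported"),
    ("q1", "dave", "sent"),
    ("q2", "alice", "sent"), ("q2", "alice", "reported"),
    ("q2", "bob", "sent"), ("q2", "bob", "clicked"),
    ("q2", "carol", "sent"), ("q2", "carol", "reported"),
    ("q2", "dave", "sent"), ("q2", "dave", "clicked"),
]

ACTIONS = ("sent", "clicked", "reported")


def campaign_metrics(events):
    """Per campaign: recipient count, click and report rates, and who did what."""
    per = defaultdict(lambda: {a: set() for a in ACTIONS})
    for campaign, employee, action in events:
        if action in ACTIONS:  # ignore malformed records instead of crashing
            per[campaign][action].add(employee)
    results = {}
    for campaign, s in per.items():
        n = len(s["sent"])
        results[campaign] = {
            "recipients": n,
            "click_rate": round(len(s["clicked"]) / n, 2) if n else 0.0,
            "report_rate": round(len(s["reported"]) / n, 2) if n else 0.0,
            # A click followed by a report still counts as a click (the link was
            # followed), but the report is the behaviour the training wants.
            "clicked_then_reported": sorted(s["clicked"] & s["reported"]),
            "clicked": sorted(s["clicked"]),
            # Neither clicked nor reported: the email was ignored.
            "no_action": sorted(s["sent"] - s["clicked"] - s["reported"]),
        }
    return results


def repeat_clickers(events, min_campaigns=2):
    """Employees who clicked in at least min_campaigns distinct campaigns:
    the candidates for additional training and follow-up."""
    clicks = defaultdict(set)
    for campaign, employee, action in events:
        if action == "clicked":
            clicks[employee].add(campaign)
    return sorted(e for e, cs in clicks.items() if len(cs) >= min_campaigns)


if __name__ == "__main__":
    for cid, m in campaign_metrics(SAMPLE_EVENTS).items():
        print(cid, m)
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```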
Remediation will be a very interesting aspect of that adaptation. There are valid points about the negative impact termination could have; however, the damage a successful phishing attack can do to an organization is also significant. It is a delicate balance organizations must consider.
Since phishing attacks are becoming more common and sophisticated, it is time to implement proper training and education for your organization. Ask an advisor at RCM&D about best practices for teaching employees to identify, mitigate and report phishing incidents at your organization.