Recently we wrote about the threat to your cybersecurity posed by email – that pervasive, convenient, reliable tool for business and personal communication used by almost every organisation in the world. But email is not innocent. It is one of the most common attack vectors used by threat actors. Why? Precisely because of its ubiquity, interoperability, and availability of users’ addresses.
Email itself does not present a risk to recipients. Any email can be safely opened without putting your network in peril. It is the attachment (particularly PDF) within it that is the danger. Attachments can contain malware code that installs itself on the user’s computer and/or network. Links can lead to impersonated websites, encouraging the user to part with sensitive information or even make payments.
Email is so risky to businesses because they employ tens, hundreds or even thousands of entry points – their staff. Each individual poses a risk simply because humans are fallible creatures. And cybercriminals are clever, finding ever more sophisticated ways to convince their victims that they are bona fide.
Cybersecurity awareness training of employees should be a regular part of your IT strategy. Many organisations include cybersecurity as well as IT procedures and email protocols as part of induction training. While this is a laudable and necessary step, it is not sufficient. Occasional reminders (e.g. bi-annually or even quarterly) are important but do not go far enough. Experts believe that awareness training needs to be monthly to be beneficial. Hackers develop new techniques all the time. While we may not be able to stay one step ahead of them, we can certainly keep up, and ensure our defences are sharp. Phishing scams, like all trends, come and go. But it’s essential to raise awareness of the phishes that are topical at any given time, so users know what to look out for.
Effective security training should show your employees the different types of attacks they may encounter. They need to learn to recognise the red flags that identify a spoof email and know what to do if they receive one…and, more importantly, what not to do! Awareness training should include “vishing” – voice phishing, and “smishing” – SMS phishing. Don’t rely on your organisation’s caller ID. Cybercriminals are able to impersonate legitimate callers and convince victims to disclose critical information.
A good awareness programme should not only include information dissemination; it should allow employees to test their knowledge and practise their skills. If you opt for an online learning programme, make sure it includes real-life scenarios and plenty of sample emails as practice.
Beyond the training course itself, whether conducted online or in a classroom situation, it’s important to follow up with test emails sent to users at random, unannounced times, when they are engrossed in work at their desks. This is called phishing simulation. Simulation is critical because it can be easy to detect a bogus email in a training environment. One’s senses are alert to the clues. It’s a different story in the daily chaos of office (or even home office) life. Faced with a full inbox every morning and wanting to clear it in order to get on with the day’s work, it is much harder for an employee to spot the spoof email lurking amongst the legitimate ones. This is particularly so with spear-phishing when the attack on your organisation is carefully targeted, and the email appears authentic.
There are many tools available online that will allow you to carry out your own phishing simulations. But their usefulness is limited. Open-source phishing platforms abound, but most are Linux-based and require a level of skill to install and run. There are simple tools that will let you create an email for test purposes and send it to a few recipients using a set mail server. But they lack features like reporting that gives you the value you need from such a tool.
From an organisational perspective, you need information about trends, not just individuals. If a particular department, such as procurement or HR, has a poorer success rate at detecting phishes, it may highlight the fact that they are more susceptible. You can then focus your resources on upskilling that team. Capturing individuals’ phish rates is not about penalising anyone; it is about identifying potential vulnerabilities and providing any additional support necessary. Without quality data, you can’t protect your organisation from breaches.
NEWORDER can carry out simulated attacks on your employees that will test and reinforce good behaviour. We will work with you to understand your organisational and industry context and determine the nature of spoof emails you may fall prey to, designing a targeted phishing simulation campaign. We will tailor a cybersecurity awareness training plan to the needs of your business. Only through continuous simulation and training will your employees being able to fight phishing attacks and keep your network safe from harm.
