By Jason Stirland, CTO at DeltaNet International
According to research by Proofpoint, 75% of organizations around the world experienced a phishing attack in 2020, and 74% of attacks targeting US businesses were successful. Furthermore, a study by ENISA found that 85% of the SMEs questioned agree that cybersecurity issues would have a detrimental impact on their businesses, with 57% saying they would go out of business if hit. The study also reveals that phishing attacks are the most common cyber incidents SMEs are likely to be exposed to, alongside ransomware attacks, stolen laptops and CEO fraud.
With many employees continuing to work remotely (or at least moving to hybrid work), organizations must support their employees and educate them on the cybersecurity threats they will undoubtedly face, including phishing and social engineering attacks. As employees are an organization’s front line, ensuring that they and the organization don’t fall victim to phishing attacks should be its utmost priority.
So how can organizations improve cybersecurity awareness training to protect against phishing attacks?
1 – Educate employees using bitesize online training
It’s no surprise that employees loathe long training sessions that take time out of their day, leading to low engagement. So, using bitesize learning to teach employees about phishing threats and general cybersecurity awareness will be better received. Shorter training interventions mean employees can fit learning around their day and work schedule, which will reduce reluctance to do mandatory training. Additionally, with attention spans shortened by constant notifications of emails and messages from collaboration platforms like Teams and Slack, it’s crucial to use interactive content to capture employees’ interest. This way, they are more likely to understand the phishing and cybersecurity threats the business faces daily.
2 – Assess employees on knowledge retention
While it’s easy to think of some compliance training as a mere tick-box exercise, organizations must check that their employees have actually learnt something from the training. If not, then the training needs to improve – quickly! Phishing and cybersecurity attacks are becoming increasingly sophisticated, so organizations want to ensure that their employees can spot a phishing scam when faced with one. A great way of assessing employee understanding of scams is to use a phishing simulation tool to send imitation phishing emails to employees and test their awareness levels. It’s imperative to test employees against spear-phishing attacks too: a method where a cybercriminal targets individuals within the organization, posing as a trusted source (e.g., the CEO or a supplier) to obtain confidential data.
3 – Auto-enroll employees on correctional training
Knowing which employees failed the simulated phishing scams is a significant way to analyze the cybersecurity risk employees pose. To reduce that risk, organizations should auto-enroll employees who fail the simulation (e.g. by clicking on a suspicious URL or sharing confidential data) onto further cybersecurity awareness training. Follow up this correctional training with company compliance documents, internal discussions on the importance of recognizing threats, and how employees must play their part in keeping the organization safe. This will help to reinforce the importance of cybersecurity awareness.
4 – Track the value of training
Organizations can track and analyze the results of their cybersecurity awareness training by using a learning experience platform, such as Astute LXP. Intelligent platforms like this can help organizations gather data in one place to track open rates, click rates on suspicious URLs, and how often confidential data was actually submitted. Repeating the exercise once employees have been refreshed on cybersecurity awareness training, and analyzing their pass rate on the simulated phishing email, will reveal which employees have understood their training and put it into practice. This helps organizations to recognize how their security posture has improved as a result of the training, making a clear case for continued investment and refresher training in cybersecurity awareness going forward.
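As an added example (not code from the original article or from DeltaNet’s products), the following Python works through the simulate, measure, auto-enroll and re-test cycle described in sections 3 and 4 on constructed simulation results: it derives the open, click and data-submission rates, builds the auto-enrollment queue of employees who failed, and compares a baseline campaign with a post-training re-test. The campaign names, employees and outcomes are all hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    campaign: str     # name of the simulated phishing campaign
    employee: str
    opened: bool      # opened the simulated email
    clicked: bool     # clicked the suspicious URL
    submitted: bool   # entered data on the simulated landing page


# Constructed sample data for two campaigns (hypothetical employees, not real results).
RESULTS = [
    SimResult("baseline", "alice", True, True, True),
    SimResult("baseline", "bob", True, True, False),
    SimResult("baseline", "carol", True, False, False),
    SimResult("baseline", "dave", False, False, False),
    SimResult("baseline", "erin", True, True, True),
    SimResult("refresher", "alice", True, False, False),
    SimResult("refresher", "bob", True, True, False),
    SimResult("refresher", "carol", False, False, False),
    SimResult("refresher", "dave", False, False, False),
    SimResult("refresher", "erin", True, False, False),
]


def failed(r: SimResult) -> bool:
    # Failure as the article defines it: clicking the URL or sharing data.
    return r.clicked or r.submitted


def campaign_metrics(results, campaign):
    rows = [r for r in results if r.campaign == campaign]
    if not rows:
        raise ValueError(f"no results for campaign {campaign!r}")
    n = len(rows)
    return {
        "recipients": n,
        "open_rate": sum(r.opened for r in rows) / n,
        "click_rate": sum(r.clicked for r in rows) / n,
        "submit_rate": sum(r.submitted for r in rows) / n,
        "pass_rate": sum(not failed(r) for r in rows) / n,
    }


def enrollment_queue(results, campaign):
    # Employees to auto-enroll onto correctional training after this campaign.
    return sorted({r.employee for r in results if r.campaign == campaign and failed(r)})


def compare_campaigns(results, before, after):
    b, a = set(enrollment_queue(results, before)), set(enrollment_queue(results, after))
    return {
        "pass_rate_before": campaign_metrics(results, before)["pass_rate"],
        "pass_rate_after": campaign_metrics(results, after)["pass_rate"],
        "remediated": sorted(b - a),      # failed before, passed the re-test
        "still_failing": sorted(b & a),   # need another round of training
        "new_failures": sorted(a - b),    # passed before, failed the re-test
    }
```

Running `compare_campaigns(RESULTS, "baseline", "refresher")` shows the pass rate rising from 0.4 to 0.8, with alice and erin remediated and bob still queued for training.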
5 – Update employees on current phishing trends
An organization’s cybersecurity is only as strong as its weakest link. According to Tessian, nearly a quarter (22%) of UK citizens have received phishing emails asking them to download ‘proof of vaccination’ in the past six months – and in the US, this figure rose to 35%! Statistics like these show how keeping all employees trained, tested, and updated on the latest cybersecurity techniques and phishing scams is critical to protecting your company’s infrastructure.
6 – Embed a cybersecurity compliance culture
Putting in place a cybersecurity culture within the organization is easier said than done. What it means is that employees understand the importance of following cybersecurity guidelines, completing mandatory training, and using best practices, e.g., strong passwords and triple-checking emails for any malicious URLs before clicking on them. If employees work in an environment where they are regularly reminded of common phishing and ransomware attacks and what to look out for, it will become second nature to them and reduce susceptibility significantly.
About the Author
Jason Stirland, CTO at DeltaNet International. Having completed his degree in Networking & Communications Technologies, Jason Stirland has spent nine years working in eLearning. From starting his career as first-line technical support, Jason has expanded his role to incorporate programming and sales and often hosts consultative software meetings for key clients. Jason has been responsible for developing DeltaNet’s Astute Learning Management System, as well as the organization’s IT/security infrastructure and software strategy.