Phishing awareness training can thwart cyber-attacks
Blog posted by: Daryl Flack, CIO, BlockPhish, 15 March 2017.
Creating awareness among employees about the damage a successful phishing attack can cause is the key to an organization’s cyber resilience.
Phishing emails remain a primary weapon of the cyber-attacker, whose techniques are constantly evolving to prey on human fallibility and circumvent technical controls in an attempt to compromise an organization’s network, or make financial gain. And, as Verizon’s Data Breach Report 2015 found, 90% of all successful cyber-attacks succeed because of human error.
Training staff to spot the signs of phishing attacks
All employees need to know the tell-tale signs of a phishing attack and organizations should undertake continual awareness training to equip employees with the right knowledge, skills and understanding they need. Essentially, the once-a-year refresher training for compliance is not nearly enough to ensure cyber resilience in the long term.
The fact is that phishing attacks don’t discriminate among employees. Whether an apprentice or the CEO, you are susceptible to the latest attack the moment you succumb to an email that entices you to click a malicious link or accept a disguised invitation to give away crucial information.
However, with regular cyber security awareness training it becomes easier to identify the rogue emails that can have such damaging personal and organizational consequences, and employees learn to recognize the different phishing attack techniques. These range from a generic, mass-distributed email carrying malicious links to the more sophisticated socially engineered email that personally targets a group or individual and persuades them to take a specific action or to divulge sensitive information.
Targeted or 'whaling' attacks
Careful targeting, known as ‘whaling’, is becoming a more prevalent phishing attack where, for example, the attacker masquerades as a senior executive asking an individual in the finance department to transfer money or pay a fictitious invoice.
This actually happened to FACC, an Austrian aircraft parts manufacturer, last year when it fell victim to an attacker posing as the CEO. The email came from what appeared to be an authentic email address and persuaded an employee to transfer almost $50m as part of a fake acquisition project. After the fraud was discovered, the board dismissed the CFO almost immediately and the CEO a couple of months later.
This illustrates just how easy it is to become a victim of these attacks, particularly as cyber criminals can give such an air of legitimacy to their requests, and it shows the implications for the board. Ensuring that employees remain vigilant at all times is therefore a vital business need and an approach that should be led by the board.
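The whaling pattern above (a trusted executive's name on a message that actually comes from an outside address, a mismatched reply address and pressure to move money) can be screened for automatically before a human ever has to judge it. The following is an added example, not code from BlockPhish or AXELOS; the executive directory, internal domains, keyword list and sample message are constructed assumptions.

```python
import difflib
import re
from email.utils import parseaddr

# Constructed assumptions: the executives worth protecting, the organisation's
# own domains, and words that typically accompany a fraudulent payment request.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
INTERNAL_DOMAINS = {"example.com"}
PRESSURE_WORDS = ("urgent", "wire", "transfer", "invoice", "confidential", "acquisition")


def normalise(name):
    """Lower-case a display name and strip punctuation so 'Jane  Doe.' matches 'jane doe'."""
    return re.sub(r"[^a-z ]", "", name.lower()).strip()


def assess(headers, body):
    """Return the reasons a message looks like executive impersonation (empty = nothing found)."""
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name = normalise(display)
    if name in EXECUTIVES:
        if domain not in INTERNAL_DOMAINS:
            reasons.append(f"display name '{display}' matches an executive but sender domain is external ({domain})")
        elif addr.lower() != EXECUTIVES[name]:
            reasons.append(f"display name '{display}' matches an executive but {addr} is not their directory address")
    # A domain that merely resembles ours (examp1e.com, example-mail.com) is a lookalike.
    for internal in INTERNAL_DOMAINS:
        if domain != internal and difflib.SequenceMatcher(None, domain, internal).ratio() >= 0.8:
            reasons.append(f"sender domain {domain} resembles internal domain {internal}")
    # Replies silently routed to a different mailbox are a classic sign of a hijacked conversation.
    reply_to = parseaddr(headers.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        reasons.append(f"Reply-To ({reply_to}) differs from From ({addr})")
    hits = [w for w in PRESSURE_WORDS if w in body.lower()]
    if hits:
        reasons.append("payment pressure wording: " + ", ".join(hits))
    return reasons


# Constructed sample resembling the fake-acquisition request described above.
SAMPLE_HEADERS = {
    "From": "Jane Doe <ceo.office@examp1e-mail.com>",
    "Reply-To": "jane.doe.private@mail-example.net",
}
SAMPLE_BODY = "Please treat this as confidential. We need an urgent transfer for the acquisition. Invoice attached."

if __name__ == "__main__":
    for reason in assess(SAMPLE_HEADERS, SAMPLE_BODY):
        print("FLAG:", reason)
```

In a mail gateway the flagged reasons would feed a quarantine or a visible warning banner; a genuine message from the executive's directory address with no pressure wording produces no reasons at all.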
Tailoring your cybersecurity training to your employees
Your employees need to receive continuous help and advice and this can be more effective if the cyber security awareness training programme is relevant to their personal as well as professional life. By showing them how they can be an unwitting victim of phishing through their own Facebook or Instagram accounts, it will undoubtedly give them the confidence to transfer that knowledge, understanding and confidence to their work environment.
However, this is not the only way to engage with them and maintain interest. Other techniques, such as gamification with leader boards, competitions and “lunch and learns” also help to reinforce cyber resilient behaviours. Equally, the RESILIA™ programme provides an excellent guide to understanding how employees can be empowered in keeping networks and information safe.
The important thing is to use a combination of approaches which, over time, will maintain a culture of awareness and vigilance, help to thwart a potential phishing attack and protect your most critical information.
For a free ethical phish and a report identifying your organization’s susceptibility to phishing, contact BLOCKPHISH.