Phishing awareness training can thwart cyber-attacks
Blog posted by: Daryl Flack, CIO, BlockPhish, 15 March 2017.
Creating awareness among employees about the damage a successful phishing attack can cause is the key to an organization’s cyber resilience.
Phishing emails remain a primary weapon of the cyber-attacker, whose techniques are constantly evolving to prey on human fallibility and circumvent technical controls in an attempt to compromise an organization’s network, or make financial gain. And, as Verizon’s Data Breach Report 2015 found, 90% of all successful cyber-attacks succeed because of human error.
Training staff to spot the signs of phishing attacks
All employees need to know the tell-tale signs of a phishing attack and organizations should undertake continual awareness training to equip employees with the right knowledge, skills and understanding they need. Essentially, the once-a-year refresher training for compliance is not nearly enough to ensure cyber resilience in the long term.
The fact is that phishing attacks don’t discriminate among employees. Whether an apprentice or CEO, you are susceptible to the latest attack by succumbing to an email which entices you to click on a malicious link or the disguised invitation to give away crucial information.
However, regular cyber security awareness training makes it easier to identify the rogue emails which can have such damaging personal and organizational consequences, and helps employees recognize the different phishing attack techniques. These can range from a generic email, sent to a mass distribution list with malicious links, to the more sophisticated socially engineered email that personally targets groups or individuals and persuades them to take a specific action or to divulge sensitive information.
Targeted or 'whaling' attacks
Careful targeting, known as ‘whaling’, is becoming a more prevalent phishing attack where, for example, the attacker masquerades as a senior executive asking an individual in the finance department to transfer money or pay a fictitious invoice.
This actually happened to FACC, an Austrian aircraft parts manufacturer, last year when it fell victim to an attacker posing as the CEO. The email came from what appeared to be an authentic email address and persuaded an employee to transfer almost $50m as part of a fake acquisition project. After the fraud was discovered, the board dismissed the CFO almost immediately, and the CEO a couple of months later.
This illustrates just how easy it is to become a victim of these attacks, particularly as cyber criminals can give such an air of legitimacy to their requests, as well as the implications for the board. Ensuring employees remain vigilant at all times is therefore a vital business need and an approach that should be led by the board.
Tailoring your cybersecurity training to your employees
Your employees need to receive continuous help and advice and this can be more effective if the cyber security awareness training programme is relevant to their personal as well as professional life. By showing them how they can be an unwitting victim of phishing through their own Facebook or Instagram accounts, it will undoubtedly give them the confidence to transfer that knowledge, understanding and confidence to their work environment.
However, this is not the only way to engage with them and maintain interest. Other techniques, such as gamification with leader boards, competitions and “lunch and learns” also help to reinforce cyber resilient behaviours. Equally, the RESILIA™ programme provides an excellent guide to understanding how employees can be empowered in keeping networks and information safe.
The important thing is to use a combination of approaches which, over time, will maintain a culture of awareness and vigilance, help to thwart a potential phishing attack and protect your most critical information.
For a free ethical phish and a report identifying your organization’s susceptibility to phishing, contact BLOCKPHISH.
See our RESILIA section for more information about cyber resilience.