Email phishing attacks are sent to us at work, home and anywhere else we have email. Most of us use email filters to check these emails and cut down the number of bad messages we receive, but sometimes these filters can be bypassed. Avanan’s Global Phish Report analyzed more than 55 million emails and found that 1 out of every 100 contained a phishing attack. The study also found that 25% of those phishing emails were making it past the filters and arriving in the user’s inbox.
What are most insidious are “spear phishing” emails, these messages target a specific person, and often bypass the filters because they are hand-crafted and lack the “tells” of most mass-produced phishing emails. Ask any security professional what the greatest security weakness in their organization is and the answer will be people. People make mistakes, get distracted, intimidated or enticed. Individuals click on something, downloading an attachment, or reply to an attacker unknowingly.
The people in your organization can be made into “human firewalls” instead of the weakest link – but it requires making security training and vigilance part of the culture. It means sending out reminders to keep security in mind and encouraging security reports. Encouraging users to report possible phishing emails, clicks that may have been on something malicious or having noticed something abnormal about their computer or application gives an early warning to the IT and security teams. This early warning allows time to send out warnings, take preventative action and help recover those that were impacted. User reports can easily be the difference between handling a small security event and making headlines due to a breach or ransomware that took down the entire environment.
The best results are seen when a combination of monthly reminders and ongoing phishing test emails is used. Mixing up the monthly reminders with short videos, events, games, email reminders and phishing testing significantly increases awareness and vigilance. Using multiple delivery methods will appeal to different groups of users, thus use multiple methods to make an impact with as many people in your environment as possible. Consider making the phishing email tests into a game – start a raffle with an enticing prize, users can receive one entry every time they do not click on an email or two entries can be awarded if the email message is reported to IT. Keep it interesting, add humor and have fun. Possibly get the marketing team involved to help with selling the idea or brainstorming possible campaigns.
The bottom line: Do something every month, use an annual plan with content, reminders and actions to keep it on track - make your people part of your cyber security defense program.
Readers should not act upon information presented without individual professional consultation.
Any federal tax advice contained in this communication (including any attachments): (i) is intended for your use only; (ii) is based on the accuracy and completeness of the facts you have provided us; and (iii) may not be relied upon to avoid penalties.
All Business Advisory News Cyber Security Overview