Spending heavily on cybersecurity makes sense given the risk, and can make an executive feel safe. Unfortunately, the major sources of cyber threats aren’t technological.
Phishing scams prey on human factors like curiosity, fear, ignorance and the speed at which we use our computers. Falling for a phishing scam might be as simple as missing a tiny hint that an email is fake.
One study found that about half of all organizations feel they made no progress in the past year in combatting phishing attacks and 21% felt they were actually backsliding.
The increase in phishing can make us feel helpless, but by far the most effective strategy in combatting these attacks is also one of the least expensive: security awareness training. Strangely enough, few companies have effectively implemented this step.
There is no silver bullet to prevent all cyberattacks, because even the best technology regularly fails to detect threats. That’s why the new security perimeter is you and your people. Building that human firewall is not as difficult as you may think.
Let's look at a few approaches.
One in five organizations admit to this as their strategy but the actual number is probably much higher. These companies equate minor outbreaks or no past events with security. They may think they're too small to be noticed by hackers, or overconfident about their technical security. Aberdeen Group put a hefty price tag on this strategy: there’s an 80% likelihood that infections caused by users will result in total costs of more than $2.5 million per year.
While it is important to be knowledgeable about the new threats and scams on the internet, this tactic is somewhat unmeasurable and ineffective. By the time your IT team sends an email to your employees about new ransomware variants or phishing scams, it could be too late. This tactic should be a component of your security training strategy but it can’t be the only one.
About 30% of organizations favor the break room approach. They gather as many employees they can in the break room monthly, quarterly, or annually, provide lunch and have someone from IT or a security expert lecture on topics such as phishing and ransomware. This is certainly better than doing nothing, but often attendance is low and listening can be lower, leading to little change.
Although 64% of Americans have experienced some form of data theft, they regularly neglect cybersecurity best practices. It’s time to teach your entire organization to treat corporate data as sacred, just as they would treat their own personal data. Armed with the right tools and training, you can make sure your last line of defense is a strong one.
We call the comprehensive security awareness training program the “human firewall approach,” and it has five main components, explained below.
Baseline testing. Get your phish-prone percentage by phishing your end users to understand how likely someone in your organization is to let the bad guys into your network.
Scheduled interactive training. Provide interactive training with phishing examples and quizzes to make sure all employees can recognize even the most advanced social engineering phishing scams.
Real-time training. Following a ransomware attack, one company quickly turned the event into a “lessons learned” training opportunity. Lazorpoint sent an email to all employees about the successful phishing scam and shared important tips on how to avoid getting infected. We also encourage clients to send suspicious emails to our Service Desk so we can mitigate risk and train our clients on new threats in real time, saving potentially millions in lost revenue from attacks.
Simulated phishing attacks. This keeps your people on their toes. When combined with regular training, your employees will be able to better recognize and react to threats in non-destructive ways. Falling for a simulated phishing scheme only costs embarrassment, and will motivate employees to inspect every email they receive.
Analyze results and make adjustments. Part of sending regular simulated phishing emails is to measure the effectiveness of the training. After implementing the interactive training plan, phishing victimization rates generally fall from the 10%-25% range to about 2%. Getting below that point is extremely difficult, but you can increase the difficulty of the tests to train employees on advanced phishing schemes and get them ready for anything and continue to protect your business.
Malicious software and cybercriminal tactics get more sophisticated all the time. Today, 91% of cyberattacks begin with a “spear phishing” email, which appears to come from a trusted source. While security technology is essential, you can’t rely on it alone. Malicious email that evades frontline defenses lead to what can be the weakest link in IT security: Your employees!
Significantly improving your organization’s defenses against cybercrime is quick and easy. An end-user phishing security test can show what percentage of your employees are phish-prone. In the wake of several large-scale ransomware attacks, Lazorpoint is offering a complimentary end-user security baseline test as described above. Sign up for yours today.