Just like throwing out a fishing line into the water, a phisher waits for just the slightest nibble before pouncing on a network.
Eyal Benishti, CEO of IronScales, says the way to cut off the phishers food supply is to first go to the core of the issue: employee awareness. The CEO notes that cybercriminals by nature are lazy. “If your organization is a tough nut to crack, they will move on to find more low-hanging fruit,” Benishti says.
According to the Verizon data breach investigation report published earlier this year, phishing remains a major data breach weapon of choice. Trend Micro added that ransomware is expected to be one of the biggest threats in 2016 and that a single ransom demand will go much higher, reaching seven figures.
Here are some recommendations Benishti has for enterprises:
1. Launch phishing simulations
Running phishing simulations followed by ad hoc, gamified training is a proven tool to increase awareness and reduce risk.
Repeat the process at least once every two months - changing behavior is a process. Training is important, but continuous assessment is even better to set the right mindset.
2. Use gamification as training methodology
Let’s admit it, people hate training. They are sick and tired of videos and training wizards with boring slides and bullets. Meanwhile, for the security managers, it’s not really measurable.
This is why interactive training or ‘gamification’ is much more engaging. Plus, people love to get high scores to collect awards, so why not?
Create fun and interactive games to deliver your messages!
3. Definitely include your senior management
They are main targets, especially for spear and whale phishing. Make no exceptions. Publicly promote their participation. It’s a good example for the rest of the company.
4. Use real-life examples
It’s best to hit your employees with emails they might actually receive. Change difficulty levels and start from the ground up. Don’t expect people to understand advanced phishing examples from day one. Teach them step by step on both phishing scenarios and training modules.
5. Enforce training, and follow employee progress
To make it effective, employees must understand this is serious. They need to be reminded if they ditched the training. It’s your job to make sure they like it. It’s all about the messaging. They need to understand that they have a critical role in protecting the company and its assets.
6. Encourage ongoing phishing reports
Make sure each and every employee knows how to report back to the security team about suspicious emails. Many people tend to believe that the technology on premise will automatically stop all malicious emails and attachments for them. Make sure they understand that they are an active line of defense.
Phishing is the No.1 vehicle used by cyber criminals to deliver malicious software to your organization. The level of sophistication is increasing dramatically so traditional defenses are lagging behind. Make sure people are aware of the risk and well trained to spot and report it as it happens.