There is no more effective initial attack vector than phishing. With the ability to reach well within your organization’s logical perimeter, all the way down to an individual user’s Inbox, with some form of malicious content, phishing has proven to be a persistent challenge for organizations working to maintain a proper security stance.
On top of this, phishing attacks have some pretty impressive accolades:
The exponential growth seen this year in phishing attacks and their success is extremely dangerous when combined with operational shifts: users working from home, using personal devices, and lowering their sense of corporate vigilance as part of trying to find a work/life balance. Social engineering techniques such as domain, brand, or user impersonation augment the credibility of phishing scams at a time when users’ defensive vigilance is at an all-time low.
The current state of cyberattacks, combined with the widespread lack of cyber-readiness, dictates that your organization elevate its security stance by making its users more aware of phishing attacks, the methods used, and the repercussions of a successful attack.
First off, it’s important to differentiate phishing awareness from security awareness. Security awareness programs and training seek to create a security culture within an organization – of which being aware of phishing attacks plays a part. Phishing awareness is laser-focused on the what, why, and when of phishing attacks and how to avoid becoming a victim.
Phishing attacks utilize a number of mediums, leveraging common tactics to get potential victims to respond in the desired fashion. Some of the mediums include:
It may seem logical that larger organizations, or companies subject to data regulation laws, will have more security solutions in place, minimizing the chance of a phishing attack reaching its intended victim. And at the other end of the spectrum, smaller organizations are assumed to have less budget and expertise to implement as strong a defense as their larger counterparts.
But in actuality, organizations of every size and vertical are targets of phishing attacks daily. Like any legitimate product or service, there are many businesses that focus on specific geographies, org sizes, industry verticals, etc. It’s the same for cybercriminal organizations engaged in phishing attacks; they each have a target demographic they’re really good at attacking.
And every organization has the same problem when it comes to stopping phishing attacks: their users. Users that aren’t aware of phishing attacks are doomed to fall for them. In a recent poll of 1,000 users in the U.K., 95% of them failed to identify 10 pretty-obvious (in my opinion) email-based phishing scams. In essence, your users need to be trained.
There are two really important parts to phishing awareness training – awareness education and phishing testing. Solutions designed to improve a user’s phishing awareness begin by educating them on what phishing is, which communication mediums are used, what phishing attacks look like, which social engineering tactics are used, and how to spot a scam a mile away. This is generally most effective when done online, but some organizations do classroom-based training, and even breakroom-based training.
Once users are trained, it’s time to see if they were paying attention. Creating simulated phishing campaigns – ones that are benign in their impact but use the same techniques and tactics as their malicious counterparts – is an impactful way to see where the user layer, as it were, of your security is weakest. Solutions providing phishing awareness training usually have some form of phishing testing functionality as well. Phishing testing creates a feedback loop for determining the effectiveness of the training.
It’s important to note that phishing isn’t going anywhere; the bad actors know it’s an extremely effective way to attack your organization. And recent data shows they’re getting better at their craft, with more sophistication and frequency in their attacks. So it’s critical that you improve your security posture as well. Phishing awareness training is a key component to that end.
About the Author: Nick Cavalancia
Nick Cavalancia is a Microsoft Cloud and Datacenter MVP, has over 25 years of enterprise IT experience, is an accomplished consultant, speaker, trainer, writer, and columnist, and has achieved industry certifications including MCSE, MCT, Master CNE, Master CNI. Nick regularly speaks, writes and blogs for some of the most recognized tech companies today on topics including cybersecurity, cloud adoption, business continuity, and compliance.