#CyberMonth: How to Promote a ‘Think Before U Click’ Culture
Phishing remains one of the most common and effective forms of cyberattack. This vector has exploded since the start of the COVID-19 pandemic, fueled by increasing reliance on digital communications and numerous emotional events that served as effective bait. In February 2022, Proofpoint research found that more than nine in ten (91%) UK businesses were successfully compromised by an email phishing attack in 2021, underscoring the vector’s continued potency.
Such compromises can present companies with major problems. “When phishing is used to steal credentials, it opens up a world of opportunity for cybercriminals and a world of harm for the individual or organization targeted,” said David Richardson, VP of Product Management at Lookout. “With one set of credentials, attackers can then attempt to log into a number of popular cloud-based services such as Microsoft365, Google Workspace, AWS, Salesforce, etc. Once they successfully log into one of these accounts, they can move laterally within an organization and find highly sensitive and valuable information that they either encrypt for ransom or exfiltrate to sell on the dark web.”
Although there are a growing number of security tools designed to prevent phishing messages from reaching recipients, the core of this problem remains a human one. Therefore, a focus on awareness training is key to combating this ongoing scourge. Too often, however, organizations only pay lip service to training in this area, for example by setting up annual phishing simulations and other box-ticking exercises.
For this reason, phishing is one of the main focuses of this year’s European Cybersecurity Month, under the motto “Think Before U Click!”, which emphasizes the need for users to be equipped with the knowledge necessary to avoid falling into attackers’ traps.
Here are five steps companies can take to improve their phishing training for greater employee engagement and effectiveness.
Explain why
In addition to highlighting how employees can identify and respond to potential phishing emails, it’s also important for organizations to explain why these actions are necessary. In an October 2022 interview for the IntoSecurity Podcast, Jessica Barker emphasized the importance of ensuring awareness messages are relevant to people’s lives, making them much more likely to adhere to recommendations. “Rather than telling people what to do or not to do, it’s much more helpful to frame why we’re making these recommendations in context,” she noted.
This principle can also be applied to specific training activities. Javvad Malik, Lead Security Awareness Advocate at KnowBe4, commented, “The security team should be open and let their colleagues across the organization know why they are performing mock phishing and how it benefits everyone overall. Getting people to understand the reasoning behind an activity can significantly reduce resistance.”
Short but often
Organizations should carefully consider the effectiveness of the delivery and frequency of training. For example, research has shown that “microlearning,” short modules of five to 10 minutes, significantly improves retention compared to single long sessions of up to an hour. These bite-sized sessions are also much easier to fit into employees’ busy workdays.
As such, experts believe brief but frequent phishing training courses are most effective in ensuring messaging sticks and behavioral changes are made. Malik said: “Organizations don’t have to try to boil the ocean all at once by giving long do’s and don’ts training sessions. Instead, they can focus on a few high-risk behaviors and use small, engaging content that reinforces the message more often. Ultimately, it’s about behavior change, not about turning people into security experts. So if the desired behavior can be reinforced through messaging, it can lead to better outcomes.”
Teach cynicism
Cynicism isn’t always the best trait in life, but in cybersecurity it’s often crucial. A basic attitude that should be instilled in employees is to be suspicious of certain types of email and not to be hasty in replying to them. This is recognized in this year’s Cybersecurity Month theme, Think Before U Click. Lookout’s Richardson said, “Phishing attacks have evolved in technique and sophistication, but the basic approach of creating a sense of urgency or impersonating a trusted figure or authority has remained fairly constant. If you are contacted in this way, it is important to step back, assess the situation and find alternative ways to validate the request.”
Phishing messages are generally intended to create a sense of urgency or panic by focusing on tense or worrying issues such as COVID-19 and calling for immediate action. Tal Memran, Cybersecurity Expert at CYE, explains: “The content of the email is often worded in a way that puts pressure on the recipient, meaning that if you don’t reply within a certain time limit, you will be denied access.”
Other suspicious signs highlighted by Memran are when the email contains an attachment with intentional instructions on how to open it, and when the body of the message contains a link, “usually an abbreviated one that you can click, and in most cases it would be asking for a set of credentials.”
There are a number of measures that can be taken to assess the validity of this type of message. One is to verify the domain the email is coming from, which often tries to impersonate well-known brands. “Check the domain carefully for intentional typos,” advised Memran.
Other simple techniques include hovering over any links contained in the email to see whether the link actually points to a legitimate website. The destination can also be cross-referenced using a reputable search engine.
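To show the checks described above in code (inspect where a link really goes rather than what its text shows, look for deliberate typos in a brand’s domain, and be wary of shortened links), here is an added Python example that is not from the article or from any vendor quoted in it. It scans a constructed HTML email body; the trusted-brand list, the shortener list, the two-edit threshold and the sample domains are all assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allow-list of brands the organisation expects mail from (illustrative).
TRUSTED_BRANDS = {"microsoft.com", "google.com", "amazon.com", "salesforce.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # a hover check cannot see past these

# Constructed sample email body; the domains below are illustrative, not real indicators.
SAMPLE_BODY = """
<p>Your account will be locked in 24 hours. Verify now:</p>
<a href="https://login.micros0ft.com/verify">https://login.microsoft.com/verify</a>
<a href="https://bit.ly/EXAMPLE">Update billing details</a>
<a href="https://www.microsoft.com/support">Microsoft support</a>
"""
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def registrable(host):
    # Crude "brand.tld" extraction (last two labels); enough for the brands above.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def edit_distance(a, b):
    # Levenshtein distance: "micros0ft.com" is one edit away from "microsoft.com".
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_link(href, text):
    """Return the reasons this link deserves suspicion (empty list = nothing found)."""
    findings = []
    target = registrable(urlparse(href).hostname or "")
    if target in SHORTENERS:
        findings.append("shortened link hides the real destination")
    # Link text that looks like a URL while the href goes elsewhere (the hover check).
    shown = re.match(r"https?://([^/\s]+)", text.strip())
    if shown and registrable(shown.group(1)) != target:
        findings.append(f"text shows {registrable(shown.group(1))} but href goes to {target}")
    # Domain within two edits of a trusted brand but not the brand itself (typosquat).
    if target not in TRUSTED_BRANDS:
        for brand in sorted(TRUSTED_BRANDS):
            if edit_distance(target, brand) <= 2:
                findings.append(f"{target} looks like a typo of {brand}")
    return findings

def scan_email(body):
    """Map every href in the HTML body to its list of findings."""
    return {href: assess_link(href, text) for href, text in ANCHOR_RE.findall(body)}
```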
Straightforward reporting processes
Reporting potential phishing messages should be as easy as possible and require no more than a click of a button. “If people need to fix a problem or call someone or otherwise do something that causes them inconvenience, they don’t get caught,” noted KnowBe4’s Malik.
The security team should then provide confirmation after a suspicious message is reported, whether it turns out to be a phishing attack or not. This helps encourage vigilance going forward and gives employees an understanding that their contributions are helping the organization. Malik added: “The security team should provide feedback when a person reports an issue. Even if it’s a false positive, thanking the person encourages greater engagement in the future.”
Record phishing attacks
To increase employee awareness and understanding of phishing, security teams should publicize attempts discovered within the organization following employee reports. Memran said: “Regularly inform your employees about well-known and used phishing campaigns to increase their alert level for suspicious emails.”
This includes circulating the email itself as an alert to employees once it has been confirmed as malicious, to ensure they are on the lookout for the same type of message. “Phishing schemes often target multiple people in an organization. So if you let colleagues know what to look out for, it can be easier to spot and stop phishing,” commented Paul Bischoff, Comparitech’s consumer protection officer.
This approach also makes it possible to keep records of phishing techniques, potentially allowing for deeper analysis of trends in this area to continuously update and improve awareness training.