With all the talk about walls, we forget the most important one for every business: the Human Firewall. What is this Human Firewall? It consists of every employee and contractor who works within your network and who is being targeted by dedicated, nefarious hackers trying to get access to your bank account or intellectual property.
Are you suggesting more cybersecurity training?
Not necessarily more, but better. “Better” means training accompanied by real-time phishing testing, utilizing simulations of phishing emails, giving the employees an opportunity to practice what they learned in the training modules.
Better Security Awareness Training & Testing
- Plan – Prepare by selecting a phishing test tool. To maximize effectiveness, plan a series of campaigns that will test all employees in progressively more complex scenarios. Phishing techniques evolve constantly, so employees need to think about why they should or should not reply to an email, based on the training they have received. As part of this phase, create an email address to which employees should forward suspicious emails for review, such as suspectmail@ourcompany.com
- Train and Notify – Conduct computer-based training (CBT) or in-person sessions – we prefer in-person for Senior Management and Board Members – educating participants on phishing and what to look for. Let them know that you will be conducting ‘fire drill’ testing by sending emails that use different techniques to attempt to ‘phish’ them.
- Engage – This is where HR becomes a central player, engaging Managers and/or employees in key positions to increase participation and engagement by all. Additionally, these key employees can help you build campaigns around scenarios relevant to your company, business, and people. For example, if you get an email from someone you’ve never heard of asking for your credentials, chances are you won’t reply, but what if you get the same email from your boss’ email address? What if you get an email about a specific project? Hackers use any information in the public domain to try to trick people into replying to phishing emails.
- Testing – As mentioned above, campaigns, or simulations, should be delivered periodically over time, at increasing levels of complexity and using different angles of approach to request information from employees. For example, requests for bank information or transfers sent to accounting employees, or requests for passwords to a specific system – keep to credible scenarios that would endanger specific assets of your company.
- Reporting – As with all interventions, feedback is essential. Make sure the tool you are using provides you with robust reporting on specific employees, departments, or groups so that you can target your campaigns at any specific issues related to individuals who will require more practice. Tracking the right metrics will help you identify the areas to focus on: click rates, the number of employees who leak sensitive data, and the number of employees who correctly reported the email are the most important ones.
- Providing Feedback to employees – Reward the high performers and provide additional training for low performers. Make taking care of company assets part of your culture rather than another box to check in your daily to-dos. Also remind employees that this will help protect their personal assets, making them less likely to be victims of identity theft by phishing.
- Now what? Continue running campaigns as part of your now “Better” Program. Keep scenarios changing slightly to make sure they continue to be relevant. Manage your phishing mailbox well, providing timely feedback to employees who correctly identify phishing emails. Review reporting results and consult your phishing test tool provider for latest trends to stay current on your campaign design.
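To show how the Reporting step’s metrics (click rate, employees who leaked data, employees who correctly reported) can be pulled out of a simulation’s results per department, and how the individuals needing more practice in the Feedback step can be listed, here is an added example that is not part of the original post or of any particular phishing test tool. The record layout and the sample campaign data are constructed for illustration; real tools export their own formats.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One recipient's result in a simulated phishing campaign (hypothetical fields)."""
    employee: str     # pseudonymous employee id
    department: str
    clicked: bool     # followed the simulated link
    submitted: bool   # entered credentials/data on the landing page (a 'leak')
    reported: bool    # forwarded the mail to the suspicious-mail review address


# Constructed sample results for a single campaign.
CAMPAIGN = [
    Outcome("e001", "accounting", True, True, False),
    Outcome("e002", "accounting", True, False, False),
    Outcome("e003", "accounting", False, False, True),
    Outcome("e004", "engineering", False, False, True),
    Outcome("e005", "engineering", False, False, False),
    Outcome("e006", "engineering", True, False, True),
    Outcome("e007", "executive", True, True, False),
    Outcome("e008", "executive", False, False, True),
]


def department_metrics(outcomes):
    """Per-department click rate, count of data leaks and count of correct reports."""
    groups = defaultdict(list)
    for o in outcomes:
        groups[o.department].append(o)
    metrics = {}
    for dept, rows in groups.items():
        n = len(rows)
        metrics[dept] = {
            "recipients": n,
            "click_rate": sum(o.clicked for o in rows) / n,
            "leaked": sum(o.submitted for o in rows),
            "reported": sum(o.reported for o in rows),
        }
    return metrics


def needs_more_practice(outcomes):
    """Employees who leaked data, or who clicked and did not also report the mail."""
    return sorted(o.employee for o in outcomes
                  if o.submitted or (o.clicked and not o.reported))
```

Someone who clicked but then reported the mail (e006 above) is treated as a learning success rather than a failure, which is why the report count matters alongside the click rate.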
Phishing attacks have become far too common and more difficult to detect, but with a strong cybersecurity program including phishing testing, you can improve your chances, so you don’t become a victim.