This article concludes K2 Integrity’s mini-series promoting the importance of Cybersecurity Awareness Month. Throughout October, we have been providing tips and solutions to organizations to commemorate the 20-year anniversary of the initiative. This year’s focus is on creating strong passwords and using a password manager, enabling multi-factor authentication, updating software, and recognizing and reporting phishing attempts—best practices for cyber security that can be emphasized all year.
This fourth article highlights the importance of training and providing guidance to employees in the methods that cyber criminals use to manipulate people into responding to phishing emails and the dangers that these attempts pose to organizations.
Securing Digital Assets by Identifying, Avoiding, and Reporting Phishing Attempts
“Think before you click” is a mantra that many organizations repeat to their employees. Phishing emails remain one of an organization’s main risks because a certain percentage of malicious emails will elude an organization’s mail filters—leaving employees as the last barrier between a company and cyber criminals. How can organizations educate employees to recognize and report phishing attempts?
- Provide a security awareness program for all staff. Organizations’ most effective anti-phishing filters are employees who have been trained to identify, avoid, and report phishing emails. Organizations should educate all employees—including executives and contractors—on phishing awareness and other digital security best practices. Rather than offering once-a-year training that repeats the same material as previous years, leading organizations implement a Security Awareness Program that uses continuous communication to appeal to employees’ different interests and learning styles. A mix of live classes, online modules, newsletters, and simulations can help employees apply cyber best practices to both their personal and professional lives.
- Emphasize the dangers of phishing. Phishing emails remain a top cyber risk for organizations. As phishing emails become more sophisticated, spotting red flags is getting harder. Train employees to respond methodically to suspicious emails by checking sender names and email addresses, link URLs, and types of requests, and by calling or texting the purported sender before responding.
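The checks this item asks employees to make by hand (sender name versus real address, where replies go, the host a link shows versus the host it opens, pressure wording) can also be run as a first-pass triage aid by whoever receives reported emails. The script below is an added example written for this article, not code from K2 Integrity; the trusted-domain list, the `example-corp.com` names, and both sample messages are constructed for the example.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the organization's real mail domains
PRESSURE_WORDS = ("urgent", "immediately", "verify your account", "password", "wire")
HOSTLIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def text_body(msg):
    """(content type, decoded text) of the HTML part if present, else the plain-text part."""
    parts = [p for p in msg.walk() if p.get_content_type() in ("text/html", "text/plain")]
    parts.sort(key=lambda p: p.get_content_type() != "text/html")  # HTML first
    if not parts:
        return "", ""
    raw = parts[0].get_payload(decode=True) or b""
    return parts[0].get_content_type(), raw.decode(parts[0].get_content_charset() or "utf-8", "replace")


def phishing_red_flags(raw):
    """Return one 'CODE: detail' string per red flag found in a raw RFC 822 message."""
    msg = message_from_bytes(raw)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    if from_domain not in TRUSTED_DOMAINS:
        flags.append(f"SENDER_DOMAIN: '{from_domain}' is not a company domain")
    # A display name that carries a *different* address is a common spoofing trick.
    shown = re.search(r"[\w.+-]+@[\w.-]+", name)
    if shown and domain_of(shown.group(0)) != from_domain:
        flags.append(f"NAME_MISMATCH: display name shows '{shown.group(0)}', real address is '{addr}'")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        flags.append(f"REPLY_TO: replies go to '{domain_of(reply)}', not '{from_domain}'")
    ctype, content = text_body(msg)
    if ctype == "text/html":  # compare the host a link *shows* with the host it *opens*
        collector = LinkCollector()
        collector.feed(content)
        for text, href in collector.links:
            m = HOSTLIKE.match(text)
            shown_host = m.group(1).lower() if m else ""
            real_host = (urlparse(href).hostname or "").lower()
            if shown_host and real_host and shown_host != real_host:
                flags.append(f"LINK_MISMATCH: text says '{shown_host}' but link opens '{real_host}'")
    hits = [w for w in PRESSURE_WORDS if w in content.lower()]
    if hits:
        flags.append("PRESSURE: " + ", ".join(hits))
    return flags


# Constructed sample messages (not real mail).
SUSPICIOUS_EMAIL = b"""\
From: "Jane Doe (jane.doe@example-corp.com)" <j.doe@example-corp-mail.com>
Reply-To: <helpdesk@mailbox-reset.test>
To: staff@example-corp.com
Subject: Urgent: password expires today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Verify your account immediately:</p>
<p><a href="http://login.example-corp-mail.com/reset">https://portal.example-corp.com/reset</a></p>
"""
CLEAN_EMAIL = b"""\
From: "Jane Doe" <jane.doe@example-corp.com>
To: staff@example-corp.com
Subject: Lunch menu for Friday
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

The cafeteria menu for Friday is posted on the intranet.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, "->", phishing_red_flags(raw) or ["no red flags"])
```

Each flag maps to one of the manual checks in the item above, so the output can be handed back to the reporting employee as feedback on what they spotted and what they missed. The word list is deliberately small; in practice it is a starting point, not a filter, and the trusted-domain set must match the domains the organization really sends from.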
- Educate employees on the variety of methods employed by cyber criminals. Cyber criminals use manipulation and other social engineering techniques to try to trick employees into taking an action (e.g., clicking a link) or sharing information (e.g., a password). Phishing emails with malicious links are still a common form of social engineering, but cyber criminals are increasingly using pretexting or business email compromise (BEC) emails, as well as text messages, QR codes, phone calls, and direct messages in social media and online games. Organizations should train employees to identify, avoid, and report all types of attempts.
- Conduct internal phishing campaigns. Organizations can reinforce information security policies and training with simulated phishing campaigns. Challenge employees with exercises that mimic real-life techniques used by hackers to try to penetrate a network, such as emails with links that open a network sign-in page, BEC emails that appear to be from an executive, phone calls that simulate IT Support, and other realistic exercises. All users should be included in these campaigns—if they can access the network, even just through an email account, then they pose a risk to the organization, making them a target of cyber criminals.
- Encourage good cyber-hygiene habits on social media. An employee who overshares on social media can negatively impact an organization. Cyber criminals collect information from social media and other public online sites to target an organization’s employees. Anyone with access to the organization’s network can be targeted—not just executives—so everyone should be wary of how their online information can be used against them and the organization. Help employees understand that the more they post about themselves, the easier it is for hackers to target them.
- Establish guidelines for the use of personal email accounts. Using a personal email for work correspondence (or even cc-ing a personal email address) can make it difficult for colleagues to determine if an email from a purported personal account is valid or if it’s a phishing email. If a cyber criminal were to send a spoofed (or fake look-alike) email posing as an employee, prior use of a personal account may mean that recipients let down their guard and respond with confidential information. If the use of personal email is required for business purposes, consider establishing and advertising business rules around its use. For example, if an employee must send a work-related email from a personal account, they should advise colleagues by phone call or text to expect it.
- Ensure employees are familiar with reporting channels. Knowing what should be reported—and whom it should be reported to—ensures that, if a security incident needs to be reported, employees will contact the correct channel. Advise them to report suspicious emails, phone calls, and other security incidents. Emphasize that if an employee has responded in any way—clicked on a link, opened an attachment, typed a password, or even replied—to an unexpected or suspicious email, they should report it immediately.
Throughout the year, organizations can follow cybersecurity best practices by establishing strong barriers to entry—creating long, unique passwords, enabling multi-factor authentication, regularly installing updates, and training employees on the dangers of phishing—to help keep their confidential information and their employees safer and more secure online.