Phishing Fact #1
As a CISO, you are involved in the purchase of hardware and software that your team implements and then manages to protect your organization’s data and systems from cyber threats. Let’s be very clear here: all it would take to circumvent the expensive defenses you have put in place is for an employee to click on a malicious link in an innocent-looking email. The problem you face is that a) your employees are not fully aware of the consequences of these actions, b) they are probably not educated on what to look for, and c) criminals are becoming more creative with their phishing attempts. Just 2 weeks ago, I saw over 40 phishing attempts on a single email address that all got past spam filtering. Then, just last week, I was made aware of an email that appeared to come from someone inside our organization with a request to open a dubious file. Make no mistake, these threats will continue to increase in frequency and complexity. If this is true, then your employees are your first line of defense, and you need to drastically reduce the human risk factor with Security Awareness Training and real-time Phishing Simulations.
Phishing Fact #2
So where do you start? How can you drive the end-user behaviour change you require, raise security awareness effectively and meet your compliance obligations? The key is to reinforce the right behaviour while making the wrong behaviour a learning opportunity, using communication and reinforcement tools. A good place to start is by creating a set of common-sense policies that your employees should strive to follow. This will serve as the foundation for your Security Awareness Policy. Next, you need to build a complete Security Awareness Program including real-time Phishing Simulations and Security Awareness Training. To do so, you can rely on this proven Security Awareness 5-step Framework.
Step 1: Analyze
Step 2: Plan
Step 3: Deploy
Step 4: Measure
Step 5: Optimize
Looks real, feels real…
Your simulation campaigns should deliver emails that look and feel just like the ones your end-users receive today. They should appear to originate from inside and outside your organization, from both known and unknown sources. Your end-users have phones, tablets and social media accounts, so they need phishing training to be aware of the dangers these devices pose to their personal information as well as to the organization. Reporting will enable you to see, in real time, how well your end-users are catching and reporting phishing attempts; it will highlight areas that need more education and allow you to adjust as real phishing attempts continue to become even more sophisticated.
Everyone makes mistakes, so why not learn from errors made without causing a major breach in the process? By employing a Phishing Simulation Platform, your end-users can become phishing detection specialists, reporting suspected malicious links, documents, SMS messages and social media posts before someone clicks on the wrong link and you get that dreaded phone call. The ongoing benefits will only increase as your end-users start to apply what they learn to the use of their BYOD and personal PCs/tablets. Little things like:
- Protecting against Identity Theft by not using the same Password for every app on their smartphone, including corporate email.
- Understanding that the largest target for hackers is Valid Credentials.
- Applying the Clean Desk Principle by removing the post-it notes with logins & passwords from under the keyboard.
- Protecting your organization’s Intellectual Property, the same way they Protect their Payment Card Data.
- Recognizing Social Engineering, and enforcing Access Control and Physical Security to prevent folks piggybacking their way into your organization, by demanding that strangers provide their pass card and ID.
- Fully understanding your organization’s Information Classification policies and how they should manage the Information Lifecycle.
- Thinking of Privacy first and practicing Confidentiality on the web.
- Turning them into Mobile Users that Travel Securely.
Phishing Fact #3
As a CISO, one of your many roles is about influencing, stakeholder management, positioning and communication. You must walk that fine line of getting the board to think like you do. When you succeed, they release the funds and resources required for the security solutions you and your team are proposing. Next, and most importantly, you need to ensure that they see the benefit in what you are proposing.
During your quarterly executive meetings, clear and concise reporting will give you the confidence to accurately present your board with the latest condition of your largest attack surface. You will also be able to show them continuing improvement over time, because phishing training and continued testing are now a crucial part of your investment in securing your business growth.
Remain 2 steps ahead
No single security solution or phishing service can protect your organization 100% of the time, but if you leverage a multi-layered approach, with your employees as your first line of defense, and arm them with the confidence and ability to easily detect phishing attempts, you will greatly reduce your largest attack surface. Phishing attacks are only going to get more realistic and intelligent. You need to find The Human Fix to Human Risk™ and remain 2 steps ahead of the bad guys with a program that continually tests with phishing training, benefits from customized, multilingual simulations, and reports on end-user Security Awareness training that will help your organization avoid a breach.
Read the white paper PHISHING DEFENSE AND GOVERNANCE – How to Improve User Awareness, Enhance Controls and Build Process Maturity for additional insight.