Can your employees identify a phishing attack?

This article first appeared on SC Magazine UK.

Phishing attacks are as popular as ever. According to report from PhishMe, 91% of cyberattacks start with a phish. And the primary reasons people fall victim to these malicious emails are due to curiosity, fear and urgency.[1] In today’s modern workplace, employees are driven by the urgency of deadlines and the fear of underperforming. This makes them the perfect victims for a phishing email.

In Q1 of 2017, the top organizations attacked by phishers were banks, payment systems, and online stores—categories that accounted for more than half of all registered attacks.[2] But by Q2, cyber-attacks were up by a quarter, with manufacturers bearing the brunt and phishing emails the most popular threat vector.[3] All that to say is, regardless of your industry you can be a victim, which is why security awareness training is more important than ever.

In this Q&A with Eldon Sprickerhoff – Founder and Chief Security Strategist at eSentire – we discuss the value of Security Awareness Training and common risks to look out for as your company grows. We also look at some of the most effective methods of disseminating Security Awareness Training to ensure employees understand and retain the information they’re taught.

What are the top 5 phishing tells used in most campaigns targeting businesses?

B2B spam remains a serious risk for companies. Whether it’s the information one has access to or the position they hold within a company, spammers sometimes prefer to target companies or individual representatives of large businesses rather than ordinary users. This is where proper security awareness training among employees is especially important. Here are 5 questions you should ask yourself if you think an email may be illegitimate:

1. The URL—if you hover over a link, does the URL match up with what it’s claiming to direct you to?
2. The content—are there an unusual amount of spelling and grammar mistakes?
3. The ask—is the email asking for personal information?
4. The offer—does it seem realistic…or is it too good to be true?
5. Your gut—does anything seem suspicious about the email? If you feel even the slightest hesitation, you’re probably right.

Knowing how to identify a phishing email is extremely important, but it is the just the beginning. Security Awareness Trianing highlights a number of different tactics used by cybercriminals and how to defend against them. Training is important to any individual that has access to a company data, so for most companies, that means everyone. Keep in mind though, those in HR and finance are particularly susceptible as they have access to financial and employee information.

It’s important to remember that employee education will reduce the risk of a cyber breach; however, it won’t stop criminals from trying. Providing ongoing education and training to employees is the best way to protect your business in the fight against cybercrime.

How does virtual training compare to in-person?

While online training is the more modern approach, there is sometimes still a place for in-person training. In-person training allows for direct interaction with instructors, which can be more engaging for some people. The content can also be customized more easily depending on the needs of the employees. Unfortunately, this method is often more expensive and is usually offered as a “one time thing.”

On the other hand, online training allows for consistency of messaging while being cost-effective and easily duplicable. However, with online courses, employers may need to seek out a training program that is more than a “one time thing”. Solitary, online training can sometimes be unmotivating, so it’s important the training program is engaging and its completion is enforced.

Ultimately, employers need to choose the training method that is best for their employees and company. Either method can be effective – the important part is providing the training.

What else can you share about training employees to be more aware and secure online?

Cyber risks can take on a variety of forms from phishing attacks to social engineering to ransomware, etc., and it affects businesses of all sizes. However, as your company grows and expands, there are certain risk factors to look out for.

1. If you’ve grown your business beyond 20 employees, you’ve likely outgrown your security processes and you’ll need to revaluate where your threats lie.
2. The family atmosphere and personal trust often found in small, close-knit businesses can remain; however, that doesn’t mean everyone needs access to your backend information if their job description doesn’t warrant it.
3. Insider threats are always a possibility. Employees experiencing hardships—financial, health related or otherwise—can be susceptible to taking part in insider cybercrimes. If they’re the ones who have access to your data, you may want to consider how you’re protecting your business from this risk too.
4. Insure your assets from the ground up – just like insuring your car, home or life, your business needs protection from its threats too. Consider risk protection and liability coverage but recognize that insurance is not a panacea.
5. Work with a broker well-versed in cyber risk who can help your organization understand its overall threat levels, address insufficiencies to mitigate the risks and leverage insurance coverage for any risks to your business.

The truth is, it’s not a matter of if cyber-attacks will happen to your business, but when. Fortunately, as we’ve outlined, there are a number of prevention strategies you can use to protect your business and employees from the damaging effects of a cyber breach.

Learn more

eSentire Advisory Services provides comprehensive security expertise, delivering valuable insights and strategic direction to all levels of your business, from the IT department to the boardroom. Learn more about eSentire’s Advisory Services here.