The purpose of technical phishing defenses is to reduce the volume of threats that reach inboxes, but no control is 100% effective and some malicious emails will be delivered. Spam filtering can identify and block most phishing emails, firewalls can block communication between malware and its command-and-control (C2) servers, and web filters can prevent users from visiting known malicious websites. None of that removes the need to prepare the employees themselves, who are the last line of defense once a message lands in an inbox.
Anti-phishing solutions are effective at blocking standard, high-volume phishing attacks, but they are much less successful against spear phishing: targeted campaigns crafted for a specific individual or organization, which rarely match the patterns a filter has already seen. The most effective complement to technical controls is security awareness training. Phishing attacks target individuals, so it is essential that the workforce is trained and prepared for email-based attacks. Employees should be taught how to identify phishing emails, told exactly what to do when a suspicious email is received, and trained in security best practices.
All employees are likely to receive phishing emails, so training should be provided to the entire workforce. Do not forget the CEO and the board. Executives also need to improve their phishing detection skills and be taught security best practices; in fact, senior staff are the individuals most likely to be singled out for spear phishing because of the access and authority they hold.
When developing a security awareness training program, cover the basics first. Do not assume that everyone has a baseline of common sense and already knows not to open an .exe file attached to an email from an unknown sender.
Explain the risks of opening attachments or clicking links in emails from unknown senders. Instruct employees never to disclose sensitive information such as passwords via email, and train them to report suspicious emails rather than simply ignoring or deleting them. Consider implementing a one-click reporting tool as an email client add-on: when a suspicious email is received, the employee can flag it with a single click and the message, with its full headers and attachments, is routed to the security team for investigation.
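Reported messages pile up quickly once a one-click button exists, so the security team needs a first-pass triage step. The following Python script is an added example, not code from the original article or from any particular reporting product. It parses a reported message as RFC 822/MIME and flags the same indicators the training asks employees to look for: a Reply-To address in a different domain from the From address, executable attachments, and HTML links whose visible text is a URL that disagrees with the real target. The sample message and the list of risky extensions are constructed for the demonstration.

```python
"""Triage helper for emails reported via a one-click 'report phishing' button.

Added example (not from the original article). Parses a reported RFC 822
message and returns the indicators an analyst would want to see first.
"""
import os
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed list of attachment types that should never arrive from outside.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".ps1"}

# Matches <a href="...">text</a>; good enough for triage, not a full HTML parser.
HTML_LINK_RE = re.compile(r'<a[^>]+href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)


def _domain(addr: str) -> str:
    """Domain part of an email address, lower-cased ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message: str) -> dict:
    """Return sender, subject, a list of findings and a coarse priority."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    # Indicator 1: replies are silently redirected to another domain.
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(f"Reply-To {reply_to} is in a different domain from From {from_addr}")

    # Indicator 2: executable attachment (the '.exe in an email' case from the text).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in EXECUTABLE_EXTENSIONS:
            findings.append(f"executable attachment: {name}")

    # Indicator 3: link text shows one URL while href points somewhere else.
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is not None:
        for href, text in HTML_LINK_RE.findall(html_part.get_content()):
            shown = URL_RE.search(text)
            if shown and urlparse(shown.group(0)).hostname != urlparse(href).hostname:
                findings.append(f"link text {shown.group(0)} actually points to {href}")

    priority = "high" if len(findings) >= 2 else "medium" if findings else "low"
    return {
        "from": from_addr,
        "subject": str(msg.get("Subject", "")),
        "findings": findings,
        "priority": priority,
    }


# Constructed sample of a reported message: credential-phish with a lookalike
# Reply-To domain, a disguised link and an executable attachment.
SAMPLE_REPORTED_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: helpdesk@example-support.net
To: employee@example.com
Subject: Password expiry notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Reset it at
<a href="http://login.example-support.net/reset">https://sso.example.com/reset</a></p>
</body></html>
--XYZ
Content-Type: application/octet-stream; name="PasswordReset.exe"
Content-Disposition: attachment; filename="PasswordReset.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ--
"""

# Constructed benign message, to show the quiet path.
SAMPLE_BENIGN_EMAIL = """\
From: colleague@example.com
To: employee@example.com
Subject: Lunch?
Content-Type: text/plain; charset="utf-8"

Are you free at 12:30?
"""

if __name__ == "__main__":
    for sample in (SAMPLE_REPORTED_EMAIL, SAMPLE_BENIGN_EMAIL):
        result = triage(sample)
        print(result["priority"].upper(), result["subject"])
        for finding in result["findings"]:
            print("  -", finding)
```

In practice the script would be fed from the reporting add-on's mailbox or API rather than from inline strings, and the findings would be attached to the ticket so the analyst sees why a message was prioritised. The three checks are deliberately the same ones employees are taught, so the triage output doubles as feedback material for the next training session.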
Provide examples of real-world phishing attempts to show employees the different tactics cybercriminals use to steal data, take over email accounts, and install malware. Providing training is only the first step. Knowledge must then be tested in a safe and controlled environment. Consider sending security questionnaires to staff to find out how much they actually know about cybersecurity and how prone individuals are to phishing attacks.
Phishing email simulations are particularly valuable. They give the organization measurable data on its susceptibility to specific types of phishing attack, such as the proportion of recipients who clicked a link or submitted credentials, and they expose knowledge gaps that can then be addressed in further training sessions.
Security awareness training is about conditioning employees, and that cannot be achieved with a single annual session. To condition employees and turn them into security titans, it is necessary to run continuous training sessions and issue regular reminders so that the training stays fresh in mind.
As the security awareness training program matures, employees will become markedly better at identifying sophisticated phishing attacks, including the spear phishing emails that technical defenses are least likely to catch.