Phishing is estimated to be the biggest current cyber security threat to organisations. This blog post explains what phishing is and how you can train your employees so that they do not fall victim to a phishing attempt.
Phishing is the sending of false emails with the intent of luring the recipient into giving away personal information or clicking a malicious link. The same thing done through text messages is called "smishing". "Spear phishing" is a phishing attempt that is targeted, focusing on specific individuals or organisations: the phisher tries to "spear" someone in particular.
False emails and text messages take many different shapes and have evolved drastically over the years.
In the past 10 years, phishing has gone from being a trap that only a few inattentive people fell into to a challenge that every company has to take seriously. In the beginning, phishing consisted of mass-produced emails full of spelling mistakes. Most of us remember emails from "Nigerian princes" offering large sums of money in exchange for our help moving their gold. They were easy to recognise.
Today, phishing emails are tailored to fool your specific employees. During the COVID-19 pandemic, for example, such tailored emails surfaced in which criminals posed as government agencies and the police.
To protect your organisation, it is of course important to understand the technical side of cyber security. Email filtering catches the majority of malicious emails and routes them into the spam folder. It is, however, equally important that your employees know how to handle the few phishing emails that make it through the filter and into their inbox.
A mistake by one employee can have consequences felt across the entire organisation, which is why employees can be the biggest source of security breaches. Conversely, aware employees can become one of the strongest elements of your cyber security defence.
The General Data Protection Regulation (GDPR) also covers security breaches, in particular those that involve a leak of personal data.
A successful phishing attack is therefore not only a cyber security matter but also a GDPR matter whenever it results in the loss of personal data, for example data about customers or business partners.
To turn employees into a strong cyber security defence, you need to train them, and the training has to be continuous because the threats are constantly evolving.
Employees can be trained in several ways. One is awareness training, where you teach employees how to spot and handle phishing emails, either through e-learning, classroom teaching or a mixture of both.
Another option is phishing simulations, where you deliberately send false emails to your own employees. This lets employees practise spotting false emails. It also lets you work out how your organisation should react when a phishing attempt is noticed: whom to contact and how to warn other employees. It is important that an employee does not simply delete the email without warning colleagues, since the same email has usually reached others in the organisation. A defence is built on such procedures. You can think of phishing simulations as small fire drills.
Awareness training and simulations can of course be combined, which in many ways is ideal. It is an opportunity to mix theory with practice, much like getting a driving licence. Knowing what a phishing email looks like makes no difference if you are not alert in your everyday work.
Everyone, of course, needs to start somewhere, and it is difficult to build a strong human defence in one sweep. An easy place to start is to distribute the three rules of thumb below among your employees. If they always keep these in the back of their mind when they receive an email, you improve the chance that no one clicks a malicious link in a phishing email.
Rules of thumb are good to have, but a threat as great as phishing requires continuous training, whether through teaching, simulations or other means. It is important that you do not ignore the threat.
The knowledge and awareness of your employees are crucial to your cyber security.
As described in this post, they can be built through awareness training, which teaches your employees about specific subjects, and through practical training, where you test employees with simulated phishing attacks.