Go Phish
When performing a phishing test, we often come across two questions: “With the special conditions placed for a phishing simulation, would this happen in a real-life scenario?” and “What measures could we include in addition to the training we currently provide?”
It’s a familiar truth: “you’re only as strong as your weakest link.” As we have all read, many cyber breaches begin with a simple, sneaky phishing attempt. Technology is not foolproof. New vulnerabilities appear all the time, emails sometimes get misclassified, and, let’s face it, some users have permissions they should not.
Any good defense is multi-layered. Technology is one layer, but phishing training should be the very first. It teaches the basics: Is this email from someone I trust? Does the sender’s email address seem legitimate? Where does the link really go? And what is the purpose of the email?
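The four basic questions above can also be checked mechanically. The following is an added example, not code from the original post: a small Python script that parses a constructed sample email and flags two of those red flags automatically, a sender display name that claims a brand whose real domain does not match the sending address, and a link whose visible text names one site while its `href` points to another. The brand-to-domain table, the sample message, and the `find_red_flags` function are all assumptions made for the demonstration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed table of brands and the domain they really send from (constructed).
BRAND_DOMAINS = {"example bank": "example-bank.com"}

# Constructed sample message, not a real phish: the display name and the
# first link's visible text look trustworthy, but the sending address and
# the actual href point at a look-alike domain.
SAMPLE_EMAIL = """From: "Example Bank Support" <support@example-bank-alerts.net>
To: user@example.com
Subject: Action required on your account
Content-Type: text/html

<html><body>
<p>Please sign in at <a href="http://login.example-bank-alerts.net/verify">https://www.example-bank.com/login</a>
to confirm your details.</p>
<p>Help: <a href="https://www.example-bank.com/help">www.example-bank.com/help</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Good enough for the demo; a real tool would consult the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_or_text):
    """Hostname from a URL or bare 'www.site.com/path' text; None if the text is not URL-like."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    host = urlparse(s).hostname
    return host if host and "." in host else None


def find_red_flags(raw_message):
    """Return human-readable red flags found in the raw RFC 822 message."""
    msg = message_from_string(raw_message)
    flags = []

    # Red flag 1: "Is this from someone I trust?" The display name claims a
    # brand, but the address domain is not the brand's known domain.
    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    for brand, legit_domain in BRAND_DOMAINS.items():
        if brand in display_name.lower() and sender_domain != legit_domain:
            flags.append(f"Sender claims to be {brand!r} but mail comes from {sender_domain}")

    # Red flag 2: "Where does the link really go?" The visible text names one
    # site while the href goes somewhere else.
    collector = _LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        text_host, href_host = host_of(text), host_of(href)
        if text_host and href_host and registrable_domain(text_host) != registrable_domain(href_host):
            flags.append(f"Link text shows {text_host} but points to {href_host} ({href})")
    return flags


if __name__ == "__main__":
    for flag in find_red_flags(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```

Running the script prints two red flags for the constructed message: the sender domain mismatch and the mismatched login link, while the help link, whose text and target agree, is left alone. The same checks are what training asks users to do by eye; automating them is a complement to training, not a replacement, since a message with a plausible sender and plain-text links passes both checks.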
But what else can we do if we have already implemented some form of training? Here are some ideas to incorporate into your training program:
- How often is the training performed, and does it always happen at the same time of year? Repeating the training and randomizing its dates will keep users on alert.
- Fully explain what would happen if there was a successful breach due to phishing. Sometimes users don’t understand the effects of what could happen other than “I just clicked a link.”
- Relate how it would affect the user personally. Chances are they have received similar emails on their personal accounts, and the effect could be the same regardless of whether it was a company or a personal email.
- Incorporate a reward for those who perform well during training, or change the format to be more like a game. Training is, well, training, so think of ways to keep users interested!
- If you have a newsletter, incorporate a phishing awareness section. A constant presence will keep the message at the forefront of users’ minds.
- From time to time, email users a phishing alert when a particular type of phish is circulating in unusually high numbers, or around dates such as the holidays when phishing attempts occur more often.
In the end, it’s all about staying alert and spotting those red flags before it’s too late!