With an unprecedented disruption to normal life and a rapid uptick in remote workers, we’re seeing a noticeable increase in phishing threats and attempts as bad actors play off COVID-19 fears. Over 91% of cyberattacks start with a phishing email and phishing accounts for more than 80% of reported security incidents.
Thankfully, preventing damage and dollars lost from phishing isn’t complicated, but it does require a plan. At a basic level, I recommend structuring an enterprise phishing program around 4 main activities: educate users, test users, implement controls, and create reporting mechanisms.
Within any organization, there exists a broad range of individuals representing varying levels of technological savvy – you can’t assume everyone is aware of what phishing looks like. As a first step, it’s helpful to educate employees of the risk phishing presents and share common tactics used by bad actors. Once a basic level of awareness exists, you can further inform the workforce of plans to prevent phishing and how they can help.
Just like in school, after the lesson comes the test. By creating a mock phishing attempt, security professionals can boost employee awareness in a controlled environment while building a baseline metric for what percentage of the organization was successfully phished. Real-time phishing simulations have proven to “double employee awareness retention rates versus traditional cybersecurity training tactics.”
Critics cite employee distrust as a potential con of this practice, but, when done properly, employees are informed of the plan and purpose of the simulated attempt. The goal isn’t to trick anyone, but rather to strengthen their natural intuition and build the habit of alerting attempts.
Many preventative and detective technological controls exist to help reduce the number of attempts that even make it in front of an employee. Here are a few worth considering:
Giving employees the ability to report phishing attempts empowers them to proactively participate in enterprise security programs. There are easy-to-install reporting buttons that interact natively with common email platforms like Outlook and Gmail.
Phishing is the most common form of cybercrime, but enterprises can bolster their defenses by implementing a plan that educates users and tests their awareness of fake phishing attempts, creating technological controls, and automating a mechanism to share phishing attempts.
Not sure on your next step? We'd love to hear about your business challenges. No pitch. No strings attached.