Phishing attacks have been around for just about as long as email, yet employees still regularly fall for them. According to the U.S. Federal Bureau of Investigation, roughly 90% of data breaches occur on account of phishing, and those attacks have increased approximately 400% since the start of the COVID-19 pandemic. Assessing and reacting to risk is one of the most important things people deal with, but in reality most are not equipped to do it well.
Phishing emails or text messages (known as “smishing”) are carefully designed by cybercriminals to manipulate people’s emotions, bypassing their common sense and tapping into unconscious biases. Humans are practically hardwired to fall for them. Traditional efforts to combat these attacks rely on multiple layers of technology and strategies to block these emails entirely, and they simply don’t work. However, what if we tried to truly understand why people fall for phishing so that we can protect them? Here are some things that every enterprise can incorporate into its security awareness program to cut down on human risk.
5 Tips for Every Security Awareness Program
#1 Train employees to thoughtfully slow down.
Phishers want users to make fast, unthinking decisions. To make this happen, phishing emails often appeal to a person’s mental shortcuts, such as making a communication appear to come from someone they know or from a person in authority, or creating a sense of urgency. Tailored emails are now the norm in phishing attempts, so employees need to be taught to slow down, verify sender email addresses, and avoid clicking any links directly in an email until they know that the communication is legitimate.
#2 Help employees understand their vulnerability to attacks, and provide frequent training and advanced phishing simulations.
The security awareness industry has been going through a long-overdue disruption, shifting away from ineffective training to programs that include more engaging content. Still, employees remain vulnerable to attacks. In one recent study in which 3,000 employees were told how to recognize certain phishing attacks, users fell for the same tactics just a few months later. Frequent reminders and regular phishing penetration tests keep the knowledge top of mind for users who are dealing with multiple other projects and distractions daily.
#3 Recognize the importance of implementing tailored training.
Just as everyone learns differently, individual users are susceptible to different types of attacks. With tailored training, users can receive simulated attacks that address their individual vulnerabilities, and entire user groups can receive education on the attacks they are likely to see based on their roles in the enterprise. Interventions and anti-phishing solutions need to move from a one-size-fits-all model to this more targeted approach.
#4 Go beyond awareness with human factor security and role-based training.
Awareness of the threat is critical, but not enough. Training should focus on behavior-changing activities that evoke an emotional response from the employee. For example, training delivered immediately after an employee clicks on a simulated phishing email will be much more effective than an annual awareness workshop. In addition, role-based training is critical: organizations must provide relevant training that goes beyond awareness, such as application security and secure coding training for developers, network and cloud security training for IT professionals, and more.
#5 Remove the culture of fear.
Time is of the essence during any attempted data breach. According to Verizon, the average time it takes for the first victim of a large-scale phishing campaign to click on a malicious email is 16 minutes, but it takes twice as long for a user to report it to IT. Those precious minutes could spell disaster for an enterprise. Many times, employees are hesitant to report a potential incident out of fear that they will be blamed, or they may even be unaware of the reporting process. Communicate regularly with your users about the importance of reporting incidents, and remove that fear by building a positive security culture inside your organization. Consider regularly rewarding employees who report security incidents and display proper cyber hygiene. Recognizing someone’s progress and giving them regular, positive reinforcement are consistently proven to be the most effective strategies for improving behavior.
To Err is Human
Human error is inevitable, but it can be mitigated by taking the time to understand why users are making these mistakes. Understanding the why behind employee behavior is the only way to change it. Putting on annual training sessions and sending out a few email announcements here and there won’t change your teams’ behavior. Help your employees understand why they are vulnerable to attacks, tailor training to those weaknesses, and reward them for positive behavior and for reporting suspicious activity.
Roy Zur, a serial entrepreneur, is CEO of ThriveDX’s Enterprise Division, the global education company committed to transforming lives through digital skills training and solutions. In August 2021, ThriveDX acquired Cybint Solutions, where he had served as CEO since founding the company in 2014. Roy is a 15-year veteran of the vaunted Unit 8200 of the Israel Defense Forces, where he served as a Major, which instilled in him early a passion for addressing the “human factor” of cybersecurity training, currently the #1 vulnerability across the threat landscape.
In addition to steering the vision of ThriveDX’s Enterprise Division, Roy serves as adjunct professor of risk management in cybersecurity at IDC Herzliya in Israel. He is also founder and chairman of the non-profit Israeli Institute for Policy and Legislation, and a member of the Forbes Business Council.