QA | 31 August 2017
Creating awareness among employees about the damage a successful phishing attack can cause is the key to an organisation's cyber resilience.
Phishing emails remain a primary weapon of the cyber-attacker, whose techniques are constantly evolving to prey on human fallibility and circumvent technical controls in an attempt to compromise an organisation's network, or make financial gain. And, as Verizon's Data Breach Report 2015 found, 90% of all successful cyber-attacks succeed because of human error.
Training staff to spot the signs of phishing attacks
All employees need to know the tell-tale signs of a phishing attack and organizations should undertake continual awareness training to equip employees with the right knowledge, skills and understanding they need. Essentially, the once-a-year refresher training for compliance is not nearly enough to ensure cyber resilience in the long term.
The fact is that phishing attacks don't discriminate among employees. Whether an apprentice or CEO, you are susceptible to the latest attack by succumbing to an email which entices you to click on a malicious link or the disguised invitation to give away crucial information.
However, with regular cyber security awareness training, it's easier to identify the rogue emails which can have such damaging personal and organizational consequences and helps employees identify the different phishing attack techniques. These can range from a generic email, targeting mass distribution with malicious links, to the more sophisticated socially engineered email that personally targets group or individuals and persuades them to take a specific action or to divulge sensitive information.
Targeted or 'whaling' attacks
Careful targeting, known as ‘whaling’, is becoming a more prevalent phishing attack where, for example, the attacker masquerades as a senior executive asking an individual in the finance department to transfer money or pay a fictitious invoice.
This actually happened to FACC, an Austrian aircraft parts manufacturer, last year when it fell victim to an attacker posing as the CEO. The email came from what appeared to be an authentic email address and persuaded an employee to transfer almost $50m as part of a fake acquisition project. After it was discovered the board dismissed the CFO almost immediately and the CEO subsequently a couple of months after.
This illustrates just how easy it is become a victim of these attacks, particularly as cyber criminals can give such an air of legitimacy to their requests, as well as the implications for the board. This means that ensuring employees remain vigilant at all times is a vital business need and an approach that should be led by the board.
Tailoring your cyber security training to your employees
Your employees need to receive continuous help and advice and this can be more effective if the cyber security awareness training programme is relevant to their personal as well as professional life. By showing them how they can be an unwitting victim of phishing through their own Facebook or Instagram accounts, it will undoubtedly give them the confidence to transfer that knowledge, understanding and confidence to their work environment.
However, this is not the only way to engage with them and maintain interest. Other techniques, such as gamification with leader boards, competitions and "lunch and learns" also help to reinforce cyber resilient behaviours. Equally, the RESILIA™ programme provides an excellent guide to understanding how employees can be empowered in keeping networks and information safe.
The important thing is to use a combination of approaches which, over time, will maintain awareness and vigilance culture and help to thwart a potential phishing attack and protect your most critical information.