Back to Cybersecurity Basics – Part 2: User Awareness Training
According to datainsider.com, 91% of cyber attacks start with some sort of Phishing attempt. By now most of us are aware of the two main types of attack.
A standard phishing attack will cast the net far and wide and be indiscriminate regarding who is targeted, whereas a spear phishing attack will be far more targeted, using in-depth reconnaissance and social engineering techniques to gather information before an attack is launched.
Whilst very different in how they target end users, both are formulated with the same goal in mind…to steal credentials or money.
With the advancements in Email & Web Security, Anti-Malware Technology and Machine Learning, very few of these Phishing emails reach their intended target, however, it only takes one to get through your defences and one careless click before the network is opened up to the hackers.
Security Awareness Testing & Training is a simple and effective way of securing the last line of your defence…your users.
By following these simple steps you can boost your defences significantly:
1) Assess your Phish-prone Score
Before you begin your journey to anti-phishing heaven it’s important to understand how big the problem is. ITB Partner, KnowBe4 offers a free tool that allows organisations to conduct a simulated phishing attack on up to 100 of their users. Many providers of this technology will have a wide range of templates you can use for baseline testing.
This will provide you with a good idea of what percentage of your organisation is susceptible to a phishing attack.
Find out your Phish-Prone score HERE
2) Regular Simulated Phishing
Once you’ve identified that you have a problem and you know you’re at risk, it’s important to manage this risk.
A single baseline test will give you an understanding of how big the risk is, however regular simulated phishing if done properly, will raise awareness of the issue which will have a positive impact on the risk.
Automating this process using pre-defined templates means that very little input is needed from IT. Many of the platforms used for User Security Awareness training are simple to use, meaning that Heads of Department could possibly run the training for their departments themselves.
It is possible for organisations to develop and run their own ethical phishing programmes, without the need for 3rd party software, however, this will be far more time-consuming.
3) Train Your Users
Running regular ethical attacks will let you know who the offenders are, however, these tests will be pointless without the right training to back it up.
Again, this is something that IT can provide themselves, however with time particularly precious for IT teams the ability to automate this process is preferable in many cases.
Many, ethical phishing platforms will provide standard training videos, games, interactive modules, posters and newsletters that can be automatically sent to those end users who fail the tests.
For repeat offenders, it may be preferable that face-to-face training is given by the person responsible for Cyber Security at the business explaining the possible consequences of their actions.
With a huge change in legislation coming into force from May 2018, one of the most important steps IT can take is ensuring they have quick and easy access to reports detailing the positive impact their Cyber Security efforts are having.
Built up over time, reporting on both the phishing and training aspects should show a reduction in the number of users falling prey to your simulated attacks, which means that when a genuine attack does take place, your users will already be well aware of what to expect.
Join us for part 3 when we look at Incident Response.