Hackers are experts at their craft and always on the lookout for new ways to breach a network and extract private information. One of their tricks is to mimic a company's own sites: in one case, hackers built an exact copy of a large local hospital's website, and the only difference was an extra letter in the URL. Someone who visits a site every day is unlikely to notice a detail like that unless they have been primed to spot it. Given the way this hospital's security was structured, once a single employee was tricked into logging in to the fake site, the hospital's entire network was compromised.
"With the average cost of a phishing attack costing a mid-size company $1.6 million, it can be a death blow for businesses that don't put in the necessary protections against a potential attack," PhishMe reported.
How can phishing attacks on employees be better prevented? One of the ways the Occupational Safety and Health Administration (OSHA) protects workers from physical harm is mandatory annual training. No matter how much you roll your eyes, OSHA requires that training be updated every year because new tools are always being introduced and because it is all too easy to lapse into complacency.
OSHA training targets employees' physical safety, but what about the company's data security? If frequent training is necessary to maintain the first, it is even more important for the second. Cybersecurity training is a crucial first line of defense against attempts to penetrate a company network or steal data.
Without proper training, even the most tech-savvy employees will eventually succumb to a phishing attack. Follow these three steps when building your cybersecurity training protocol:
1. Make it easy. There's a reason cybersecurity training tends to land low on a small business owner's priority list. You have many demands on your time, and there's a good chance that putting together a comprehensive cybersecurity training curriculum will never make the cut. Unfortunately, without the right training, your employees won't make the cut either.
Hiring a third party to train your staff is one of the best ways to ensure that your team's education is effective. As a bonus, an experienced training provider can track your employees' progress so that you know where their knowledge stands at all times.
2. Make it ongoing. One training session just isn’t going to cut it. Your employees remain the biggest vulnerability in your business when it comes to cybersecurity defenses, so education should never stop.
Most people won't respond to an email from a supposed Nigerian prince wanting to give them money, but even a skeptic can be tempted by a $50 Amazon gift card won in a plausible raffle that a spouse or friend entered them in. Training employees to spot phishing attempts is an ongoing effort, but over time they'll become experts at spotting phishing emails and at hovering over suspicious links to see where they really lead before clicking on them.
3. Make it comprehensive. Hackers are constantly coming up with new techniques to make phishing attacks more effective, so your training has to keep up and cover the new attacks and tricks. The cybersecurity community has a name for one of these newer, highly targeted efforts: spear-phishing. These attacks rely on publicly available user information (think LinkedIn and Facebook) so that bad actors can convincingly impersonate company decision makers.
Any cybersecurity training should start by covering historic or recurring threats that most people can easily spot. These sessions will increase employees' confidence and their baseline cybersecurity knowledge. Over time, training can evolve to address the most sophisticated weapons in the modern hacker's arsenal.
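The two defensive habits this post describes, noticing a lookalike domain that differs from the real one by a single letter and hovering over a link to compare where it really leads with what it claims to be, can also be automated as a first-pass check on links in incoming mail. The following Python script is an added example written for this page; it is not code from The Purple Guys or from the original post. The trusted domains, the hostnames it is run against and the threshold of two edits are all constructed placeholders, and a real deployment would load the organisation's own domain list and tune the threshold for short brand names.

```python
from urllib.parse import urlparse

# Constructed placeholder list of an organisation's own domains (not real sites).
TRUSTED_DOMAINS = ["examplehospital.org", "examplehospital-portal.com"]


def hostname_of(url: str) -> str:
    """Return the lower-cased hostname of a URL, adding a scheme if it is missing."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_host(host: str, trusted=TRUSTED_DOMAINS, max_edits: int = 2) -> str:
    """Classify a hostname as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' covers the extra-letter case from the article (edit distance),
    a trusted name buried inside a different domain, and a brand label reused
    in an unrelated domain. The threshold of two edits is a constructed choice.
    """
    host = host.lower().rstrip(".")
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"           # the real site or one of its subdomains
    for t in trusted:
        # e.g. examplehospital.org.login-update.net: real name, wrong registrable domain
        if ("." + t + ".") in ("." + host + "."):
            return "lookalike"
        # e.g. examplehospitall.org or examp1ehospital.org: one or two edits away
        if levenshtein(host, t) <= max_edits:
            return "lookalike"
        # e.g. examplehospital-login.net: brand label reused elsewhere
        if t.split(".")[0] in host:
            return "lookalike"
    return "unknown"


def looks_like_url(text: str) -> bool:
    """Cheap test for link text that presents itself as a URL or hostname."""
    return "." in text and " " not in text.strip()


def check_link(display_text: str, href: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Compare the text a link shows with where it actually points (the 'hover' check)."""
    target = hostname_of(href)
    shown = hostname_of(display_text) if looks_like_url(display_text) else ""
    return {
        "target": target,
        "verdict": classify_host(target, trusted),
        # True when the visible text names one host but the link goes to another
        "text_mismatch": bool(shown) and shown != target,
    }


if __name__ == "__main__":
    # Constructed sample links, in the form (visible text, real href).
    samples = [
        ("https://examplehospital.org/login", "https://examplehospital.org/login"),
        ("https://examplehospital.org/login", "https://examplehospitall.org/login"),
        ("Reset your password", "http://examp1ehospital.org/reset"),
        ("Staff portal", "https://portal.examplehospital.org/"),
    ]
    for text, href in samples:
        print(text, "->", href, check_link(text, href))
```

Run as a script it prints a verdict per sample link; the value in a real mail gateway or browser plug-in would come from running `check_link` over every anchor in a message and flagging anything that is `lookalike` or has `text_mismatch` set, which is exactly the judgement the hover-and-compare habit asks an employee to make by eye.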
Without the proper training, most employees will eventually fall prey to increasingly sophisticated phishing attacks. After all, it costs hackers virtually nothing to repeatedly send out millions of phishing emails and takes just one wrong click to compromise your entire system.
To best protect your company against possible phishing attacks, take a structured approach to training and give your employees the knowledge they need to succeed. Reach out to The Purple Guys about our Cybersecurity Monitoring and Awareness Training programs. We're happy to discuss our services or provide you with insight if you're just focused on training your employees to spot phishing attempts. Regardless of your business's IT needs, we're here to help.