Phishing Reports Show You There's a Problem, but What's Next?

Phishing, smishing and now vishing. Social engineering attacks are the number one cybersecurity threat to any enterprise, and they’re on the rise. According to the FBI’s Internet Crimes Report, phishing and business email compromise scams caused an estimated $1.85bn in adjusted loss in 2020. There is also an estimated 200% increase in phishing attacks each year. Companies typically conduct penetration tests to discover vulnerabilities in their networks and see how well employees fare against a typical social engineering attack.

These assessments provide invaluable data and are an essential part of enterprise security, but statistics alone are insufficient. Security professionals need a plan to take that data, identify potentially vulnerable employees, and create lasting behavior change. So let’s look at some simple steps to make sure your team is protected.

First, handle your most at-risk employees. Cyber-criminals know that companies utilize software that blocks most malicious emails, so they’re getting creative. Instead of sending a phishing attempt to a large group of employees, they’ll target a handful, making it much easier to bypass email security systems and reach a potential victim. With phishing simulation testing and reporting in place, you’ll know quickly which members of your team are the most susceptible to those attacks. But what next? Quick intervention and targeted training are essential here.

We know that annual or even biannual training is not enough and is not always effective. Employees quickly forget what they’ve learned. On the other hand, if an employee fails a phishing simulation test and is immediately given constructive training, they’re much more likely to understand the problem, retain the information and change their behavior in the future. If you don’t intervene and provide them with targeted training, chances are they’ll click on a suspicious link in the future as well.

"With phishing simulation testing and reporting in place, you'll know quickly which members of your team are the most susceptible to those attacks"

Second, make sure every team member knows what to do after they receive a social engineering email. Many employees can spot suspicious communications, but what are they doing next? Are they letting the email sit in their inbox? Are they simply clicking delete without notifying you? If they do take action, how quickly are they notifying you? A recent study found that phishing emails sit in user email inboxes an average of three days. In that same study, enterprise security teams discovered the malicious emails while hunting through message logs. In other words, employees weren’t raising any red flags. Properly training employees to identify a phishing attempt and report it quickly can result in faster response times, better enterprise security, and free up your security team’s workload.

Third, implement training for your entire team that is both frequent and engaging. The cybersecurity threat landscape is changing almost daily, and training needs to keep up so that employees are aware of new types of social engineering attempts. Requiring your employees to watch the same training video that they did last year is simply not going to cut it. Not only will it not cover the most current threat actors, but the chances are that your employees will tune out. In a report from Fujitsu, 61% of respondents said they believe their current cybersecurity training is ineffective, citing boredom, generic content and lack of targeting.

We have to get smarter. Cybersecurity training has grown beyond powerpoints and videos to gamified learning that simulates a variety of real-world threats. Exposing your employees regularly to these types of attacks trains their brains to recognize suspicious messages immediately. Investing in fun and engaging training for your team will pay dividends the next time they get a phishing email.

The most effective defense against phishing attacks is educating employees who know what to do when a cyber threat lands in their inbox. Phishing simulation tests should be run, but they won’t keep your enterprise safe if you’re not combining them with proper training for your entire team.

What’s Hot on Infosecurity Magazine?