By Alex Vakulov
Tue | Oct 24, 2023 | 1:25 PM PDT

Phishing is all around us. Attackers use a variety of tricks to get their hands on personal data, payment information, and corporate secrets. They send super-lucrative offers by email, create fake websites and payment pages, and distribute malicious scripts under the guise of useful documents.

The hacker relies on the employee clicking a link in an email, which takes them to a fake site. There, the employee is tricked into entering personal account details or other confidential information or into downloading an attachment that harbors a virus.

Beyond emails, hackers employ various tactics. If they can access an office, one old method involves scattering flash drives around, hoping a curious employee will plug one into their computer. These drives can carry all sorts of malicious software.

There was a real case where leaflets appeared on the walls in one of the offices offering free leftover branded merchandise from a warehouse. To join the lucky winners, employees needed to scan a QR code, visit the linked page, and input their contact details. At the end of the day, it turned out that this was the work of the company's information security team, aimed at showing management how simply attackers could gather data for targeted phishing campaigns. However, it is a strategy that actual scammers accessing the office could easily employ.

Increasing security awareness: key tasks and approaches

Organizations face a number of pressing challenges in raising cybersecurity awareness:

  • Ensure safe remote work:
    Yes, the pandemic may be fading from our immediate concerns, but the hybrid work mode has become commonplace, and many companies do not want to let it go.
  • Ensure safe work with confidential data:
    Today, news of information breaches is increasingly common, and preventing these leaks significantly hinges on the actions of the employees themselves.
  • Establish and sustain a corporate culture centered on cyber hygiene:
    Without it, addressing the initial two challenges becomes impossible.
  • Assess employee awareness of prevailing cyber threats:
    Understanding their vulnerability level is key to implementing prompt protective measures.

Approaches to employee training and the tools used for this may vary. These could be booklets, information sheets, lectures, training, mentoring, video courses, simulated phishing campaigns, etc.

Simple teaching methods may fall short of addressing the issues adequately. Booklets and leaflets, for instance, might just be overlooked by employees. They also offer little opportunity for engagement or feedback. One-on-one mentoring is not feasible for large corporations due to a lack of sufficiently skilled individuals to train those without existing cybersecurity skills.

Electronic courses featuring gamification stand out as the most potent and modern method. They can be complemented by detailed, engaging, interactive content created by outsourced essay writing services or even by ChatGPT. However, they fall short in one crucial area: they lack hands-on experience. Direct engagement with cyber threats is essential for cultivating a robust defense against phishing. To enhance practical skills, regular simulated phishing campaigns are needed.

While most companies possess a human resources department and some form of a learning portal, these resources do not fully address the issue at hand. They are not designed for executing cyber exercises, and HR professionals typically lack the expertise in this specific domain. Furthermore, the subject of information security training demands a certain level of technical proficiency and comprehension of all processes involved.

Consequently, the task of enhancing employee security awareness often lands on the shoulders of information security or IT teams. While these teams grasp the nuances of security, they might not be well-versed in the HR aspect. Moreover, information security and IT departments require tools that enable them to execute strategies for boosting awareness effectively.

Factors to consider when boosting cybersecurity awareness autonomously

Creating an effective cybersecurity awareness program for employees is no small feat. It demands a comprehensive understanding and a diverse skill set, making it a challenging endeavor to start from the ground up on your own. Experience and a grasp of the task's nuances are crucial.

Training courses should be meaningful, accurate, and, at the same time, easy to understand. Beyond the typical expertise in information security and human resources, one must delve into psychology to comprehend human vulnerabilities. Effective communication skills are paramount both in live communication and through course materials.

Managing training for a multitude of employees adds layers of complexity. They must be categorized, prioritized, and presented with tailored content. Moreover, orchestrating simulated phishing attacks requires hands-on experience to be effective.

It is also crucial to strike a balance between caution and awareness. Employees need to be able to identify threats without developing a fear of opening emails. When an employee detects a potential phishing attempt, it is vital that they promptly notify the information security or IT departments. This aspect deserves special emphasis during training sessions. The appropriate response to phishing encounters is to report them immediately. Typically, organizations set up a dedicated email address for such reports. They might also integrate a 'Report Phishing' button into applications like Outlook through a plugin.

Again, theory alone is not enough; it needs to be paired with practice. To build durable skills in a given employee, their knowledge must be raised continuously and then verified through tests and training exercises. This is where simulated phishing attacks come into play, serving not just to lower staff susceptibility to phishing attempts but also to gauge the effectiveness of the theoretical lessons provided. Those who do not make the grade should be grouped together and given extra coursework to ensure everyone is on the same page.

Learning should be an ongoing, cyclical process. This continuous cycle is crucial for truly bolstering a company's security and minimizing the risks posed by human error. Even the best skills can diminish over time without regular, refreshed training.

Moreover, it is critical for training professionals to understand and accommodate the company's unique characteristics and consider different aspects that are not always apparent from within. Sophisticated attackers craft their phishing campaigns with alarming credibility, tailoring their deceptive emails for individual employees. These messages are meticulously designed to fly under the radar, blending in seamlessly with the professional context. So, the training must be equally sophisticated and tailored to effectively arm employees against such nuanced threats.

Who can assist?

Building processes and defining a methodology on your own is very difficult. It is often more practical to seek assistance from experts who specialize in this field: those who keep up to date with the latest cybercriminal tactics and are skilled both in evaluating risks and in raising staff's cyber literacy levels. So, turning to specialized security awareness companies can be significantly more effective.

The process might look like this: a client realizes their employees need better cybersecurity skills. With the Security Awareness service, a good provider does not just offer off-the-shelf training. They customize courses to the client's specific tasks and profile, craft realistic phishing attack simulations, and supply a platform for sending test phishing emails, complete with an analytics and reporting system.

The first step is assessing the employees' current knowledge level. It is common to find that about 30% of employees would click on a phishing link. However, there is usually good news right after the initial training session - the number of users taking risky actions in simulated phishing attacks tends to drop significantly.

Usually, after about a year of continuous service, the improvement is substantial. The employees susceptible to falling for phishing attempts dwindle to a mere 1% to 2%. This holds true even if the company grows and new staff members are added. Clearly, this decreases the chances of a successful attack. Experience indicates that a year is about the time it takes to develop a robust skill set in this area.

What ensures a successful outcome?
  • Theory alone falls short without hands-on experience. That is why frequent cyber drills (like test phishing campaigns based on current threats) are conducted.
  • Training unfolds through traditional, easy-to-digest courses. While these foundational courses cover the necessary theoretical knowledge, they are also tailored to each client's unique needs.
  • The system flags "risky" employees - those who have not grasped the coursework or who make unsafe decisions during simulated phishing attacks. In addition, a distinct group of "high-risk" individuals is created. These employees receive close supervision and ongoing education through additional courses.
  • Phishing simulations are designed with the employees' job roles in mind - whether PR, accounting, sales, etc.
  • The training process is ongoing and repetitive.
  • Outcomes are carefully reviewed, and the training approach is recalibrated accordingly.
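As an added illustration (not code from the article or any vendor platform) of how the outcomes of the cycle above can be reviewed, the script below scores constructed simulated-phishing results per job role and sorts employees into the "risky" and "high-risk" groups the list describes; the thresholds and the action names are assumptions.

```python
# Added example: reviewing simulated-phishing outcomes and building the
# "risky" / "high-risk" follow-up groups. Data and thresholds are constructed.
from collections import defaultdict

# Constructed sample data: one record per employee per simulated campaign.
# "action" is what the employee did with the test email:
#   reported  - forwarded it to the security team (the desired response)
#   ignored   - did nothing
#   clicked   - followed the link
#   submitted - followed the link and entered credentials on the fake page
SIMULATION_RESULTS = [
    {"employee": "alice", "role": "accounting", "campaign": 1, "action": "reported"},
    {"employee": "alice", "role": "accounting", "campaign": 2, "action": "reported"},
    {"employee": "bob",   "role": "sales",      "campaign": 1, "action": "clicked"},
    {"employee": "bob",   "role": "sales",      "campaign": 2, "action": "ignored"},
    {"employee": "carol", "role": "pr",         "campaign": 1, "action": "ignored"},
    {"employee": "carol", "role": "pr",         "campaign": 2, "action": "reported"},
    {"employee": "dave",  "role": "accounting", "campaign": 1, "action": "clicked"},
    {"employee": "dave",  "role": "accounting", "campaign": 2, "action": "submitted"},
    {"employee": "erin",  "role": "sales",      "campaign": 1, "action": "clicked"},
    {"employee": "erin",  "role": "sales",      "campaign": 2, "action": "clicked"},
]
# Constructed theory-course results: True if the employee passed the quiz.
COURSE_PASSED = {"alice": True, "bob": True, "carol": False, "dave": True, "erin": True}

UNSAFE_ACTIONS = {"clicked", "submitted"}

def susceptibility_by_role(results):
    """Share of test emails per job role that led to an unsafe action."""
    totals, unsafe = defaultdict(int), defaultdict(int)
    for r in results:
        totals[r["role"]] += 1
        if r["action"] in UNSAFE_ACTIONS:
            unsafe[r["role"]] += 1
    return {role: unsafe[role] / totals[role] for role in totals}

def classify_employees(results, course_passed, high_risk_unsafe=2):
    """Assign each employee to 'ok', 'risky' or 'high-risk' (assumed rules):
    risky     - failed the coursework or took an unsafe action in a simulation
    high-risk - entered credentials, or unsafe in >= high_risk_unsafe campaigns
    """
    unsafe_count, submitted, employees = defaultdict(int), set(), set()
    for r in results:
        employees.add(r["employee"])
        if r["action"] in UNSAFE_ACTIONS:
            unsafe_count[r["employee"]] += 1
        if r["action"] == "submitted":
            submitted.add(r["employee"])
    groups = {}
    for e in sorted(employees):
        if e in submitted or unsafe_count[e] >= high_risk_unsafe:
            groups[e] = "high-risk"
        elif unsafe_count[e] > 0 or not course_passed.get(e, False):
            groups[e] = "risky"
        else:
            groups[e] = "ok"
    return groups
```

Running the two functions on the sample data gives the per-role rates to compare against the next campaign and the list of employees who need the extra coursework before the cycle repeats.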

Phishing ranks as the top tool for attackers, both in prevalence and effectiveness. Boosting staff resilience against such threats is a critical goal for any organization. Like anything else, there are numerous ways to enhance security skills; the trick is picking the best one. Companies may find it more beneficial to hire a specialist firm. These firms are up-to-date on the latest cybercriminal tactics, capable of evaluating risks, and skilled in proposing measures to heighten employee awareness. This way, the company avoids the hassle of building its own platform and managing processes that demand a wide range of skills.