Security awareness training gives us one more tool to use against hackers.
According to the security firm EveryCloud, 90% of successful breaches are attributed to human error. From my experience as a freelance cybersecurity analyst, I can attest to the validity of that statement.
In 10 years, I’ve helped hundreds of companies beef up their defenses after a breach. They all have one thing in common — they had good basic defense systems in place. In the majority of cases, the systems were fine. The breaches could often be attributed to personnel getting careless.
That’s why I believe that a security awareness program is something that all companies should consider. In this post, I’ll go through how you can create your own effective program.
How to Train Your Employees to Avoid Phishing Attacks
- Identifying gaps in knowledge
- Training employees to identify phishing emails
- Training your staff in a creative way
- Setting up a training schedule
- Using data to measure the effectiveness of your program
- Ensuring compliance with privacy regulations
- Getting top management involved
1. Identify Gaps in Knowledge
Never assume that your employees understand the latest security procedures. People make assumptions based on what they think they know. Twenty years ago, a safe password consisted of letters and numbers. Today, that’s nowhere near enough variety.
Start off by assessing what your employees know about cybersecurity. Create a questionnaire to gauge their understanding. Run phishing tests to see if they’ll fall for them. And, as a final test, leave a USB drive lying around and see what happens.
This will give you an idea of what your training should focus on.
2. Train Employees on How to Identify Phishing Emails
How well did your employees do in recognizing phishing emails? Phishing attacks are prevalent and are becoming harder to detect.
Let’s go through a phishing test of our own! Compare the next few images to see if you can spot the difference. I’ll go through the answers at the end of the section.
This is an example of a real phishing email that was sent in.
I can see at a glance that it’s a phishing email. Do you see what tipped me off? I’m going to let you think about that for a minute. In the meantime, here’s an example of a real email.
What differences can you see? The above is the real deal.
I’m not going to put you out of your misery just yet. Instead, I want to give you one more example. This time, you have to decide if it’s real.
What’s your verdict on this one? Is it real or fake? I’ll give you a second to think about it.
In the meantime, what tipped me off about the first example is the email address. If we look at the real example, the email address doesn’t have “gmail.com” appended to it.
That’s a huge red flag — established companies use branded email accounts. They won’t use Gmail accounts for professional purposes.
As to the third email, it’s also clearly fake. Why? Again, it boils down to the email address.
Did you notice that the third “E” was left out of “Berkeley”? Would you have noticed if you were busy or if you weren’t reading an article about phishing?
Phishers make their emails as close to the real thing as possible. They try to imitate established email domains to steal your information. The differences may be small and barely noticeable, but if you concentrate, you should pick them up.
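Both tells from the examples above (a brand name stuffed into a gmail.com address, and a domain one letter short of the real one) can be checked mechanically before a message reaches an inbox. The following is an added illustration, not code from the original post; the legitimate domains, the freemail list and the sample headers are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed reference data (assumed, not from the post): the domains your
# organisation legitimately mails from, and freemail providers an established
# company would not use for business correspondence.
LEGIT_DOMAINS = {"berkeley.edu", "examplecorp.com"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Brand words a phisher is likely to put in a freemail address or display name.
BRAND_WORDS = {d.split(".")[0] for d in LEGIT_DOMAINS}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def sender_red_flags(from_header: str) -> list:
    """Return the reasons a From: header looks like impersonation ([] if clean)."""
    display_name, addr = parseaddr(from_header)
    local, _, domain = addr.lower().rpartition("@")
    if not domain:
        return ["no sender address"]
    if domain in LEGIT_DOMAINS:
        return []                                   # genuine corporate domain
    flags = []
    # Tell 1: a brand name combined with a consumer freemail domain.
    haystack = (display_name + " " + local).lower()
    if domain in FREEMAIL_DOMAINS and any(w in haystack for w in BRAND_WORDS):
        flags.append(f"brand name used with freemail domain {domain}")
    # Tell 2: a lookalike domain within two edits of a real one (e.g. a dropped letter).
    for legit in LEGIT_DOMAINS:
        dist = edit_distance(domain, legit)
        if 0 < dist <= 2:
            flags.append(f"{domain} is {dist} edit(s) from {legit}")
    return flags


# Constructed headers mirroring the post's three examples.
SAMPLES = {
    "freemail":  "Berkeley Admissions <berkeley.admissions@gmail.com>",
    "genuine":   "Admissions Office <admissions@berkeley.edu>",
    "lookalike": "Admissions Office <admissions@berkley.edu>",
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:9s} {hdr!r}: {sender_red_flags(hdr) or ['no red flags']}")
```

The same checks can be wired into a mail gateway rule or used to score the results of an internal phishing test.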
There may be times when a colleague’s email account has been compromised. In those cases, be wary of unusual requests for money or information, as well as emails that urge you to click on external links.
Contact the person in another way to confirm the request.
3. Make Training as Fun as Possible
I find cybersecurity fascinating, but not everyone does. When you’re setting up your training, consider using stories to make the content more interesting. Bring in images and possibly videos to ensure that the message hits home.
Tailor your training to your employees. What formats would work best for them? How well will they retain the information?
4. Training Is Not One and Done
With things changing so fast in the cyberworld, keeping up with threats is an ongoing process. You’ll need to schedule follow-up training sessions for your staff to update them. It’s also a good policy to periodically run phishing tests.
Also, consider briefing employees on big data breaches that have hit the headlines lately. The combination of ongoing training and testing will keep your employees on their toes. They’ll learn that an attack can happen at any time, so they must be ready.
Schedule a session for each new employee you hire and schedule quarterly sessions for everyone to attend.
5. Monitor Your Progress
It’s essential to keep a log of any security incidents that your company experiences. This helps you spot patterns that point to a more determined attacker. It will also allow you to monitor the success of your training.
You will see if more training is required and if your security systems need an overhaul.
6. Be Compliant With Privacy Regulations
Privacy regulations are putting a lot of pressure on organizations.
Not being compliant with regulations like PCI DSS, for example, can get your business into serious trouble. Make sure that your security systems meet the required standards.
7. Get Top Management Involved
Top management must set the example. Having them involved ensures that your new training program is properly supported. Top management should ideally attend training sessions, as well.
If that’s not possible, give them regular updates about developments in this area.
An Effective Security Awareness Program Requires Work
If you want to improve your organization’s cybersecurity, you can’t rely on just one line of defense. Your anti-virus program is a good place to start, but it’s not enough on its own.
Your biggest weakness is your employees. They might inadvertently fall for a phishing email, or click through to a malicious website. That’s why you need to institute a great security awareness program.
You need to establish your staff’s current knowledge levels. From there, it’s important to train them to identify phishing emails. Training should be made fun because you’re going to have to set up a regular training schedule.
Once the program is in place, monitor the results that you’ve achieved in case you need to make tweaks. Finally, ensure that the program is compliant with privacy regulations and get top management involved, too.