Navigating phishing attempts has become a normal part of today’s workforce. I am sure almost everyone has received a suspicious email or text message while at work and had to report it to their internal IT team. Cyber-attackers have only increased their efforts to gain access to private business information, and the most common way they try to do this is by tricking people with fake emails and text messages.
The common thread in phishing ploys is that the cyber-attacker has nothing to do with the organization they are pretending to be from, yet the messages look legitimate at first glance. So how do we combat this? There’s no doubt that establishing and maintaining a layered security defense can protect an organization, its employees and its clients’ information. But phishing scams have continued to grow more sophisticated and can now get past even the best email filters. When they do, the scams are elaborate and effective because they rely on your employees to carry out the brunt of the work that causes the breach in security.
So, what’s the best way to prevent cyber-attackers from tricking employees? My recommendation is through comprehensive, routine security awareness training. At BerganKDV, the vendor that we use to train our employees and the product we recommend to our clients is called KnowBe4. They help us build a human firewall as a line of defense against cyber-attackers.
Here are five principles KnowBe4 recommends for building a robust and effective anti-phishing behavior management program:
Frame the program with a positive tone: How employees react to simulated phishing events is directly related to the way that you message your training program. If employees feel that your main goal is to trick them and make them fail, then they will view you as an adversary. It is much more effective to position your program as something positive that you are doing for the good of the organization and the employees within it. In short, your message and purpose around your training should be similar to the way you treat events like fire drills: they exist for people’s ultimate safety and preservation.
Be intentional about your ‘post click’ landing pages: The time immediately following a phishing test failure is a crucial learning opportunity that requires delicate messaging to make an impact. Employees will naturally feel the most vulnerable and sensitive when they’ve fallen for a simulated attack. If you are directing them to a landing page that lets them know they’ve failed, it is important that you account for their heightened emotional state. Be extra careful not to heap shame on the employee. Instead, be friendly and to the point. Additionally, your message for any follow-up training should not be framed in shame or condemnation; it should remind them of the program, why tests like these are important, and how we all struggle to re-train human nature.
Empower employees with new behaviors: Give your employees the power to build new behavioral patterns by offering them replacement behaviors. Humans struggle with simply removing a behavioral pattern. It can actually be easier to replace one behavior with another. For phishing simulation tests with our clients, we consider it best practice to have employees report the simulated phish by clicking on our free Phish Alert Button (PAB). This not only gives them a replacement behavior but can also give them a positive reinforcement by displaying a congratulatory message for reporting the simulated phish. For organizations that have not deployed the PAB, train them to think, “when in doubt, throw it out,” so that their replacement behavior is simply deleting emails that are worrisome or suspicious.
Measure and train at their individual competency – and train for improvement: In all organizations, there are different levels of employee sophistication in detecting simulated phish. You will have some employees who almost never fall victim to phishing tests and some who fall victim much more often. Because your employees have different levels of maturity in detecting phishing attempts, it can be extremely useful to train employee groups at their current level of competence, so they can improve. For the same reason that we don’t expect grade school students to do college-level math, we shouldn’t expect employees to immediately become expert phish detectors. Consider a tiered system of phishing training for your users to train them according to their current level of competence and allow them to grow over time.
Phish frequently: A pattern of frequent simulated phishing tests lets employees know that simulated phishing is a part of your security culture and standard practice at your organization. Frequent training provides the best chance at developing proper reflexive behaviors. Organizations that only conduct yearly or quarterly simulated phishing are actually only performing baselining measurements – not training secure reflexes. Monthly – or better yet – bi-weekly simulated phishing training will let employees know that they should always be on the lookout for the next phish to land in their inbox and that they can always show improvement because the next test is not far away.
Creating your anti-phishing behavior management program according to these five principles will ensure that your program is seen as something that builds up employees rather than tearing them down. These principles are aimed at recognizing that humans can become an effective last line of defense for your organization when given proper training, motivation, and support.
If you want to learn more about ways to strengthen your organization’s security training and strategy, BerganKDV can help. Take our free, mini security assessment here to get a baseline of how your security procedures stack up. From there, our team would be happy to help you fill in any gaps so that you can best protect your organization against cyber-attacks. Want to learn more about common signs of phishing? Check out one of my previous blogs here.