Phishing is big business and one that is always growing in scale and sophistication.
By Les Best
You and your employees (the end users) are the biggest vulnerability in your organisation if they are unsure how to stop a phishing email. Never underestimate the importance of your role in mitigating one of the most common cyber security threats.
What is a phishing email?
The National Cyber Security Centre explains that “phishing is when attackers attempt to trick users into doing ‘the wrong thing’, such as clicking a bad link that will download malware, or direct them to a dodgy website.” Phishing is mostly carried out by email.
IT Naturally suggest a combination of training, simulation and communication to make sure your team are aware of the dangers and how to spot them. It could make all the difference.
- Train your team to spot a phishing email
Teaching an end user to distinguish spam and marketing emails from malicious phishing attempts and malware is not an easy feat. One of the things to look out for is who the email is from: checking the sender address can often raise suspicions, but using this in isolation is not enough. Legitimate messages from the Office 365 address firstname.lastname@example.org have often been mistaken for suspicious ones, despite being real. You cannot blame the end user; fraudulent emails are now extremely sophisticated and look authentic, and it is often exceedingly difficult to tell one from the other. Engaging yet in-depth training on what to look for is crucial if end users are to recognise the warning signs of scams and threats.
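To show what "check the sender address, but not in isolation" means in practice, here is an added example (not code from the original post or from IT Naturally) that pulls the From: and Reply-To: headers out of a raw message and lists the reasons the sender looks suspicious. The trusted domain list and the two sample messages are constructed for the illustration; a legitimate notification from a trusted domain produces no findings, while a lookalike domain with a borrowed brand name does.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed for this example: domains the organisation treats as its own or as known senders.
TRUSTED_DOMAINS = {"example.org", "microsoft.com"}

# Constructed sample messages (not real mail): a genuine notification and a lookalike spoof.
SAMPLE_LEGIT = (
    "From: Microsoft Office 365 <no-reply@microsoft.com>\n"
    "To: user@example.org\nSubject: Your weekly digest\n\nYour report is attached.\n"
)
SAMPLE_SPOOF = (
    "From: Microsoft Office 365 <account-alert@micros0ft-login.example>\n"
    "Reply-To: helpdesk@mail.example\n"
    "To: user@example.org\nSubject: Action required\n\nPlease verify your account.\n"
)


def _domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def from_header_signals(raw_message: str) -> list[str]:
    """Return the reasons the sender headers look suspicious.

    An empty list only means the address itself raised nothing; it is not proof
    the mail is safe, which is why address checks must be combined with training.
    """
    msg = message_from_string(raw_message, policy=default)
    display_name, address = parseaddr(str(msg.get("From") or ""))
    domain = _domain_of(address)
    if not domain:
        return ["From: header has no parseable address"]
    reasons = []
    # An address embedded in the display name that differs from the real sending domain.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != domain:
        reasons.append(f"display name shows {embedded.group(0)} but mail comes from {domain}")
    # The display name borrows a trusted brand while the sending domain is not trusted.
    name = display_name.lower()
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in name:
                reasons.append(f"display name mentions {trusted} but address domain is {domain}")
                break
    # Replies are steered to a domain other than the one the mail claims to come from.
    reply_domain = _domain_of(parseaddr(str(msg.get("Reply-To") or ""))[1])
    if reply_domain and reply_domain != domain:
        reasons.append(f"Reply-To goes to {reply_domain}, not {domain}")
    return reasons
```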
- Cyber Security: Simulate an attack
Once this training has been completed, one of the best ways to test your team is to simulate a phishing email attack and see who falls victim. This should be followed up with further training for those who fail the test. These simulations should be repeated periodically.
You may be thinking, "I already have software to stop these types of threats", but this is no longer enough. Email gateways offer increased protection, analysing each mail with machine learning algorithms and sandboxing. Yes, this will prevent a greater number of attacks, but severe damage can be inflicted on a business with just one response to a malicious email.
Think of improving your end users' security awareness as being a bit like fitting a second lock. Locking your front door will stop the honest burglar, but a secure double locking system will keep most people out.
- Communication: Effective cyber security is a two-way relationship
A comprehensive awareness programme will also include regular communication confirming the responsibility to protect the business along with the company policy for managing spam and reporting malicious events. It is also advisable to inform end users of the importance of email security and what could happen in the event of a breach. Some employees just will not be aware of the dangers.
You should also advise your staff of what investments the company is making in cyber security systems to protect the business. This will build an overall increased confidence that everyone is playing their part in protecting the business from the threat of phishing emails.
The end users and the security team must work together to get the best results. The end user expects a level of protection from the IT infrastructure, reducing the volume of spam and malicious mail received. The IT security team expects service desk tickets to be raised alerting them to the possible delivery of malicious mail to an inbox. But without knowing how to spot a phishing email, the end user will be unsure how to recognise a threat, what to do and, most importantly, what not to do.
If you need help with an end-user awareness program or any other cyber security service IT Naturally can help.
IT Naturally is an IT Infrastructure MSP that securely manages and transforms our customers’ infrastructure with integrity, quality, expertise, and simplicity.