The single biggest cyber threat your organization faces is phishing email. Most of the major breaches of the last five years, and by most counts the large majority of breaches overall, have had a phishing component. To top it off, adversaries target every industry sector and organizations of every size, for a wide variety of motives: financial gain, the challenge, or simply for fun, you name it. No organization is immune. Like it or not, we have to enlist our users to help mitigate this threat, and by users we mean all users, from the top executive to the newest intern. Phishing simulation training, in the form of regularly sending out both generic and spear-phishing emails, helps users recognize the indicators of a phish, respond to it effectively, and know what to do if they have already been phished.
Phishing campaigns increasingly target specific high-level executives, or personnel with decision-making power or control over finances, in a technique known as “spear phishing”. Consequently, all of your users need phishing awareness training, not just the technical staff. Furthermore, we all tend to get complacent and forget past lessons; a user who did not take the bait on one campaign may well do so on the next. The training needs to be repeated, not just once a year, so that awareness does not fade over time. We need to constantly reinforce vigilance and build phishing “muscle memory”.
We execute phishing campaigns and follow up with user cybersecurity awareness training. The follow-up can be automatic, taking the user to a short video tutorial the moment they click a link in a simulated phishing email, or we can hold a custom in-person training at your offices; whatever suits you. Our phishing simulation and awareness campaigns have the following attributes:
a mix of internal and external sender domains (the simulation senders are allowlisted in your mail gateway for the campaign so that SPF/DMARC checks do not silently block them), so the phish appears to come from both known and unknown sources
organization-wide identical emails, to foster a “heads up” environment where employees share knowledge of the threat when they recognize it
personalized emails targeting specific users, so that individuals understand the spear phishing threat
follow-up awareness activities that:
explain the indicators that showed the email was a phish, e.g. a lookalike sender domain, a Reply-To that differs from the sender, link text that does not match the real link target, and pressure to act immediately
explain what to do if the user suspects a phish, e.g. forward it to the IT department with an agreed subject line (or use a report button) rather than replying, clicking, or forwarding it to colleagues
explain what to do if the user falls for the phish and clicks a link, enters credentials, or opens an attachment, e.g. disconnect the machine from the network, leave it powered on so evidence is preserved, alert the IT department immediately, and change any exposed password from a different, clean device
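The indicators listed above can be checked mechanically, and it helps to show users (and the helpdesk triaging reports) exactly which ones fired. The following is an added example, not code from the original page or from the service it describes: it parses a raw email with Python’s standard library and flags a lookalike or external sender domain, a mismatched Reply-To, link text that disagrees with the real href, links to untrusted hosts, and urgency language. Both sample messages are constructed, and every domain, address and URL in them is hypothetical; `TRUSTED_DOMAINS` and `URGENCY_WORDS` are assumptions you would replace with your own.

```python
"""Flag common phishing indicators in a raw email.

Added example, not part of the original page. Both sample messages are
constructed; every domain, address and URL in them is hypothetical.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser

TRUSTED_DOMAINS = {"example-corp.com"}  # domains the (hypothetical) organization owns
URGENCY_WORDS = ("urgent", "immediately", "asap", "verify your account")

# Constructed phish: executive display name, lookalike sender domain ('1' for 'l'),
# Reply-To pointing elsewhere, and link text that disagrees with the real href.
SAMPLE_PHISH = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: payments@mail-relay.example.net
Subject: URGENT: wire transfer needed today
Content-Type: text/html; charset="utf-8"

<p>Bob, I need this paid immediately, before the auditors arrive.</p>
<p>Approve here:
<a href="http://login.example-corp-secure.net/auth">https://portal.example-corp.com/approve</a></p>
"""

# Constructed legitimate internal notice for comparison.
SAMPLE_LEGIT = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
Subject: Scheduled maintenance on Saturday

The file server will be offline 08:00-10:00 on Saturday. No action is needed.
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _host(url):
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", url.strip().lower())
    return m.group(1) if m else ""

def _trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def _lookalike_of(domain):
    """Crude lookalike test: same length and at most two differing characters.
    Real tooling would add confusable-character tables and edit distance."""
    for d in TRUSTED_DOMAINS:
        if domain != d and len(domain) == len(d) and sum(a != b for a, b in zip(domain, d)) <= 2:
            return d
    return None

def _body_text(msg):
    # Concatenate every text/* part so multipart messages are handled too.
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join(p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts)

def phishing_indicators(raw):
    """Return a list of (code, detail) indicators found in the raw message."""
    msg = message_from_string(raw)
    found = []
    from_dom = _domain(parseaddr(msg.get("From", ""))[1])
    if from_dom not in TRUSTED_DOMAINS:
        look = _lookalike_of(from_dom)
        found.append(("lookalike-sender", f"{from_dom} resembles {look}") if look
                     else ("external-sender", from_dom))
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        found.append(("reply-to-mismatch", f"replies go to {reply_dom}, not {from_dom}"))
    body = _body_text(msg)
    links = LinkCollector()
    links.feed(body)
    for href, text in links.links:
        if text.lower().startswith(("http://", "https://")) and _host(text) != _host(href):
            found.append(("link-text-mismatch", f"shows {_host(text)} but goes to {_host(href)}"))
        if _host(href) and not _trusted_host(_host(href)):
            found.append(("external-link", _host(href)))
    haystack = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in haystack]
    if hits:
        found.append(("urgency", ", ".join(hits)))
    return found
```

Running `phishing_indicators(SAMPLE_PHISH)` yields five indicators (lookalike sender, Reply-To mismatch, link text mismatch, external link, urgency) while the legitimate notice yields none. Note what is deliberately not checked: nothing here verifies SPF, DKIM or DMARC results, so the script cannot tell a spoofed `From` on your real domain from a genuine one; that is the mail gateway’s job, and it is also why simulation senders have to be allowlisted there.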
Since cybersecurity is a risk management process, we always follow up phishing training with a metrics-based risk assessment: not just who clicked, but who entered credentials, who opened an attachment, who reported the email, and how quickly. Based on the results of the assessment we suggest how your organization can further reduce risk. For instance, a campaign may show that your users are especially susceptible to credential harvesting, where they have been enticed to enter their username and password on a fake login page. In that case a password manager (which will not autofill on a lookalike domain) or multifactor authentication, ideally phishing-resistant MFA such as FIDO2 security keys, will help your business reduce risk further. We also make sure your incident response plan is up to date and includes responses to phishing incidents. Phishing simulation training is included in our Compliance+ and Compliance Premium membership packages. Give us a call and let’s get started reducing your organizational risk!
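To make the assessment concrete, here is an added example (not the page’s or the service’s own tooling) that turns per-recipient results from one simulated campaign into the metrics worth tracking and maps them to the kind of recommendations described above. The result records and the thresholds are constructed and hypothetical; in practice you would export the records from your simulation platform and tune the thresholds to your organization’s risk appetite.

```python
"""Turn phishing-simulation results into risk metrics and recommendations.

Added example, not part of the original page. The result records and the
thresholds are constructed/hypothetical; tune them to your organization.
"""
from statistics import median

# Constructed results for one campaign: minutes after send at which each
# recipient opened, clicked, submitted credentials, or reported (None = never).
RESULTS = [
    {"user": "alice", "opened": 3,    "clicked": None, "submitted": None, "reported": 5},
    {"user": "bob",   "opened": 2,    "clicked": 4,    "submitted": 6,    "reported": None},
    {"user": "carol", "opened": None, "clicked": None, "submitted": None, "reported": None},
    {"user": "dave",  "opened": 10,   "clicked": 12,   "submitted": None, "reported": 15},
    {"user": "erin",  "opened": 1,    "clicked": 2,    "submitted": 3,    "reported": None},
    {"user": "frank", "opened": 30,   "clicked": None, "submitted": None, "reported": 31},
    {"user": "grace", "opened": 7,    "clicked": 8,    "submitted": 9,    "reported": 20},
    {"user": "heidi", "opened": 5,    "clicked": None, "submitted": None, "reported": None},
    {"user": "ivan",  "opened": 40,   "clicked": 45,   "submitted": None, "reported": None},
    {"user": "judy",  "opened": 2,    "clicked": None, "submitted": None, "reported": 4},
]

# Hypothetical thresholds; adjust to your own risk appetite.
MAX_SUBMIT_RATE = 0.05
MAX_CLICK_RATE = 0.20
MIN_REPORT_RATE = 0.60


def campaign_metrics(results):
    """Compute the rates that matter: clicks, credential submissions, and reporting."""
    sent = len(results)
    clicked = [r for r in results if r["clicked"] is not None]
    submitted = [r for r in results if r["submitted"] is not None]
    reported = [r for r in results if r["reported"] is not None]
    first_click = min((r["clicked"] for r in clicked), default=None)
    first_report = min((r["reported"] for r in reported), default=None)
    return {
        "sent": sent,
        "click_rate": len(clicked) / sent,
        "submit_rate": len(submitted) / sent,
        # Of those who clicked, how many went on to type a password?
        "submit_given_click": len(submitted) / len(clicked) if clicked else 0.0,
        "report_rate": len(reported) / sent,
        "median_minutes_to_report": median(r["reported"] for r in reported) if reported else None,
        # Did the first report reach IT before anyone had clicked?
        "first_report_before_first_click": (
            first_report is not None and (first_click is None or first_report < first_click)
        ),
    }


def recommendations(m):
    """Map the metrics to the risk-reduction suggestions a follow-up would make."""
    recs = []
    if m["submit_rate"] > MAX_SUBMIT_RATE:
        recs.append("credential harvesting: deploy phishing-resistant MFA (e.g. FIDO2 keys) "
                    "and a password manager, which will not autofill on a lookalike domain")
    if m["click_rate"] > MAX_CLICK_RATE:
        recs.append("link clicking: repeat link-indicator training and enable URL rewriting "
                    "or sandboxing at the mail gateway")
    if m["report_rate"] < MIN_REPORT_RATE:
        recs.append("low reporting: add a one-click report button and acknowledge every report")
    if not m["first_report_before_first_click"]:
        recs.append("slow reporting: the first click beat the first report; alert the "
                    "responders on the first report and pull the email from all mailboxes")
    return recs


if __name__ == "__main__":
    metrics = campaign_metrics(RESULTS)
    for k, v in metrics.items():
        print(f"{k:32} {v}")
    for rec in recommendations(metrics):
        print("-", rec)
```

On the constructed data the campaign shows a 50% click rate, a 30% credential submission rate (60% of those who clicked went on to type a password), a 50% report rate with a median of 15 minutes to report, and a first click (2 minutes) that beat the first report (4 minutes), so all four recommendations fire. The point of tracking report rate and time-to-report alongside click rate is that a user who reports the email within minutes is the control that protects everyone else; a click rate trending down while the report rate stays flat is not real improvement.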