Attackers used to breach organizations by finding and exploiting vulnerabilities in the network itself. At that time, locking down the network perimeter was a reasonable defense. That strategy hardened the outside of the organization, but comparatively little effort went into securing and training the internal networks, systems and users.

Modern attackers focus on easier targets. They exploit weaknesses inside the organization, particularly employees who are often not well informed or trained about information security. Because security is not part of their normal annual training, these employees do not expect a cyber attack aimed at them personally, nor do they realize that one could harm the organization they work for.

Attackers have developed various methods to exploit these vulnerable employees, chief among them phishing: campaigns of fraudulent emails sent under a false identity. This remains the main technique for turning employees and their systems into profit.

Over time, organizations have come to understand that their employees are the attackers' preferred target and are susceptible to different kinds of phishing. Fake websites, the lure of free software and clickbait ads appear when employees open their email. Unwary employees click these links and type sensitive credentials into forged login pages. Clicking a malicious link may also silently install malware or system eavesdroppers, or open a backdoor into the network.

The problem is worse when the fraudulent email appears to come from a known source, a friend or even a senior executive: the employee opens it without suspicion and becomes an unwitting participant in the attack.

These attacks cost organizations enormous sums, running into billions of dollars. The profitability of the trade encourages new entrants into the crime and funds the development of more sophisticated tools. Attackers choose the method best suited to each target on the basis of that person's seniority and job function.

Supporting the employees is the primary means of preventing such attacks. Organizations have to help employees develop better habits that eventually will help in safeguarding the whole organization.

Why is security awareness important for marketing staff? Why should they participate?

It is often difficult to gauge which employees are the most vulnerable or the most likely targets of phishing. Attackers will target any employee through whom they can gain access to the company's network, so potentially it can be anyone in the organization. Marketing staff, however, are especially attractive targets because the nature of their work makes them much easier to lure into clicking links in unsolicited email. Recent research further suggests that general staff-level employees, rather than middle managers or executives, are the preferred targets.

Because attackers are always looking for new avenues into an organization, they now focus on specific roles such as account executives, business development managers and inside marketing staff, who interact constantly with existing and prospective clients by email, by telephone or in person. Marketing people, in particular, are expecting and hoping for email from potential customers.

They also want to be as responsive as possible. Both traits make them easy targets for phishing. A phisher typically collects a marketing employee's name, email address and phone number from the Internet and can be fairly confident that any email sent to that address will be opened.

Once attackers steal a marketing employee's credentials, they gain access to sensitive information such as pricing sheets, customer lists and details of confidential deals. A compromised marketing account also gives the attacker a new vector for phishing the finance, accounts and management staff of the same organization, who will naturally trust a message that appears to come from a colleague in marketing.

Why are marketing staff targeted for attacks? What are some common security mistakes marketing staff make?

Because marketing employees interact with many clients and customers from various niches, they are among the most frequently targeted for phishing. A simple inquiry by phone or email is often enough to make a marketing team drop its guard. A skilled social engineer will pose as a potential client, build rapport with a specific member of staff and then ask for sensitive information about the company, confidential contracts or customer lists. In many cases all the attacker needs is for one marketing employee to click a malicious link or open a malicious attachment, which bypasses the organization's perimeter defenses.

What is the best way to train marketing staff on security awareness?

The most effective preventive measure against phishing is regular discussion with the marketing department about the threats it faces. Marketing staff must have a clear understanding of what information they are permitted to disclose over the phone and by email.

They must also be trained to send sensitive information securely online. Moreover, marketing staff should learn to treat every incoming phone call and email with caution, regardless of how urgent the request appears.

How to protect your marketing staff and the entire organization

Organizations must find ways to protect marketing staff from phishing. Endpoint protection and email filtering are two good starting points; they reduce the number of phishing emails that reach employees' inboxes. They cannot catch everything, though, so organizations also have to carry out security awareness training periodically. This training comprises material that teaches employees how to respond to suspicious requests by phone or email. It helps them think critically and acquire safe security habits, and keeps them up to date on the latest phishing tricks used against marketing people.

Organizations also need to agree with the purchasing department on a way to transfer invoices through an additional layer of security, or by some channel other than email. Marketing employees should be reminded to double-check every link they receive by email before clicking it, and discouraged from opening any attachment from an unknown source.

It is important for every organization to strengthen its security systems. Training the employees concerned and making them security-conscious is even more necessary, because it is the only defense against the most convincing phishing attacks. Regular security training programs give employees and company leaders alike sound advice for protecting both the systems and the people who use them.

For security awareness training for marketing staff to be effective, organizations need to involve everyone in the department. Including everyone reduces the gaps in security across the organization. No training can be 100% effective, but the more people in the department receive it, the greater the reduction in potential security risk.

Understanding these users and the lures attackers are likely to use makes security awareness and education more targeted, interesting and effective. Users learn how to recognize and ignore malicious messages, removing a prime source of risk.

It is now a necessity to make the core of every organization less exposed by enabling its systems to recognize and block malicious or suspicious behavior, so that the systems catch new attacks that slip past even the most alert users. This layered approach, technical controls backing up trained people, gives organizations strong protection and keeps employees off the hook even when they face the most alluring phishing lures.

Organizations should also consider running phishing simulations, in which phishing-style emails are deliberately sent to employees to see how they react and whether they can recognize them. Employees must be told in advance that such simulation campaigns will take place, to avoid panic in the organization. Prior knowledge also gives employees the chance to raise any concerns before a campaign is run.

An open and inclusive simulation program of this kind generates less resentment at every level of the organization, and campaigns can be announced during the training sessions. It should also be made clear that simulations are not meant to trick or embarrass employees in any way. This reinforces the purpose of the organization's security training for marketing staff and improves the response to real phishing attacks.

Even when they know that simulated attacks are coming, marketing and sales employees are often seen to overlook potentially malicious links, failing to recognize the suspicious email when it eventually arrives in their inboxes. This clearly shows the importance of information security training for an organization's marketing staff, followed by simulated attacks to measure whether the training has actually been absorbed.

SA Tips/Resources for marketing staff

  • Do not disclose sensitive company information over the phone or by email to new or prospective clients
  • Use caution when talking to unknown clients over the phone; you may disclose sensitive information without realizing it
  • Double-check before opening any suspicious link or attachment that arrives in your inbox, even if the sender is someone you know (it may appear to come from your boss)
  • Consult your IT or security team if you think you have received a phishing email
  • Attend the security awareness program arranged by your organization and take it seriously; it may save your company from big losses, and your career as well
  • Report any phishing incident immediately, even if you mistakenly clicked a link or downloaded malicious software
  • Do not visit unsolicited websites from your work machine or over your work network
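The tip about double-checking a link before clicking it, and the earlier point that email filtering should catch what it can before a message reaches a marketing inbox, can both be made concrete. The script below is an added example written for this edit; it is not code from the original article or from SecurityIQ. It parses the HTML body of a message and flags anchors whose visible text names one host while the href points to another, hrefs with non-web schemes such as javascript:, punycode (internationalized) hosts, and hosts that imitate a trusted brand. TRUSTED_DOMAINS, the heuristics and SAMPLE_EMAIL are constructed assumptions chosen for illustration.

```python
"""Flag links in an HTML email whose visible text and real destination disagree.

Added example for this article, not code from the original page: a minimal
pre-click check that a mail gateway could run, or that a cautious reader
could apply to a saved message. TRUSTED_DOMAINS, the heuristics and
SAMPLE_EMAIL are constructed assumptions for illustration only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: domains this organization treats as its own or as trusted senders.
TRUSTED_DOMAINS = ("example-corp.com", "microsoft.com")

# Something in anchor text that looks like a host name or URL, e.g. "www.foo.com".
HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def host_of(url):
    """Lowercased host part of a URL, or '' when there is none (mailto:, javascript:)."""
    return (urlparse(url.strip()).hostname or "").lower()


def same_site(host, domain):
    """True when host is exactly domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def lookalike_of(host):
    """Return the trusted domain that host imitates, or None.

    A host imitates a trusted domain when the brand label appears inside it
    (hyphens ignored, so 'examplecorp-support.com' imitates 'example-corp.com')
    while the host is neither that domain nor one of its subdomains.
    """
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", "")
        if not same_site(host, trusted) and brand in host.replace("-", ""):
            return trusted
    return None


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return [(href, reason)] for every anchor that deserves a second look."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        scheme = urlparse(href.strip()).scheme.lower()
        host = host_of(href)
        shown = HOSTLIKE.search(text)
        shown_host = shown.group(1).lower() if shown else ""
        if scheme not in ("http", "https", "mailto"):
            findings.append((href, "non-web scheme '%s'" % scheme))
        elif host and shown_host and not (same_site(host, shown_host) or same_site(shown_host, host)):
            findings.append((href, "text shows %s but link goes to %s" % (shown_host, host)))
        elif host.startswith("xn--") or ".xn--" in host:
            findings.append((href, "punycode (IDN) host %s" % host))
        else:
            imitated = lookalike_of(host)
            if imitated:
                findings.append((href, "%s imitates %s" % (host, imitated)))
    return findings


# Constructed sample message: one legitimate link, one mailto, four bad links.
SAMPLE_EMAIL = """
<p>Hi, the updated <a href="https://example-corp.com/pricing">pricing sheet</a> is attached.</p>
<p>Sign in at <a href="http://login.example-corp.com.attacker.net/">https://login.example-corp.com</a></p>
<p>Or use <a href="https://examplecorp-support.com/reset">the support portal</a>.</p>
<p><a href="https://xn--exmple-corp-5bb.com/">Example Corp</a></p>
<p><a href="javascript:alert(1)">Unsubscribe</a></p>
<p>Questions? <a href="mailto:sales@example-corp.com">sales@example-corp.com</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print("SUSPICIOUS:", href, "->", reason)
```

Run against the constructed message, the script flags the four hostile anchors and leaves the genuine pricing link and the mailto alone. The heuristics are deliberately simple; a production gateway would add reputation lookups and a fuller brand list, but the "does the text match the destination" check alone catches the most common lure used against marketing staff.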

Be Safe

Section Guide

Ryan
Fahey

View more articles from Ryan

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.
