Anti-Phishing: C-Level Support for Phishing Awareness Training
It is becoming harder and harder to detect phishing attempts. These attempts are becoming more and more sophisticated, meaning even an experienced user can fall prey to the phishing traps set. Despite these facts, many high ranking executives are still refusing to implement some type of phishing training. They may not see the potential benefits, have no desire to pay for training, they may not believe it is really as big of an issue, or they may believe that their IT department has strong enough filters to keep phishing emails from getting through, or they don’t want to deal with any potential embarrassment. Some companies have implemented phishing training and found the executives were the biggest culprits of falling victim.
Are anti-phishing controls difficult to implement?
There are many logical steps organizations can take to avoid phishing emails. According to Digital Guardian, here are a few steps organizations can take to avoid falling prey to phishing:
- Educate employees and conduct training sessions with mock phishing scenarios
- Deploy SPAM filters
- Keep systems up to date with latest security patches and updates
- Install an antivirus solution, schedule signature updates, and monitor antivirus status
- Develop a security policy that includes password expiration and complexity
- Deploy a web filter
- Encrypt sensitive company information.
- Convert to text or disable HTML email
- Require encryption (VPN) for telecommuting employees
If the organization has skilled IT professionals, these controls can be implemented with relative ease, but the company also needs the funds to pay skilled professionals, and to buy the needed equipment and licenses. This is where many companies take issue with implementing security: the cost.
Notice on this list training is the first item listed. For all the security features you can implement within your infrastructure, the system users will always be the weakest link. If the users of that system do not understand how to recognize nefarious email attempts, none of those controls will matter.
Implementing awareness training can be tough if you don’t have the support of the executives. They are the ones who will approve the budget, or release the funds to pay for the training and if they aren’t on board, even if they agree to it, they may not agree to pay top dollar for quality training.
Training can also be tough to implement if the employees are not willing to listen and absorb. If the top level executives feel security awareness training is a waste of time and money, this mindset could trickle down to the employees, making it more difficult to reach them. You can’t force people who don’t want to learn. The trainees need to be participants in their education. This type of organizational culture is what can make implementing training tough.
How to gain executive support for anti-phishing
Most companies are in the business of making money. In order to make money you need to have a product or service for sale, a platform to sell the product or service, a successful and continuous marketing campaign, and a good reputation within your respective market. Company executives want their business to thrive, and they carry an additional burden for the company’s success. The best way to get them on board with anti-phishing, or any type of security awareness training, is to prove to them it is in the best interest of the company, particularly from a financial standpoint.
High level executives may not spend time staying aware of current cybersecurity trends. They expect their IT staff to do this. In order to gain support, the IT staff may need to brief them on current trends and also show stats related to the company users specifically. SANS is a recognized name in cybersecurity, and they have compiled a list of the potential effects of a successful phishing attack against an organization.
Successful phishing attacks could result in:
- Loss of competitive advantage and financial stability due to theft of sensitive information such as intellectual property, trade secrets, or research data
- Reputational damage as compromised accounts can be used to target individuals or other organizations
- Disruption of business operations due to the confidentially, integrity and availability of data being compromised
- Significant financial costs relating to the investigation, response and recovery from a potential compromise or incident.
Convincing executives of the validity of this list may be as simple as providing a few real life examples of successful phishing attacks and the damage caused.
The APWG, Anti-Phishing Work Group, is an international coalition that researches cybercrime across multiple industries. They provide quarterly reports on phishing trends and activities. One interesting thing to note in their most current report is the retail and service industry has taken over as the most targeted industry sector, which was an honor maintained by the banking industry for years. This type of information should prove useful in getting executives on board with training their employees in successfully thwarting off phishing attempts.
Tips for continuous monitoring after implementation
One of the best ways to gauge the success of an anti-phishing campaign is to test employees by deploying your own phishing attack. Sending employees a suspicious email, with hyperlinks that will send them to another training tutorial if clicked, to test their awareness will help a company create metrics and statistics related to the success of the training campaign, as well as help them understand the areas where they may fall short.
I myself fell victim to a staged phishing attack at work. Yes, me, a cybersecurity professional. The way our network is setup, you can use the networked printer to scan hardcopies and have them emailed to yourself or other employees, and you can also fax from the printer as well. You will receive notification of the success or failure of the transmission via email. I had sent a fax earlier in the day, so I didn’t think anything of the “e-fax” email notification I received in my inbox. I had become busy with the demands of the day, so even though I took note of the fact this email looked different than the other notifications, I didn’t take the time to investigate further. I just needed to know that my fax went through, so I clicked the link and was immediately notified that I had fallen victim to a simulated phishing attack and could do nothing else until I completed some training. There was even a test at the end of the training module to make sure I had paid attention.
This type of training was effective on me. I’ve helped to write training modules in the past, I’ve attended cybersecurity awareness training at least yearly, but being shown how in busy moments I too could fall victim was a strong reminder to stay diligent no matter what!
Phishing is still a successful way for bad actors to gain unauthorized access to systems. As phishing attacks continue to grow in sophistication, continued training is one of the top defenses. Ensuring your staff is aware of current phishing trends will help them identify suspicious emails. Training is important, but so is the culture of the organization overall. Having top level support for cybersecurity related training helps to ensure that the boots on the ground employees appreciate the benefits of training as well as taking it seriously. You can’t just attend training; you have to absorb it in order for it to be truly effective.