It should not be a surprise, but by some counts 95 percent of breaches begin with a phishing attack. A single lure email lands in one of your users' inboxes, they click it, and everything unravels from there.
You know the feeling.
You’re excited about something. It’s new, it’s interesting, and you’re ready to go.
But then something happens and all of a sudden that excitement just drains away, to be replaced with a resounding “Meh.”
Training and education models of the past are antiquated and ineffective, and when it comes to the risk to your company and your clients, that simply isn't good enough.
Our webinar for March will focus on a new and improved education model that can be built out as part of an organization’s security awareness training.
You wake up, wipe the sleep from your eyes, and one of the first things you do is reach over and grab your phone. Your work day hasn't officially begun, but you're already looking through your emails. The night before? The same process, in reverse. According to a Good Technology survey, 68 percent of professionals check their work email before 8 am, and 50 percent check it while in bed. It doesn't end there, though: 38 percent commonly break from the dinner table to look through their work emails, too.
In most organizations, a user who can identify and delete phishing emails is considered a huge asset.
And, let’s be honest, they’re certainly a big step in the right direction. Users who can't spot a simple phishing email can easily jeopardize the security of an entire organization, even with a comprehensive set of technical security controls in place.
But in our eyes, there’s still a long way for these users to go. Deleted phish are better than clicked phish, but they shouldn’t be the end goal.
Training users to identify and report phishing emails is far from an overnight fix.
It takes time, persistence, and engagement to make a meaningful impact on user email behaviors.
But you already knew that, didn’t you? In fact, you probably already have a program in place to help users identify potentially malicious emails.
You receive an email from a sender whose name and address you don't recognize, and they are offering you a new service or a deal on something. Is it malicious? Not necessarily. Perhaps you forgot about a newsletter you signed up for a while back.
In anticipation of our previous threat monitoring and forensics webinar, we asked the Twitterverse what happens after they report a suspicious email. Does it fall into a black hole? Does IT check it out to mitigate the potential impact? The results are in, and, interestingly, a majority of polled respondents simply don't know what happens to their emails after they report them.
If you’ve been following our blog for a while, you’ll already be aware of our stance on anti-phishing training.
Experience has taught us that the only way to reliably improve a user’s ability to spot and report phishing emails is to test them in the real world. To put it another way, they need to see realistic phishing emails in their inbox on a regular basis… and you need to put them there.
It’s tempting (oh so tempting…) to treat this as a gotcha exercise.
It’s not exactly a secret that most security awareness training programs are… less than effective.
Something about the 12-month gap between sessions, decade-old content, and total lack of user engagement seems to limit the potential for behavioral change.
We can’t imagine why.
But if you’re reading this, it’s a reasonable bet that you take security awareness more seriously than many of your peers.