Can your employees identify a phishing attack?
Can your employees identify a phishing attack?

Phishing attacks are as popular as ever among cyber-criminals. According to a report from PhishMe, 91 percent of cyber-attacks start with a phish. And the primary reasons people fall victim to these malicious emails are due to curiosity, fear, and urgency.[1] In today's modern workplace, employees are driven by the urgency of deadlines and the fear of under-performing. This makes them the perfect victims for a phishing email.

In Q1 of 2017, the top organisations attacked by phishers were banks, payment systems, and online stores—categories that accounted for more than half of all registered attacks.[2] But, by Q2, cyber-attacks were up by a quarter, with manufacturers bearing the brunt and phishing emails the most popular threat vector.[3] All that to say is, regardless of your industry you can be a victim, which is why security awareness training is more important than ever.

So what is the value of security awareness training and what are the common risks to look out for as your company grows?  And what are the most effective methods of disseminating security awareness training to ensure employees understand and retain the information they're taught?

What are the top five phishing tells used in most campaigns targeting businesses?

B2B spam remains a serious risk for companies. Whether it's the information one has access to or the position they hold within a company, spammers sometimes prefer to target companies, or individual representatives of large businesses, rather than ordinary users. This is where proper security awareness training among employees is especially important.

Here are five questions you should ask yourself if you think an email may be illegitimate:

1)      The URL—if you hover over a link, does the URL match up with what it's claiming to direct you to?

2)      The content—are there an unusual amount of spelling and grammar mistakes?

3)      The ask—is the email asking for personal information?

4)      The offer—does it seem realistic…or is it too good to be true?

5)      Your gut—does anything seem suspicious about the email? If you feel even the slightest hesitation, you're probably right.

Knowing how to identify a phishing email is extremely important, but it is the just the beginning. Security awareness training highlights several different tactics used by cyber-criminals and describes how to defend against them. Training is important to any individual that has access to company data, so for most companies, that means everyone. Keep in mind though, those in HR and finance are particularly targeted as they have access to financial and employee information.

It's important to remember that employee education will reduce the risk of a cyber-breach; however, it won't stop criminals from trying. Providing ongoing education and training to employees is the best way to protect your business in the fight against cyber-crime.

How does virtual training compare to in-person?

While online training is the more modern approach, there is sometimes still a place for in-person training. In-person training allows for direct interaction with instructors, which can be more engaging for some people. The content can also be customised more easily depending on the needs of the employees. Unfortunately, this method is often more expensive and is usually offered as a “one time thing.”

On the other hand, online training allows for consistency of messaging while being cost-effective and easily duplicated. However, with online courses, employers may need to seek out a training programme that is more than a “one time thing”. Solitary, online training can sometimes be unmotivating, so it's important the training programme is engaging and its completion is enforced.

Ultimately, employers need to choose the training method that is best for their employees and company. Either method can be effective – the important part is providing the training.

What else can you share about training employees to be more aware and secure online?

Cyber-risks can take on a variety of forms, from phishing attacks to social engineering to ransomware  etc, and it affects businesses of all sizes. However, as your company grows and expands, there are certain risk factors to look out for:

1.      If you've grown your business beyond 20 employees, you've likely outgrown your security processes and you'll need to revaluate where your threats lie.

2.      The family atmosphere and personal trust often found in small, close-knit businesses can remain; however, that doesn't mean everyone needs access to your backend information if their job description doesn't warrant it.

3.      Insider threats are always a possibility. Employees experiencing hardships—financial, health related, or otherwise—can be susceptible to taking part in insider cyber-crimes. If they're the ones who have access to your data, you may want to consider how you're protecting your business from this risk too.

4.      Insure your assets from the ground up – just like insuring your car, home, or life, your business needs protection from its threats too. Consider risk protection and liability coverage, but recognise that insurance is not a panacea.

5.      Work with a broker well-versed in cyber-risk who can help your organisation understand its overall threat levels, address insufficiencies to mitigate the risks, and leverage insurance coverage for any risks to your business.

The truth is, it's not a matter of if cyber-attacks will happen to your business, but when. Fortunately there are prevention strategies, such as those above, that you can use to protect your business and employees from the damaging effects of a cyber-breach.

Contributed by Eldon Sprickerhoff,  founder and chief security strategist at cyber security company eSentire  

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.