Security Awareness Training Plays a Critical Role in Thwarting Phishing Attacks
Cybercriminals have accumulated a vast amount of personally identifiable information over the years. Almost any information you might want is available on the Dark Web, often for a relatively small fee. But according to the nonprofit Identity Theft Resource Center, fraudsters are shifting their focus from consumers to businesses.
With the right information, cybercriminals can develop phishing campaigns that are highly targeted and extremely effective. According to Verizon’s 2021 Data Breach Investigations Report, the median click rate in simulated phishing attacks is down to just 3 percent. However, targeted phishing emails generated click rates of more than 50 percent.
That’s some pretty good odds.
Clearly, carefully crafted phishing campaigns are worth the cybercriminal’s effort. Although users are becoming better at detecting these attacks, humans remain the weakest link in the security chain. It’s much easier to trick a user into clicking on a malicious link or attachment or giving up sensitive information than it is to defeat sophisticated security tools.
Security awareness training is an organization’s best defense against phishing and other social engineering attacks. Regular, well-executed training can help users identify phishing emails and other threats, significantly reducing the odds that an attack will be successful.
A Key Component of Cybersecurity
In May 2021, the Center for Internet Security (CIS) released version 8 of its CIS Controls, the organization's widely adopted, prioritized list of safeguards for reducing cyber risk. Version 8 consolidated the 20 controls of version 7 into 18, and the training control moved from No. 17 (Implement a Security Awareness and Training Program) to No. 14 (Security Awareness and Skills Training), a higher placement in a shorter list that reflects the weight CIS gives this control within a comprehensive cybersecurity strategy.
A skills component was also added. While it’s important to establish and reinforce each user’s role in protecting IT assets, awareness alone is not enough. Users need to be trained to recognize social engineering attacks and other types of security threats. The training should ideally be role-specific — for example, users in finance and accounting should be trained in procedures to thwart business email compromise (BEC) attacks.
Additionally, workers should be trained in security best practices, including password composition and credential management, handling of sensitive data, and the dangers of using insecure networks for business activities. They should be advised on how to report security incidents and any out-of-date or missing security updates on their devices.
How to Develop a Training Program
There are certain basics that should be included in any security awareness and skills training program. However, organizations should customize their programs to focus on threats that users are most likely to encounter and those that pose the greatest risk. If the organization is subject to industry or government regulations, such as the Payment Card Industry Data Security Standard (PCI DSS) or the Health Insurance Portability and Accountability Act (HIPAA), the training program should address those requirements.
Training should begin with employee onboarding. Users should gain a clear understanding of company policies and procedures and why those policies must be followed. This helps instill a sense of ownership and responsibility for the organization’s cybersecurity strategy.
One-time training is not enough, however. Studies show that users forget much of what they have learned within six months, so training should be repeated regularly. Simulated phishing campaigns are a useful way to test users' awareness, provided the results are used to measure the program rather than to punish individuals. Track the reporting rate as well as the click rate: a user who reports a lure promptly gives the security team a chance to contain the campaign for everyone else, which is the behaviour the training should reinforce.
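The click-rate figures quoted above and the simulated campaigns described here both come down to the same bookkeeping: per campaign, how many unique recipients clicked and how many reported. The following script is an added example, not code from the original article or from GDS, showing how a program owner might compute those metrics from exported simulation events. The event format, campaign names, staff roster and all results are constructed for illustration and are not Verizon DBIR data; the click rates are deliberately arranged so that the median across campaigns stays low while a targeted lure aimed at one department scores high, mirroring the pattern the article describes.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Event:
    """One record exported from a hypothetical phishing-simulation platform."""
    campaign: str
    user: str
    department: str
    action: str  # "delivered", "clicked" or "reported"


DEPARTMENTS = ["finance", "engineering", "sales", "hr"]


def roster(n):
    """Constructed staff list: user00..user(n-1), assigned round-robin to departments."""
    return [(f"user{i:02d}", DEPARTMENTS[i % len(DEPARTMENTS)]) for i in range(n)]


def build_sample_events():
    """Constructed sample data: two generic mass campaigns and one targeted lure."""
    staff = roster(20)  # 5 users per department
    finance = [(u, d) for u, d in staff if d == "finance"]
    events = []
    # Generic campaign 1: everyone receives it, 1 click, 6 reports.
    events += [Event("generic-q3", u, d, "delivered") for u, d in staff]
    events.append(Event("generic-q3", "user03", "hr", "clicked"))
    events += [Event("generic-q3", u, d, "reported") for u, d in staff[:6]]
    # Generic campaign 2: everyone receives it, 2 clicks, 4 reports.
    events += [Event("generic-q4", u, d, "delivered") for u, d in staff]
    events.append(Event("generic-q4", "user05", "engineering", "clicked"))
    events.append(Event("generic-q4", "user10", "sales", "clicked"))
    events += [Event("generic-q4", u, d, "reported") for u, d in staff[:4]]
    # Targeted "overdue invoice" lure sent only to finance: 3 of 5 click, 1 reports.
    events += [Event("spear-invoice", u, d, "delivered") for u, d in finance]
    for u in ("user00", "user04", "user08"):
        events.append(Event("spear-invoice", u, "finance", "clicked"))
    events.append(Event("spear-invoice", "user12", "finance", "reported"))
    # A user who clicked twice must still count once.
    events.append(Event("spear-invoice", "user00", "finance", "clicked"))
    return events


def _rate(numerator, denominator):
    return numerator / denominator if denominator else 0.0


def campaign_metrics(events):
    """Per-campaign click and report rates over unique users who were sent the lure."""
    users = defaultdict(lambda: defaultdict(set))  # campaign -> action -> {user}
    for e in events:
        users[e.campaign][e.action].add(e.user)
    metrics = {}
    for campaign, by_action in users.items():
        delivered = by_action["delivered"]
        # Only count clicks and reports from users the platform actually delivered to.
        clicked = by_action["clicked"] & delivered
        reported = by_action["reported"] & delivered
        metrics[campaign] = {
            "delivered": len(delivered),
            "click_rate": _rate(len(clicked), len(delivered)),
            "report_rate": _rate(len(reported), len(delivered)),
        }
    return metrics


def median_click_rate(events):
    """Median of the per-campaign click rates (the headline number most reports quote)."""
    rates = [m["click_rate"] for m in campaign_metrics(events).values()]
    return median(rates) if rates else 0.0


def departments_over_threshold(events, threshold):
    """(campaign, department, click_rate) for groups whose click rate meets the threshold,
    i.e. candidates for the role-specific follow-up training the article recommends."""
    users = defaultdict(lambda: defaultdict(set))  # (campaign, dept) -> action -> {user}
    for e in events:
        users[(e.campaign, e.department)][e.action].add(e.user)
    flagged = []
    for (campaign, dept), by_action in users.items():
        delivered = by_action["delivered"]
        rate = _rate(len(by_action["clicked"] & delivered), len(delivered))
        if rate >= threshold:
            flagged.append((campaign, dept, rate))
    return sorted(flagged)


if __name__ == "__main__":
    sample = build_sample_events()
    for name, m in sorted(campaign_metrics(sample).items()):
        print(f"{name:14s} delivered={m['delivered']:3d} "
              f"click={m['click_rate']:.0%} report={m['report_rate']:.0%}")
    print(f"median click rate across campaigns: {median_click_rate(sample):.0%}")
    print("follow-up training:", departments_over_threshold(sample, 0.25))
```

Two design points matter in practice. Rates are computed over unique users rather than raw events, so a user who clicks the same link twice (or a platform that logs a click for every image load) does not inflate the number, and clicks are intersected with the delivered set so that test accounts or forwarded copies do not count. The per-department view is what turns a simulation into a training decision: in the constructed data the overall median is 10 percent, yet the finance group hit 60 percent on the invoice lure, which is exactly the case for the role-specific BEC training discussed earlier.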
GDS offers comprehensive security awareness training that covers many relevant topics. More than a dry presentation, our program uses interactive modules to engage users and help them apply what they’ve learned through real-world examples. The program can be customized to your business and delivered frequently to reinforce best practices. Give us a call to learn more.
Benefits of Managed IT Services from Global Data Systems
- Strategic Managed IT: We help you solve your technology-related business problems.
- Connectivity: We get you reliable, secure connectivity anywhere in the western hemisphere in 48 hours.
- Support: When you need help simply call our 24x7x365 support number.
- Billing: Instead of managing hundreds of vendors, get one easy-to-read bill from GDS.