Last Updated: Feb 4th, 2019
Every small business cybersecurity plan should call for a training program to help employees spot and avoid phishing emails. Why, you may ask?
Phishing emails are, by a huge margin, the most popular form of cyber attack and ransomware delivery. In 2018, the average successful phishing attack cost the victimized business roughly $3.5 million to recover from. This is not terribly surprising. Not once you add up the cost of the data loss itself, systems replaced, compensatory damages paid, emergency IT support fees, and any revenue lost from a delay in operations. The chilling truth is that a single employee could accidentally cripple a business instantly by clicking a ransomware link in an email.
The most effective means to combat this problem are education and ongoing training. As a managed IT services provider, we offer managed phishing training to our client companies to protect their end-users. These are some of the best practices we advise following to avoid falling victim to a phishing email.
Further Reading: Build a Custom Email Security Training Dashboard
Best Practice #1: Develop a Coordinated Campaign that Combines Training and Phishing Simulation
The most effective means of keeping your employees prepared is to use a combination of formalized training and monthly test emails. One or the other on its own is insufficient.
As far as training is concerned, we recommend businesses hold a company-wide phishing training session once per year. Use these sessions to inform your employees about the threat that phishing represents, and lay out some best practices for identifying malicious emails.
Follow that up by sending out out phishing test emails to your employees once per month. These emails are designed to mimic a genuine phishing attack email and then track who clicks the link. The information collected informs you which employees require additional training. Like we mentioned in the last point, enlist the support of a local tech support company or managed cybersecurity firm to help get this done.
Best Practice #2: Baseline Phishing Susceptibility
This is a key step in measuring the progress of any training campaign. Begin the process by establishing a baseline phishing risk score. This corresponds to the percentage of employees who are likely to click on a link in a malicious email. Once you run this initial test, you'll be able to measure the impact of your training efforts.
This is easily accomplished. Send out a simulated phishing email to a random sample of personnel to find out the number that are tricked into opening an attachment, click on a link or enter sensitive information. This is your baseline phish-prone percentage.
Best Practice #3: Gain Executive and IT Buy In
Phishing awareness campaigns are most effective when leadership from each department is informed and supportive of the plan. This should include the heads of finance, operations, HR, legal, and union representatives (where applicable). Perhaps your company works with a local virtual CIO. Each of these parties has a different stake in the outcome of the awareness training project. It is important to hear any and all concerns from these teams before launching a company-wide training initiative.
It is also important to inform executives about baseline phishing numbers so they are more aware of the extent of the problem, and by extension the uphill task facing the organization. Return to this baseline again and again as a means of monitoring results.
Best Practice #4: Conduct Random-Random Phishing Attacks
Avoid phishing your employees with the same type of emails over and over. Genuine hackers like to vary their approach, so your training methods should reflect that strategy. We recommend a "random-random" approach to testing. Send out test phishing emails to random groups at random schedules, using random phishing templates and formats.
Instead of sending out the same phishing emails every Monday morning to accounting and every Tuesday afternoon to sales, switch the tactics and schedules around by varying the groups and schedules. This approach familiarizes more people with a wider variety of attacks.
Best Practice #5: Personalize Emails
Hackers understand that a potential phishing victim is more likely to engage with a personalized email. In some cases, this can be as simple as adding a person's first name. Some hackers may go so far as to research your Linkedin or Facebook profiles before crafting their phishing emails. Another tactic is to split phishing email into groups such as by departments, or to tie phishing emails into topical or popular events.
As we mentioned earlier, partnering with the right training provider can make all the difference at this stage. They can leverage lessons learned from previous engagements, which in turns means more targeted and consistent training for employees.
Best Practice #6: Don't Expect Miracles
The results from Security Awareness Training are excellent, but do not expect miracles. Generally speaking, many organizations begin training with a baseline phishing percentage of 15 -20%. This means that this percentage of employees are likely to click on a phishing email. Consistent training drops that rate to about 2%.
In our experience getting the percentage lower is extremely difficult and ultimately impractical. But continuation of the campaign can keep results at or below that level, which will have a significant impact on the organization. When malware infections caused by phishing are minimized, critical data is inherently safer, and the organization is able to re-focus on productive projects rather than putting out fires.
Further Reading: Phishing is Easy: The Economics of The Malware Industry
Best Practice #7: Avoid Witch Hunts
Don’t ever use results in this way or bring them up in annual reviews. It is best to keep results general and use them to correct and train the organization as a whole as opposed to singling out specific individuals.
In the first few weeks of sending out test emails, use the aggregated individual results to shape your company-wide training approach. Once the majority of users have demonstrably lowered their phishing percentages, then it's time to focus on the repeat offenders. It may be necessary to involve HR at this point.
Small business owners, please make security awareness training a priority for your organization. The threat from phishing and ransomware is very real, and evolving every day. Unless you want to start testing the limits of your backup and disaster recovery plan, make preventative measures like training a top priority.
For more information on managed IT support, managed IT services, cloud solutions, data protection, managed backup services and how to access your files while away from the office, please contact us at firstname.lastname@example.org.