Create a Culture of Cybersecurity: Teach Employees to “Catch a Phish”
In 2020, 74 percent of U.S. organizations said they succumbed to a phishing attack. As today’s news cycle fills with ransomware headlines and remote connectivity continues, it’s increasingly essential for companies to implement action plans for cybersecurity awareness. Phishing can get both people and businesses into all sorts of deep water.
The word “phishing” is commonly used as an umbrella term for a variety of attacks, though the overarching category that phishing falls into is called social engineering. Social engineers prey on human nature with the intent to manipulate a person to take a specific action. Phishing refers to the most common type of social engineering: fraudulent emails sent to many people.
The idea is to cast a wide net with simple bait: fake communication that often impersonates an individual or brand. Phishing works because it taps some of the most basic human traits (curiosity, carelessness, fear of missing out), and scammers know how to use those traits to their advantage. They hook you with an email, text message, phone call, or social media message, lure you in with a malicious link or attachment, and then make the catch: stolen login credentials or a compromised system.
Many companies attempt to create a culture of cybersecurity and phishing awareness by using scare tactics. These can make employees annoyed at your IT team—or worse, resentful. They may even feel so anxious about phishing that they won’t click on any link or attachment—even important ones. At the end of the day, negative emotions won’t help you build an effective culture of cybersecurity awareness. HR departments should make it their goal to nurture a blame-free, empowering security culture where all employees feel they are contributing to a shared goal.
Create a culture of cybersecurity
In a well-functioning culture of cybersecurity, employees understand their roles in protecting your company’s data and IT resources. They are active participants in ongoing security conversations. Also, they have the tools they need to maintain good security habits without impeding their work. A blame-free culture doesn’t mean a lack of accountability. Instead of using a punitive model, however, find other ways that motivate employees to follow policies and strong security habits. For example:
- Don’t instill fear in employees with threats of termination for repeatedly falling for simulated phishing.
- Do implement a buddy system that appoints a peer to be a team or department’s cybersecurity expert.
- Don’t require employees to reuse or write down their passwords.
- Do provide appropriate resources and tools, such as password managers, so employees can use and manage strong passwords.
A recent Dashlane and Harris Poll survey found that 79% of employees take at least some personal responsibility for their company’s overall security. Employees want to be part of the solution, and companies need to show them how they can do that.
Implement a cybersecurity education, training & awareness program
Phishing trends sound unsettling—but by educating and training your employees, you will empower them with the knowledge to avoid taking the bait. A successful cybersecurity education, training, and awareness program should answer why security matters to your company. It should communicate to employees why they should care about security. Additionally, it should explain how cybercriminals target and attack businesses and what actions employees can take in the course of their day to enhance security.
Conduct simulated phishing campaigns
To help employees recognize phishing and risky actions through first-hand experiences, use a “show, don’t tell” approach with simulated phishing tests. Phishers may not always have perfect spelling, but they shine at psychology and human behavior. And they’re meticulous researchers. By conducting regular mock phishing campaigns, you can turn employees from a weak link in company security to points of strength.
In addition to serving as practice for employees, the phishing tests measure how many people open the emails, click on the links and attachments, and complete the final action (such as entering their login credentials). You can use these metrics to track the effectiveness of your program over time and identify areas that need additional education and awareness.
Boost phishing defenses with additional tools and processes
Education and awareness are empowering, but you still need to provide tools and implement strategies that support and promote secure practices. Train employees on how to identify and report suspected security incidents and threats, including phishing attacks. Consider creating a dedicated email address or chat channel where employees can report suspicious messages.
Specifically, businesses must also train employees to recognize phishing attempts and social engineering. In addition, they need to adopt a password manager and multi-factor authentication to improve digital hygiene and security. Cybersecurity is as much about people as it is about technology. Businesses need to educate their entire workforce and provide them with tools they will actually use. Doing so makes their lives easier, both at work and at home. Some quick tips for catching a phish include:
- Check the subject line of an email for a sense of urgency, scare tactics, or an enticing offer.
- Ensure the email address matches the sender’s name and/or company.
- Before clicking, look out for poor spelling and grammar, or unusual/awkward use of language.
- Don’t be fooled by personalization because scammers can also learn your personal details.
- Adopt technologies like endpoint security, password managers, and email security.
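As an added example (not code from the original post), the first tips above turned into a small defender-side triage script: it parses one raw email, checks the subject line for pressure or enticement wording, checks that the display name and any Reply-To address match the sending domain, and compares each link's visible text with where the link actually points. The two sample messages, every domain in them, the URGENCY_TERMS list and the name-matching heuristic are all constructed for this example and would need tuning before use on real mail.

```python
"""Heuristic triage of a suspected phishing email, following the article's tips.
The sample messages below are constructed for this example; all domains are fictitious."""
import re
import textwrap
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tip 1: subject-line pressure or enticement (assumed list; tune it to your own mail).
URGENCY_TERMS = (
    "urgent", "immediately", "action required", "account suspended",
    "verify your account", "final notice", "limited time", "you have won",
)
# Anchor text that itself looks like a URL or a bare domain name.
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def _host(url: str) -> str:
    """Lower-cased host of a URL with any leading 'www.' removed ('' if none)."""
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _domain(addr: str) -> str:
    """Domain part of an email address, lower-cased ('' if malformed)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def inspect_message(raw: str) -> list[str]:
    """Return 'CATEGORY: detail' findings for one raw single-part email."""
    msg = message_from_string(raw)
    findings = []

    subject = (msg.get("Subject") or "").lower()
    hits = [t for t in URGENCY_TERMS if t in subject]
    if hits:
        findings.append(f"SUBJECT: pressure/enticement wording {hits}")

    # Tip 2: the display name should match the sending domain (substring heuristic).
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    tokens = [t.lower() for t in re.findall(r"[A-Za-z]{3,}", name)]
    if tokens and not any(t in from_dom for t in tokens):
        findings.append(f"SENDER: display name '{name}' does not match domain '{from_dom}'")
    reply_dom = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"REPLY-TO: replies go to '{reply_dom}', not '{from_dom}'")

    # Tip 3 (look before clicking): compare what a link shows with where it goes.
    payload = msg.get_payload(decode=True) or b""  # None for multipart; samples are single-part
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")
    collector = _LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        shown = _host("http://" + text.split("://", 1)[-1]) if URL_LIKE.match(text) else ""
        real = _host(href)
        if shown and real and shown != real:
            findings.append(f"LINK: text shows '{shown}' but href goes to '{real}'")
        elif real and from_dom and real != from_dom and not real.endswith("." + from_dom):
            findings.append(f"LINK: href host '{real}' is outside sender domain '{from_dom}'")
    # Tip 4 is deliberately not a check: a correct first name in the body does not
    # lower suspicion, because attackers research their targets too.
    return findings


# Constructed samples with fictitious domains; not real messages.
PHISH = textwrap.dedent("""\
    From: Example Bank Security <no-reply@mail-secure-update.com>
    Reply-To: collections@refund-desk.example
    Subject: URGENT: Account suspended - verify your account within 24 hours
    Content-Type: text/html; charset=utf-8

    <p>Dear Alex,</p>
    <p>Confirm your details at
    <a href="http://mail-secure-update.com/verify">www.examplebank.com/verify</a></p>
    """)

LEGIT = textwrap.dedent("""\
    From: Example Bank <alerts@examplebank.com>
    Subject: Your October statement is ready
    Content-Type: text/html; charset=utf-8

    <p>Sign in at <a href="https://www.examplebank.com/statements">examplebank.com</a>
    or visit the <a href="https://help.examplebank.com">Help Center</a>.</p>
    """)

if __name__ == "__main__":
    for label, sample in (("phish", PHISH), ("legit", LEGIT)):
        print(label, inspect_message(sample) or ["no findings"])
```

Run as a script it prints four findings for the constructed phish (subject wording, display-name mismatch, divergent Reply-To, link text that does not match its destination) and none for the legitimate statement notice. The output is meant to back up an employee's decision to report a message, not to replace the mail-security tooling the next tip recommends; a message with no findings is not thereby safe.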
Many businesses are improving their security technologies and processes to make it harder for phishers to hook their employees. But phishers will continue to find novel, unexpected ways to lure people with social engineering. Your best defense is planning for the unexpected and empowering employees with current knowledge, appropriate tools, and ongoing awareness. Companies can only achieve a culture of cybersecurity if everyone is engaged. Cybersecurity is not something only IT and tech-savvy employees can care about. HR departments need to remember that promoting positive cybersecurity awareness, not scare tactics, is what leads to a culture of security.
A version of this post first appeared on TalentCulture.