How Effective Employee Education and Training Combats Phishing Attack Risk
Companies can expect to continue to encounter a similar, steady—if not increasing—steam of phishing attacks specifically targeting business entities for the foreseeable future. As such, now is the time for companies to ramp up their employee phishing education and training regimens.
May 13, 2019 at 07:00 AM
7 minute read
Despite being one of the oldest types of cyber attacks—dating back to the 1980s—phishing continues to plague businesses of all types as one of the most significant cyber threats today. The recent global ransomware attack WannaCry, which infected over 200,000 computers in at least 100 countries, originated with a successful email phishing attack. WannaCry is just one of countless examples of the widespread, severe damage that cyber criminals can inflict upon businesses by using disguised email as a weapon. Phishing attacks are on the rise, and are becoming more sophisticated as time progresses.
As such, now is the time for companies of all shapes and sizes to review the issue of phishing and what steps can be taken to minimize the risk of this lethal cyber threat. In particular, employee education and training is a vital tactic that can be employed to combat the threat of phishing so that companies do not fall victim to this time-tested attack vector.
|Phishing Explained
As a general matter, phishing involves the sending of fraudulent email communications that deceivingly appear to originate from a reputable source. The objective of phishing attacks is either to steal sensitive personal data, such as credit card information or login credentials, or to install malware on the target's machine or systems. Many phishing emails include ransomware—a vicious form of malware that can lock a device by encrypting its files, which then become inaccessible to the victim until a ransom is paid.
While the objective of phishing has remained constant over time, the nature of phishing attacks is constantly evolving. For starters, cyber criminals have branched out beyond emails, and now are perpetrating phishing attacks through both text messages and social media platforms. In addition, today's targeted phishing attacks are also combined with social engineering methods, where phishers research their intended target and incorporate detailed personal information pertaining to the intended victim in their fraudulent communications, significantly raising the likelihood of success of the attack. As such, it is significantly more challenging for companies to defend against phishing scams today than in years past.
Furthermore, the financial impact that a successful phishing attack has on a company is significant. According to the FBI's Internet Crime Report, in 2017 alone, business email compromise (BEC)—a form of targeted phishing geared to defraud companies—cost targets an average of $43,000. In May of last year, the FBI announced updated numbers, providing that phishing has cost businesses more than $12 billion over the last five years alone.
|Employee Education and Training
Employee education and training is an essential tool that companies must utilize in order to effectively defend against sophisticated phishing scams. With proper education and training, a company's workforce can serve as a robust first and last line of defense against phishing attacks.
Companies should include targeted phishing awareness education and training as an integral part of every employee's onboarding process. In addition, companies should also complete phishing training on a regular basis for all members of their organization. Importantly, however, companies cannot rely on mere annual training to carry the day when it comes to effectively combating the threat of phishing attacks. Rather, in order to fully minimize the threat, training needs to be multi-faceted, ongoing, and consistent.
The first step in educating and training employees is to persuasively convey how significant of a threat phishing poses to the long-term success of the organization. Educating employees about the dangers and consequences of phishing attacks is one of the best defenses companies can deploy to guard against the risk of phishing scams. In addition, employees should be educated on current phishing methods and techniques that are being deployed by hackers to deceive employees into giving up access to their organization's network and systems. This ensures that employees stay up-to-date on new and emerging threats, and keeps important data security practices and habits fresh in workers' memories. Furthermore, companies must also provide employees with best practices to implement to ensure they avoid the pitfalls of potential phishing scenarios, such as:
- Never trusting an email based simply on the message's purported source;
- Never relying exclusively on images or logos as a measure of a email's authenticity;
- Being suspicious of emails with generic greetings and improper grammar style;
- Being cognizant of the fact that enticing or aggressive email subject lines are commonly utilized to entice people into clicking on a link or taking other high-risk actions;
- Recognizing that emails that threaten or urge “immediate action” are often used to scare and intimidate targets into acting hastily, before they take the time to exercise proper caution;
- Never clicking on a link without first verifying the destination of the link by hovering the user's cursor over the URL to determine the link destination; and
- Never transmitting sensitive personal or company information via email.
Finally, companies must also teach and train all employees how to spot and recognize attempted phishing attacks. Active training—as opposed to passive training, such as video tutorials—in individual settings is ideal to maximize the impact of phishing training regimens. A very effective technique that companies can implement is to demonstrate what an actual phishing attack might look like in real-time, and how that attempted attack is properly dealt with and neutralized.
In addition, training employees in real-life, non-classroom settings with simulated phishing campaigns is also an extremely effective training and educational tool that aids employees in recognizing their own understanding of the threat, while at the same time reinforcing the company's anti-phishing education and training efforts. For example, a company can test employees by sending them simulated phishing emails to see if they are able to detect the malicious nature of the message. If an employee responds to the email, the company can then use this as an opportunity to educate the employee and further reinforce the importance of proper security measures and practices.
Beyond that, the results of simulated phishing exercises—such as the attack techniques that workers were most susceptible to—can be used to focus and strengthen the organization's phishing education and training efforts, helping to shore up any weak spots that employees may demonstrate in identifying and avoiding phishing scams.
|The Final Word
According to Symantec's 2018 Internet Security Threat Report, approximately 71.4% of targeted cyber attacks involved the use of phishing email messages. In addition, according to a recent Verizon Data Breach Investigations Report, almost two in three instances of malware were installed by way of malicious email attachments contained in phishing emails. Companies can expect to continue to encounter a similar, steady—if not increasing—steam of phishing attacks specifically targeting business entities for the foreseeable future. As such, now is the time for companies to ramp up their employee phishing education and training regimens to effectively defend against the high volume of sophisticated phishing scams which show no signs of slowing down in the coming years.
By effectively educating and training workers to employ effective anti-phishing data security practices, companies can put their workforce in the best position to identify, respond to, and defeat attempted phishing schemes when—inevitably—they arrive in a worker's inbox.
Jennifer J. Daniels is a partner at Blank Rome LLP and serves as co-chair of the Firm's Cybersecurity & Data Privacy group. David J. Oberly is an associate at Blank Rome LLP and is also a member of the Firm's Cybersecurity & Data Privacy group.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Judicial Ethics Opinion 24-58
- 2Sweet James Clinches $17.4M Personal Injury Jury Verdict in California's Kings County
- 3In Lame-Duck Session, US Senate Confirms Illinois Federal Judge on Bipartisan Vote
- 4Gordon Rees Opens 80th Office, ‘Collaboration Hub’ in Palo Alto
- 5The White Stripes Drop Copyright Claim Against Trump Campaign
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250