In my last post on cybersecurity, I described how education and training were critical in stopping system breaches. This week, I discuss how CIOs can train their organizations’ workforce to be the first line of defense.
The primary way hackers gain access to business systems is through phishing techniques. Phishing—which refers to “fishing” for private information like social security numbers, contact information, or passwords—usually comes as an email enticing a user to urgently click on a link. When clicked, the link either attempts to download and install malicious software or takes the user to a website, tricking them into divulging information that will help the hacker to breach their system.
This can also take other forms, such as “vishing,” which uses voicemail or a voice call to get private information, but phishing is the most widely used and easiest to distribute on a wide scale, so I will focus on the tools that can help train users not to be fooled into helping the bad guys get in.
A Baseline Test
We begin with a baseline test to evaluate how likely our employees are to fall for the phishing tricks. This entails sending out a fake phishing email to each user. The email could be anything from “Your password is about to expire, please click here to update your account,” to “Free pizza! Click here to claim your prize,” to “Your UPS order could not be delivered, click here to login and update your status.”
When the user clicks on the link, it takes them to a website that has been established for this purpose. It usually displays some sort of message like: “This was a phishing test from your IT department. Had this been a real phishing email, you might have inadvertently allowed hackers to breach your system.” Then it logs the click into a database so the IT and security team can see a report of which and how many users fell for the trick. It is not uncommon for this baseline number to be very high. If users have not been trained to spot suspicious emails, this number could be as high as 25% or more.
Next, we roll out training to all users so that they won’t fall prey to this kind of attack. This can be done through in-person or virtual classes, or with online training that includes videos and short quizzes. The important thing is to make sure every employee understands what to look for in an email, the importance of being vigilant, and how they can help protect the company by thinking before clicking.
Finally, we repeat the phishing simulation by sending out new emails to all users. These should be different every time, as we don’t want the user to spot them too easily. Now that they have been trained and are aware of how to spot the suspicious emails, the report of how many and which users clicked should be considerably lower. Any users who click on the simulated links should have some consequences like additional training.
These phishing simulations should continue indefinitely, with a cadence that you determine is appropriate for your company—weekly, every other week, or monthly. Over time, the percentage of users who click on simulated phishing links should continue to decline. Aim for 0% but know you may occasionally see one or two clicks.
Tools to Help Train Users
The CIO and IT team could potentially create custom training and simulated phishing emails, but this can be time-consuming. There are many vendors with solutions that automate this process, including baseline testing, awareness training, reporting methods, and response protocols.
Here are some popular choices:
KnowBe4 – https://www.knowbe4.com/
KnowBe4 was named a leader in the 2020 Forrester Wave for Security Awareness and Training Solutions, with the highest scores possible in 17 of the 23 evaluation criteria, including learner content and go-to-market approach. KnowBe4 applies “new school” security awareness training with its simulated phishing platform to help businesses manage the problem of social engineering.
PhishLabs – https://www.phishlabs.com/
PhishLabs Security Training modules are 5-minute “consumable” learning segments focused on a single cybersecurity topic. That makes it easy for employees to rotate through a library of micro-learning segments. PhishLabs offers training plans for sustainable learning and measured against KPIs. Modules are designed to intermix with simulated attack emails to drive awareness and positive behavioral changes.
Sophos – https://www.sophos.com/
Sophos’ security awareness program is part of a defense-in-depth strategy. Sophos Phish Threat educates and tests end users through automated attack simulations, security awareness training, and reporting metrics.
Infosec IQ – https://securityiq.infosecinstitute.com/
Infosec IQ treats employees as part of the solution, not the security problem. Infosec IQ offers a content library, security awareness resource center, and training plans to help organizations stay compliant, reduce phish incidents, and “inspire” employees to adopt better security practices.