Employee Awareness Alone Won’t Solve your Cybersecurity Problems
IT and cybersecurity teams at many organizations are frustrated because, despite repeated awareness training, employees still click on phishing emails. According to Verizon's 2021 Data Breach Investigations Report, the average click-through rate in phishing simulations is about 3%; extreme cases reach around 30%. For a company with 100 employees, that means roughly three people click on each phishing test. And remember that an attacker only needs one person to click on a malicious link or open a malicious file to get a foothold on your network.
Why user awareness works so poorly
While a great security measure on paper, awareness programs deliver mixed results in practice. The main reasons are:
- Cyberattacks and phishing scenarios evolve too quickly. Phishing is also no longer just about email: it arrives by text message, phone call, social networks and more. If your training does not cover every channel attackers use, you are exposed. And frankly, phishing scenarios change constantly, so no program can cover them all.
- Failure to adjust the awareness cadence. The commonly accepted best practice is to train users at least once a year. That was reasonable in 2010, but it is not sufficient in 2021, and yet this "best practice" persists and puts companies at risk. Today you need to train your users every month. Otherwise, take it for granted that one of your employees will eventually click on a malicious link or file, and the best thing you can do is be prepared to respond to the resulting security incident.
- Humans rarely learn from the mistakes of others. Despite high-profile phishing incidents and public warnings such as those from the Canadian Centre for Cyber Security, many users continue to fall for phishing scenarios that have been known for years. The main reason is that when the victim is a third party we don't know, we don't feel concerned, and our vigilance doesn't increase.
The solution
In addition to raising awareness through appropriate training, implement the following measures if you don't want to become the next phishing victim:
Reinforce awareness
- Train users in risk awareness at least once a month.
- For each phishing scenario, cover every channel attackers use to deliver it (email, social networks, phone, text message, etc.). Never assume that users who recognise a scenario in email will recognise the same scenario on another channel. That is a mistake.
- Use examples of cases where colleagues, or employees working in the same field as you, have been victims. The closer the victim is to us, the more vigilant we become.
- Emphasize the impact of phishing in your awareness campaigns. Did an employee click on a malicious link that almost cost the company $100,000? Tell that story; people think twice before clicking once they know the cost.
Measure the effectiveness of your awareness campaigns
You should regularly measure the effectiveness of your awareness campaigns with phishing tests. These tests are often neglected even though they are key to a successful awareness campaign.
More importantly, during each test, identify the people who click repeatedly and take the following steps:
- Give them targeted, personalized coaching and retest them to confirm their awareness keeps improving. If an attack gets in, chances are it will come through one of them, so that is where your effort pays off most.
- Consider offering gift cards when an employee's click-through rate drops consistently across successive phishing campaigns. Positive reinforcement works well.
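The following Python script is an added example (not part of the original post, and not StreamScan tooling) showing how to turn simulated-phishing results into the metrics this section calls for: the per-campaign click rate, a per-channel breakdown, repeat clickers over a rolling window, and a per-user trend that can drive the coaching and reward decisions above. The campaign data is constructed for illustration, and the window and threshold values are assumptions to tune to your own program.

```python
"""Turn simulated-phishing results into the metrics an awareness program needs.
Sample data is constructed; window/threshold values are illustrative assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Campaign:
    name: str              # campaign label
    channel: str           # "email", "sms", "voice" or "social"
    recipients: frozenset  # everyone who received the simulation
    clicked: frozenset     # subset who clicked the link / opened the file


# Constructed results for six monthly campaigns sent to ten users (not real data).
USERS = frozenset(f"user{i:02d}" for i in range(1, 11))
CAMPAIGNS = [
    Campaign("2021-01 parcel notice", "email", USERS, frozenset({"user01", "user03", "user07"})),
    Campaign("2021-02 MFA reset", "sms", USERS, frozenset({"user01", "user03", "user07"})),
    Campaign("2021-03 HR survey", "email", USERS, frozenset({"user03", "user05"})),
    Campaign("2021-04 voicemail", "voice", USERS, frozenset({"user03", "user07"})),
    Campaign("2021-05 LinkedIn connect", "social", USERS, frozenset({"user03"})),
    Campaign("2021-06 invoice", "email", USERS, frozenset({"user03"})),
]


def click_rate(campaign):
    """Fraction of recipients who clicked in one campaign (the 3% figure above)."""
    return len(campaign.clicked) / len(campaign.recipients)


def click_rate_by_channel(campaigns):
    """Aggregate click rate per delivery channel, to spot channels users handle worse."""
    clicks, sent = Counter(), Counter()
    for c in campaigns:
        clicks[c.channel] += len(c.clicked)
        sent[c.channel] += len(c.recipients)
    return {ch: clicks[ch] / sent[ch] for ch in sent}


def repeat_clickers(campaigns, window=6, min_clicks=3):
    """Users who clicked in at least `min_clicks` of the last `window` campaigns.
    These are the candidates for personalised coaching (and, if that fails, isolation)."""
    counts = Counter(u for c in campaigns[-window:] for u in c.clicked)
    return {u: n for u, n in counts.items() if n >= min_clicks}


def user_trend(campaigns, user, half=3):
    """Compare a user's clicks in the older vs newer half of the last 2*half campaigns.
    'improving' users are reward candidates; 'flat' or 'worsening' repeat clickers
    need a stronger intervention."""
    recent = campaigns[-2 * half:]
    older = sum(user in c.clicked for c in recent[:half])
    newer = sum(user in c.clicked for c in recent[half:])
    if newer < older:
        return "improving"
    if newer > older:
        return "worsening"
    return "flat"


def report(campaigns):
    """Summary dict suitable for a monthly awareness report."""
    repeats = repeat_clickers(campaigns)
    return {
        "per_campaign": {c.name: round(click_rate(c), 3) for c in campaigns},
        "per_channel": {ch: round(r, 3) for ch, r in click_rate_by_channel(campaigns).items()},
        "repeat_clickers": repeats,
        "trend": {u: user_trend(campaigns, u) for u in sorted(repeats)},
    }


if __name__ == "__main__":
    for section, values in report(CAMPAIGNS).items():
        print(section, values)
```

With the constructed data, user03 clicks in every campaign and shows a flat trend, so coaching alone is not working for them; user07 is still a repeat clicker but is trending down, which is the pattern the gift-card incentive above is meant to reinforce.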
Shock treatment for heavy clickers
If, despite your repeated attempts at personalized awareness, some users continue to click regularly, take more aggressive measures, including:
- Put their workstations in a separate network zone from other users (e.g., a "clickers" VLAN). Harden these machines: uninstall all unnecessary services and restrict access to features such as PowerShell. This protects the users themselves and limits how far an attack can spread if they do fall for a phish.
- Increase monitoring of this network zone for malicious or suspicious activity. For example, suspicious connection attempts originating in this zone should be triaged before those from other zones in your network, because this is where attackers are most likely to land first.
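As an added example (not from the original post), the Python snippet below shows the kind of zone-aware triage the last bullet describes: it parses constructed firewall log lines, flags outbound connections that were denied or that target a port outside a small allowlist, and moves any such event whose source sits in the assumed "clickers" VLAN (10.50.1.0/24) to the front of the analyst queue. The subnet, the port allowlist and the log format are assumptions, not part of the original text.

```python
"""Zone-aware triage of outbound connection events.
The clicker VLAN range, allowed ports and log format are assumptions for this example."""
import ipaddress
import re

# Assumed address range of the "clickers" VLAN and the egress ports it may use.
CLICKER_ZONE = ipaddress.ip_network("10.50.1.0/24")
ALLOWED_PORTS = {53, 80, 443}

# Constructed firewall log lines (key=value style), not real traffic.
LOG_LINES = [
    "2021-06-14T09:12:03Z src=10.50.1.23 dst=203.0.113.9 dport=443 proto=tcp action=allow",
    "2021-06-14T09:12:07Z src=10.20.4.8 dst=198.51.100.77 dport=4444 proto=tcp action=deny",
    "2021-06-14T09:12:09Z src=10.50.1.23 dst=198.51.100.77 dport=4444 proto=tcp action=deny",
    "2021-06-14T09:12:11Z src=10.50.1.40 dst=203.0.113.50 dport=8443 proto=tcp action=allow",
    "2021-06-14T09:12:15Z src=10.20.4.9 dst=203.0.113.9 dport=443 proto=tcp action=allow",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)


def parse(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    ev["src"] = ipaddress.ip_address(ev["src"])
    return ev


def is_suspicious(ev):
    """Outbound traffic to a non-allowlisted port, or anything the firewall denied."""
    return ev["dport"] not in ALLOWED_PORTS or ev["action"] == "deny"


def priority(ev):
    """1 = handle first. Suspicious events from the clicker VLAN outrank all others,
    because that is the zone where a successful phish is most likely to land."""
    in_zone = ev["src"] in CLICKER_ZONE
    if is_suspicious(ev):
        return 1 if in_zone else 2
    return 3 if in_zone else 4


def triage(lines):
    """Parsed events sorted by priority, then timestamp; unparseable lines are dropped."""
    events = [ev for ev in map(parse, lines) if ev]
    return sorted(events, key=lambda ev: (priority(ev), ev["ts"]))


def queue_summary(lines):
    """(priority, src, dport) tuples in the order an analyst should work them."""
    return [(priority(ev), str(ev["src"]), ev["dport"]) for ev in triage(lines)]


if __name__ == "__main__":
    for p, src, dport in queue_summary(LOG_LINES):
        print(f"P{p} {src} -> port {dport}")
```

In a real deployment the same rule belongs in your SIEM or MDR platform as a priority boost keyed on the source subnet, so the zone isolation and the monitoring of it reinforce each other rather than being two unrelated controls.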
Need Help with Cybersecurity? StreamScan is Here.
Whether you need help conducting a security diagnostic, developing a security plan, or implementing an MDR (Managed Detection and Response) solution, StreamScan has experts with years of experience in cybersecurity who can help. Get in touch with us at smbsecurity@streamscan.ai or call us at 1 877-208-9040.