Why are phishing attacks so popular amongst cybercriminals? According to the PhishingBox and PhishLabs blogs, phishing attacks account for 90% of all data breaches, and email delivery is responsible for 94% of all malware attacks. About 30% of fraudulent emails are opened. The cost to a company when an employee makes the mistake of opening a phishing email averages $3.8 million.
There are things you can implement to protect your company. They all have to do with educating your employees about best email practices, especially now when so many are working from home.
While off-the-shelf training certainly has value, it’s important to augment it with exercises designed to practice mindfulness. Matthew L. Jensen’s 2017 paper in the Journal of Management Information Systems, “Training to Mitigate Phishing Attacks Using Mindfulness Techniques,” illustrated the importance of fostering increased awareness of context and of forestalling snap judgment of suspicious messages.
When employees see an email labeled as external, they should immediately STOP, THINK, and ACT.
Consider the following responses to an email asking you to perform an action:
2. Consider the Nature
3. Consult a third party about the request
Employees need to have a sense of ownership when it comes to protecting the company’s data. Far too often, workers rely on the help desk to rectify the problem after they have taken the bait of a phishing email. Rather than merely fixing problems after the fact, the help desk should be seen as a resource that helps others recognize the warning signs they missed.
Even with top-tier cybersecurity in place, employees’ reactions to the daily glut of emails prove to be the weakest link. If just one person accidentally clicks on the wrong email, the phishing attack is successful. That is why IronOrbit, alongside our complete regimen of multifactor authentication, antivirus, firewalls, IDS/IPS, web application security, content filtering, and 24/7 monitoring, also includes an in-depth review of security policies with the entire organization. Make use of the best cybersecurity technology available, yes, but simultaneously start building a human firewall.
Take steps to ensure a baseline of computer competence among all employees. Cultivate a corporate culture of internal community building so that everyone feels connected to a team. Develop a good-neighbor policy that promotes inter-office communication, so that one employee is encouraged to ask another, “What do you make of this email?” Of course, achieving a company-wide zero response rate to fraudulent messages is difficult. It has to be a multi-pronged, ongoing practice.
Corporate training sessions should always be built on intrinsic motivators. Move away from the traditionally planned, once-a-year “complete your IT training” mentality to a more organic approach that holds managers and teams accountable for results. You can even use a game-playing approach in which one team tries to thwart another with various phishing exercises. Employees can also apply these security practices outside the workplace to protect their personal cybersecurity at home. These strategies work because they make the lessons more personal, and therefore easier to remember.