Avatu - the email security specialists
Organisations can’t stop themselves coming under attack from thieves and other criminals trying to disrupt their business, damage their reputation or steal their data.
But they can prepare themselves better and minimise the risk.
In this blog, and the four others that follow in the series, we’ll cover five simple issues you need to be talking through with your employees right now.
We start with phishing: don’t take the bait
1. Phishing: don’t take the bait
Ensuring that employees have a great understanding of how to spot a phishing attack is often proven to be the most impactful element of a strong security awareness programme.
According to the UK government’s 2018 Cyber Breaches Survey, 75% of successful data breaches arise from staff receiving fraudulent emails.
Concerningly, in the same period, Verizon’s Data Breach Investigations Report found that just 17% of phishing emails are currently identified and reported by staff.
Improvements in employee recognition and reporting of malicious emails could clearly bring significant gains in your organisation’s security posture, but the growing sophistication of such attacks means you must deliver much more than a cursory annual webinar.
As phishing sites are increasingly hosted with valid SSL certificates, asking users to look for the padlock in their address bar as an indicator of a genuine site is no longer enough.
Your regularly delivered security awareness course must prompt users to deeply scrutinise their inboxes: have they been taught to hover over a link before they click to decipher its true destination?
Do they know that a quick Google search for a suspect domain could reveal an attempt to scam them?
With 16 malicious emails received by the average employee each month, making them aware that social engineering is actively used by hackers to manipulate them into aiding criminal activity can have a hugely positive effect on their vigilance.
Simply encouraging users to stop and think about the credibility of an unexpected email is impactful.
Do they recognise the sender, and is what they are requesting reasonable? Is this kind of request unusual?
Is there any proof that the sender and any links or attachments are genuine?
Reinforcement of the key learnings on phishing attacks can be delivered very effectively via phishing simulations.
By synthesising the most common attacks, employees can be encouraged to learn practically, identifying the tell-tale signs of phishing emails and avoiding falling victim.
Simulated phishing attacks should draw on the most common real-world threats today to ensure users are well prepared to identify a genuine phishing email should they receive one.
The impacts on your organisation of email-borne attacks can be extremely severe:
59% of phishing attacks are financially motivated, whilst 41% aim to steal corporate secrets via cyber espionage.
Turning your employees from a potential gateway for these attacks to gain a foothold into a knowledge-armed first line of defence can often demonstrate a significant reduction in risk.
Advice from Rob Savage, Chief Technology Officer with Avatu, the information security advisors.
Rob can be contacted on 01296 621121 or by email: Rob.Savage@avatu.co.uk
Want to know more? You can also download all five pieces of advice today, without waiting for the next blogs, here.