As I have already written in several articles here on the blog, it is extremely important to make employees aware of information security and especially phishing. It's important that everyone learns at least the basics about how to stay safe online. However, according to research from Tessian, two-thirds of employees are not regularly trained on cyber threats. And most of those who are trained do not remember what they were taught. So how can training really stop people from falling for phishing attacks?
For those unfamiliar, phishing attacks are threats in which the criminal pretends to be a trusted entity to trick a target into clicking a malicious link, sharing credentials, or transferring money.
In another article we already talked more about how a single phishing email can cost a company half a million reais.
Employees don't know how to detect threats in email
The number one entry point for threats in companies is email. As a good IT manager or analyst, you understand that raising employee awareness about email security and phishing is important for the organization. However, the survey reveals that only a third of companies provide any training or course on security when using emails.
Additionally, most employees surveyed said they don't know how to identify a phishing attack or what to do if they receive a suspicious email.
This is very worrying, as 95% of all attacks on companies are the result of phishing, an increase of 76% compared to last year. It is even more worrying given the wave of spear phishing, a much more sophisticated type of attack that is targeted at a specific individual or organization.
Without training and awareness about these threats, how can companies expect employees to identify malicious emails and keep the organization safe 100% of the time?
What are the main targets in the industry?
Charities and NGOs are the most exposed and vulnerable, as they are usually not concerned with raising awareness among employees to combat cyber attacks such as phishing. Criminals take notice of this, because they know very well how much valuable data these institutions hold, such as personal data and financial information from donors, which include high-income individuals and well-known brands.
However, this industry is not alone in neglecting information security training. According to the research, the education sector (schools and universities) and engineering companies are also constant targets of criminals. This explains the low percentage of employees (30%) who have had any training in defenses against cyber attacks.
With so much at stake and the threat of spear phishing increasing, information security needs to be fundamental to any company's cybersecurity strategy. Education and training about threats are essential to help detect malicious emails and websites.
But to what extent does training really solve the problem?
We understand that training is important and that it greatly helps your employees detect threats, if done regularly rather than once a year. But we also need to accept the fact that cyber attacks are constantly evolving.
A spear phishing attack, for example, may be too sophisticated for a person to identify. In these attacks, criminals target an individual and pose as a trusted contact in the company's network in order to persuade the victim and achieve their objectives.
Generally speaking, advanced spear phishing attacks that are extremely difficult to identify fall into three categories:
- Internal contact – the criminal impersonates a co-worker
- External partner – the criminal impersonates a supplier or customer
- Service provider – the criminal impersonates a service company such as a bank, Microsoft or Locaweb
Regardless of the category of spear phishing, the criminal uses several manipulation techniques to impersonate a real profile. In some cases, the criminal builds a relationship with the victim that can last several days, until he feels he has their trust, and then sends an email with a request to transfer some money, for example.
Ok, just training won’t solve it…
So what can you do to avoid phishing attacks at your company?
We already know that training is not enough to prevent people from falling for scams. Companies that rely on employee awareness as their only defense against phishing attacks are extremely exposed. Not only because employees are faced with the impossible task of identifying every type of attack, but also because people make mistakes, break the rules and are easily fooled.
Therefore, in addition to employee training, companies must use technology as an ally to help with information security and avoid loss of data and money. Modern technological solutions can identify phishing with greater accuracy and speed.
In the case of email, it is important that companies first make sure they use an email service that is reliable and that helps to detect most malicious emails. Here at Lumiun we chose Gmail, in Google's G Suite package. Another good example is Outlook in the Microsoft 365 suite.
Tessian, which made the research available, also has a service that increases email security.
Now, if you want more complete security, which in addition to email can also identify malicious websites in any type of internet access, a good solution is Lumiun. Lumiun is a service that protects users against phishing and increases security when using the internet in small and medium-sized companies, through a cloud platform.
See in the video below how a phishing attack works, and how Lumiun comes into action to protect your company:
We know that today there is no way to definitively end phishing attacks. But we can use technologies that greatly improve information security and, at the same time, employee productivity.
It is important to remember that problems with data leaks or loss of information, as well as equipment downtime, also impact productivity. The use of network security tools allows employees to devote more attention to tasks that generate results, instead of worrying about uncontrolled security threats.
Request a demonstration of Lumiun and see in practice how you can transform your company's security and productivity.