Email phishing has become a big business and one of the most used and most successful attack vectors. Chances are if you ask around your company, most people know what email phishing is; however, most users don’t understand the various forms phishing can take. It isn’t just about clicking on an attachment anymore, as many phishing attacks don’t even have files attached or links associated with them. With 40,000 new variants of malware being developed every day, detecting an email attack requires constant vigilance.
Since email is the predominant communications vehicle in most companies, it’s easy for email security policy enforcement to become lax. But, estimates are that over 80% of a company’s intellectual property flows through their email systems. This intellectual property exposure, along with the liability of customer and financial data, it’s easy to see how organizations are exposed to a lot of damage.
Most users aren’t malicious, of course, but can nonetheless bring devastation to the company through their actions. For instance, an errant action could facilitate a ransomware attack resulting in dire financial and reputational impact. In today’s fast-paced and customer service-driven business models, employees are expected to respond quickly to requests. Cybercriminals know this, and it’s why phishing emails often convey a sense of urgency.
So, what’s a company to do? Have someone from IT deliver presentations? Sure, education is a crucial step and should be part of any security plan. But, what’s important is to make sure the education sticks. Researchers have found that immediately after a ten-minute presentation, listeners only recalled 50% of what was said. By the next day, the information retention rate had dropped to 25%, and a week later, it was only 5%. Contrast these retention rates to those of experiential learning – doing the task – and retention rates soar to as much as 90%.1
But, how do you experience a phishing attack without actually suffering a phishing attack? That’s where SilverSky comes in. SilverSky offers a professional service where our cybersecurity experts execute a phishing attack against users in your company to test their susceptibility to being phished. The whole process takes about a week and begins by scoping the attack. As we collaboratively structure the test, many clients choose specific users in specific roles or locations. From there, we determine the right template to use to seem realistic to the user, but still have the telltale signs that it might be a phishing attempt. We then execute the attack and monitor the users’ responses. The results of the test are documented in a complete report along with recommendations. We then work to educate your users on the outcomes and what they can do to be better prepared.
From a compliance standpoint, going through this test will help you establish a baseline for your susceptibility to phishing attacks and document your efforts. It’s essential to do these tests periodically so that you can set your trend line and prove your improvement to your auditors.
A final key consideration is that with many users working from remote workspaces, the combination of working remotely with ad-hoc devices and connectivity may make users more susceptible to a phishing attack. Furthermore, the unsettling nature of the COVID-19 pandemic may induce users to drop their guard more frequently than if they were in their typical work environment.
Email may be the most exposed part of your IT infrastructure, so it’s essential to take positive, proactive steps to ensure the safety of your company and your users. Experiential learning will be a great strategy to mitigate the risk and improve your cybersecurity maturity.
If you’d like SilverSky to help, contact us at 1-800-234-2175 or firstname.lastname@example.org.
“3 Reasons That Experiential Learning Boosts Performance,” Phil Geldart, Entrepreneur, April 12, 2017