by Nick Ross
It is widely understood that human beings are the weakest link in the cybersecurity chain. So it should come as little surprise that in the vast majority of ransomware campaigns, cyber-criminals use social engineering techniques to exploit the individual. A majority of attacks start with a phishing email. For this reason, many organisations are looking for products and services to help mitigate this significant cyber-risk.
In fact, it’s become such a thriving segment of the cybersecurity market that Gartner has created security awareness training magic quadrants to rank vendors and their products. So what do best practice staff training programmes look like?
Getting started
Phishing awareness training should be seen as a continuing professional development (CPD) programme, not just a point-in-time tick-box exercise or something for new starters. Before you even think about hitting send on the first phishing simulation, you need a plan. Who is the training for? Perhaps you need different campaigns targeted at different departments. What training campaigns will you use? How frequently are you going to run campaigns? Are you ready to record the results and track progress? Try to answer these questions before getting started.
Next, consider the following:
- Announce the programme to all users prior to running it, as employee buy-in is key to effective training. Email what you’re doing and why.
- Determine the general level of understanding by running a baseline assessment with all users, avoiding anything too advanced.
- Share the results of this test and identify the tell-tale phishing signs that users should have spotted.
- In any communications, avoid creating the impression you’re trying to catch people out. The idea is to create a culture where employees feel confident in reporting potential phishing incidents.
- Consider introducing a rewards scheme to incentivise staff to report suspicious emails.
Going further
Once you’re up and running, you might want to move things up a notch. Don’t be predictable. Avoid easily detectable patterns, such as launching campaigns on the first of each month or using the same template in consecutive quarters. Keeping users guessing will deliver the most realistic assessments. Also remember that you are emulating the bad guys. Attackers often piggyback on seasonal trends, so February, March, and April are a great time for a tax-themed simulation. Likewise, November and December are great for e-commerce-themed ‘attacks’. Think about the timing of campaigns to maximise their effectiveness.
While prevention is better than cure, we can’t simply rely on user awareness to protect critical IT systems. If you’ve moved your email infrastructure to the cloud (eg Microsoft 365 or Google Workspace) then you need to consider how you’re scanning those cloud-hosted mailboxes. Traditional email gateway products remain integral to blocking inbound threats and stopping any compromised machines from sending bad stuff out. But what about messages that don’t leave the organisation?
If you’re only scanning inbound and outbound messages, there is a risk that malicious emails circulating internally within the organisation go undetected. This is a particular challenge if the organisation has a bring your own device (BYOD) policy or allows unmanaged devices to access the company’s cloud email platform. There’s no way of knowing what nasties these devices might be harbouring.
Trend Micro can help
If you are looking for tools to help with your phishing simulation programme, Trend Micro has a free-to-use platform called PhishInsight. It is highly intuitive and contains rich content to simulate realistic phishing campaigns for staff. It also integrates with Active Directory, making it simple to onboard users. And it supports multiple email domains, which is handy for bigger and more complex organisations.
Trend Micro protects users from threats that bypass the built-in protection of cloud-based email providers. In 2020 alone, Trend Micro Cloud App Security blocked 16.7 million malicious emails that were missed by Microsoft 365 and Google Workspace.