We’ve all had this moment: you get an important-looking email or text from a company or the government or maybe a close friend. It sounds urgent! You need to take action immediately. So you click a link, fill out some sensitive information and then you feel it - that creeping suspicion that you’ve just been phished. You feel stupid. Embarrassed. How could you have fallen for this!? It’s the oldest trick in the book! Well, it’s also the most effective.
Phishing is the number one attack vector for malware, ransomware and data exfiltration.
Cisco’s Cybersecurity Threat Trends Report estimated that phishing accounted for 90% of all attacks in 2021. Targeted phishing attacks (known as spear phishing) and attacks via text message (smishing) increase effectiveness by using social engineering to prey on victims’ concerns and fears. Despite how effective it is, the cybersecurity community often treats phishing as a shameful trick that only the non-technical and uninformed fall for. Let’s be very clear:
Falling for phishing doesn't make you stupid.
Everyone is susceptible to phishing. Having a judgemental view of those that do fall for phishing scams does nothing to better your security posture. In fact, it makes you less secure. If you treat being phished as an embarrassing event, your employees will be hesitant to ask for help when they receive suspicious messages.
No matter how many tools or technical steps you take to prevent phishing attacks, people are always at risk of falling for simple social engineering.
So, how do we create a culture that can fight against phishing scams?
Encourage an environment where people aren’t afraid to ask questions.
Let your coworkers know that security professionals are there as a resource and to help them navigate suspicious emails and messages. There are no stupid questions.
Reconsider that internal phishing campaign.
Recent studies show that ethical phishing campaigns may not be as effective as previously thought and may also make employees more susceptible to phishing. If you do run an internal phishing campaign, make sure it is paired with positive and open communication about cyber threats. Educating your employees is more effective than tricking them!
Build a culture of security.
Don’t just educate your employees about best security practices, give them a sense of ownership over security. Instead of telling employees what they must do to follow security policies, help them understand why they should follow security policies. Share security articles and chat about the latest security breaches in the news with your team.
No matter how many tools or technical steps you take to prevent phishing attacks, people are always at risk of falling for simple social engineering. If you’re not creating an open, communicative and non-judgmental environment, you are increasing your security risks. When you create a culture where security is everyone’s job, where you empower your employees to take ownership of security, you decrease their indifference and reduce moral hazard. Above all, when you stop approaching security from a punitive viewpoint, you not only create more secure employees, you create a more secure company.
No matter how cautious you are or how good your security stance is, you may still get hit by a phishing attack. When that happens, Elpha Secure’s unique combination of cyber insurance and endpoint software has you covered. Stop by our website to learn more about how we can help you through a cyber incident.