Anti-Phishing Best Practices: Why Your Employees Are Hacked and What To Do About It


More than nine out of ten successful cyberattacks start with a careless employee. Why is that, and what can be done about it?

91% of successful cyber attacks start with a careless employee, and most of them with a phishing email (Source: IBM Cyber Security Intelligence Index Report). Why does this happen, and why do employees keep getting caught? Experience shows three main reasons why employees fall for malicious emails:

  • Technical deficiencies or misconfiguration of the computer
  • Lack of knowledge
  • Behavioral patterns

Some Reasons Organizations are Hacked:

Correcting technical deficiencies and misconfigurations on the PC and in the network environment is the comparatively simple part of countering this. Most company computers today have a firewall enabled, the latest updates installed and backups in place, so at least the basis for secure work is laid. Do misconfigurations still matter, then? They do: a phishing email only gives an attacker the initial foothold, and it is exactly these remaining weaknesses in the company network (excessive user privileges, unpatched internal systems, open shares) that let them move further once they are inside.

Weak IT security skills among employees are another reason why they get hacked. The demands on employees’ security know-how have risen considerably in recent years; today an employee needs working knowledge in around 20 IT security domains. This starts with recognizing phishing emails, using secure passwords and reading an Internet address correctly (which part of a URL is the real domain), and ends with knowing what business or even private consequences a successful cyber attack can have, for example if the employee enables a malicious Excel macro in a downloaded spreadsheet. The challenge of training an entire workforce in IT security has become significant.
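What “reading an Internet address correctly” means in practice, as an added example for this article (not code from the article, from LUCY or from ThriveDX): the checker below flags the URL tricks that phishing relies on a reader not noticing. The trusted-domain list and the sample links are constructed for the demo, and the registrable domain is approximated as the last two labels of the hostname, which is an assumption; a production checker should use the Public Suffix List, because suffixes such as co.uk or com.au break that shortcut.

```python
"""Flag the classic URL tricks used in phishing links.

Added example; not code from the article or from the LUCY product.
TRUSTED_DOMAINS and the sample URLs are constructed for the demo.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed: brands this (hypothetical) organisation expects links to point at.
TRUSTED_DOMAINS = {"paypal.com", "microsoft.com", "frosta.example"}

# Digits attackers substitute for look-alike letters (paypa1 -> paypal).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 as the last two labels (assumption; use the PSL in production)."""
    return ".".join(host.split(".")[-2:])


def analyze_url(url: str) -> list[str]:
    """Return the deceptive constructs found in one link; [] means none found.

    An empty result does not mean the link is safe, only that none of the
    classic URL tricks is present.
    """
    findings: list[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ["no hostname in link (not a web address)"]

    # 1. Userinfo trick: the browser ignores everything before '@';
    #    the reader sees "paypal.com" but lands on the host after the '@'.
    if parts.username is not None:
        findings.append(f"text before '@' is ignored; real host is {host!r}")

    # 2. A raw IP address in place of a name.
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP address instead of a domain name")
    except ValueError:
        pass

    # 3. Punycode labels (xn--): internationalised names that can render
    #    as look-alike letters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode (xn--) label, possible homograph domain")

    # 4. A trusted brand name used as a subdomain or look-alike label while
    #    the registrable domain, the only part that counts, is someone else's.
    reg = registrable_domain(host)
    if reg not in TRUSTED_DOMAINS:
        normalised = host.translate(CONFUSABLES)
        for brand in sorted(TRUSTED_DOMAINS):
            name = brand.split(".")[0]
            if name in normalised:
                findings.append(
                    f"{name!r} appears in the hostname but the registrable domain is {reg!r}"
                )
    return findings


def triage(urls: list[str]) -> dict[str, list[str]]:
    """Analyse a batch of links, e.g. all hrefs extracted from one email."""
    return {url: analyze_url(url) for url in urls}


if __name__ == "__main__":
    # Constructed sample links: two legitimate ones, then one per trick.
    sample = [
        "https://www.paypal.com/signin",
        "https://accounts.frosta.example/login",
        "https://paypal.com@evil.example/login",
        "http://paypal.com.account-verify.example/",
        "http://paypa1.com/",
        "http://192.0.2.10/update",
        "https://xn--pypal-4ve.com/",
    ]
    for link, problems in triage(sample).items():
        print(link, "->", problems or "nothing suspicious")
```

The brand check only works if TRUSTED_DOMAINS lists every legitimate domain the brand actually uses; a vendor’s secondary domains would otherwise be reported as look-alikes, which is a false positive, not a miss.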

And then we come to the most dangerous reason why employees are hacked: human behavior patterns. From the perspective of cybercrime prevention, personal traits such as gullibility, ignorance, an unreflective sense of duty, overconfidence and carelessness are the greatest risks leading to a successful cyber attack. It is not without reason that 91% of successful hacks start with a careless colleague.

Companies and their management are struggling with technical weaknesses, a lack of IT security knowledge and, above all, with outdated behavior patterns among employees.

In view of this, it is clear what has to be done: you train your staff and raise their awareness. This is best done with a structured cybersecurity awareness program, enough time, and an appropriate solution to run it. It makes sense: it is not for nothing that over 87% of IT security specialists (Source: Global Cybersecurity Outlook 2022) state that a decent level of security cannot be maintained in a company without sensitized employees.

3 Things Your Cybersecurity Awareness Training Program Should Include:

A good cybersecurity awareness program is comprehensive and mostly delivered online. It sensitizes employees with at least these three measures:

  1. Ongoing, repeated training on IT security, cyber risks and the company’s security policies builds the necessary knowledge in each employee.

  2. Regular and realistic phishing simulations consolidate and test that knowledge across the staff.

  3. A phishing reporting button ensures that employees report suspicious emails and that the reported messages go through a downstream analysis and feedback process, so that the reporter learns whether the email really was malicious.
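The downstream analysis behind step 3, as an added example for this article (not code from the article, from LUCY or from ThriveDX): the first checks an analyst runs on a message forwarded by the reporting button. Do Reply-To and Return-Path belong to the visible From domain, what did the receiving mail server record in Authentication-Results (SPF, DKIM, DMARC), and does any link text show one host while its href points at another. Both raw messages and every domain name in them are constructed for the demo; the frosta.example domain is an assumption, not the company’s real one.

```python
"""Triage an e-mail reported via the phishing button.

Added example; not code from the article or from the LUCY product.
Both messages below are constructed for the demo.
"""
from __future__ import annotations

import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed: a credential-phishing mail as the reporting button would forward it.
REPORTED_PHISH = """\
Return-Path: <bounce@mail-campaign.example>
Authentication-Results: mx.frosta.example; spf=fail smtp.mailfrom=mail-campaign.example; dkim=none
From: "FRoSTA IT Support" <it-support@frosta.example>
Reply-To: helpdesk@frosta-it-support.example
To: employee@frosta.example
Subject: Action required: your mailbox will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Sign in to keep access:</p>
<p><a href="https://frosta.example.login-portal.example/owa">https://mail.frosta.example/owa</a></p>
</body></html>
"""

# Constructed: a genuine internal announcement, for comparison.
REPORTED_LEGIT = """\
Return-Path: <it-support@frosta.example>
Authentication-Results: mx.frosta.example; spf=pass smtp.mailfrom=frosta.example; dkim=pass header.d=frosta.example
From: "FRoSTA IT Support" <it-support@frosta.example>
To: employee@frosta.example
Subject: Scheduled maintenance on Saturday
Content-Type: text/plain; charset="utf-8"

The mail system will be unavailable on Saturday from 06:00 to 08:00.
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def triage_reported_email(raw: str) -> list[str]:
    """Return the analyst findings for one reported message; [] means nothing found."""
    msg = message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    # 1. Reply address and envelope sender should belong to the visible From domain.
    from_domain = domain_of(msg.get("From", ""))
    for header in ("Reply-To", "Return-Path"):
        value = msg.get(header)
        if value:
            domain = domain_of(value)
            if domain and domain != from_domain:
                findings.append(
                    f"{header} domain {domain!r} differs from From domain {from_domain!r}"
                )

    # 2. The receiving MTA's authentication verdicts; anything but 'pass' is worth a look.
    for method, result in AUTH_RE.findall(str(msg.get("Authentication-Results", ""))):
        if result.lower() != "pass":
            findings.append(f"{method.lower()}={result.lower()} in Authentication-Results")

    # 3. Link text that claims one host while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in ANCHOR_RE.findall(html):
        href_host = (urlsplit(href).hostname or "").lower()
        text_host = (urlsplit(text.strip()).hostname or "").lower()
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host!r} but href goes to {href_host!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("reported phish", REPORTED_PHISH), ("reported legit", REPORTED_LEGIT)):
        print(label, "->", triage_reported_email(raw) or ["no findings"])
```

Authentication-Results is only trustworthy when it was written by your own inbound mail server; a sender can forge the header, so a real pipeline strips any copy that arrives from outside before this check runs.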

The ideal solution for this is the LUCY Awareness Suite powered by ThriveDX. It greatly simplifies the implementation of an awareness program. With the solution:

  • Training campaigns can be carried out

  • Phishing or smishing simulations can be handled

  • A phishing button and the incident reporting process are designed, configured and rolled out

  • Management is provided with an understandable reporting system

  • Infrastructure assessment functionality is also available to check PC and network configurations and their possible weaknesses

The frozen food manufacturer FRoSTA is a good example. The company, with around 1800 employees and headquartered in Bremerhaven (Germany), knows that its endpoints are becoming better and better protected.

As a result, cybercriminals are shifting their attacks to employees’ e-mail communications. FRoSTA takes this into account with awareness measures and a reporting and analysis process for suspicious emails:

“In order to train our employees professionally and, above all, on a regular basis so that they can increase their security awareness with regard to cyber attacks and thus reduce the risk of an actual incident, we decided to work with LUCY powered by ThriveDX,” explains Mark Christiansen, responsible for IT security at Frosta AG. Not only e-learning modules are used, but also phishing simulations:

The very first results we saw already showed the positive effects of the measures: everyone who clicked on a phishing mail once in the course of an attack simulation and fell for the trap subsequently changed their behavior. There was a real change in thinking among employees. And it’s just a great feeling to see that employees have become much more vigilant and now report to the IT department if they receive a suspicious e-mail, for example.

Mark Christiansen, IT Security at Frosta AG

Palo Stacho joined Lucy Security as a Co-Founder in 2015 to help build the company. As a project manager and solution consultant, Palo has experience from dozens of cybersecurity awareness projects, for customers such as Lufthansa, Bosch, Mobiliar Insurance, OMV and Swisscom. In 2022, Lucy Security was acquired by ThriveDX’s SaaS division, and Palo has remained with the company as an Advisor. Lucy Security allows organizations to measure and improve the security awareness of employees and to test their IT defenses. Lucy offers 300+ customizable training modules, runs on-premise or as SaaS, integrates via SCORM, SSO and LDAP, is GDPR (DSGVO) compliant, and more.
