Anti Phishing Best Practices: Why Your Employees Are Hacked and What To Do About It
- July 1, 2022
- Palo Stacho, Advisor at ThriveDX's Enterprise Division
More than nine out of ten of the successful cyberattacks start with a negligent employee. Why is that and what can be done about it?
91% of successful cyber attacks start with a careless employee and mostly with a phishing email (Source: IBM Cyber Security Intelligence Index Report).
Why does this happen, why do employees get caught up in it?
Experience shows that there are three main reasons why employees fall for malicious emails:
- Technical deficiencies or misconfiguration of the computer
- Lack of knowledge regarding anti phishing best practices
- Behavioral patterns
Some Reasons Organizations are Hacked:
If you want to counter this, then correcting technical deficiencies or misconfigurations of the PC and the network environment is a relatively simple measure.
Most company computers today have a firewall activated, the latest updates are installed and backups are made. At least the basis for secure work is laid.
Are misconfigurations then of any importance at all? Of course, something like this can be exploited by cybercriminals if they were to gain access to the company network.
Weak IT security skills among employees are another reason why they get hacked. The demands on employees’ security know-how have increased considerably in recent years, as today an employee must have knowledge in around 20 IT security domains.
This starts with anti phishing best practices, such as recognizing phishing emails, using secure passwords, being able to correctly interpret Internet addresses, and knowing what business or even private consequences a successful cyber attack can have.
For example, if the employee activates a malicious Excel macro in a downloaded spreadsheet, they need to understand the potential security implications that they are introducing into the system.
Yes, the challenge of training the entire workforce in IT security has become significant!
And then we come to the most dangerous reason why employees are hacked: Human behavior patterns.
From the perspective of cybercrime prevention, personal behaviors such as gullibility, ignorance, unreflective sense of duty, overconfidence, carelessness, and so on are the greatest risks that can lead to a successful cyber attack.
It is not without reason that 91% of successful hacks start with a careless colleague.
Companies and the management are struggling with technical weaknesses, a lack of IT security knowledge and, above all, with outdated behavior patterns among employees.
In view of this, it is clear what is being done about it: You train and increase the awareness of your staff. And this is best done with a so-called cybersecurity awareness program, time, and with the help of an appropriate solution.
It makes sense: Over 87% (Source: Global Cybersecurity Outlook 2022) of IT security specialists state that without sensitized employees, a decent level of security cannot be maintained in the company.
Anti Phishing Best Practices: 3 Things Your Training Program Should Include
A good cybersecurity awareness program is comprehensive and mostly online.
Aside from digging into anti phishing best practices in detail, it should pursue the sensitization of employees with at least these measures:
Ongoing and repetitive training on IT security, cyber risks and the company’s security policies builds the appropriate knowledge in the employee.
Secondly, regular and realistic phishing campaigns are used to consolidate and test the knowledge among the staff.
And third, the provision of a phishing reporting button ensures that employees report suspicious emails and that the messages are subject to a downstream analysis and feedback process.
The ideal solution for this is the LUCY Awareness Suite powered by ThriveDX. It greatly simplifies the implementation of an awareness program. With the solution:
Training campaigns can be carried out
Phishing or smishing simulations can be handled
A phishing button and the incident reporting process are designed, configured and rolled out
Management is provided with an understandable reporting system
Infrastructure assessment functionality is also available to check PC and network configurations and their possible weaknesses
The example of the frozen food manufacturer FRoSTA shows it well: The company, which has around 1800 employees and is headquartered in Bremerhaven (Germany), is aware that the endpoints in the company are becoming better and better protected.
As a result, cybercriminals are shifting their attacks to employees’ e-mail communications.
FRoSTA takes this into account with awareness measures and a reporting and analysis process for suspicious emails:
“In order to train our employees professionally and, above all, on a regular basis so that they can increase their security awareness with regard to cyber attacks and thus reduce the risk of an actual incident, we decided to work with LUCY powered by ThriveDX,” explains Mark Christiansen responsible for IT security at Frosta AG.
Not only does the company employ eLearnings, but they also conduct regular phishing simulations:
Already the first results we saw showed the positive effects of the measures: Everyone who clicked on a phishing mail once in the course of an attack simulation and fell for the trap subsequently changed their behavior. There was a real change in thinking among employees. And it's just a great feeling to see that employees have become much more vigilant and now report to the IT department if they receive a suspicious e-mail, for example.
Palo Stacho joined Lucy Security as a Co-Founder to help build the company in 2015. As a project manager and solution consultant, Palo has experience from dozens of cybersecurity awareness projects, such as Lufthansa, Bosch, Mobiliar Insurance, OMV, Swisscom and more. In 2022, Lucy Security was acquired by ThriveDX’s Enterprise Division and has remained on as an Advisor to the company. Lucy Security allows organizations to measure and improve the security awareness of employees and test the IT defenses. Lucy offers 300+ customizable training modules, is on-premise or SaaS, integrates via SCROM, SSO & LDAP, is GDPR & DSGVO compliant and more.
Protect Your Organization from Phishing
Explore More Resources
- Article, Blog
- Article, Blog
- Article, Blog
- Article, Blog
Your Trusted Source for Cyber Education
Sign up for ThriveDX's quarterly newsletter to receive information on the latest cybersecurity trends, expert takes, security news, and free resources.
