raise employee awareness about phishing

Is raising employee awareness enough to rid your company of phishing threats?

As I've written in several articles here on the blog, it's extremely important to raise employee awareness about information security, and especially about phishing. It's important that everyone learns at least the basics of how to stay safe online. However, according to research by Tessian, two-thirds of employees are not regularly trained on cyber threats. And most of those who are trained don't remember what they were taught. So, how can training really prevent people from falling victim to phishing attacks?

For those unfamiliar, phishing attacks are threats in which a criminal pretends to be a trustworthy entity to trick a target into clicking on a malicious link, sharing credentials, or transferring money.

In another article, we've already discussed how a single phishing email can cost a company half a million reais.

Employees don't know how to detect threats in email.

The number one gateway for threats in companies is email. As a good IT manager or analyst, you understand that raising employee awareness about email security and phishing is important for the organization. However, research reveals that only one-third of companies provide any training or courses on email security.

Furthermore, a large portion of the employees surveyed said they don't know how to identify a phishing attack or what to do if they receive a suspicious email.

This is very concerning, as 95% of all attacks on companies are the result of phishing, representing a 76% increase compared to last year. This is even more alarming with the rise of spear phishing, a much more sophisticated type of attack targeted at a specific individual or organization.

Without training and awareness about these threats, how can companies expect employees to identify malicious emails and keep the organization secure 100% of the time?

What are the main targets in the industry?

Charities and NGOs are the most exposed and vulnerable, as they typically lack the focus to educate their staff on how to combat cyberattacks, such as phishing attacks. Consequently, criminals don't let this go unnoticed, as they are well aware of the amount of valuable data these institutions possess, including personal data and financial information of donors – which includes high-net-worth individuals and well-known brands.

However, this sector is not alone in neglecting information security training. According to the research, the education sector (schools and universities) and engineering companies are also constant targets of criminals. This explains the low percentage of employees (30%) who have had any training in defense against cyberattacks.

With so much at stake and the threat of spear phishing increasing, information security needs to be a central part of any company's cybersecurity strategy. Education and training on threats are fundamental to helping detect malicious emails and websites.

But to what extent does training actually solve the problem?

We understand that training is important and greatly helps your employees detect threats if done regularly, not just once a year. But we also need to accept the fact that cyberattacks are constantly evolving.

A spear phishing attack, for example, can be too sophisticated for a person to identify. In these attacks, criminals target an individual and attempt to impersonate a trusted contact within the company's network, trying to persuade them and achieve their objectives.

Generally speaking, there are three categories that represent an advanced spear phishing attack and are extremely difficult to identify:

  1. Internal contact – the criminal impersonates a work colleague.
  2. External partner – the criminal impersonates a supplier or client.
  3. Service provider – the criminal impersonates a service company such as a bank, Microsoft, or Locaweb.

Regardless of the spear phishing category, the criminal uses various manipulation techniques to try to impersonate a genuine profile. In some cases, the criminal attempts to build a relationship with the victim that can last several days until they feel the victim's trust and send an email requesting a money transfer, for example.

Okay, just training isn't enough...

So what can be done to prevent phishing attacks in the company?

We already know that training alone isn't enough to prevent people from falling victim to scams. Companies that believe employee awareness is their only defense against phishing attacks are extremely vulnerable. This is not only because employees are faced with the impossible task of identifying every type of attack, but also because people make mistakes, break the rules, and are easily deceived.

Therefore, in addition to employee training, companies should use technology as an ally to help ensure information security and prevent data and financial losses. Modern technological solutions can identify phishing with greater accuracy and speed.
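As an added illustration (not code from this article or from any product named in it), the sketch below shows the kind of automated check such tooling can run on an incoming message's From header, covering the three impersonation categories listed earlier. The company domain, employee names, partner domain, brand allowlist and sample senders are all constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed reference data (assumptions for this example only).
OWN_DOMAIN = "example-corp.test"
EMPLOYEES = {"ana souza", "carlos lima"}       # display names of real staff
PARTNER_DOMAINS = {"acme-supplies.test"}       # known suppliers / clients
BRANDS = {"microsoft": {"microsoft.com"}, "locaweb": {"locaweb.com.br"}}

def lookalike(domain, known, threshold=0.85):
    """Return the known domain that `domain` closely resembles without equalling it."""
    for k in sorted(known):
        if domain != k and SequenceMatcher(None, domain, k).ratio() >= threshold:
            return k
    return None

def classify_sender(from_header):
    """Return the impersonation categories a From header is suspicious for."""
    name, addr = parseaddr(from_header)
    name = " ".join(name.lower().split())
    domain = addr.rpartition("@")[2].lower()
    findings = []
    # 1. Internal contact: a colleague's name on an outside address,
    #    or a domain that nearly matches our own.
    if (name in EMPLOYEES and domain != OWN_DOMAIN) or lookalike(domain, {OWN_DOMAIN}):
        findings.append("internal-contact")
    # 2. External partner: a domain one or two characters away from a known partner.
    if lookalike(domain, PARTNER_DOMAINS):
        findings.append("external-partner")
    # 3. Service provider: brand in the display name, domain not owned by the brand.
    for brand, owned in BRANDS.items():
        legit = any(domain == d or domain.endswith("." + d) for d in owned)
        if brand in name and not legit:
            findings.append("service-provider")
    return findings

# Constructed sample senders.
SAMPLES = [
    '"Ana Souza" <ana.souza@freemail.test>',
    '"Accounts" <billing@acme-supp1ies.test>',
    '"Microsoft Support" <no-reply@account-security.test>',
    '"Carlos Lima" <carlos.lima@example-corp.test>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", classify_sender(s) or "no finding")
```

A finding here is a signal for quarantine or a warning banner, not a verdict; checks like this complement SPF, DKIM and DMARC enforcement at the mail gateway rather than replace it.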

In the case of emails, it's important that companies prioritize using a reliable email service that helps detect a significant portion of malicious emails. Here at Lumiun, we chose Gmail, part of Google's G Suite. Another good example is Outlook in the Microsoft 365 suite.

Tessian, the company behind the research, also has a service that increases email security.

Now, if you want more comprehensive security that, in addition to email, can also identify malicious websites on any type of internet access, a good solution is Lumiun. Lumiun is a service that protects users against phishing and increases internet security for small and medium-sized businesses through a cloud-based platform.

Watch the video below to see how a phishing attack works, and how Lumiun comes into action to protect your company:

We know that today there is no way to completely eliminate phishing attacks. But we can use technologies that greatly improve a company's information security and, at the same time, the productivity of its employees.

It's important to remember that problems with data leaks or loss of information, as well as equipment downtime, also impact productivity. Using network security tools allows employees to dedicate more attention to tasks that generate results, instead of worrying about uncontrolled security threats.

Request a demo of Lumiun and see firsthand how it's possible to transform your company's security and productivity.
