Despite more than a decade of research dedicated to combating phishing scams, the fraudulent practice of sending emails purporting to be from reputable companies or sending people to fake websites, continues to overwhelm businesses of all sizes and in every industry. According to the Anti-Phishing Working Group, a global coalition against cybercrime, the total number of known phishing attempts is up 65 percent compared to last year – causing significant financial and brand damage across the board.
The Ponemon Institute reports that these fake website and phishing scams cost organizations about $4 million annually. Spear phishing, the tactic of sending targeted emails supposedly from a known or trusted sender in order to trick individuals to reveal confidential information, alone has been reported to cost an average business $1.8 million each year.
There is an argument to be made for saying employees possess some responsibility the business itself is responsible for creating and maintaining a strong culture of ongoing education and timely training around cybersecurity. Just as learning how to identify counterfeit currency is essential on-the-job training for bank tellers and retail workers, knowing how to identify and appropriately react to targeted and untargeted attacks should be integrated into regular trainings for today’s connected workforce which ultimately impacts nearly every business in every industry. Most businesses understand they have too much to lose by ignoring this, but many do not know where to start.
Here are three ways businesses can take the lead and create a security-minded workforce:
Despite the hundreds of news articles a week on cybersecurity and phishing, many employees do not know what phishing is or how attacks happen. Meanwhile, in the new 24-hour news-and-work machine, it is extremely easy for a multi-tasking employee to click on a malicious link or not notice a misspelling in a website domain, such as a zero replacing the ‘o’ in Amaz0n.com. This combination spells disaster, but thankfully, through proper training and awareness, this behavior can be changed.
As G.I. Joe says, “Knowing is half the battle,” awareness is the foundation of any organization’s cybersecurity program. To arm employees with knowledge and understanding, make it a team effort. Work with the internal comms team to incorporate reminders into weekly emails and the design or marketing team can create flyers for the break and meeting rooms.
Awareness is a great start, but it only goes so far. To create change, motivation must be involved. Enter gamification, or game-based-learning. The concept is not new – as anyone who learned how to count playing hopscotch can attest – but the corporate world has only recently caught on to the power of harnessing gamification to modify employee behavior.
By making education about phishing scams and cyber threats fun and providing positive reinforcements such as rewards, the hard-fought awareness and education in the first step is more likely to stay with the employee and make an impact.
While a sophisticated awareness and training regimen can significantly reduce a successful phish, socially engineered-spear phishes, sometimes dubbed business email compromise (BEC) attacks, can look so real, they can get past even the most discerning expert. A Houston-based Ameriforge Group Inc., suffered such a fate last year when its accountant was targeted by a phishing scam that led him to wire $480,000 into a bank account in China.
Therefore, it is imperative that each company sets up processes to prevent similar losses. For example, create a rule that funds cannot be transferred nor any other sensitive information can be shared via email without an in-person confirmation.
Phishing is and always will be largely a human issue. If every person looked closely at every email they received, phishing as a serious cybersecurity threat would be greatly reduced. With a deep-rooted culture of security, employees can become an organization’s strongest line of defense and the eyes and ears constantly on the lookout for new threats.