Recently, I had the opportunity to attend the Boston Cyber Security Summit. One of the most common topics discussed at the event was organizations’ information being compromised by the end user. There were reports, charts, and data that showed no matter how much time, money, and technology an organization invested into their cybersecurity program, if a user clicked a link or didn’t follow an established procedure, a compromise was more likely to occur.
As you try to protect your organization’s information, what can you do to reduce this common factor? The obvious solution is to remove all end users and only have machines do daily operations, right? While this is only a tongue and cheek solution, the real solution is taking a closer look at your organization’s security awareness program. Do you conduct annual security awareness training (to check a compliance box) that never changes and users just click through so that they can get back to their daily tasks? While annual security awareness training is important, you should consider additional training activities throughout the entire year to keep your employees security-aware and vigilant.
One of the easiest ways to accomplish this is to conduct training exercises frequently while mixing up the method of education as well as the information in the training. This could be in the form of periodic phishing tests sent out to your users to gauge their level of phishing awareness in a real-world scenario, quarterly meetings to discuss new and emerging threats that the organization has witnessed or heard of, or even utilizing a third-party assessor to do physical social engineering walk-through assessments of your facilities from time to time.
How to Train Employees on Phishing
When conducting phishing tests, the emails should be targeted to specific departments and should look like a legitimate email in order to simulate what may be received from an outside attacker. The goal of the test is to identify those risky users that click a link or provide information to the fraudulent sender. It should be used not as an opportunity to shame those who fail the test, but to provide them with additional training and education to be able to prevent such actions when confronted with an actual phishing email. Being able to identify and re-educate these individuals should be the top priority. However, if a user refuses to or cannot identify a potential phishing email after re-training has been conducted on multiple occasions, a serious look at whether they should be allowed access your data and remain employed by the organization should be considered to reduce the likelihood of a compromise.
In today’s corporate landscape, some employees may receive hundreds of emails each week. While there are mechanisms and tools that can help filter out the malicious ones, there are still those emails that are crafted to be missed by these tools. The end user is your last line of defense to prevent malicious content from entering your environment and their security education should be a top priority to the organization.
Protect Your Company's Data With Compass IT Compliance's Security Services
The team at Compass IT Compliance has spent the past decade educating end users in both the public and private sectors to recognize and respond to such threats. We offer a continuous, multi-faceted training and testing approach to ensure users remain up to date on the latest attack vectors. Contact our team of cybersecurity experts today to discuss your unique situation and craft a training plan to fit your organization’s needs!
.webp?width=2169&height=526&name=Compass%20white%20blue%20transparent%202%20website%20(1).webp "Compass IT Compliance")
-1.webp?width=2169&height=620&name=Compass%20regular%20transparent%20website%20smaller%20(1)-1.webp "Compass IT Compliance")
No Comments Yet
Let us know what you think