Ask Your Employees These Five Questions to Test Your Business’ Vulnerability to Phishing
Key Points in This Article:
- Data breaches from phishing and other forms of cyberattack are most often the result of human error rather than technical failures.
- An effective cybersecurity plan involves cybersecurity awareness training that includes current threats, active learning methods, and regular refreshers.
- Most businesses are more vulnerable than they think and should assess employee cyber awareness before it’s too late.
How safe is your business safe from phishing?
Answering this question isn’t merely a matter of discussing your cybersecurity setup. Of course, you should have industry-leading antivirus and anti-malware applications installed on your network and devices and appropriately configured firewalls in place.
You also need to utilize email services that automatically scan attachments for malware and have advanced spam filtering functions to help screen it out. Your IT staff or managed security provider (MSP) must monitor network activity vigorously and investigate incidents immediately to ensure that criminals have not gained a foothold on your network.
These approaches and more must be taken to keep your network safe. But there’s a big component missing here. One that is too often overlooked by business and IT leaders until they’re dealing with a data breach. And that’s your employees.
Phishing is a type of social engineering designed to dupe individuals and employees into providing access credentials, downloading malware, or both. And unfortunately, too many people do not recognize the signs of a phishing email in their inboxes.
Do Your Employees Recognize Phishing Attacks?
Your business is tremendously vulnerable if you’re not providing your employees with cybersecurity awareness training. But even if you are, how effective is it? How much are your employees retaining the information they’ve learned? And can they apply it?
Effective cybersecurity plans include training at regular intervals, with successive sessions including information on emerging threats and newly developed best practices. Ideally, such instruction incorporates active learning methods that compel employees to engage with the subject. Self-paced virtual instruction and lecture-based approaches won’t be as effective at teaching employees why they must be on the lookout for threats and what to do if they spot them.
You also need to test that your employees know and understand what they’ve learned and reinforced the importance of applying these lessons. If up until now, you’ve only directed employees to a cybersecurity awareness YouTube video or two, you should not be surprised by how large a knowledge deficit there is.
Ask Your Employees These Questions to Gauge Their Cyber Awareness
To better understand how vulnerable your business may be to phishing, take some time to ask a random group of employees the following questions:
- What are some signs that an email may be a phishing scam?
- What should you do if you receive an email noting you’ve won a monetary prize to your work email?
- How large does a company have to be to be targeted by phishing scams?
- Are most data breaches the result of faulty security software?
- What industries do cybercriminals target most?
Chances are you’ll be surprised at the answers you hear. And if you aren’t sure about the answers to any of these questions, here’s what you should beheading if your business is in good shape.
What Are Some Signs That an Email May Be a Phishing Scam?
You’ll often find that phishing emails are filled with typos and errors. For example, an email purporting to be from PayPal may have the company’s name written as Paypal. Phone numbers may have incorrect digits, or links may be oddly formatted. In spear phishing cases, where hackers send emails from authority figures, you may see requests for information that is suspicious or inappropriate. So if your boss asks you for your email password or personal credit card information, report it immediately.
What Should You Do if You Receive an Email Noting You’ve Won a Monetary Prize to Your Work Email?
Report it to your IT administrator. Even if you dismiss it as a phishing scam, chances are someone else in your office has also and may fall for it. Don’t keep it to yourself; report it immediately.
How Large Does a Company Have To Be To Be Targeted by Phishing Scams?
Phishing scams have targeted companies of all sizes. Businesses have had to contend with this threat, as have individuals, nonprofits, colleges and universities, hospitals, government agencies, and even military departments. It costs next to nothing to send out millions of emails. But all it takes is a couple of people to fall for a phishing scam for a criminal to make a lot of money.
Are Most Data Breaches the Result of Faulty Security Software?
The overwhelming majority of data breaches result from human error, not technical failures. While poor network security and controls often play a role in data breaches, they most often start with an employee falling for a phishing scam, downloading malware, or losing an unsecured device, among other incidents. A recent Verizon study found that 82 percent of data breaches stemmed from humans, which makes the need for cybersecurity awareness training all the more pressing.
What Industries Do Cybercriminals Target Most?
Many employees and business leaders wrongly assume that criminals will only target large, well-known, and successful companies. Nothing could be further from the truth. Criminals will often attack companies in a region or industry indiscriminately, as it costs little for them to cast a wide net.
You’ll find everything from high finance to small retailers among businesses that have fallen victim to phishing attacks. And while some industries may have seen repeated attacks, such as healthcare and manufacturing, that’s usually because these industries are notorious for poor cybersecurity controls.
Ideally, your employee will say that every industry is vulnerable. You don’t want them to think your business is immune because you work in a niche industry or sector. That kind of thinking signals that they may not be as vigilant as you need them to be.
How to Improve Your Cybersecurity Defences
The latest security application, best physical security, or world-class MSP cannot work effectively if your employees offer criminals access credentials or repeatedly download malware. They must understand common cybersecurity risks and keep their eyes open for them. All it takes is one employee to open one attachment for an organization-wide disaster to strike.
If you’ve asked your employees these questions and gotten different answers, it’s time to revisit your cybersecurity awareness training plan. Ask yourself:
- How often is it offered? (Is it offered at all?)
- Is it mandatory or optional? For all employees from the top down or just some?
- Is the format suitable for adult learners?
- Does it employ active learning methods?
- How are learning outcomes assessed?
- Is the training regularly updated with new, relevant content?
- Is the content aligned with your internal IT governance documents and other policies?
You’ll also want to ensure that employees understand that they are responsible for applying the course content as part of their responsibilities. Work with your human resources staff to determine appropriate disciplinary measures for those who, after receiving training, continue to act in a manner that puts your business at risk.
Strengthening your cybersecurity awareness training cannot wait until next quarter. After all, criminals are working to target your business and others just like it right now. Take the time to assess how vulnerable your business is to phishing attacks today.