Educate your employees on malware and phishing

A recent survey from the Ponemon Institute determined that 54 percent of companies experienced one or more successful cyberattacks that compromised data or infrastructure in the last year [1]. In today's climate, phishing awareness plays an important role in ensuring employees remain on high alert and understand that today's cyberattacks no longer come exclusively in the form of an anonymous email.

As the threat landscape evolves, what is the best way to bring your employees up to speed on the latest hacking trends so that they feel empowered to delete suspicious emails?


How does phishing work?

Cybercriminals engage in highly sophisticated attacks, such as impersonating business associates. They also work around the restrictions of standard firewalls with fileless attacks, which, according to Barkly, a cybersecurity firm and the sponsor of the Ponemon Institute's report, are attacks that use alternatives to malicious executable files to infect a device [2].

As reported by TechRadar, fileless attacks turn the computer's operating system against its user by using certain built-in Windows tools to install malicious files covertly [3]. This is particularly problematic because standard security tools do not detect criminal use of standard Windows tools and utilities.
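One way a security team can catch the abuse of built-in Windows tools that the paragraph describes is to look at process-creation events rather than at files on disk. The script below is an added example, not code from the article or from Barkly or TechRadar: it runs a simple parent/child heuristic over a few constructed process-creation events. The tool names, the Office parent list, and the "long opaque argument" threshold are assumptions chosen for the example, since the article only says "certain Windows tools".

```python
import re

# Assumed lists for this example; the article does not name the tools involved.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
WATCHED_TOOLS = {"powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                 "wscript.exe", "cscript.exe", "certutil.exe"}
# A run of 60+ base64-alphabet characters on a command line is treated as opaque.
LONG_OPAQUE_ARG = re.compile(r"[A-Za-z0-9+/=]{60,}")


def basename(path):
    """Lower-cased final path component, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_event(event):
    """Return the reasons a process-creation event looks like tool abuse.

    An empty list means the event matched none of the heuristics.
    """
    parent = basename(event["parent_image"])
    child = basename(event["image"])
    reasons = []
    if child in WATCHED_TOOLS:
        if parent in OFFICE_APPS:
            reasons.append(f"{parent} spawned {child}")
        if LONG_OPAQUE_ARG.search(event["command_line"]):
            reasons.append(f"{child} given a long opaque argument")
    return reasons


def scan(events):
    """Map the id of every suspicious event to its list of reasons."""
    flagged = {}
    for event in events:
        reasons = classify_event(event)
        if reasons:
            flagged[event["id"]] = reasons
    return flagged


# Constructed sample events (not real telemetry); field names are assumed.
EVENTS = [
    {"id": 1,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -EncodedCommand " + "A" * 64},
    {"id": 2,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-Service"},
    {"id": 3,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r"mshta.exe C:\Users\Public\update.hta"},
    {"id": 4,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for event_id, reasons in scan(EVENTS).items():
        print(f"event {event_id}: {'; '.join(reasons)}")
```

The point of the heuristic is that none of the flagged events involve a malicious file: the same `powershell.exe` binary is benign when started by a user from Explorer (event 2) and suspicious when started by Word with an opaque argument (event 1), so the context of the process, not its hash, is what the detection keys on.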

The hallmarks of an effective phishing email

While security professionals understand the elements of a phishing email, every employee must know when not to open an email. Whether your business engages a specialized firm to deliver customized cybersecurity training for employees, or you develop those materials and classes in-house, the training should cover the following:

  1. Define phishing in all its forms, including spear-phishing, which targets specific people, and whaling, which targets those in positions of power, such as CEOs and CFOs.
  2. Explain what happens when a phishing attack succeeds and the financial costs that companies incur as a result.
  3. Provide examples of the types of subject lines cybercriminals use to increase email open rates.
  4. Point out clues such as grammar and spelling errors and attempts to instill a sense of urgency in the reader.
  5. Point out a lack of personalization, such as the omission of the recipient's name or title, or of standard company jargon.
  6. Show examples of emails with hyperlinks embedded in the text that lead to sites closely resembling legitimate sites, such as a bank or file-sharing site.
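To make the clues in items 4 to 6 concrete for a training class, the script below checks a message for three of them: urgency language, missing personalization, and links whose visible text names a different domain than the one they actually lead to. It is an added example, not code from the article; the urgency phrases, the list of known-good domains, the constructed sample emails, and the recipient name "Dana" are all assumptions made for the example, and spelling and grammar errors (also in item 4) are not checked.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicators for this example; a real deployment would tune both lists.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "account will be suspended", "verify your account")
# Domains the company and its partners are known to use (assumed).
KNOWN_DOMAINS = {"examplebank.com", "example.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude 'last two labels' reduction: login.examplebank.com -> examplebank.com."""
    return ".".join(host.lower().split(".")[-2:])


def find_clues(subject, body_html, recipient_name):
    """Return the training clues present in an email (empty list = none found)."""
    clues = []
    visible_text = re.sub(r"<[^>]+>", " ", body_html)
    lowered = f"{subject} {visible_text}".lower()

    if any(phrase in lowered for phrase in URGENCY_PHRASES):
        clues.append("urgency")
    if recipient_name.lower() not in lowered:
        clues.append("no personalization")

    parser = LinkExtractor()
    parser.feed(body_html)
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if registered_domain(host) not in KNOWN_DOMAINS:
            clues.append(f"link to unfamiliar domain: {host}")
        # If the link text itself looks like a domain, it must agree with the href.
        shown = re.search(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", text.lower())
        if shown and registered_domain(shown.group(0)) != registered_domain(host):
            clues.append(f"link text '{text}' points elsewhere: {host}")
    return clues


# Constructed sample emails (not real messages).
PHISH = {
    "subject": "Urgent: verify your account",
    "body": '<p>Dear customer,</p><p>Your account will be suspended unless you '
            '<a href="http://examplebank-secure.co/login">examplebank.com/login</a> today.</p>',
    "recipient": "Dana",
}
LEGIT = {
    "subject": "Dana, your Q3 statement is ready",
    "body": '<p>Hi Dana, the statement is at '
            '<a href="https://login.examplebank.com/statements">login.examplebank.com</a>.</p>',
    "recipient": "Dana",
}

if __name__ == "__main__":
    for label, mail in (("phish", PHISH), ("legit", LEGIT)):
        print(label, find_clues(mail["subject"], mail["body"], mail["recipient"]))
```

The link check is the part employees find hardest to do by eye: the visible text `examplebank.com/login` looks right, but the destination is a different registered domain. Hovering over a link before clicking reveals the same mismatch the script reports.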


Did the training work?

Next, to test how much of the training employees retained, present them with emails and ask them to classify each as legitimate or suspicious. Ideally, this test should require employees to circle every issue they see on paper, or click on each issue if the test is delivered electronically. In either case, to simulate real-world conditions, limit the employee's review to five to seven seconds, which is typically the time individuals spend deciding whether to open an email.

To ensure cybersecurity training for employees sticks, continue to share examples of phishing emails on the IT department's intranet site, department newsletters and on posters in break rooms. And since cybercriminals evolve their tactics often, require employees to participate in phishing awareness training on at least an annual basis.


Employee awareness is important

Some companies place a great deal of trust in their cybersecurity defenses to detect and prevent phishing emails. And while those tools help, as the appearance of fileless malware shows, criminals possess the wherewithal to trick even the most sophisticated technology. In short, there's no substitute for an engaged employee who understands the sometimes subtle differences between a run-of-the-mill email and one intended to cause damage.

1. Barkly and the Ponemon Institute. "The 2017 State of Endpoint Security Risk Report". Accessed June 1, 2018.
2. Barkly. "The Hype-Free Guide to Fileless Attacks". Accessed June 1, 2018.
3. Simon Wiseman, TechRadar. "Why 'fileless malware' is the biggest new threat to your business". Accessed June 1, 2018.