Phishing attacks are on the rise, and they show no signs of slowing down. They’re also simple to carry out, making them a popular method of attack, and the results can be devastating. This ebook looks at how phishing attacks are being implemented, why they work, and what you and your users can do to avoid becoming a victim.
From the ebook:
More than 90% of cyberattacks and resulting data breaches start with a spear phishing campaign—and many employees remain unable to discern these malicious emails from benign ones. To improve cybersecurity education, some companies are turning to a nontraditional method: Phishing their own employees.
Too often, companies offer only annual training on cybersecurity that doesn’t keep up with the evolving threat landscape, according to Wesley Simpson, COO of (ISC)2. “Using internal phishing exercises is a very inexpensive tool that helps fight the risk and is an investment in staff’s knowledge and education,” Simpson said. “It’s not something that should happen once a year—it should be continuous.”
(ISC)2 runs regular internal phishing exercises on employees. The IT team crafts the emails based on ones that employees actually receive, Simpson said: for example, messages that mimic a coffee shop offering a free beverage or a postal service package notification.
Before making the campaign public, companies should take a baseline measurement of how employees react to one of the phishing exercises, said Carl Leonard, principal security analyst at Forcepoint. Then, you have a metric to measure improvement against.
“A company’s most accurate results will arise from tests conducted when employees have not been forewarned,” he said. “Ideally, they will be in a typical frame of mind and not in a heightened state of alertness knowing that a test will be conducted soon. This allows companies to more accurately baseline current status.”