Corporate Execs Fear the Phish

A recent report says that 75% of corporate executives believe what 100% of cybersecurity professionals know: phishing emails represent the greatest cyber-threat to business computer systems and networks. Humans are still the weakest link in the cybersecurity chain. Cybersecurity awareness training combined with simulated phishing testing is seen as the most effective way to improve detection and avoidance among employees. To be truly effective, training should happen quarterly, but it is often only done annually.

Companies that are subject to regulatory compliance such as PCI-DSS or HIPAA are required to provide at least annual training to employees. Modern training and phishing simulation systems are more affordable than ever, yet companies often do not budget for them.

Phishing attacks have become more sophisticated, and phishing emails are often identical to real emails from cloud service providers, vendors, banks, and others. Spear-phishing attacks originating from real, trusted, but compromised or hijacked email accounts make phishing detection even harder. Frequent training helps keep employees updated on the changing strategies of attackers.

In addition to training, companies should have policies and procedures in place that let employees know what to do if they think they have encountered a phish. Forwarding suspected phishing emails to a designated IT support employee or an email abuse mailbox can be part of that solution.

Companies that can afford it should also be using email filtering appliances to catch and quarantine suspected emails before they make it to employee inboxes. Moving to Office 365 for email may also reduce the number of phishing emails that get through.

Phishing is still a top threat, but there are solutions out there. It's up to management to take action and deploy these solutions.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
