The Threat of Phishing and the ‘Human Firewall’
Phishing attacks remain the leading cause of data breaches, which makes it essential that effective cyber security training is provided for all employees.
Phishing is one of the most prevalent methods of breaching organisations’ cyber defences. You can have the best cyber security in the industry, but it only takes one ill-considered click and it’s all over. The ‘Human Firewall’ is your final line of defence when all other mechanisms have failed. If a phishing email is sitting in an employee’s inbox, it’s down to their security awareness to prevent disaster.
According to the National Cyber Security Centre (NCSC):
'Phishing' is when criminals use scam emails, text messages or phone calls to trick their victims. The aim is often to make you visit a website, which may download a virus onto your computer, or steal bank details or other personal information.
The consequences for organisations who don’t take these email-borne threats seriously can be devastating. Some of these risks include:
Loss of business data (confidentiality)
Loss of private information (DPA2018/GDPR)
System integrity (website defacement)
System availability (downtime)
Business reputation/customer trust (loss of sales)
Time and effort to remediate (cost of remediation/loss of sales)
With over 83% of UK cyber-attacks originating from phishing in 2022, it’s more important than ever to ensure your ‘Human Firewall’ is as strong as it can be.
Empowering your workforce to be able to identify and take action against phishing attempts through training and awareness programs is one of the best approaches in this regard.
It can be challenging for some businesses to pin down where to start with their training and awareness programs. However, there are a growing number of phishing simulation and awareness toolsets available, which provide IT and security teams with an effective means of testing their organisation's cyber security awareness via simulated phishing attacks. These emails work just like the real thing would, but carry no danger to the organisation if a link is clicked, an attachment is opened, or credentials are entered.
Once employees from across your organisation are receiving simulated phishing emails on a regular basis, the next phase is analysing the results and identifying any trends, i.e. which departments or individuals are frequently caught out. All this data will inform your training requirements. In fact, most phishing awareness toolsets feature their own academy or training area, with a progression system that allows you to monitor your organisation’s progress.
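The analysis step above (per-department results, trends across campaigns, repeat clickers) is easy to reproduce outside any vendor dashboard. The following Python is an added example, not code from this blog or from any phishing toolset: it works on a constructed set of simulation results in a made-up (campaign, user, department, clicked, reported) format, and the thresholds used to flag a department for follow-up training are assumptions you would tune to your own programme.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample output from two simulated phishing campaigns (not real data).
# Each record: (campaign number, user, department, clicked the link?, reported the email?)
SAMPLE_RESULTS = [
    (1, "alice", "Finance", True, False),
    (1, "bob", "Finance", True, False),
    (1, "carol", "Finance", False, True),
    (1, "judy", "Finance", False, True),
    (1, "dave", "Engineering", False, True),
    (1, "erin", "Engineering", False, True),
    (1, "frank", "Engineering", True, True),
    (1, "grace", "Engineering", False, False),
    (1, "heidi", "Sales", False, False),
    (1, "ivan", "Sales", True, False),
    (2, "alice", "Finance", True, False),
    (2, "bob", "Finance", False, True),
    (2, "carol", "Finance", False, True),
    (2, "judy", "Finance", False, True),
    (2, "dave", "Engineering", False, True),
    (2, "erin", "Engineering", False, True),
    (2, "frank", "Engineering", False, True),
    (2, "grace", "Engineering", False, True),
    (2, "heidi", "Sales", True, False),
    (2, "ivan", "Sales", True, False),
]


@dataclass
class DeptStats:
    """Counts for one department in one campaign."""
    recipients: int = 0
    clicked: int = 0
    reported: int = 0

    @property
    def click_rate(self) -> float:
        return self.clicked / self.recipients if self.recipients else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.recipients if self.recipients else 0.0


def summarise_campaign(results, campaign):
    """Aggregate one campaign's records into per-department counts."""
    stats = defaultdict(DeptStats)
    for camp, _user, dept, clicked, reported in results:
        if camp != campaign:
            continue
        s = stats[dept]
        s.recipients += 1
        s.clicked += int(clicked)
        s.reported += int(reported)
    return dict(stats)


def departments_needing_training(stats, max_click_rate=0.3, min_report_rate=0.5):
    """Departments that clicked too often or reported too rarely (thresholds are assumed)."""
    return sorted(
        dept for dept, s in stats.items()
        if s.click_rate > max_click_rate or s.report_rate < min_report_rate
    )


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns: candidates for 1:1 follow-up."""
    campaigns_clicked = defaultdict(set)
    for camp, user, _dept, clicked, _reported in results:
        if clicked:
            campaigns_clicked[user].add(camp)
    return sorted(u for u, c in campaigns_clicked.items() if len(c) >= min_campaigns)


def click_rate_trend(results):
    """Per-department click rate for each campaign, in campaign order, to spot improvement or regression."""
    campaigns = sorted({r[0] for r in results})
    per_campaign = {c: summarise_campaign(results, c) for c in campaigns}
    depts = sorted({r[2] for r in results})
    return {d: [per_campaign[c].get(d, DeptStats()).click_rate for c in campaigns] for d in depts}


if __name__ == "__main__":
    for camp in (1, 2):
        stats = summarise_campaign(SAMPLE_RESULTS, camp)
        print(f"Campaign {camp}: needs training -> {departments_needing_training(stats)}")
    print("Repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
    print("Click-rate trend:", click_rate_trend(SAMPLE_RESULTS))
```

Reporting rate is tracked alongside click rate deliberately: a department that clicks rarely but never reports is still a weak point in the 'Human Firewall', because a real phish that one person does click will go unnoticed by the security team.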
It is important to consider how your IT and security teams interact with any phishing awareness toolset you have implemented, and how the follow-up training will be delivered. A phishing awareness toolset only delivers the full range of potential benefits when you’re actively monitoring its results, and ensuring there is positive engagement with all training.
Remember to ensure that your staff are aware of the reporting procedure for when they spot a suspicious email and encourage them to use these functions. Once again, phishing awareness toolsets can help, with many having a report button add-in for Outlook that will automatically notify your IT helpdesk of suspicious emails when clicked.
Bear in mind that you shouldn’t harshly criticise anyone who falls for a simulated phishing email. You should instead use this as an opportunity to train them and boost their cyber security awareness, so it doesn’t happen again. If you create a negative atmosphere, you will find your staff to be less engaged with your IT and security teams, which means they will be less inclined to report potential threats!
However, by following the steps we’ve looked at in this blog, you can create a positive and engaged cyber security culture, where everyone is conscious of email-borne threats (and more!) and aware of their own responsibilities as part of your ‘Human Firewall’.
Xpertex is the new partner of Phished.IO - a pioneer in AI-driven security awareness training. Together, we offer a new standard in security awareness training: 100% automated, fully personalised, and with no need for manual intervention. In fact, we already utilise the Phished.IO toolset as part of our own cyber security ecosystem, and thus are well-placed to implement it within your own environment. We also provide bespoke cyber awareness training that complements our Phished.IO solution. This covers all the most common cyber threats, and what employees can do to help guard against them.
If you’re keen to establish your own ‘Human Firewall’ and develop a true cyber security culture across your entire organisation, don’t hesitate to contact us.