Editor’s note: The following is a guest article from James Karimi, the CIO and CISO at GTT.
As companies move employees back into the office, some side effects of the pandemic are not going away: the pressing threats of phishing, smishing (phishing via text message) and other sophisticated man-in-the-middle attacks.
Since the start of the pandemic, phishing attacks have skyrocketed. But it’s not always as obvious as a direct message from someone pretending to be Elon Musk asking you to buy cryptocurrency.
While the security ecosystem is flush with tools and expertise to build the most advanced systems possible, an organization’s employees are always a potential weak link as they don’t always know how to keep themselves and the enterprise safe.
Every CISO or CIO must rethink their cybersecurity training and education practices by updating their procedures, simulating attacks, and breaking down the silos to get other leaders on board.
Train employees smarter, not harder
It used to be that sufficient cybersecurity training meant taking an annual two-hour course, but that approach has become insufficient in light of the rapid evolution of cyberattacks.
Organizations need to move to a more agile model of one or two brief (five to 10 minutes) training sessions a month. That respects employees’ time and allows security teams to update content more often.
You should also add questions at the end of each session to ensure knowledge absorption.
To keep pace with the latest tactics used by fraudsters, the content of training courses must stay fresh with no repeat materials and occasionally focus on broader topics like business continuity plans and data privacy principles.
Ultimately, the sessions should teach employees to apply critical thinking to cybersecurity, so that a culture of compliance takes hold within the organization.
Think like the enemy to uncover security holdouts
CISOs and CIOs should launch simulated phishing attacks to see how employees apply what they've learned and retrain anyone who fails to absorb the lessons. Security organizations need to craft their own attacks, like a fake SSO login from an external source, and incorporate email forensics for the full picture of what happens.
The goal is to uncover “security holdouts” — employees who are not taking security measures seriously. Someone who falls for two attacks in one month requires additional attention, including a loss of privileges in some cases.
CISOs should partner with HR on adding teeth to programs in order to best deal with “security holdouts.” Sending people to one-on-one training is one option, but harsher measures may be needed for those who won’t buy into increased security measures at first.
HR can help navigate any compliance or legal issues with what is appropriate depending on where employees are located.
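One way to turn simulation results into the follow-up actions described above (the two-failures-in-a-month rule for flagging holdouts, a retraining list, and a per-campaign report rate to watch over time). This is an added example, not code from the article or from GTT; the campaign names, user names and outcome labels are constructed sample data, and the "reported" outcome assumes the email client has a one-click report button so that reports are recorded alongside clicks.

```python
from collections import defaultdict
from datetime import date

# Constructed sample results from simulated phishing campaigns (not real data).
# Each record: (campaign_id, sent_date, user, outcome), where outcome is one of
# "reported" (used the report button), "ignored", "clicked" (opened the lure
# link) or "submitted_credentials" (entered a password on the fake login page).
SIMULATION_RESULTS = [
    ("2023-03-sso-lure", date(2023, 3, 6),  "alice", "reported"),
    ("2023-03-sso-lure", date(2023, 3, 6),  "bob",   "clicked"),
    ("2023-03-sso-lure", date(2023, 3, 6),  "carol", "submitted_credentials"),
    ("2023-03-invoice",  date(2023, 3, 20), "alice", "ignored"),
    ("2023-03-invoice",  date(2023, 3, 20), "bob",   "submitted_credentials"),
    ("2023-03-invoice",  date(2023, 3, 20), "carol", "reported"),
    ("2023-04-vendor",   date(2023, 4, 3),  "bob",   "reported"),
    ("2023-04-vendor",   date(2023, 4, 3),  "carol", "clicked"),
    ("2023-04-vendor",   date(2023, 4, 3),  "dave",  "clicked"),
    ("2023-04-vendor",   date(2023, 4, 3),  "alice", "reported"),
]

# Outcomes that count as "falling for" the lure.
FAILURE_OUTCOMES = {"clicked", "submitted_credentials"}


def failures_by_user_month(results):
    """Count failed simulations per (user, (year, month)) pair."""
    counts = defaultdict(int)
    for _campaign, sent, user, outcome in results:
        if outcome in FAILURE_OUTCOMES:
            counts[(user, (sent.year, sent.month))] += 1
    return counts


def security_holdouts(results, threshold=2):
    """Users who failed at least `threshold` simulations within one calendar month.

    A user who fails once in March and once in April is NOT a holdout under
    this rule; the failures must fall in the same month.
    """
    counts = failures_by_user_month(results)
    return sorted({user for (user, _ym), n in counts.items() if n >= threshold})


def retraining_queue(results):
    """Everyone with at least one failure, for refresher or one-on-one training."""
    return sorted({user for _c, _d, user, outcome in results
                   if outcome in FAILURE_OUTCOMES})


def campaign_summary(results):
    """Per-campaign counts of messages sent, lures reported and lures failed."""
    summary = defaultdict(lambda: {"sent": 0, "reported": 0, "failed": 0})
    for campaign, _sent, _user, outcome in results:
        row = summary[campaign]
        row["sent"] += 1
        if outcome == "reported":
            row["reported"] += 1
        elif outcome in FAILURE_OUTCOMES:
            row["failed"] += 1
    return dict(summary)


def report_rate(results):
    """Fraction of all recipients who reported the lure; the number you want rising."""
    total = len(results)
    reported = sum(1 for _c, _d, _u, outcome in results if outcome == "reported")
    return reported / total if total else 0.0


if __name__ == "__main__":
    for campaign, row in campaign_summary(SIMULATION_RESULTS).items():
        print(f"{campaign}: sent={row['sent']} reported={row['reported']} failed={row['failed']}")
    print("overall report rate:", round(report_rate(SIMULATION_RESULTS), 2))
    print("retraining queue:", retraining_queue(SIMULATION_RESULTS))
    print("security holdouts (2+ failures in one month):",
          security_holdouts(SIMULATION_RESULTS))
```

In the sample data only "bob" fails twice in the same month, so only he is flagged as a holdout, while "carol" (one failure in March, one in April) and "dave" land in the retraining queue but not on the holdout list. Feeding this from a real simulation platform's export means mapping its outcome labels onto the four used here.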
Getting the whole team involved
Just like with the training sessions, CISOs must continually update their simulated phishing attack strategies to reflect the evolving approaches used by malicious actors.
For example, they can start by working with developer teams to build more sophisticated resources such as enhanced fake login pages for employee work portals.
Another important project is building a phishing button for your email client, so employees have a one-click option for reporting fake attacks.
It's also crucial to expand the program’s focus beyond full-time employees. Contractors also need the same level of rigor and need to be aware that they are just as vulnerable. Coordinate with other departments to mandate that contractor groups are given the same training as regular employees.
The rule of thumb is that anyone who can access internal data must undergo the same rigor.
Better training builds better connections
As phishing attacks get more sophisticated, attackers leverage more information available on the web against employees. Attackers are trying to use as much personal data against you and your employees as possible, and this includes posing as your partners, vendors, and service providers.
Everyone in an organization must be vigilant, applying critical thinking and simple personal checks such as “if a message smells fishy, call the person to verify it.”
Because security is only as good as your weakest link, building an educated workforce will help ensure your security practices succeed.