
Identifying and combating sophisticated phishing emails


GUEST OPINION: Organisations face increasing threats from an old adversary: phishing attacks. While not new, phishing attacks continue to be a top tactic (56%) that malicious actors use to gain access to a network.[1] This access could lead to any number of devastating actions like espionage, breaches of privacy or ransomware. Consequently, companies and individuals need to be more vigilant than ever in spotting and combating these types of attacks.

Steven Woodhouse, Field Chief Information Security Officer, Australia and New Zealand, Fortinet, said, “Phishing remains a perennial challenge, and the intensification of these attacks is driven by the persistent expansion of the Ransomware-as-a-Service (RaaS) model. It’s crucial business leaders build a cybersecurity awareness culture and conduct regular user training. Too often, organisations will serve up poor quality, dull, or irrelevant cyber training to their employees as a compliance obligation. This is a recipe for disaster. Employees must be engaged, motivated, and enthusiastic about their part in countering the cyber threat. Employees can be the strongest and best line of defence against these types of attacks. Conversely, it takes only one mistake from an employee for threat actors to exploit a company’s vulnerabilities.”

Education and training have had a positive impact on individuals being able to identify a scam. Many users are aware of what a phishing email is and what they should look out for. This includes poorly constructed content featuring grammar mistakes and spelling errors and an unnatural sense of urgency to open links or attachments. However, many malicious actors are leveraging emerging tools such as artificial intelligence (AI) to help make their emails more convincing, and this can create challenges for employees who must upgrade their own skills to keep up with the evolving threat.

Steven Woodhouse said, “Advanced tools and technologies let cybercriminals craft more convincing and deceptive phishing emails by duplicating the exact design and layout of legitimate emails from reputed businesses, making them harder to differentiate from genuine communications. Better spelling and grammar also make it more likely recipients will click on malicious links or provide sensitive information.

“Meanwhile, attackers are also turning to spear phishing, which is a more targeted and, often, highly successful approach. Spear phishing attacks target specific individuals within organisations with personalised messages, often using information gathered from social media or other sources to make the email seem more legitimate. This increases the likelihood that the recipient will fall for the scam.”

Given that most ransomware attacks are delivered via phishing, arming employees with knowledge is critical. There are three ways business leaders can fortify their cyber resilience in the face of phishing attacks:

  1. Assess employees

Companies can assess employees’ resilience to phishing threats by running simulated attacks and evaluating employees’ responses. If employees can recognise the attack and decline to click on malicious links, this is a sign that the organisation’s cybersecurity education and training are working well. If, however, users fail to understand when they’re being targeted or what to do when an attack is underway, then the business can see that it must increase the focus on training and education.

  2. Conduct ongoing training

The only way employees will understand how to identify a phishing attack and what to do if they believe they’ve been targeted is to teach them what to look for and have a response plan in place. Just as an employee would dial emergency services and evacuate the building if the office were on fire, they need to know whom to call and what to do if they receive a phishing email.

Training shouldn’t just be a once-a-year activity but a continuous, comprehensive process aimed at building a cyber-aware culture. To make it more effective, it’s important to adopt a human-centric design and involve employees in creating both training programs and policies. This approach gives them a sense of ownership, which makes them more likely to engage and comply. Working with a trusted security partner can help companies prioritise security, deliver effective training, and meet regulatory or industry compliance training requirements.

  3. Clarify reporting protocols

Organisations need a straightforward and easily accessible protocol for employees to report suspicious emails or websites they encounter. By fostering an environment where employees are encouraged to adopt a ‘better safe than sorry’ approach, they’ll be more likely to report anomalies without hesitation. Proactive reporting can be instrumental in preventing potential breaches and safeguarding the company’s digital assets.

Steven Woodhouse said, “To stay a step ahead of phishing scams, it’s imperative for every organisation to continuously assess and refine their security awareness initiatives. Business leaders must ensure that their workforce is equipped with the latest knowledge to avoid becoming the latest cyber breach statistic.”

[1] https://www.fortinet.com/content/dam/fortinet/assets/reports/report-2023-ransomware-global-research.pdf

http://itwire.com/guest-articles/guest-opinion/identifying-and-combating-sophisticated-phishing-emails.html