This past year was defined by change and adaptation. Many stories dominated the headlines: learning to be more health conscious in public, a presidential election, protests across the country in support of various movements, and a massive shift to employees doing their jobs from home. It is hard to keep track of all these changes, let alone absorb them, and on top of that you are worried about job security, expenses, and family. You open your laptop and find an email from your IT department telling you that your password has expired, conveniently including a link to a website where you can change it. With so much on your mind, you click the link, land on a page that looks right, enter your current password, and create a new one.
What you don’t know is that it was a trap. The email was a phishing message, and the site was not your company’s password portal but a credential-harvesting page. It captured your old password, the new one you just created, your email address, and your Windows username, and it may also have dropped malware (a keylogger or a Trojan) onto your machine. Someone you have never met now holds working credentials for your company’s network, and if the account is protected by nothing more than that password, nothing stands in their way. This scenario plays out constantly, and it is why users need to be trained to spot phishing the way a security professional would.
Why Is This Important?
Surveys of password habits consistently find that people build passwords from personal details that are often visible on their social media profiles: pet names, birthdays, children’s or spouses’ names, favorite movies, and so on. So what can you do to educate your users? Telling them about the consequences of a bad click is not the same as teaching them the right behavior. A better approach is to engage a company or service that specializes in teaching users to recognize attempts to breach your network.
You can have the best, most cutting-edge security appliances available, but it takes only one user to bring it all down by letting ransomware or other malware onto the company network. User training is an essential layer in keeping your network secure.
Several companies offer training that teaches users how to handle unsolicited email, so what should you look for when shopping for one?
First and foremost, choose a vendor that is well established in the industry, has good ratings, and has been around for a while. Next, evaluate what the vendor actually offers. Watching one training module and stopping there is not enough; you want to test your users regularly with simulated phishing emails, measure the results, and give users a simple way to report suspected phishing to your IT department.
Know before it’s too late
ZAG partners with KnowBe4 to offer our clients exactly this kind of user training. It starts with a baseline test that measures what percentage of your users will click on a simulated phishing email. Once that is complete, we set up an initial training campaign that teaches users what to look for in a suspicious email: how to tell who the message is really from, where its links actually lead, and several other common red flags.
We also install a tool in Microsoft Outlook called the “Phish Alert Button,” which lets users report a suspicious email to your IT department with one click so it can be flagged and added to your email filters.
Finally, we run a monthly campaign that randomly selects simulated phishing emails from various categories and sends them to all your users to test what they have learned. Anyone who clicks a link or opens an attachment in one of these simulated emails is enrolled in refresher training, and the program automatically enrolls new hires in the initial training. We also offer more targeted campaigns for users in sensitive roles such as HR, payroll, and executive staff.
Criminals are usually a step ahead of the industry and are getting better every day at making fake sites look genuine. Firewalls, spam filters, and email security appliances do a lot to stem the tide of malicious email, but it only takes one message to compromise your network. Are you willing to put the security of your network in your users’ hands without giving them the tools to avoid phishing? Start looking into a training platform today and take the steps needed to educate your users. The keys to your kingdom are in their hands; now it is up to you to show them how to protect them.
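The two checks named above, who the message is really from and where its links really go, are mechanical enough to show in code. The Python script below is an added example written for this article; it is not part of KnowBe4’s or ZAG’s tooling. It parses a raw email, compares the sender’s domain and any Reply-To against the organization’s real domain, compares each link’s visible text with its actual destination, flags look-alike hosts that borrow the trusted name, and scans for pressure words like the password-expiry wording in the opening scenario. The trusted domain (example.com), the keyword list, and the two sample messages are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain(s) this organisation really sends mail from: an assumed value for the example.
TRUSTED_DOMAINS = {"example.com"}

# Wording that pressures the reader to act before checking (assumed, deliberately short list).
URGENCY_WORDS = ("expired", "immediately", "within 24 hours", "suspended", "password")


def domain_of(address: str) -> str:
    """Lower-cased domain of an e-mail address, '' if the address has none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_trusted_host(host: str) -> bool:
    """True for a trusted domain or any of its subdomains (not for look-alikes)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def borrows_trusted_name(host: str) -> bool:
    """True when an untrusted host embeds a trusted name, e.g. example.com.reset-portal.net."""
    return not is_trusted_host(host) and any(d.split(".")[0] in host.lower() for d in TRUSTED_DOMAINS)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_red_flags(raw_message: str) -> list:
    """Return [(code, detail), ...] for every red flag found in an RFC 822 message."""
    msg = message_from_string(raw_message)
    flags = []

    # Who is the mail really from? The display name is free text; only the address counts.
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if not is_trusted_host(from_domain):
        flags.append(("external-sender", f"'{from_name}' is really {from_addr}"))

    # A Reply-To on a different domain quietly redirects any answer to the attacker.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        flags.append(("reply-to-mismatch", f"From {from_domain} but replies go to {reply_domain}"))

    # Gather body text and links from every text part (HTML anchors or bare URLs in plain text).
    text, links = msg.get("Subject", ""), []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        text += "\n" + body
        if part.get_content_subtype() == "html":
            collector = LinkCollector()
            collector.feed(body)
            links += collector.links
        else:
            links += [(u, u) for u in re.findall(r"https?://\S+", body)]

    # Where does each link really go? Compare the visible URL with the href behind it.
    for href, shown in links:
        host = urlparse(href).hostname or ""
        shown_host = urlparse(shown).hostname if shown.startswith("http") else None
        if shown_host and shown_host.lower() != host.lower():
            flags.append(("link-text-mismatch", f"shows {shown_host} but goes to {host}"))
        if borrows_trusted_name(host):
            flags.append(("lookalike-domain", host))

    found = [w for w in URGENCY_WORDS if w in text.lower()]
    if found:
        flags.append(("urgency", ", ".join(found)))
    return flags


# Constructed sample messages (not real mail), modelled on the scenario in the article.
PHISHING_SAMPLE = """\
From: "Example IT Department" <helpdesk@example-it-support.net>
Reply-To: reset@mail-reset-portal.net
To: employee@example.com
Subject: Your password has expired
Content-Type: text/html; charset="utf-8"

<p>Your password expired. Reset it immediately to avoid losing access:</p>
<a href="http://example.com.reset-portal.net/login">https://portal.example.com/reset</a>
"""

LEGITIMATE_SAMPLE = """\
From: "Example IT" <helpdesk@example.com>
To: employee@example.com
Subject: Saturday maintenance window
Content-Type: text/html; charset="utf-8"

<p>The VPN will be offline on Saturday from 02:00 to 04:00.</p>
<a href="https://intranet.example.com/status">https://intranet.example.com/status</a>
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, phishing_red_flags(sample))
```

Run against the constructed phishing sample, the script reports an external sender hiding behind an internal-looking display name, a Reply-To on a third domain, link text that shows portal.example.com while the href goes to example.com.reset-portal.net, a look-alike host, and urgency wording; the legitimate sample produces no flags. The keyword list is the crudest part and will match ordinary IT mail if it is left this short, which is exactly why the sender and link checks carry more weight than the wording.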