Employee training is an essential long-term defense against phishing attacks, according to David Barton and Kimberly Anderson at UHY Advisors. In an article for Accounting Today, Barton and Anderson note that most cyber attacks depend on phishing or another form of social engineering, so organizations need to focus on educating their employees about these tactics. Organizations should assume they are already being targeted by such attacks and begin that education now, rather than waiting until an attack has already succeeded.
“Nearly every company will be the target of a cyberattack at some point as long as their doors are open,” Barton and Anderson write. “The better employees are at recognizing a phishing email, the more likely the company will be able to avoid an attack that could damage their reputation and cost them precious time and money. It is essential for companies to have core cybersecurity practices in place and for employees to know what to look for and how to handle it.”
Barton and Anderson note that the average employee receives sixteen phishing emails per month, and only one of these needs to succeed in order to compromise the targeted organization.
“It only takes one click of a mouse on the wrong email to cause damage to a company’s well-being as well as their reputation,” they say. “It is worth investing in the proper training and processes to prevent a mistake that could cost the company millions of dollars. A recent Ponemon Institute study that focused on the cost of phishing and the value of employee training found that training reduced click-throughs on phishing emails between 26 percent and 99 percent, with an average improvement of 64 percent.”
Real-world experience is the best way to learn about these attacks, so organizations should use realistic phishing simulations as part of their training programs.
“Practice is necessary in order for people to be able to recognize phishing scams and learn how to deal with them appropriately,” Barton and Anderson write. “Employees are on the front lines of all phishing attacks. Conducting internal phishing campaigns gives employees the opportunity to practice safely while providing companies a mechanism to track progress. Training and testing employees on phishing recognition skills will decrease the chances of a company-wide breach.”
New-school security awareness training is the best way to gain experiential knowledge of social engineering attacks. If your employees routinely receive realistic but fake phishing emails, they’ll be much less likely to fall for real ones.
Accounting Today has the story: https://www.accountingtoday.com/opinion/reeling-in-a-big-phish