Ethical hackers are especially well-positioned to use their knowledge of attack techniques to educate people, according to Zoë Rose, a white-hat hacker based in the UK. On the CyberWire’s Hacking Humans podcast, Rose explained that since she knows what makes people fall for social engineering, she’s able to inoculate people against these attacks.
“I've found that the biggest thing is because I understand how to manipulate or influence a consumer into clicking my links or downloading a document, et cetera, I can understand how to correct that behavior,” she said. “So I focus in on these key human behaviors and I look at how to change them.”
Rose said organizations often make the mistake of thinking that phishing tests should be carried out without their employees’ knowledge. While this can give you an accurate picture of how vulnerable your organization is, it focuses on the employees’ failings rather than working with them to identify attacks.
“Unfortunately, a lot of times, phishing is looked at - well, let's trick the users, let's manipulate them and point out how they're failing, versus saying, well, actually, let's announce that we're going to have a phishing campaign so that people are already aware and they know they should actively be looking,” Rose explained.
The best approach is to be open about these techniques so that employees immediately become more alert and can learn from the entire process. Rose said phishing simulations should illuminate what employees can do to improve their security, rather than focusing on what they did wrong.
“So you're not just saying, oh, you failed,” Rose explained. “You're saying this happened and this is how you protect yourself in the future. ... And the reason that whole positive point of view – that is so vital – is because if you want people to do nothing, you talk about the negatives and you scare them. But if you want them to actually take action, that's when you talk about the positive and reinforce that they can do it and empower them.”
Realistic phishing simulations will change how your employees think about security. Simply being aware that they’re being targeted by phishing emails will make them scrutinize their inboxes more carefully, even if they know the people sending the emails don’t mean any harm. New-school security awareness training can build a culture of security within your organization so that your employees can defend themselves against real phishing attacks.
The CyberWire has the story: https://thecyberwire.com/podcasts/cw-podcasts-hh-2019-09-12.html