The sheer volume of successful phishing attacks indicates that security solutions – at the very least – aren’t stopping all attacks. So how does security awareness training help stop attacks, and where should you place your focus?
Here at KnowBe4, we obviously sell Security Awareness Training. While the offering covers many forms of good cybersecurity practice (and it does), the majority of it is laser-focused on the single largest problem for organizations trying to stop cyberattacks today: phishing.
Microsoft MVP Nick Cavalancia says in a recent article on the topic of phishing awareness that “The current state of both cyberattacks and lack of cyber-readiness dictates that your organization look to elevate its security stance by making its users more aware of phishing attacks, the methods used, and the repercussions of attack success.”
Phishing awareness is a critical subset of security awareness training: it is designed to educate users on the dangers and specifics of phishing attacks while also testing their understanding and vigilance using real-world scenarios. Cavalancia states that such training should “begin by educating [your users] on what is phishing, what communications mediums are used, what phishing attacks look like, what social engineering tactics are used and how to spot a scam a mile away.”
But phishing awareness can’t stop at simply telling users how bad phishing is and what it looks like; your organization needs to confirm it is protected by testing users to determine whether they have actually learned something during their training. Phishing testing gives IT and Security teams a feedback loop that shows which users have, and have not, been trained well enough to change their cybersecurity behavior.
Cavalancia recommends this kind of testing: “Creating simulated phishing campaigns – ones that are benign in their impact but use the same techniques and tactics as their malicious counterparts – are an impactful way to see where the user-layer, as it were, of your security is weakest.”
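To make the feedback loop concrete, here is an added example (not KnowBe4's code or any product's reporting logic) that scores the results of benign simulated phishing campaigns: overall and per-department phish-prone percentage, the failure rate per campaign over time, the rate at which users report the simulation (the behavior training aims for), and the users who fell for more than one campaign and so need remedial training. All users, departments, campaigns and outcomes are constructed sample data, and the action labels are an assumption of this example.

```python
"""Score simulated-phishing campaign results to drive the training feedback loop.

Added example, not from the original post. Every record below is constructed:
no real users, departments or campaigns. The action vocabulary is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    user: str
    department: str
    campaign: str
    action: str  # one of: "reported", "ignored", "clicked", "submitted_credentials"


# Outcomes that mean the user fell for the lure.
FAILING_ACTIONS = {"clicked", "submitted_credentials"}

# Constructed sample: four users, three campaigns run in order c1, c2, c3.
SAMPLE_RESULTS = [
    Result("alice", "finance", "c1", "reported"),
    Result("alice", "finance", "c2", "reported"),
    Result("alice", "finance", "c3", "ignored"),
    Result("bob", "finance", "c1", "clicked"),
    Result("bob", "finance", "c2", "clicked"),
    Result("bob", "finance", "c3", "reported"),
    Result("carol", "engineering", "c1", "ignored"),
    Result("carol", "engineering", "c2", "submitted_credentials"),
    Result("carol", "engineering", "c3", "reported"),
    Result("dave", "engineering", "c1", "clicked"),
    Result("dave", "engineering", "c2", "clicked"),
    Result("dave", "engineering", "c3", "reported"),
]


def _percentage(matching, total):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * matching / total, 1) if total else 0.0


def phish_prone_percentage(results):
    """Share of results in which the user fell for the simulation."""
    failed = sum(1 for r in results if r.action in FAILING_ACTIONS)
    return _percentage(failed, len(results))


def report_rate(results):
    """Share of results in which the user reported the simulation: the desired behavior."""
    reported = sum(1 for r in results if r.action == "reported")
    return _percentage(reported, len(results))


def _grouped(results, key):
    groups = defaultdict(list)
    for r in results:
        groups[key(r)].append(r)
    return groups


def by_department(results):
    """Phish-prone percentage per department, to see where the user layer is weakest."""
    return {d: phish_prone_percentage(rs) for d, rs in _grouped(results, lambda r: r.department).items()}


def by_campaign(results):
    """Phish-prone percentage per campaign; compare successive campaigns to see the trend."""
    return {c: phish_prone_percentage(rs) for c, rs in _grouped(results, lambda r: r.campaign).items()}


def repeat_offenders(results, threshold=2):
    """Users who failed at least `threshold` distinct campaigns: candidates for remedial training."""
    failed_campaigns = defaultdict(set)
    for r in results:
        if r.action in FAILING_ACTIONS:
            failed_campaigns[r.user].add(r.campaign)
    return sorted(u for u, cs in failed_campaigns.items() if len(cs) >= threshold)


if __name__ == "__main__":
    print("overall phish-prone %:", phish_prone_percentage(SAMPLE_RESULTS))
    print("report rate %:", report_rate(SAMPLE_RESULTS))
    print("by department:", by_department(SAMPLE_RESULTS))
    print("by campaign:", by_campaign(SAMPLE_RESULTS))
    print("needs remedial training:", repeat_offenders(SAMPLE_RESULTS))
```

Reading the numbers together is the point: a falling per-campaign failure rate and a rising report rate show the training is changing behavior, while a per-department figure that stays high or a user on the repeat-offender list tells you where to target the next round of training.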
Phishing awareness is one part of an overall Security Awareness Training program whose aim is to create a culture of good cybersecurity behavior among your employees. By being phishing aware, employees are far more ready to face an attack and help defend the organization against it. And by being security aware, they recognize the need to weave security-mindedness into their everyday actions, ensuring the organization is well-prepared against a cyberattack – phishing or otherwise.