Consistent awareness training is necessary to fend off phishing attacks, according to Keatron Evans, a principal security researcher, instructor, and author with Infosec. In an interview with Security Boulevard, Evans explained that employees need to be reminded that social engineering attacks can occur at any time.
“What we’ve found in most cases is that organizations are very reactive to social engineering attacks, but most cultural changes that come as a result of the attacks are short-lived,” Evans said. “For example, we have clear data that shows that within 45 days after a successful phishing campaign, users are very aware and do a good job of screening emails, phone calls, and adhering to other anti-social engineering recommendations. However, when we check again after 60 days or so, we find that these same users have largely reverted back to their old habits.”
Evans added that employees can grow complacent about phishing attacks if they don’t realize the harm that these attacks can cause.
“I think the organizations that regularly fall victim to phishing scams are often a result of an ineffective security culture, which can, in turn, affect their cultural norms when it comes to security,” Evans said. “If the successful scams don’t cost significant loss or public relations damage to the organization, the organization will often become numb or desensitized to the attacks and adopt the ‘just part of doing business’ mindset.”
Evans also noted that if an employee does fall for a phishing email, the most important thing they can do is report it immediately. For that reason, organizations shouldn’t punish employees who report these incidents.
“If an employee is phished, reports it to security and is later heavily reprimanded, employees may be less likely to report similar incidents in the future,” Evans said. “This is why it is imperative that leadership be proactive in driving the security awareness message from the top down in the organization and showing commitment to maintaining good security posture—and culture.”
New-school security awareness training can create a culture of security within your organization by teaching your employees to follow security best practices.
Security Boulevard has the full story.