If you've read the previous posts in our blog series, you may already recognize that serious threats land in your employees' inboxes on a daily basis. If we've scared you, we're sorry, but that's our job! To help clients with their security needs, we need to work with people who understand the realities of the modern workplace. Moving forward, we want to discuss the ways you can be proactive and take steps that will protect you from the dangers we have discussed.
Training exercises that tell a compelling story and put the trainee in the position of somebody who has been targeted, such as a company’s controller, engage all the senses by making the trainee choose the best course of action in response to a suspicious email. When he has the opportunity to select the wrong response to an attack, “that employee definitely has an ‘Aha!’ moment because a big screw-up caused major problems” for his organization, says Kevin Mitnick, chief hacking officer for IT security company KnowBe4, provider of new-school security awareness training.
These exercises teach employees to carefully check all the details in an email for telltale signs of potentially malicious content: a “From” address with a misspelling; a hyperlink whose real destination, revealed when you hover your cursor over it, differs from the text shown (and leads to a site that will infect your computer); and a threat of negative consequences unless an action is taken quickly, before the email’s veracity can be confirmed.
Learning that dangerous emails often appear to come from reputable organizations or from someone you know and trust within your own organization drives home the lesson: think before you click. Making training interactive ensures it takes deeper root in an employee’s mind.
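The three telltale signs listed above (a lookalike sender domain, a link whose visible text points somewhere other than its real destination, and pressure to act before verifying) can be checked mechanically as well as by eye. The following script is an added example written for this article, not code from the original post or from KnowBe4; the sample message, the trusted-domain list and the edit-distance threshold of 2 are all constructed assumptions. It is the kind of triage helper a security team might hand to staff who want to double-check a suspicious email before reporting it.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real phish): the sender domain swaps "m" for "rn",
# the link text shows the real portal while the href points at a documentation-range IP,
# and the body pushes the reader to act before checking.
SAMPLE_FROM = '"Acme Payroll" <payroll@acrne.com>'
SAMPLE_HTML = """<p>Your account will be suspended within 24 hours unless you verify it immediately.</p>
<p><a href="http://198.51.100.7/login">https://portal.acme.com/login</a></p>"""

TRUSTED_DOMAINS = {"acme.com"}  # assumption: the organisation's own mail domains
URGENCY_PHRASES = ("immediately", "within 24 hours", "suspended", "urgent", "act now")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def sender_domain(from_header):
    """Return the lower-cased domain part of a From: header, or '' if none is found."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character domain misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_sender(domain, trusted, max_distance=2):
    """Return the trusted domain this sender imitates, or None if it is trusted or unrelated."""
    for t in sorted(trusted):
        if domain == t or domain.endswith("." + t):
            return None  # the real domain or a genuine subdomain of it
        if edit_distance(domain, t) <= max_distance:
            return t
    return None


def mismatched_links(html):
    """Return (shown_text, real_href) for links whose visible URL names a different host."""
    parser = LinkExtractor()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        if text.startswith(("http://", "https://")):
            if urlparse(text).hostname != urlparse(href).hostname:
                found.append((text, href))
    return found


def urgency_cues(text):
    """Return the pressure phrases present in the message text, in a fixed order."""
    lower = text.lower()
    return [p for p in URGENCY_PHRASES if p in lower]


def analyze(from_header, html, trusted=TRUSTED_DOMAINS):
    """Run all three checks and return the findings as a dict."""
    domain = sender_domain(from_header)
    plain_text = re.sub(r"<[^>]+>", " ", html)
    return {
        "sender_domain": domain,
        "lookalike_of": lookalike_sender(domain, trusted),
        "mismatched_links": mismatched_links(html),
        "urgency_cues": urgency_cues(plain_text),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_FROM, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

A clean result from this script is not proof that a message is safe; a well-crafted phish can use a freshly registered domain and a plain-text link that pass all three checks. Its value is the same as the training exercise: it makes the reader look at the From address, the real link target and the pressure to act, rather than at the branding.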
The ultimate goal of simulated phishing attacks is to train people’s reflexes so they learn the optimal response to such emails. “This is like learning how to catch a ball or to do any complex move that the human body might want to do, but this is doing it mentally,” says Perry Carpenter, chief evangelist and strategy officer at KnowBe4. “That means putting somebody in the situation where they’re having to make that decision and use that behavior that we actually want somebody to have embedded over and over again so it becomes something that doesn’t feel uncommon or different from their normal decision-making, but is integrated with and will just naturally become their pattern of habit.”
Security education should start with simulated phishing emails that are very easy to detect, and then gradually escalate to more challenging simulated attacks in order to fully inoculate employees against all kinds of phishing. This will help them understand how persistent the bad guys are in sending increasingly sophisticated attacks until they can trick somebody.
The idea is to repeat variations of the exercise continuously so a trainee has a chance to fail in a safe environment and be redirected to a form of corrective behavior, Carpenter says. “Even more important is to have multiple successes, multiple times to show themselves that they know how to detect a phish and report it so they have that behavior ingrained within the way that they do business every day.”