How to avoid phishing attacks

If you lock down your network, cybercriminals will move on to find more low-hanging fruit.

Keep the network out of reach of criminals

According to the Verizon Data Breach Investigations Report published last month, phishing remains a major data-breach weapon of choice. Trend Micro added that ransomware is expected to be one of the biggest threats in 2016 and that a single ransom demand will go much higher, reaching seven figures.

Eyal Benishti, CEO of IronScales, provides some best practices to raise employee awareness and mitigate phishing risks. Remember, cybercriminals are lazy. If your organization is a tough nut to crack, they will move on to find more low-hanging fruit.

Launch phishing simulations

Running phishing simulations followed by ad hoc, gamified training is a proven way to increase awareness and reduce risk. Repeat the process at least once every two months, because changing behavior is a process, not a one-off event. Training is important, but continuous assessment is even better for setting the right mindset.

Use gamification as training methodology

Let’s admit it, people hate training. They are sick and tired of videos and training wizards full of boring slides and bullet points. Meanwhile, for us security managers, that kind of training is not really measurable. This is why interactive training, or ‘gamification’, is much more engaging. Plus, people love to earn high scores and collect awards, so why not use that?

Create fun and interactive games to deliver your messages.

Definitely include your senior management

They are prime targets, especially for spear phishing and whaling. Make no exceptions. Publicly promote their participation; it sets a good example for the rest of the company.

Use real-life examples

It’s best to test your employees with emails they might actually receive. Vary the difficulty level and start from the ground up. Don’t expect people to recognize advanced phishing examples from day one. Teach them step by step, in both the phishing scenarios and the training modules.

Enforce training, and follow employee progress

To make it effective, employees must understand that this is serious. They need to be reminded if they skip the training. It’s your job to make sure they like it, and that is all about the messaging. They need to understand that they have a critical role in protecting the company and its assets.

Encourage ongoing phishing reports

Make sure each and every employee knows how to report suspicious emails to the security team. Many people tend to believe that the on-premises technology will automatically stop all malicious emails and attachments for them. Make sure they understand that they are an active line of defense.

Ever vigilant

Phishing is the No. 1 vehicle cybercriminals use to deliver malicious software to your organization. The level of sophistication is increasing dramatically, so traditional defenses are lagging behind. Make sure people are aware of the risk and well trained to spot and report it as it happens.