:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/GOKU7SJZQF7MULTAOYLGA6QCV4.jpg)
:fill(white):background_color(white)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/XCLRPDDQEN2INZCITN7L5GQFXE.jpg)
Even as technology grows more sophisticated, the relatively low-tech approach of a phishing email remains a favoured way for criminals to gain access to a company’s network, steal money or install malicious software.
This tactic is so effective that, according to the Anti-Phishing Working Group, the number of unique phishing websites increased by 250 per cent between October 2015 and March 2016.
Phishing emails often evade technical safeguards because they are carefully crafted to appear genuine and trick the recipient into opening them or clicking on a link. This puts the onus on businesses to educate their people to spot potential scams.
“It’s not possible to shut down email, so it’s about embracing the challenges and being prepared for them. You need the tools in place to protect employees and the investment that the company has. That includes education and training and there’s also a place for governance,” says Nicola Mortimer, head of business products, marketing and operations at Three Ireland.
Cybersecurity awareness
“All it takes is for one member of staff to be quick-witted enough to flag up a spear-phishing attempt to prevent a significant business compromise,” adds Dr Ciarán McMahon, a director of the Institute of Cyber Security.
An increasingly popular approach to security awareness training is to start by sending employees a fake phishing email, made to look like it comes from the organisation’s own HR or payroll department. “It might say, please click this link or open this file, and when you are brought to a website, to ask for network login credentials. You can see how much information that people would give and then share general statistics with an organisation – not to say ‘person A or person B did this’,” says Jacky Fox, cyber and IT forensic lead at Deloitte.
Testing how many people fall for the ‘scam’ gives a baseline of cybersecurity awareness. After that, random tests can be used to measure the training’s effectiveness over time – and by extension, to improve the company’s security posture. “Statistically, the number of clicks goes down. From 30 per cent you can get it down to the 5-10 per cent range,” adds Fox.
Improving security
Empowering employees to be more security-aware involves changing a company’s culture, which can take time. “It needs good messaging, internal PR, buy-in from board level and recognition that security is important,” says Dr McMahon.
“Try to avoid box-ticking exercises: half-day seminars will not change corporate culture. The best awareness programmes start slowly and gradually educate the workforce as a whole over time. Security requires an ongoing development process – this is as much about human resources as it is about IT,” he says.
Dr McMahon says improving security is like introducing health and safety rules, and it can be undertaken in small steps. “It can be little things like resetting passwords, or encrypting information, which help to change the mindset. Even tidying your desk is a security exercise, because if there are open plan offices, should people have sensitive information on their desk? If you inculcate within your organisation that security is important, then when something untoward happens, you will bounce back an awful lot quicker.”
In the past, the standard approach to security was to treat people as the weakest link but this is changing, as employee awareness training is proving effective at reducing exposure to cyber risk.