In this article, Cyber Security Center explores the best ways to educate employees on email cyberattacks and how to make sure they are following cyber security best practices.
When questioned by Cyber Security Center for its Mid-Year Market 2022 report, three out of four cybersecurity experts said that the email-based threat vectors social engineering and phishing were “the most dangerous threat” to cybersecurity.
One of the reasons these threats are so dangerous is the scope of these attacks. The international consortium and fraud prevention group, the Anti-Phishing Working Group (APWG), recorded a total of 3,394,662 phishing attacks in the first three quarters of 2022. The APWG noted that each quarter broke the record as the worst quarter the organization has ever seen, with 1,025,968 attacks in Q1, 1,097,811 attacks in Q2, and 1,270,883 attacks in Q3.
Social engineering and phishing attacks are often used by hackers to directly target company employees. In 2022, a study by the UK Department for Digital, Culture, Media and Sport (DCMS) found that of all UK businesses that identified a cyberattack against them, the threat vector for almost nine out of ten (86%) of these attacks was phishing.
Because these attacks specifically target employees, the onus of ensuring that the attack does not progress falls on the employee. If employees do not know what to do in the event of a cyberattack (56% of Americans say they do not), it can have devastating consequences.
These consequences are likely why almost a third of cybersecurity professionals (30%) say that a lack of cybersecurity knowledge is the number one cybersecurity threat to their organization.
To ensure good cybersecurity within companies, employees should be actively engaged in their training so that they are better able to retain the information and apply it later when they encounter cybersecurity threats.
How to get employees involved in email security
If employees are more aware of how cyberattacks can start and progress, they will be less susceptible to them. However, it is important to ensure that employees remember this training. Email security firm Tessian found that nearly two-thirds (64%) of employees admitted to not paying full attention during cybersecurity training, and 36% said they found the training “boring”.
If employees are not engaged, they may miss information that could be vital in the event of a real cyberattack. With the World Economic Forum finding that 95% of cybersecurity issues can be linked to human error, businesses cannot afford this risk.
Below, Cyber Security Center explores tactics companies can use to better engage their employees during cybersecurity training.
Linking bonuses to performance in security training exercises
In a Cyber Security Center discussion, one board member suggested linking cybersecurity to universal business goals. This helps employees understand that they are all responsible for cybersecurity.
The board member explained that to do this, their company conducts several phishing tests throughout the year, with the scores on these tests affecting employee bonuses. Indeed, phishing attacks have an indirect influence on a company’s results. Cyberattacks are very expensive, which means that if a cyberattack occurs, businesses will lose money in operating costs. Additionally, cyberattacks can cause customers to lose trust in a business and turn elsewhere, leading to an overall decline in profits.
With bonuses directly tied to profit, financially motivated employees will be encouraged to be more cautious about clicking on potentially dangerous links, as good behavior is reinforced and rewarded.
Simulated phishing attacks can also be used to ensure that employees are engaged with the topic, both because they require hands-on learning and because they demonstrate to employees the risks of not properly evaluating emails as they arrive. They can also be gamified to prevent employees from “burning out” during training, as one in three employees report increased learning engagement when using gamified learning techniques.
Use video content to share case studies
Companies can also better engage their employees through the use of short video content. Studies have shown that using e-learning techniques such as video content can increase information retention rates by up to 60%. With employees on the front line of defense against social engineering attacks, this increase in retention can really make a difference.
Video-based training content can include a number of different things, including real-life case studies performed by actors in the form of video testimonials. An example of this is a video shared on several social media sites titled “My LinkedIn post cost my business a fortune”.
In the testimonial, an actor tells the story of an employee directly involved in a cyberattack. He explains that a person posing as a recruiter tricked him into making contact, first through comments on his LinkedIn posts and then through messages with a lucrative job offer.
He shares that the fake recruiter struck up a relationship with him and eventually sent him a PDF which supposedly contained the job posting. Instead, upon downloading and opening it, the victim discovered that it only contained a cover letter and two blank pages. When he contacted the supposed recruiter, the recruiter explained that it was a secure file and told him to download and install a secure PDF reader to view it properly. When it still didn’t work, the victim contacted the recruiter again, but received no reply to any of his messages. He dismissed this, but weeks later a data breach at his company cost the company millions of dollars. The breach was attributed to him because the PDF reader actually contained malware that was used to launch an attack on the company.
In a final statement, the actor warns viewers that job scam attacks are becoming more prevalent, as people are often expected to communicate with strangers and download attachments sent to them.
By using these e-learning techniques, companies can reaffirm employees’ role in protecting the business from cyberattacks, as well as provide them with a framework for what to do during a cybersecurity incident. It can also give them guidance on what to look for in potentially malicious communications.
Good cybersecurity relies on employee knowledge
Companies can ensure their employees are more involved in cybersecurity training by showing them that cybersecurity is intrinsically linked to their role, even if they don’t have a security-based role.
By using training techniques designed to boost employee focus, information retention, and understanding, companies can strengthen themselves against future cyberattacks by equipping their employees with key knowledge.