
Cut Cybercrime Costs By Detecting Phishing Attacks Early

Security awareness training for employees is essential

Tatu Mäkijärvi

Helsinki, Finland – Dec. 22, 2020

Cyber threats have evolved dramatically over the past couple of decades. At the same time, companies have done everything they can to protect their assets from attackers on the technical front. But the game has changed, and most attacks now ultimately target the employees, the last weak element of the defense line. The easiest way into a company’s systems is through an employee who does not suspect social engineering attacks and techniques and who fails to apply the correct behavior upon encountering a threat.

For a moment, think about the cyber kill chain — the model that describes step by step how an attacker penetrates a network. In an ideal world, you want to eradicate an attack at the very beginning of the kill chain. When you prepare your employees to detect and report attacks, you will more likely be able to stop an attack early, before it spreads.

Email-based threats need more attention

No matter how advanced the technical solutions are today, some email-based attacks will always get through the technical defense layers.

Focusing on the technological defenses and adhering to compliance can give a false sense of security, while the most significant attack surface, the employees, may remain unprotected.

It’s not exactly news that email-based threats are the most common method used by attackers. Ninety-three percent of organizations cite email-based threats as a primary threat, and employees are typically the largest attack surface for a company.

According to the Verizon Data Breach report, phishing is the most common first phase of an attack. Attackers use phishing emails because they work. Thirty percent of phishing emails are opened, but only 3 percent are reported to the cybersecurity teams.

Because phishing is the most common technique intruders use, solving it can have the highest impact on your organization’s risk.

Still, many companies haven’t taken adequate measures to protect their employees against these threats, thus leaving their most significant attack surface vulnerable.

Companies usually try to cover phishing as part of their cybersecurity awareness training, educating employees on a range of different threats. They also set policies that try to force personnel to behave securely.

While important, traditional cybersecurity awareness alone is not enough to mitigate risks across all areas.

Preventing attacks early has the biggest impact

The closer to the beginning of the kill chain that you can detect an attack, the less it will cost to resolve in terms of both time and resources. If you notice the attack only when it has reached your network, you’ll have to spend more time investigating how far it has spread and what damage has occurred.

If you can’t prevent all attacks from reaching the employee, the best way to stop an attack is to make sure your employees know how to detect and react to attacks. Your employees can stop attacks even when those attacks have already reached the delivery phase. When they report a phishing email they spotted, or an error such as downloading malware, it can tremendously help your team’s efforts to mitigate the attack.

Characteristics of a successful email-threat mitigation program

A successful phishing mitigation program starts with a people-first approach. The training needs to be effective and motivating, giving the employees the skills and confidence to help protect your organization. Together with your employees, you’ll create a positive cybersecurity culture where employees feel they play an essential part in protecting the organization.

Cybersecurity culture consists of attitude, behavior, and awareness. A successful phishing training program will positively impact these areas, helping you to create a positive cybersecurity culture.

Protect – Detect – Respond

In addition to personalized training that will shape people’s behavior, you need to encourage your employees to report real threats, forming a protective layer for your network. If one employee reports a threat, that report might be enough to remove the attack before other employees can fall for it.

As security teams have a range of different areas that they need to focus on, technology should ease some of the team’s workload rather than add to it.

Focus on behavior change to make an impact

A successful phishing mitigation program will help to reduce cyber risks. To reduce the risks, stopping attacks early in the kill chain is a must. To do that, make sure that your employees stay vigilant against these threats by educating them.

If you want to make an impact, make sure that you emphasize the need for behavior change throughout the organization. You can achieve this goal with the right training program, one that engages employees to protect your company by adopting safe online habits.


Tatu Mäkijärvi is the head of marketing at Hoxhunt.

Sponsored by Hoxhunt

Our mission at Hoxhunt is to enable everyone to protect themselves from cybercrime. We want you to be able to protect yourself, your family and your company.

To date, changing employee behavior to a secure one has been incredibly hard. Organizations have tried pushing information to their employees in classrooms and in e-learning solutions. They’ve tested the results of these awareness campaigns with phishing tools and penetration tests, giving extra training only when an employee fails. While some of these methods are great for other purposes — like e-learning is for regulatory compliance — the actual results in changing employee behavior to a more cyber-secure one point the other way: the traditional methods to patch the human component do not work.

That is why we built Hoxhunt. We want to turn employees from a company’s weakest link into the strongest asset against cyber attacks. Our gamified platform trains employees against phishing attacks in a fun and engaging way.