Human Firewall. PHOTO: Cybercrime Magazine.

Dishing On Phishing: How To Turn Your Employees Into Cyber Defenders

IAP Worldwide Services uses fresh content covering the latest exploits in its security awareness training program

Gotham Sharma, Field Correspondent

Northport, N.Y. — Aug. 13, 2019

While humans are often referred to as the weakest link in cybersecurity, Lisa Sheldon believes they should be the first line of defense.

Sheldon is the CISO (chief information security officer) at IAP Worldwide Services, a leading provider of global-scale logistics and facilities management, with 2,000 employees in 25 countries around the world. She recently spoke with Cybercrime Magazine at KB4-CON 2019, the world’s largest security awareness user conference.

IAP’s commitment to continuous security awareness training helps keep them safe in a business atmosphere that predicts cybercrime damages will cost the world $6 trillion annually by 2021.

There are several components that contribute to a successful employee security awareness training program. Sheldon believes that immediate feedback is especially important to the process.

“When they [users] click a link and get the banner that pops up and says ‘you’ve been caught!’, it really has an impact. We found that without that, it seems to fall off their attention.” In addition, Sheldon acknowledges that it isn’t enough to just do a periodic training and expect it to make a real impact. “Ongoing phishing simulation training is the only way to keep it at the forefront of employees’ minds.”

Organizations that approach training as just another item on a checklist or from a purely compliance perspective of “one and done” can’t expect to achieve this same level of employee-driven security.

Cyber intrusions can have hugely damaging effects on an organization’s operations. This includes financial loss and reputational harm — leading to a lack of trust from customers.

Although large enterprises sustain, Inc. Magazine reports that 60 percent of small businesses don’t survive a cyberattack and are forced to close shop within 6 months. And the likelihood of getting hit? Ransomware is expected to attack a business every 11 seconds by the end of 2021, up from every 14 seconds in 2019.

Sheldon remembers several incidents where a lack of awareness could have been financially damaging to IAP. “Before we started [training], we had several occurrences of emails that we received in our AP department — ‘pay this vendor immediately’ type of thing. And we’ve come close several times where those employees started the process to actually make that payment. There’s an actual dollar cost to not having that awareness.”

It’s critically important for organizations to keep up with the latest threats and exploits, and to ensure that the training content is fresh. “If we hit [users] with the same training over and over, it’s boring, they’re not going to do it, and then they will lose that awareness.”

A common refrain among IT experts is that cyber intruders only have to infiltrate a system once to wreak havoc, but defenders have to successfully protect their systems every time. With new malware samples created daily and phishing emails responsible for 90 percent of cyberattacks, employees need to be the first line of defense — and not the weakest link.

To boot, Sheldon notes that security awareness training transcends the workplace: “It’s not only going to benefit the company, but it could benefit you personally at home.”

Dishing On Phishing Archives

Gotham Sharma is a Cybercrime Magazine contributor, and a cybersecurity educator, investor and mentor.

Sponsored by KnowBe4

KnowBe4 is the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We are a leader in the Gartner Magic Quadrant and the fastest-growing vendor in this space. We are proud of the fact that more than 50 percent of our team are women.