The field of cybersecurity training and awareness continues to put phishing at the forefront. For many organizations, phishing awareness has actually become synonymous with security awareness. Phishing is obviously an important threat vector, and it’s the catalyst for many cyber attacks, so being able to recognize suspicious messages is a good thing to teach people. However, phishing awareness alone is not enough for good security awareness—this article explains why.
Phishing Awareness Is Important
Phishing is one the most common attack vectors, and its prevalence has only increased since employees started working more from home. In a phishing attack, threat actors send fraudulent messages that convince recipients to click links, reveal sensitive information, or launch malicious software. These fraudulent messages provide adversaries with a non-technical way to bypass many perimeter-based security controls and get into networks.
With 56% of IT decision-makers saying that targeted phishing attacks are their top security threat, it’s clear that phishing awareness must be an important part of overall security awareness. Security leaders are right to be concerned about phishing given that people still fall for these attacks in their droves; more than 25% of American workers click phishing links, according to one recent report.
But, Phishing Myopia Hurts Security Awareness
Centering security training on simulated phishing attacks is a limiting approach to overall security awareness. When phishing is the sole focus of your program, employees start to see their entire security responsibility as not falling to phishing attacks. Bad security habits, such as using easy-to-guess passwords or inserting personal USB drives, or clicking on QR codes in the elevator, quickly become the norm.
Worse still, this narrow view of security makes employees far less adaptive in their abilities to recognize and anticipate new forms of cybersecurity attacks. Today’s threat actors have far more tools at their disposal than just phishing campaigns. Because of this, more and more organizations are seeing phishing as part of a wider Security Culture program.
Phishing as Part of a More Robust Security Culture
So, what does it look like when you build a more robust Security Culture that goes beyond the narrow phishing focus?
Wider Social Engineering Exposure
Phishing falls into the category of social engineering methods that psychologically manipulate people into taking particular actions. A better security culture program exposes employees to a diverse range of social engineering methods that can include:
Physical social engineering — threat actors may impersonate third-party personnel, such as IT companies, in an effort to get physical access to on-premise systems.
LinkedIn — malicious outsiders may create fake LinkedIn profiles, befriend multiple employees at an organization, and attempt to gather sufficient information about the organization that can aid with a successful cyber attack.
Pretext phone calls — scammers may call employees and invent plausible stories to establish a pretext that fools an employee into revealing confidential information.
The list goes on and on, and it evolves everyday. Broader exposure to the breadth of social engineering makes your employees more aware of the possibilities. This is totally lost with a phishing-only approach.
Security Training That Resonates
Generic security training may fill a compliance need, such as immediately training new employees. But it's always too generic to change behavior. That means people will forget the lessons, and won't be able to apply the lessons to new situations.
Customized live security training sessions for your organization can really have an impact on employees. Aligning security to your existing culture and your organizational goals makes security important, and it begins to align it to people's every day work. This leads to a stronger security culture by ensuring individuals know and appreciate their own roles in contributing to the wider security culture and mission of the company.
Light Touch Security Reminders
Going beyond regimented phishing drills and incorporating lighter touch elements helps to build a better security program. These lighter touch elements can include monthly security newsletters, security infographics or posters carefully placed in the office, or even rewards for good security practices.
Conclusion
The reality of the current threat landscape dictates that businesses need a stronger security culture than just making people aware of what phishing messages look like. Building this kind of culture is important, but it’s not easy. Security Pursuit helps businesses like yours ensure everyone takes ownership and enjoys doing their part to protect your most valuable assets and processes.