Whether it's downloading a malware-ridden email attachment or submitting their login details on harmful websites, an employee falling victim to a phishing scam is one scenario that can keep IT pros and business owners awake at night.
An increasingly common way to reduce this risk is employee phishing awareness training, but what exactly does this type of training entail?
In this post, we'll cover:
Phishing awareness training is the ongoing education provided to employees that helps them understand how phishing works, how to spot the telltale signs of an attack and what secure actions to take (for example, reporting the message rather than acting on it) when they suspect they've been targeted.
Many businesses conduct regular phishing awareness training to prevent users from compromising their credentials, downloading malicious attachments or sending sensitive information to an impersonator.
There's a common misconception that phishing scams are easy to spot and that only non-technical or naive people fall victim. There's also the false sense of security that comes from over-relying on technology to block phishing, or from assuming that "our business is unlikely to be a target".
The truth is, phishing attacks still work and are growing in prevalence and sophistication each year, with a combination of 'spray and pray' attempts mixed in with hyper-targeted spear-phishing attacks.
There are now nearly 75 times as many phishing sites as there are malware sites, and nearly 36% of data breaches involve phishing.
With these types of threats, it's vital for employees to be trained on how to spot and report phishing attacks before they can cause financial, operational or reputational damage.
After all, it only takes one successful phishing attempt to wreak havoc.
There are many different types of channels, formats and techniques used to deliver this type of training, but the most common are:
Many of us will remember the days of sitting through one-hour security awareness PowerPoint presentations at work, blankly staring at the instructor as they broadcast a checklist of tips on "how to stay safe online".
Thankfully, training has become more effective (and less painful) since then.
Computer-based phishing awareness training is pretty much what it says on the tin — rather than sitting through a classroom-based session, employees can work their way through courses on their computers through a modernised 'eLearning' approach.
Here is an example training video taken from usecure's automated security awareness training platform, uLearn:
There are many benefits of computer-based phishing awareness training, including:
If computer-based training is the go-to for raising employee phishing awareness, then simulated phishing exercises are the go-to for giving staff a truly practical learning experience.
An employee phishing simulation exercise is used to assess which users are susceptible to an attack, giving them real-world experience while measuring how they actually react in a phishing scenario.
This is usually done by sending a well-crafted lookalike phishing email and tracking who clicks the link, enters their login details on the accompanying fake login page or opens a harmless stand-in for a malicious attachment.
Here is an example of a phishing template taken from usecure's simulated phishing tool, uPhish:
Seems like quite a legitimate email, right? Well, 39% of the employees in this simulation thought so:
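To make the tracking described above concrete, here is an added example of how a simulation back end can attribute clicks and form submissions to individual recipients without ever retaining what they typed. It is not usecure's code or uPhish's API: the campaign name, secret, recipient addresses, landing-page host and event format are all constructed for the example. Each recipient gets a per-campaign HMAC-derived token in their link (so a token cannot be guessed or forged to pollute a colleague's result), unknown tokens are ignored, and a "submit" is recorded only as a flag, never with the credentials themselves.

```python
"""Simulated-phishing campaign tracker (added example; not usecure's code).

Every recipient receives a unique, unguessable link token derived with an HMAC,
so that clicks and submissions can be attributed to one person and tokens cannot
be forged or enumerated. Anything typed into the fake login form is discarded:
only the fact that a submission happened is recorded.
"""
import hashlib
import hmac
from collections import Counter

# Constructed, hypothetical campaign data.
CAMPAIGN_ID = "q1-payroll-update"
CAMPAIGN_SECRET = b"constructed-secret-use-a-random-one-per-campaign"
RECIPIENTS = ["user%d@example.com" % i for i in range(1, 11)]
LANDING_HOST = "https://training.example.invalid"  # hypothetical landing page


def tracking_token(recipient):
    """Per-recipient token: HMAC-SHA256(campaign:address), truncated to 128 bits.
    Unlike base64(email) or a sequential id it cannot be guessed, so one
    employee cannot open a colleague's link and pollute their result."""
    msg = ("%s:%s" % (CAMPAIGN_ID, recipient)).encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def landing_url(recipient):
    """The link embedded in that recipient's copy of the simulated email."""
    return "%s/login?t=%s" % (LANDING_HOST, tracking_token(recipient))


# Reverse map used when the landing page receives a hit.
TOKEN_TO_RECIPIENT = {tracking_token(r): r for r in RECIPIENTS}

# Constructed event log: (event, token, payload). "click" and "submit" come
# from the landing page, "report" from the mail client's report button.
EVENTS = [
    ("click",  tracking_token("user1@example.com"), None),
    ("submit", tracking_token("user1@example.com"), {"username": "user1", "password": "hunter2"}),
    ("click",  tracking_token("user2@example.com"), None),
    ("report", tracking_token("user3@example.com"), None),
    ("click",  tracking_token("user4@example.com"), None),
    ("submit", tracking_token("user4@example.com"), {"username": "user4", "password": "Spring2021!"}),
    ("click",  tracking_token("user5@example.com"), None),
    ("report", tracking_token("user5@example.com"), None),  # clicked, then reported
    ("submit", tracking_token("user6@example.com"), {"username": "user6", "password": "letmein"}),
    ("submit", tracking_token("user7@example.com"), {"username": "user7", "password": "Passw0rd"}),
    ("report", tracking_token("user8@example.com"), None),
    ("click",  "deadbeef" * 4, None),  # forged or stale token: must not be attributed
]


def tally(events):
    """Per-recipient outcome flags. Credentials in submit payloads are dropped."""
    results = {r: {"clicked": False, "submitted": False, "reported": False}
               for r in RECIPIENTS}
    for kind, token, payload in events:
        recipient = TOKEN_TO_RECIPIENT.get(token)
        if recipient is None:
            continue  # unknown token: ignore rather than guess
        flags = results[recipient]
        if kind == "click":
            flags["clicked"] = True
        elif kind == "submit":
            # A submit implies the page was opened. `payload` is intentionally
            # never stored: a simulation must not become a credential store.
            flags["clicked"] = True
            flags["submitted"] = True
        elif kind == "report":
            flags["reported"] = True
    return results


def summarize(results):
    """Campaign-level rates as percentages of all recipients."""
    total = len(results)
    counts = Counter()
    for flags in results.values():
        counts.update(k for k, v in flags.items() if v)
    return {
        "recipients": total,
        "click_rate": round(100.0 * counts["clicked"] / total, 1),
        "submit_rate": round(100.0 * counts["submitted"] / total, 1),
        "report_rate": round(100.0 * counts["reported"] / total, 1),
    }


def follow_up_list(results):
    """Recipients who submitted credentials: the group to enrol in targeted training."""
    return sorted(r for r, f in results.items() if f["submitted"])


if __name__ == "__main__":
    outcome = tally(EVENTS)
    print(summarize(outcome))   # {'recipients': 10, 'click_rate': 60.0, 'submit_rate': 40.0, 'report_rate': 30.0}
    print(follow_up_list(outcome))
```

Two design points carry over to any real deployment: the per-campaign secret should be random and rotated so tokens from an old exercise cannot be replayed into a new one, and the report rate deserves as much attention as the submit rate, since getting employees to report suspicious mail is the secure behaviour the training is trying to build.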
Here are some of the benefits of simulated phishing exercises:
Classroom-based sessions are an old-school form of training that some businesses still use to deliver anti-phishing education. There are, however, some key differences between this approach and the computer-based approach:
Studies have indicated that retention of certain subject matter may be up to 250% greater with computer-based training than with a classroom-based model.
Merrill Lynch, The Book of Knowledge
Having helped businesses across the globe reduce their employees' human cyber risk, usecure knows what it takes to truly drive employee phishing awareness.
That's why we always urge businesses to include phishing awareness into a broader employee security awareness training program that encompasses a wide range of security topics — for example, password hygiene, social engineering and handling data securely.
Learn more about launching effective phishing and security awareness training with usecure's free 2021 guide below, or try usecure's security awareness training courses with a free 14-day trial.