In the midst of the Covid-19 epidemic, the growth rate of phishing attacks has increased by more than 100 percent. The average number of phishing attempts is around 1,185 per month per company. Most people in this digital world are aware of phishing and its statistics, but there is an underlying factor behind them. Employees are not only a company’s greatest asset; they are also its largest security risk vector. Even though this may sound scary, there are ways to reduce this threat. The ones that make a difference are a security culture built on training, and filtering rules.
Training is the number one realistic way to protect the company from becoming a victim of a phishing attack. Training is not a new concept, but with how much technology changes and how sophisticated attacks are becoming, there have to be follow-ups. For example, Security Magazine said 76 percent of organizations train employees in cybersecurity, while 30 percent train quarterly, and 27 percent train only once per year. Looking at history, the Nigerian prince scam was a vast threat when it first arrived, but the sophistication of social engineering attacks has risen to new heights since then and is only growing. Not only does training give the team the skills to avoid these threats, it also helps them avoid malware, such as trojans, picked up by downloading malicious programs. Yearly or monthly training of your team can also build a better security culture.
Security culture feeds off the training by keeping employees part of the group and more aware. When the culture is part of a company, there can be a multitude of benefits, such as more communication of possible breaches from employees, fewer phishing successes, and faster response times from looping these together. Building this culture does take time and effort, but because it reduces the risk area, the email filters and IPS will not be the first and last step.
Misconfiguring an email filter can result in an extensive attack vector, but it will still block something, while not having one in place will ensure there is a massive rise in breaches. Security is about building defenses. One tool in place will not secure anything for long. A layered approach is the best course of action. This is why security experts do not focus on just a next-generation firewall or UTM; combining those tools with something like training is what makes the approach layered.
In conclusion, training will not eliminate the attack vector, but it will help reduce it. Monthly or quarterly seminars on the dangers and how to avoid them are recommended as both a defense and a team-building exercise. Sometimes, to change the culture, an outside security expert is needed to change the way of thinking. Filters, firewalls, and endpoint security should be the first line of defense, but they should never be the full defense.