Phishing attacks remain a serious concern for organisations around the world. No matter how much an organisation invests in firewalls, antivirus software or malware protection, all too often the weak link in the security chain is the human element.
Employees are increasingly becoming the hapless targets of elaborate phishing scams, and the volume of such attacks is very concerning: PwC’s 2014 Information Security Breaches report reveals that 57% of large organisations and 16% of small organisations were attacked by unauthorised outsiders trying to impersonate organisations over the Internet.
According to the report:
- 9% of affected organisations have to deal with phishing attacks several times a day.
- 5% of affected companies receive hundreds of attacks a day.
Even the most high-tech phishing attack works like an old-fashioned con job, in which a hustler convinces his target that he is reliable and trustworthy, thereby exploiting the vulnerable and ill-informed.
When phishing attacks succeed, the explanation is often the same: an alarming 70% of companies that experienced staff-related breaches had information security policies that were poorly understood by their employees. The message is clear: don’t let staff ignorance endanger your organisation.
Are your staff awareness programmes and policies effective?
Information security is an enterprise-wide concern, and the cornerstone of an effective information security posture is a comprehensive and easily understandable information security policy that is available to all staff.
Just having any old policy is not sufficient. Too often, policies lose their impact due to the excessive use of jargon and wordy explanations. Use simple explanations, short paragraphs, and provide illustrations and graphics to demonstrate concepts more effectively.
The information security team should ensure that all employees have access to the policy and know where they can find it. Employees should be reminded about the contents of the policy at least annually – not only at the start of their employment. The policy should be reviewed and updated periodically to ensure it remains relevant, without losing its impact and simplicity.
From the high volume of reported phishing attacks, it is quite apparent that staff awareness training is either not conducted frequently enough, or is not effective enough at instilling vigilance in staff regarding information security threats. The PwC report reveals that only 54% of small businesses and 68% of large businesses provide ongoing security awareness training.
It is prudent to reconsider your information security staff awareness programme to ensure it brings home the right message. When reviewing your staff awareness programme, it is important to consider whether it is a formal training intervention, conducted at frequent intervals across the organisation, or ad hoc. Do you conduct employee vulnerability tests before and after the intervention, to assess whether employees will readily click on harmful links or expose confidential passwords? Does your training programme have clear objectives and specific outcomes? Are you making use of the right technology to get your message across? E-learning courses, the use of security awareness posters and employee vulnerability assessments are quick to deploy and can be applied to maximum effect.
Phishing attacks are growing in their sophistication and are not only aimed at the gullible. Ensure that your information security programme incorporates effective staff awareness policies, tests and training interventions that work and continue to protect you from evolving attacks.
If you’re assessing the overall information security posture in your organisation, you’ll be interested in this month’s special offer: book IT Governance’s Combined Infrastructure and Web Application Penetration Test in November and get an email phishing campaign to test for staff awareness absolutely free.