2020 and 2021 have seen a huge jump in the number of phishing attacks, many of which have been taking advantage of the unusual circumstances of the Covid-19 pandemic. Phishing is becoming increasingly sophisticated in adapting to different scenarios and preying on human nature.
The UK National Cyber Security Centre’s Active Cyber Defence programme removed more online scams from the internet during 2020 than in the previous 3 years combined, with HM Revenue & Customs (HMRC) being the most copied brand by fraudsters, along with the UK Government website, TV Licensing, and the NHS. That covers only government-themed phishing attacks, and is probably the tip of the iceberg once you consider phishing emails impersonating other well-known brands, including Microsoft, DPD, FedEx, Royal Mail, PayPal, Google, Amazon and many more. According to the FBI, in 2020 phishing was the most common type of cybercrime, and around 75% of organisations worldwide experienced a phishing attack during 2020.
Both human intervention and IT tools are needed to stop phishing attacks
It is incredibly hard for us to identify these cleverly disguised types of attacks. With all these different types of phishing emails, targeting specific departments or roles within an organisation, it’s difficult to know what’s legitimate and what isn’t. To help identify some of the different types we’ve listed a few to be aware of in our phishing glossary.
Phishing is an activity that plays on human nature and it is not something that should be just left to your IT department to deal with. Whilst the IT team may well have the tools that will help to detect potential threats, using clever algorithms and machine learning, if an email is not caught, the final decision as to whether to open a link or click through is the user’s. We are all capable of a well-meant click on a link!
Phishing impacts the whole business
Whilst phishing scams are targeted at individual email addresses, your business might be targeted specifically, or be part of a mass attack in which cybercriminals are trying to secure large amounts of data and passwords to sell on to other organisations and attackers. Phishing can affect businesses of all sizes, with a financial impact from fixing the damage incurred, reduced productivity from the employees affected, and potential data leaks which might damage customer relationships and your reputation.
This has led companies to look into acquiring a platform to help improve their employees’ awareness of phishing and other cybersecurity threats. However, this is very often left to the IT department, who are often pushed for time and do not have the experience to efficiently deliver an ongoing training and development programme across the company. Such initiatives are normally the preserve of the HR manager or department. Cyber security awareness programmes in fact require a team approach to have a full impact.
Cyber Security Awareness is a cross-business initiative
Senior Executive buy-in
Delivering cyber security awareness to employees of all levels, across the whole business, requires senior executive buy-in, as a real cultural shift is needed to ensure that cyber security training is embraced and supports the whole business. A successful programme requires employee recognition and rewards for helping in the cyber security effort, along with reporting to show the full impact of the programme and its benefits to the business.
HR/Learning and development expertise
The HR department is normally responsible for training and they have an understanding of what is needed for employees to acquire new skills. Cyber security awareness needs content that is relevant and engaging to employees, regular reminders, and reinforcement of learning (otherwise it is easily forgotten), alongside recognition and rewards. To ensure that the programme is a success and awareness is improved, HR needs to understand whether employees are engaging and picking up the relevant skills.
Employees need to be fully engaged
And, last but certainly not least, a truly successful cyber security awareness programme should fully engage employees in the learning process with:
- Content that is tailored and relevant to different parts of the organisation, and different employees within the organisation
- Fun and engaging content
- Regular training and regular testing on what happens when you receive a suspicious email
- Incentivising and rewarding employees for a job well done in spotting a phishing email, which is far more likely to gain results than chastising them when things go wrong.
Employees are fully engaged when they feel that they are making a contribution to the company. What is more, with phishing scams taking on any number of disguises, awareness is also beneficial outside of the workplace and in our personal lives.
In conclusion, Cyber Security Awareness is not something where you can say, “It’s not my job, leave it to the IT team”. The onus is very much on everyone in the organisation to ensure that it becomes an integral part of the organisation’s operations and culture. If your IT department is struggling to get a programme of cyber security awareness off the ground, or you are not able to give it the time it deserves across the business with a regular awareness programme, why not look at the School of Phish managed service? We will take care of cyber security awareness for you, working with your organisation to ensure it is a success and your organisation does not get caught out.