It all starts with a seemingly innocent email.
Joanne wants to connect with you on LinkedIN.
But lurking behind that email is an invisible threat that could cost your organization millions of dollars and destroy your reputation.
This happened to a friend of mine a few years ago. Let’s call him Peter.
Peter was working at the time for a multinational corporation as a training manager. He was responsible for training employees in his division on company security policies.
Like any training manager, Peter ran annual security awareness courses that covered everything from document transportation to email security.
It was a long, boring course. But at the time, he didn’t think anything of it.
“Information security is serious,” he’d say. “The course needs to reflect that.”
But then something happened. Something that got Peter into some serious hot water at work.
His company suffered a data breach.
A data breach that started with an innocent looking email, similar to the one I mentioned earlier:
Joanne wants to connect on LinkedIN.
That email cost his company over $7 million dollars.
As you can imagine, Peter’s boss wasn’t too happy. Afterall, Peter was supposed to train employees to spot these kind of emails.
But phishing was just one of the many topics Peter covered in his day long security courses. He had no way to test whether his students had learned the information he taught them. And definitely no way to ensure they were applying it.
It was an oversight that cost Peter and his company millions of dollars and seriously damaged their reputation.
Now, you might be thinking: this can’t possibly happen to me.
But here’s the thing... this wasn’t an isolated event. Peter’s company isn’t alone.
Not even close.
Phishing attacks are a growing problem
According to the Anti-Phishing Working Group, the first quarter of 2016 saw the highest number of phishing attacks on record. (1)
Hackers are sending more and more phishing emails to companies big and small, across all industries. Why? Because they seem to be working.
According to another study, 30% of phishing emails were opened last year, and 12% of targets went on to click the malicious attachment or link, allowing the attack to succeed (2).
To put that in perspective, the average click-through rate for a email marketing campaign is about 3%. That means the click-through rate for phishing emails is 4 times higher than the average marketing email.
The complexity of those attacks is also increasing. Spear-phishing attacks surged in popularity last year, with 67% of organizations reporting a personalized and targeted attack. (3)
And employees are woefully underprepared to tackle these kinds of phishing scams.
That’s right, even people who studied phishing attacks, who dealt with them day in and day out, couldn’t identify a phishing attack from a legitimate email.
And the scary thing? It only takes one wrong click to open the flood gates to these cybercriminals. Criminals that are growing smarter, and bolder, all the time.
“Isn’t this IT’s job? Aren’t they supposed to protect us against hackers like this?”
Sure, IT does it’s best to protect against different kinds of cyber attacks. But hackers don’t just send phishing emails to your IT department -- employees all over your organization are targets. And most of the time, those employees are your weakest link.
Case in point, a recent phishing attack in LA County duped over 100 government employees, convincing them to disclose their credentials.
That one mistake put over 750,000 people’s personal information at risk. Information like social security numbers, credit card data, and health information.
All because their employees couldn’t identify a phishing email.
Information security is a team sport
Whether you like it or not, your company’s security is in the hands of every single one of your employees. Think about that for a second.
Every single one of your employees.
Not just your IT department.
Not just the employees who are generally well versed on security policies.
But the employees who are maybe not so careful. Who spent training on their phone. Who think information security isn’t their problem.
Do you trust every single one of them to be able to spot a phishing email -- one that even top security experts didn’t spot?
There’s a reason phishing attacks are catalysts for the majority of data breaches.
Humans are easier to fool than computers.
People get busy, forget, act on an emotional impulse. And hackers know this.
That’s why phishing emails often target emotional responses and ask employees to take actions quickly -- so they won’t take the time to think before they act.
Something needs to change
No matter how great your IT team or security system, your employees are always going to be a vulnerability.
We all make mistakes. It’s human.
That’s why it’s so important to invest in better phishing awareness programs. Employees need to be reminded (more than once a year) that phishing is a real problem. And they need to be trained on how to spot and defend against these kinds of attacks.
The truth is investing in better phishing awareness training could be what stands between you and a $7 million data breach.
But what makes great phishing awareness programs? How can we better train employees and test if they’re applying that information?
We'll cover that and more next week, so stay tuned!
This is the first post in a two part series on protecting against phishing attacks with employee training. Read the next post here.