Phishing is on the rise. The UK Government’s 2023 Cyber Security Breaches Survey reports that 79% of organisations experienced and reported phishing attacks in the last 12 months. That’s a notable increase from 72% of businesses surveyed in the previous year. Phishing — duping an employee by email with the intention of soliciting money, stealing data or causing reputational damage — is today’s single biggest disruptor and most prominent cyber threat. Unfortunately, business leaders don’t seem to be responding adequately to the problem: the report also reveals that a mere 18% of businesses have had employee training to prevent cyberattacks on UK businesses.
Your employees are the front line of attack when it comes to phishing threats. How would they react to a phishing email and how confident are you that they would spot one? Here’s how one Information Security Officer, cited in the report, perceives the problem:
“[Cyber security is seen as] a scary, messy business with lots of technical challenges, best left to the experts. But there’s a growing recognition that it’s staff behaviours that drive most of the cyber security risk, so we need to share more with the SMT [Senior Management Team], so they know where the threats are coming from and what behaviours might be seen as risky.”
– Business and Resources Director (overseeing Information Security Team), high-income charity
Educating employees about phishing attacks is crucial for enhancing your overall cybersecurity. In small or mid-sized businesses, it’s not always someone’s job to take responsibility for this. Implementing a tailored training course can be resource-heavy and at risk of being cut when budgets are squeezed. We’ve been working in partnership with cyber defence specialists Barracuda MSP to find an efficient way to solve the problem. A product like PhishLine from Barracuda is a great tool for efficiently improving the resilience of employees against cyberattacks. It does this in three ways:
It also provides a report on who has completed their tutorials and who hasn’t, who fell for the phishing simulation and who didn’t, and who the most vulnerable employees might be — i.e. those who repeatedly skip the sessions.
Conduct regular awareness training sessions to educate employees about phishing attacks, their characteristics, and the potential risks they pose. Provide examples of common phishing emails, such as requests for sensitive information or urgent requests for financial transactions. Emphasise the importance of scepticism and caution when dealing with suspicious emails. PhishLine from Barracuda automates this process and delivers this education in an efficient way.
Use phishing simulation tools, like Barracuda’s PhishLine or other similar platforms, to create mock phishing campaigns. These simulated emails can help employees recognise the signs of phishing attempts and reinforce the training they receive. Ensure that employees are aware that these simulations are part of the training program and provide feedback and guidance based on their performance.
Establish clear guidelines for email usage within the organisation. Encourage employees to be cautious when opening email attachments, clicking on links or providing sensitive information via email. Remind them to verify the legitimacy of email senders, especially when receiving unexpected or suspicious emails.
Establish a clear and easy-to-follow procedure for reporting suspicious emails or phishing attempts. Encourage employees to report any suspicious emails to the designated IT or security team promptly. Ensure that they understand that reporting is essential, even if they are uncertain about the email’s legitimacy.
Regularly communicate with employees about the latest phishing trends, techniques, and real-world examples. Send out newsletters, security bulletins, or conduct short workshops to share information and raise awareness. Alternatively, PhishLine has this under control. Make cybersecurity a part of the organisational culture by integrating it into regular communication channels.
Promote the use of multi-factor authentication (MFA) for accessing systems and sensitive information. Explain how MFA adds an additional layer of security and protects against unauthorised access, even if a user’s password is compromised.
Phishing techniques evolve over time, so it’s crucial to stay updated on the latest trends. Provide employees with information about new phishing tactics, such as spear-phishing or social engineering techniques. This awareness helps them recognise and respond appropriately to emerging threats.
Recognise and reward employees who demonstrate good cybersecurity practices. Publicly acknowledge individuals who report suspicious emails or proactively engage in secure behaviour. This positive reinforcement encourages others to follow suit.
Remember that cybersecurity education is an ongoing process. If you’re struggling to commit the time and resources to this kind of training, get in touch with us. Our solution for delivering cyber training to employees is designed to be efficient and effective in strengthening your front line of defence against cyberattack.
Our engineers and consultants are also on hand to lead you through the UK Government’s Cyber Essentials Accreditation Programme — a key part of our cybersecurity services and solutions for SMEs. This programme will give you the ultimate stamp of approval on your company’s cybersecurity readiness, resilience and ability to recover should all else fail. Get in touch if you’d like to learn more about how we are helping to prevent cyberattacks on UK businesses.