Cyberattacks are on the rise, and “phishing,” the practice of tricking insiders into replying to fraudulent emails, clicking malicious links or opening booby-trapped attachments, and so exposing company networks to criminal intruders, is a leading tactic.
Modern encryption and hardened systems make a direct technical break-in harder, so crooks focus on the weakest link in the chain: the people who use those systems. A recent study from the Anti-Phishing Working Group logged more than 1.2 million phishing attacks in 2016 – an increase of 56% over the previous year.
Furthermore, an analysis of known attacks from PhishMe, a company that helps employers guard themselves against email-related frauds, estimates that 9 out of 10 cyberattacks in recent years began with a phishing email.
Unfortunately conventional training methods often don’t work. Even employees who have completed training continue to fall prey to increasingly sophisticated phishing attacks.
Red Cell Training
The solution: Turn the training from a chore to a game.
Employers are increasingly turning to “red cell” training. Here’s how it works:
A group of skilled intruders – the “Red Cell” or “Red Team” – conducts a simulated phishing and infiltration attack against the company. Their job is to get an employee or other company insider to grant them access to data, computer systems, files and other confidential information.
Many times the simulation is entirely online: the Red Cell sends emails to targeted workers pretending to be from IT or Human Resources and tries to get them to “update” their passwords on a page the Red Cell controls, or to email confidential information back to the Red Cell.
Company leaders and Red Cell consultants monitor the results. Where employees detect and report or otherwise defuse the phishing attempt, they can be praised or rewarded. Where employees fall for the phishing attempt, they can be trained, coached or counseled.
For best results, say industry veterans, tell the workforce that the Red Cell is out there and will be trying to penetrate the company. Workers will become sensitized to the threat, and will be doing their best to defeat the Red Cell.
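To make “monitor the results” concrete, here is an added example (written for this page, not tooling from any Red Cell vendor) of how a simulated campaign can attribute clicks and reports to individual employees and score them. It assumes each lure email carries a per-recipient tracking token in its link, that the landing page and the “report phishing” button log events against that token, and that the campaign secret, employee names and event timings are constructed sample data.

```python
import hashlib
import hmac

# Assumption: a random per-campaign secret held only by the Red Cell (os.urandom(32) in practice).
CAMPAIGN_SECRET = b"constructed-example-secret"

# The worst action an employee took decides their category.
RANK = {"ignored": 0, "reported": 1, "clicked": 2, "submitted": 3}
CATEGORY = {"report": "reported", "click": "clicked", "submit": "submitted"}


def tracking_token(campaign_id: str, employee: str) -> str:
    """Opaque per-recipient token for the lure link (e.g. https://training.example/t/<token>).
    A keyed hash means nobody can compute a colleague's token from their own."""
    msg = f"{campaign_id}:{employee}".encode()
    return hmac.new(CAMPAIGN_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def score_campaign(campaign_id, employees, events):
    """events: (minutes_after_send, action, token) with action in CATEGORY.
    Tokens the Red Cell never issued are dropped, so a guessed link cannot skew the stats."""
    by_token = {tracking_token(campaign_id, e): e for e in employees}
    outcome = {e: "ignored" for e in employees}
    clicked, reported = set(), set()
    first_report = None
    for minutes, action, token in sorted(events):
        emp = by_token.get(token)
        if emp is None or action not in CATEGORY:
            continue
        if action == "report":
            reported.add(emp)
            first_report = minutes if first_report is None else min(first_report, minutes)
        elif action == "click":
            clicked.add(emp)
        if RANK[CATEGORY[action]] > RANK[outcome[emp]]:
            outcome[emp] = CATEGORY[action]
    n = len(employees)
    return {
        "outcome": outcome,
        # Clicked, then reported: still coach them, but credit the report.
        "reported_after_click": clicked & reported,
        "click_rate": sum(o in ("clicked", "submitted") for o in outcome.values()) / n,
        "report_rate": len(reported) / n,
        "minutes_to_first_report": first_report,
    }


# Constructed sample campaign: four employees, a fake IT password-reset lure.
EMPLOYEES = ["alice", "bob", "carol", "dave"]
CAMPAIGN_ID = "q3-it-password-reset"


def sample_events():
    t = lambda e: tracking_token(CAMPAIGN_ID, e)
    return [
        (7, "report", t("alice")),          # alice reported it without clicking
        (12, "click", t("bob")),
        (15, "submit", t("bob")),           # bob typed a password into the lure page
        (20, "click", t("carol")),
        (22, "report", t("carol")),         # carol clicked, then realised and reported
        (30, "click", "0000000000000000"),  # token never issued: ignored
    ]


if __name__ == "__main__":
    result = score_campaign(CAMPAIGN_ID, EMPLOYEES, sample_events())
    for emp, cat in result["outcome"].items():
        print(f"{emp:6} {cat}")
    print("click rate", result["click_rate"], "report rate", result["report_rate"])
```

The report rate and the time to first report matter as much as the click rate: a campaign where one person clicks but three report within minutes gives IT a chance to pull the message from everyone else's inbox, which is the behaviour the exercise is meant to reward.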
While a full-scale Red Cell exercise is costly for small employers, there are a number of steps employers can take to make themselves a harder target for data thieves:
- Report phishing attacks. You can report phishing and other cyber attacks to the Federal Trade Commission at www.ftc.gov. Report them internally too, so IT can block the sender and the links before other employees open the same message.
- Train workers on common signs. Few phishing attacks are undetectable if you know what to look for. Examples include:
- Spelling errors
- Email addresses that don’t match the known domain name.
- Attachments with extensions such as .exe and .scr, which are programs that run as soon as they are opened, and archives such as .zip, which are commonly used to smuggle those programs past filters. These can carry viruses, other malware and ransomware.
- Links to sites that should be protected by HTTPS (the ‘padlock’ icon in the browser’s address bar), but aren’t. Note the reverse does not hold: a padlock or “https://” only means the connection is encrypted, not that the site is genuine, and many phishing sites now use HTTPS too.
- Links whose visible text doesn’t match where they actually point. Hover over a link to see its real destination before clicking.
- Strange greetings
- Grammar errors from someone who should be fluent in English
- Any requests for log-in credentials. A legitimate IT department never needs your password, and never asks for it by email.
- Focus training on HR. Human resources offices possess a great deal of sensitive information, and they routinely open attachments from strangers, since job applicants send resumes and applications by email. These attachments may carry malware that compromises your systems, so treat them as untrusted: open them with macros disabled or in a sandboxed viewer.
- Have employees teach employees. Employees respond better when trained up by peers rather than outside consultants. But you have to invest in training the trainers.
- Install all patches and updates as soon as they become available. Phishing attachments and links usually do their damage by exploiting known flaws in browsers, office software and operating systems, and patches close those flaws.
- Enable multi-factor authentication. Do this for email and for all financial and other sensitive accounts that support it. Multi-factor authentication requires the user to present something beyond the standard password and login name, such as a one-time code from an authenticator app or a hardware security key, so a phished password alone is not enough to get in. Codes sent by text message are better than nothing, but an attacker can phish the code along with the password; an authenticator app or hardware key is stronger.
- Install anti-spam and anti-malware software, and keep it up to date. Spam filtering stops many phishing emails before they reach an inbox, and current anti-malware definitions catch known malicious attachments.
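The warning signs listed above (mismatched sender domain, risky attachment extensions, links without HTTPS, links whose text and target disagree, generic greetings, requests for credentials) are exactly the checks a simple triage script can run before a suspicious message is forwarded to IT, and the same checks apply to the unsolicited attachments HR receives. The following is an added example written for this page, not code from the article or any product; it assumes the company’s own mail domain is example.com and uses a constructed phishing email and a constructed clean email as input.

```python
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPANY_DOMAINS = {"example.com"}  # assumption: the employer's own mail domains
RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".js", ".vbs", ".hta", ".iso", ".lnk"}
INTERNAL_TEAMS = re.compile(r"\b(it|helpdesk|hr|human resources|payroll)\b", re.I)
CREDENTIAL_WORDS = re.compile(r"\b(password|passcode|log[- ]?in|credentials|verify your account)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|employee|valued \w+)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs so the host shown can be compared with the real target."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyze_email(raw: bytes):
    """Return (severity, finding) tuples, one per warning sign the message trips."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    senders = msg["from"].addresses if msg["from"] else ()
    if not senders:
        findings.append(("high", "no usable From header"))
    else:
        domain = senders[0].domain.lower()
        if domain not in COMPANY_DOMAINS:
            findings.append(("high", f"sender domain {domain} is not a company domain"))
            if INTERNAL_TEAMS.search(senders[0].display_name):
                findings.append(("high", f"'{senders[0].display_name}' poses as an internal team from outside"))
        reply_to = msg["reply-to"]
        if reply_to and reply_to.addresses and reply_to.addresses[0].domain.lower() != domain:
            findings.append(("medium", "Reply-To domain differs from From domain"))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = re.findall(r"\.[a-z0-9]+", name)
        if exts and exts[-1] in RISKY_EXTENSIONS:
            findings.append(("high", f"attachment {name} has risky extension {exts[-1]}"))
            if len(exts) > 1:  # e.g. report.pdf.scr: the real type is the last extension
                findings.append(("high", f"attachment {name} hides {exts[-1]} behind {exts[-2]}"))
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body)
        for href, text in collector.links:
            target = urlparse(href)
            if target.scheme == "http":
                findings.append(("medium", f"link {href} is plain http, no https/padlock"))
            if LOOKS_LIKE_URL.fullmatch(text):  # only compare when the link text looks like an address
                shown = urlparse(text if "://" in text else "//" + text).hostname
                if shown != target.hostname:
                    findings.append(("high", f"link text shows {shown} but goes to {target.hostname}"))
    plain = re.sub(r"<[^>]+>", " ", body)
    if CREDENTIAL_WORDS.search(plain) or CREDENTIAL_WORDS.search(msg["subject"] or ""):
        findings.append(("medium", "message asks for log-in credentials or account verification"))
    if GENERIC_GREETING.search(plain):
        findings.append(("low", "generic greeting instead of the recipient's name"))
    return findings


def verdict(findings):
    """'report' if any high-severity sign, 'caution' for medium only, else 'ok'."""
    levels = {sev for sev, _ in findings}
    return "report" if "high" in levels else "caution" if "medium" in levels else "ok"


# Constructed sample: an "IT" password lure with a lookalike link and a double-extension attachment.
PHISHING_SAMPLE = b"""\
From: IT Support <it-support@corp-example.co>
Reply-To: helpdesk@mail-verify.net
To: alice@example.com
Subject: Action required: verify your account
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear user,</p><p>Your password expires today. Please
<a href="http://example-com-login.net/reset">https://portal.example.com/reset</a>
to keep access.</p></body></html>
--b1
Content-Type: application/octet-stream; name="policy.pdf.scr"
Content-Disposition: attachment; filename="policy.pdf.scr"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

# Constructed sample: an ordinary internal message that should trip nothing.
CLEAN_SAMPLE = b"From: Bob <bob@example.com>\nTo: alice@example.com\nSubject: Lunch\n\nHi Alice, noon at the usual place?\n"

if __name__ == "__main__":
    for label, raw in (("phish", PHISHING_SAMPLE), ("clean", CLEAN_SAMPLE)):
        found = analyze_email(raw)
        print(label, verdict(found))
        for sev, text in found:
            print(f"  [{sev}] {text}")
```

Heuristics like these catch the clumsy majority of phishing, not a careful spear-phishing attempt, which is why the script ends in a verdict of “report” rather than “delete”: the goal is to get the message in front of IT quickly, not to decide its fate at the desk.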