Phishing attacks are one of the most pernicious threats facing businesses today. They’re simple to understand, but increasingly difficult to combat. Smart criminals target what are perceived as the weakest links in a company. They send emails with malware disguised as innocuous PDFs, office documents, and other attachments. When employees click on the attachment, malware is installed onto their computer. From there, the criminals can harvest information immediately, or use the first infection as a beachhead to travel deeper in the corporate network. It’s likely that phishing is how Sony’s networks were breached, and thousands of companies suffer phishing attacks every day.
It’s estimated that 90% of corporate breaches start out as phishing attacks. The question of the best way to approach phishing is pressing. There are two standard approaches: training and punishment.
Some organizations are adopting contractual penalties to be applied to employees who fall for phishing attacks. In some ways, the logic of this approach is reasonable. Phishing attacks cause significant damage to businesses. They are easily avoided if employees apply straightforward best practices for handling their email. Employees often aren’t careful with email, even when they’ve been given training. Penalties may be an effective way of incentivizing employees to think before clicking on links in emails.
I think penalties are probably not the most effective approach. It’s true that traditional awareness training has been of limited success. But that’s largely because awareness training — often a brief workshop and a few warning signs scattered about the workplace — doesn’t go far enough.
Employees are the first and best line of defense against phishing. They’re also the greatest point of weakness, but if companies regard them as a resource in the fight against online crime, and invest in decent and thorough training, the results are likely to be more positive. The carrot works better than the stick. An inclusive rather than combative attitude to security is likely to bear fruit.
“We don’t believe that humans are a weak link at all … Having users that can recognize and report attacks can cover the holes left in your perimeter. Our experience working with over 500 enterprises shows that users can be conditioned to detect attacks – they can actually be a strong asset to an organization’s incident detection plan.”
Of course, Belani has an obvious motivation for promoting anti-phishing training, but the evidence is on his side. Phishing attacks will continue, and they will target employees at all levels of a business. Training them and giving them positive incentives to recognize and report phishing attacks stands a greater chance of success than negative reinforcement. Without training, employees are not likely to recognize the attack that will result in them being penalized — and applying a penalty after a breach has been discovered is like shutting the stable door after the horse has bolted.
Well-trained, vigilant, and incentivized employees, on the other hand, are more likely to notice and respond appropriately to phishing attempts.