Skip to main content

This is the third article in our 10-part series for National Cybersecurity Awareness Month. Look for new cybersecurity topics explained by Alpine Cyber experts every Tuesday and Thursday in October. 

About Your Recent Amazon Order

Did you order something from Amazon lately? If so, the following email would look right at home in your inbox:

 

The savviest user can look at this and know that it belongs in the trash can. It doesn’t show anything about the order items, the email is from a phony domain (amazon-shipping-updates.com) and most importantly when you hover over the link you’ll see it’s not to amazon.com.

Hook, Line and Sinker

There are a lot of people that wouldn’t catch these details. Instead they click or tap in a hurried moment only to land in the next phase of a phishing attack.

Almost every breach that we hear about in the news starts with a phishing attack. These attacks typically result in wide-spread destruction or data loss within an organization.

Why Traditional Training Fails

Can we always blame a user for clicking on a suspicious link? Their training was probably a 5-minute video they had to watch 3 years ago. Worse, phishing attacks are becoming more devious.

And when a savvy user does spot a phony email they usually send it to the trash. Meanwhile the rest of the organization is still under attack.

Instead, companies should regularly train their employees to identify and report all suspicious emails. This allows the IT or Security team to identify an attack and more quickly protect the company.

Managed Security Awareness Training

Enter the managed security awareness training approach. This is one of the first things an organization should implement to bolster their security. Compared to other security tools this ends up being relatively inexpensive and delivers a high return on investment.

A good security awareness platform should contain a phishing test mechanism, phishing reporting features, and professional training modules.

Phishing Test Mechanism

You want to create and send test phishing emails to users. It should also be able to track statistics such as who opens the email, responds, clicks on phishing links or opens an attachment. Bonus points if it also includes pre-built templates using the latest phishing attacks seen in the wild.

Reporting Option in Email Client

A solid program will allow you to install a button in your email client that allows the user to report when they see a phishing email. When the user clicks this button in the event of a test phishing message they will be congratulated for their identification of a phishing attack, and that will be recorded in the platform.

When the user clicks the button on a phish that is not part of a test, then that email will be forwarded to the identified security person or team for further analysis.

Professional Training Modules

The other benefit to a managed security awareness platform is you usually get professional, up-to-date, training content for your organization. This is easily the most important feature of a security awareness training platform. One should identify a product or service with a robust suite of trainings from tips & tricks to in-depth videos.

As time goes on and users get proper training and more targeted phishing tests the company’s security will naturally increase. The user is the most important security asset and now is the time to act on it.

Wondering How Your Team Would Stack Up?

Would your colleagues score well on these phishing tests? Would you? Contact us to find out. We offer phishing tests and a complete managed security awareness training service.

Happy Cyber Security Awareness Month! If you missed last week’s posts we covered avoiding ransomware trouble and 5 rules for passwords. Follow us on LinkedIn and Twitter for more cybersecurity topics each week.

Photo by Laura Stanley 

Frank Urbanski

Author Frank Urbanski

Frank worked for 8+ years as a Software and Cyber Security Engineer within the defense industry. At Alpine Cyber Solutions Frank oversees the Security Services line of business. He has his passions set on Incident Response, Automation, and Threat Management.

More posts by Frank Urbanski