In this article, Cyber Security Hub explores the best ways to educate employees on email-based cyber attacks and how to ensure they follow cyber security safety practices.
When surveyed by Cyber Security Hub for its Mid-Year Market Report 2022, three in four cyber security experts said that email-based threat vectors, social engineering and phishing attacks, were ‘the most dangerous threat’ to cyber security.
One of the reasons why these threats are so dangerous is how widespread these attacks are. The Anti-Phishing Working Group (APWG), an international consortium and fraud prevention group, recorded a total of 3,394,662 phishing attacks in the first three quarters of 2022. The APWG noted that each quarter broke the record as the worst quarter the organization had ever observed, with 1,025,968 attacks in Q1, 1,097,811 attacks in Q2 and 1,270,883 attacks in Q3.
Social engineering and phishing attacks are often utilized by hackers to directly target employees inside a business. In 2022, research by the UK’s Department for Digital, Culture, Media and Sport (DCMS) found that of all UK businesses that identified a cyber attack against them, the threat vector for almost nine in 10 (86 percent) of those attacks was phishing.
As these attacks specifically target employees, the responsibility for ensuring the attack does not progress rests in the employee’s hands. If employees are unsure of what to do in the event of a cyber attack, as a reported 56 percent of Americans are, this can have devastating consequences.
These consequences are likely the reason why almost a third of cyber security professionals (30 percent) say that a lack of cyber security knowledge is the number one threat to cyber security at their organization.
Ensuring good cyber security within businesses requires employees to be engaged with their training, so that they are better able to retain the information and apply it later, when they do come across cyber security threats.
How to engage employees with email security
If employees are more aware of how cyber attacks can begin and progress, they will be less susceptible to them. Making sure employees remember this training, however, is important. Email security company Tessian found that almost two thirds (64 percent) of employees admitted to not paying full attention during cyber security training, and 36 percent said that they found the training ‘boring’.
If employees are not engaged, they may miss information that may be vital in the case of an actual cyber attack. With the World Economic Forum finding that 95 percent of cyber security issues can be linked to human error, businesses cannot afford this risk.
Below, Cyber Security Hub explores the tactics companies can use to better engage their employees during cyber security training.
Link bonuses to performance in security training exercises
In a discussion among Cyber Security Hub’s Advisory Board, one member suggested linking cyber security to a company’s universal goals. This helps employees understand that they are all responsible for cyber security.
The board member explained that, to do this, their company conducts multiple phishing tests throughout the year, with the scores from those tests affecting employees’ bonuses. The rationale is that phishing attacks have an indirect influence on a company’s bottom line. Cyber attacks cost a lot of money, meaning that if a cyber attack occurs, companies will lose money in operational costs. Additionally, cyber attacks may lead customers to lose trust in a company and take their business elsewhere, leading to an overall drop in profits.
With bonuses directly linked to profit, financially motivated employees will be encouraged to be more diligent in not clicking on potentially dangerous links, as their good behavior is reinforced and rewarded.
Simulated phishing attacks can also be used to ensure employees are engaged with the subject matter, both because they require hands-on learning and because they can demonstrate to employees, in real time, the risks of not properly evaluating emails. They can also be gamified to avoid employees ‘turning off’ during training, as one in three employees report increased learning engagement when using gamified learning techniques.
Use video content to share case studies
Companies can also better engage their employees through the use of short-form video content. Studies have shown that the use of eLearning techniques like video content can increase information retention rates by up to 60 percent. With employees on the front line of defense against social engineering attacks, this retention increase can really make a difference.
Video-based training content can take a number of forms, including real-life case studies performed by actors as video testimonials. An example of this is a video shared to multiple social media sites entitled ‘My LinkedIn post cost my company a fortune’.
In the testimonial, an actor shares the story of an employee who was directly involved in a cyber attack. He explains that someone posing as a recruiter enticed him into communicating with them first through comments on his LinkedIn posts, then via messages with a lucrative job offer.
He shares that the faux recruiter built a relationship with him and finally sent him a PDF which supposedly contained the job offer. Instead, upon downloading and opening it, the victim found that it contained only a cover letter and two blank pages. When he reached out to the supposed recruiter, the recruiter explained that it was a secure file and prompted him to download and install a secure PDF reader to view it properly. When this still did not work, the victim contacted the recruiter again, but the recruiter did not respond to any of his messages. He dismissed this, but weeks later there was a data breach at his company that cost the company millions of dollars. The breach was traced back to him, as the PDF reader had actually contained malware that was used to launch an attack against the company.
In a final statement, the actor warns watchers that job scam attacks are becoming more prevalent as people are frequently expected to communicate with strangers and download the attachments sent to them.
By using these eLearning techniques, companies can reaffirm the role of employees in protecting the business from cyber attacks, as well as offering them a framework for what to do during a cyber security incident. It can also provide them with tips on what to look for in potentially malicious communications.
Good cyber security relies on employee knowledge
Companies can ensure that their employees are more engaged with cyber security training by showing them that cyber security is inherently tied to their role, even if they do not have a security-based role.
By using training techniques that are designed to boost employee concentration, information retention and understanding, businesses can help strengthen themselves against future cyber attacks by best equipping their employees with key knowledge.