Mindset: Motivating people to rethink as quickly as possible
It seems that many employees have not yet realized that people are the biggest weak point in spear phishing attacks. It is therefore high time for companies to initiate a rethinking process and appeal to the personal responsibility and self-efficacy of their employees. This should be done within the framework of information campaigns that explain the sophisticated phishing methods and the often serious consequences of successful attacks – ideally using the example of damaged companies.
The information campaigns should be initiated by management and supported by executives and IT security officers. To have the greatest possible impact, the content should be communicated through events, team meetings, videos and circulars. Employees must internalize the importance of their role as a human firewall against spear phishing.
Skillset: Responding correctly to fake mails
Employees must also learn how to deal with fraudulent e-mails. Security awareness training courses that combine online and face-to-face training with innovative spear phishing simulations are ideal. While traditional offerings provide general knowledge about phishing attacks, phishing simulations use real company and employee information to recreate real attacks. If employees are taken in by a simulated phishing email, they are taken directly to an explanation page where they are given clues about suspicious features of this email: from letter misspellings in the address line, to fake subdomains, to dubious links.
Phishing simulations offer two advantages: First, they address the snap decisions by employees that lie behind the often ill-considered clicks on malicious emails. In addition, they take advantage of the “most teachable moment” of the mail recipients by informing them about potentially harmful behavior at exactly the right moment. This ensures that more care is taken with incoming e-mails in the future. To maintain the learning effect, phishing simulations should be repeated and updated regularly.
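As an added example (not IT-Seal's code or part of the original article), a small checker that produces the kind of cues an explanation page shows for the three features named above: a misspelled sender domain, a fake subdomain, and links whose visible text does not match their real target. The allowlist of company domains, the sender addresses and the HTML snippet are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of the company's own domains (assumption for this example).
LEGIT_DOMAINS = {"example-corp.com", "example-corp.de"}

# Constructed mail body: one link with misleading text, one genuine, one plain HTTP.
SAMPLE_HTML = """
<a href="http://example-corp.com.evil-login.net/reset">https://example-corp.com/reset</a>
<a href="https://example-corp.com/help">Help</a>
<a href="http://203.0.113.5/login">Log in</a>
"""

def registrable_domain(host: str) -> str:
    """Crude registrable-domain extraction: last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-letter misspellings of a known domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(address: str) -> list:
    """Return the cues an explanation page would show for the From: address."""
    host = address.rsplit("@", 1)[-1].lower()
    reg = registrable_domain(host)
    cues = []
    if reg in LEGIT_DOMAINS:          # genuine domain or a true subdomain of it
        return cues
    for legit in LEGIT_DOMAINS:
        if host.startswith(legit + "."):   # legit name used as a prefix of another domain
            cues.append(f"fake subdomain: '{host}' is not under {legit}")
        elif edit_distance(reg, legit) <= 2:
            cues.append(f"look-alike domain: '{reg}' resembles {legit}")
    return cues

def check_links(html: str) -> list:
    """Flag anchors whose visible text names a domain other than the real target."""
    cues = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        target = urlparse(href).hostname or ""
        shown = re.search(r"[\w.-]+\.[a-z]{2,}", text, re.I)
        if shown and registrable_domain(shown.group()) != registrable_domain(target):
            cues.append(f"dubious link: text shows {shown.group()} but points to {target}")
        elif urlparse(href).scheme != "https":
            cues.append(f"dubious link: non-HTTPS target {href}")
    return cues
```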
Toolset: Supplement with innovative technology
To deepen the spear phishing defense, it is advisable to use suitable tools. Password managers, for example, can be used to centrally store and manage digital identities. They help prevent employees from reusing the same password across their accounts, which would give a thief of one set of log-in data access to all of them. IT-Seal’s Reporter Button, which integrates with Outlook, allows employees to report questionable emails and get qualified feedback from internal IT support.
Employee Security Index (ESI®): Key figure for training success
With the Awareness Academy, IT-Seal has developed a security strategy that covers the triad Mindset – Skillset – Toolset with best practices. The core is the patented Employee Security Index (ESI®), a key figure for measuring the security awareness of your employees. After you have defined your target ESI® at the beginning, we align your awareness campaign with it and train your employees based on the indicator. In this way, you can check the current security level and the development of employee groups at any time on the basis of the ESI® and thus verify the effectiveness of the awareness training. Employees who have reached the target ESI® take a break, while groups with training needs undergo further measures.