Training employees in email best practices reduces the likelihood of breaches and attacks such as spear phishing. Phishing remains a considerable threat to individuals and businesses: scammers use social engineering in emails and messages to persuade people to hand over personal information, such as passwords or financial details, or to perform specific actions, such as downloading malware. Phishing schemes are becoming more sophisticated, and targeted spear phishing threatens many organizations.
Here is some perspective on the prevalence of phishing: about 15 billion spam emails cross the internet daily. In 2021, 83% of organizations reported experiencing phishing attacks, and more than 214,300 phishing websites were identified. More than six billion attacks were expected in 2022, and phishing attacks have doubled since early 2020.
Unfortunately, 30% of phishing emails are opened.
Some of these click-throughs are accidental, but eliminating the deliberate ones is paramount, and the best defense starts with employee education. Teach employees to confirm external recipients and attachments before sending, so that an autocomplete mistake does not deliver a message to the wrong person.
Data shows that pairing security awareness training with anti-phishing simulation tools in your training sessions does more than secure employees' inboxes: it also helps ensure that your outgoing data does not fall into the wrong hands.
Training elements employees need
When providing security and other training to reduce breaches, make sure the material is robust. For example, even if it seems obvious to you, employees need to know how to confirm external recipients and attachments on outgoing emails, because auto-fill errors leak data to the wrong addresses. Likewise, they should scan every message for potentially sensitive data before sending it; create rules that define what counts as sensitive if none exist.
Organization leaders can take additional protective measures, such as centrally managed settings, with every setting configurable through Windows Group Policy and specifiable per group. Likewise, keep audit trails.
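The pre-send check described above, as an added example in Python (not code from the original article): it lists recipients outside the organization, lists attachments, and runs sensitive-data rules over the subject, body and text attachments. The internal domain, the rule set and the sample message are all constructed for illustration; the "partner-example.com" recipient stands in for the autocomplete mistake where "bob@" resolves to the wrong Bob.

```python
"""Pre-send check for an outbound message: who is external, what is attached,
and whether subject, body or attachments match sensitive-data rules.

Added example, not code from the original article.  INTERNAL_DOMAINS, RULES
and the sample message are constructed for illustration."""
import re
from email import message_from_string
from email.utils import getaddresses

INTERNAL_DOMAINS = {"yourbusinessname.com"}  # assumed organization domains

# Rules that define "sensitive" for this example; real ones come from policy.
RULES = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "keyword": re.compile(r"\b(confidential|internal only|salary)\b", re.IGNORECASE),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so order numbers and phone numbers are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def external_recipients(msg) -> list[str]:
    """Addresses whose domain is not ours; this is where an autocomplete slip shows up."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    ext = []
    for _, addr in getaddresses(headers):
        domain = addr.rpartition("@")[2].lower()
        if domain and domain not in INTERNAL_DOMAINS:
            ext.append(addr)
    return ext


def sensitive_hits(text: str) -> list[tuple[str, str]]:
    """Run every rule over the text; card matches must also pass the Luhn check."""
    hits = []
    for name, rx in RULES.items():
        for m in rx.finditer(text):
            if name == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            hits.append((name, m.group()))
    return hits


def check_outbound(raw: str) -> dict:
    """Return what a send-time confirmation prompt should show the user."""
    msg = message_from_string(raw)
    attachments, text = [], [msg.get("Subject", "")]
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename():
            attachments.append(part.get_filename())
        payload = part.get_payload(decode=True) or b""
        text.append(payload.decode("utf-8", errors="replace"))
    ext = external_recipients(msg)
    hits = sensitive_hits("\n".join(text))
    return {
        "external": ext,
        "attachments": attachments,
        "sensitive": hits,
        # Block, or at least force a confirmation, when sensitive data leaves the org.
        "block": bool(ext and hits),
    }


# Constructed sample: the sender meant the internal Bob but autocomplete added a second one.
SAMPLE = """\
From: alice@yourbusinessname.com
To: Bob <bob@yourbusinessname.com>, Partner <bob@partner-example.com>
Subject: Confidential Q3 numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Bob, here are the figures we discussed.
--b1
Content-Type: text/csv
Content-Disposition: attachment; filename="payroll.csv"

name,ssn,card
J. Doe,123-45-6789,4111 1111 1111 1111
--b1--
"""

if __name__ == "__main__":
    for key, value in check_outbound(SAMPLE).items():
        print(f"{key}: {value}")
```

The Luhn filter matters in practice: without it, every 13- to 16-digit order or tracking number becomes a false positive and users learn to click through the prompt.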
Create security awareness that works
When building a security awareness training course, there are out-of-the-box programs on the market, but you can also build a program that fits your own organization. One approach: list six questions about your organization's culture, goals, and compliance needs, and choose training content based on the answers. Then set up a detailed calendar with a task list to start the program, along with a way to export detailed and executive-summary PDF versions of it.
Include actionable tasks and helpful tips, assemble the training content, and build the calendar so you can see how you will reach your security awareness goals and deploy the program.
Teach employees about common email scams
Spam and phishing are just two of the many email problems your employees may encounter. Some scams promise money in exchange for a small advance payment up front. Others impersonate people your employees know and ask them to download an attachment. Scammers exploit familiarity, with some success, in their phishing attempts.
Scammers launch thousands of phishing attacks like these daily, and they are often successful. They update their tactics to track the latest news and trends, but one of the most common is telling a story that tricks recipients into clicking a link or opening an attachment. Your team members may get an unexpected email that appears to come from a trusted source, such as a bank, a credit card company, a utility, or an online payment service like PayPal or a mobile app.
For example, the scammer's message might claim that suspicious activity or log-in attempts were noticed, or that there is a problem with an account (PayPal) or with payment information for a service (Netflix), when there is no problem at all. Other common lures include fake invoices, personal finance requests, make-a-payment links, refunds, and prizes.
Teach employees to use their best judgment: never send anyone money, never provide personal or proprietary company information in response to such requests, and never open unexpected email attachments.
Train users for mistakes
Any training program for email security best practices should address user ignorance and negligence, which have always played a prominent role in data breaches and financial fraud. Important points to cover include:
- Make employees aware of your domain, i.e., yourbusinessname.com. A fake may be something like yourbusnessname.com. Users must know how to spot this trickery, training their muscle memory to check the actual sender address every time before they open an attachment.
- There is a difference between a display name and an email address. A display name can be set to anything, such as ITguy. Train users to click on the From address when only the display name is shown, so they can verify the actual address before opening any attachment. It becomes a habit after a while.
- Describe every kind of compromise you can. Attacks change daily, from spear phishing to identity theft, sniffing, and viruses, and users should keep this in mind every time they open an email. Arrange demonstrations of real attack scenarios so users understand the risks.
- Require all users to use company-approved email clients, kept up to date and configured with current, supported encryption suites.
- The most important training may be on passwords. If a user applies the same password everywhere, work or personal, one compromise gives attackers access to everything; each account needs its own password.
- Give users responsibility. Most companies run passive email security, so employees feel little ownership when breaches happen. Instead, everyone should be responsible for securing their own email account and the other company assets they touch.
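The first two points above, the lookalike domain and the display name that hides the real address, are mechanical enough to check in code as well as by eye. The following is an added Python example, not code from the original article: it parses a From header, splits display name from address, and classifies the sender domain as internal, lookalike or external. ORG_DOMAIN, the homoglyph table, the edit-distance threshold and the sample headers are all assumptions constructed for illustration.

```python
"""Sender checks for two training points: lookalike domains and display name
vs. real address.  Added example, not from the original article; ORG_DOMAIN,
HOMOGLYPHS and the sample headers are constructed for illustration."""
from email.utils import parseaddr

ORG_DOMAIN = "yourbusinessname.com"  # assumed organization domain

# Substitutions attackers use because they look alike in many fonts.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalize(label: str) -> str:
    """Fold confusable characters so 'yourbusinessnarne' reads as 'yourbusinessname'."""
    label = label.lower()
    for lookalike, real in HOMOGLYPHS.items():
        label = label.replace(lookalike, real)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, org: str = ORG_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender domain."""
    domain = domain.lower()
    if domain == org or domain.endswith("." + org):
        return "internal"
    org_label = org.split(".")[-2]
    # yourbusinessname.com.evil.example: our name used as someone else's subdomain.
    if org_label in domain.split("."):
        return "lookalike"
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]  # simplification: ignores co.uk etc.
    if normalize(label) == normalize(org_label):
        return "lookalike"  # homoglyph swap, or the same name under another TLD
    if edit_distance(label, org_label) <= 2:
        return "lookalike"  # typo-squat; tune the threshold for short org names
    return "external"


def check_from(header: str, org: str = ORG_DOMAIN):
    """Parse a From header and return (verdict, findings) for a user prompt or mail filter."""
    name, addr = parseaddr(header)
    if not addr:
        return "unparseable", ["From header could not be parsed; treat as hostile"]
    domain = addr.rpartition("@")[2]
    verdict = classify_domain(domain, org)
    findings = []
    if verdict == "lookalike":
        findings.append(f"sender domain {domain} imitates {org}")
    # The display name is free text: 'ITguy' proves nothing, and an address in the
    # display name that differs from the real one is a deliberate spoof.
    if "@" in name and name.strip().lower() != addr.lower():
        findings.append(f"display name {name!r} hides real address {addr}")
    return verdict, findings


# Constructed sample headers: one legitimate, four that training should catch.
SAMPLES = [
    "IT Support <helpdesk@yourbusinessname.com>",
    "ITguy <helpdesk@yourbusnessname.com>",
    "Payroll <hr@yourbusinessnarne.com>",
    "Alerts <noreply@yourbusinessname.com.evil.example>",
    '"helpdesk@yourbusinessname.com" <attacker@example.net>',
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(h, "->", check_from(h))
```

The edit-distance threshold is the knob to tune: 2 is reasonable for a long name like yourbusinessname, but for a short organization name it will flag legitimate partners, which is exactly the judgment users are being trained to make.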
Protecting your data
Data is the most valuable asset of a digitally connected business. Establish robust data governance programs to keep control of your data, and train your data custodians, processors, and controllers within a privacy-by-design framework.
Finally, make sure employees stay attentive to the security and privacy of all sensitive data, including how it is collected, processed, and stored.