If I asked each reader of this post whether they would fall for a phishing email, I bet 80% of you would say “no.” But, when security firm McAfee sent a 10-question phishing quiz to 30,000 of their customers, 80% of them fell victim to at least one phishing email in the quiz. And get this, only 3% of them actually aced the test.
Do you think you’re at the elite 3% level? Go ahead, find out by taking this phishing quiz from Dell SonicWALL security solutions.
Not as easy as you thought, was it?
It takes time and effort to spot a phishing email.
Do you think everyone on your staff would be as diligent and careful as you were when taking that quiz? Don’t count on it.
You might have already read my post, 7 Ways Smart People Get Hacked by Social Engineering. And perhaps you wondered, “what can I do about it?!” Well, here are some non-technical things you can do to minimize the likelihood of staff at your organization falling victim to social engineering—a non-technical tactic for tricking people into breaking security procedures.
1. Provide regular security awareness training to staff.
Everyone groans at the thought of mandatory IT training, so make it easy and enjoyable for them.
- Host departmental breaks or lunches (attendance required) where you teach colleagues how to spot the latest and most common social engineering and phishing schemes. Tip: the points are more likely to stick if you use visuals and real stories.
- Don’t limit security lessons to office scenarios. The line between home and office is too blurred, especially when devices are used for both personal and professional purposes. Tip: personal life examples may resonate more strongly with some of your staff.
- Provide security training for all new employees. Schedule regular (say, every 6 months) ‘booster sessions.’
- Keep reminding everyone to maintain heightened awareness by sharing phishing emails and stories of attacks. Post them in employee communications, on your intranet, in your community, or taped to the office refrigerator.
2. Reward savvy security behavior.
Don’t punish ‘dumb’ behavior—that isn’t going to motivate anyone to behave differently. But do reward smart behavior. Recognize people who pass every phishing test and who submit phishing emails to share. Make good security habits part of your organizational culture.
3. Recruit leaders as security champions.
Don’t let the C-suite and other senior staff slide on training session attendance—they’re not immune from making the mistakes that cause security breaches. And, more importantly, senior staff must model the behavior necessary to protect your network and your member, staff, donor, and customer data. They need to be comfortable talking to staff about security threats and policies. If they’re not walking the walk, others won’t either.
4. Provide the opportunity to fail and learn safely.
Help everyone on staff develop good security habits by testing their decision-making in real life. You can hire a firm or purchase software that will send staff phony phishing emails. If the target ‘fails’ the test by clicking on a link or opening an attachment, they’re notified of their error and instructed to watch a brief video to learn what to do next time. It’s much better for them to learn from these fake mistakes than to learn their lesson the hard way.
5. Develop reader-friendly security policies.
Let’s face it: most security policies are a yawn-fest. Employees sign the dotted line after a perfunctory scan—they haven’t really read the information or understood it. Even if your security policy is well written, do employees understand why such a policy is necessary? Are there people on staff who feel the “rules don’t apply” to them?
To make your policies more effective, provide an easy-to-understand summary of each policy. Highlight what staff absolutely need to know. Provide a rationale that makes sense to them. Ask a few colleagues to be beta-readers. Use their feedback to refine the message. Hire writing help if that’s what it takes.
6. Consider your departmental reputation.
Are employees comfortable admitting an embarrassing and damaging mistake to you as soon as it happens? Do they hesitate when it comes time to ’fess up?
How you and your team react to the questions and requests of staff sets the tone for your relationship with them. If you are perceived as the ones who always say “no,” the dream killers, the enforcers, or the eye-rollers, you’ve got work to do. Everyone should be comfortable asking even the ‘dumbest’ questions or admitting their mistakes—like “I clicked on something and I don’t know what’s happening to my computer right now.”
7. Get to know your counterparts at member firms.
Develop relationships with your IT counterparts at member firms—even better, organize or join a professional community. If a particular type of attack starts to occur with more frequency in your industry or professional niche, your member IT network will alert you and other IT staff in the community. You can proactively protect your organization and warn members about the new attack or scam. You’ll have more eyes on the lookout, more warning signals, and a better chance of catching suspicious activity before it hits home.
Humans will always be the weakest link in the chain. That’s why you can’t rely on technology alone to prevent phishing and other social engineering attacks—you have to give your colleagues the knowledge and skills they need to not fall victim in the first place.
Looking for more information about information security? We’ve got you covered. Check out our eBook The Cybersecurity Watchlist for Association and Nonprofit Executives for more information on threats to your organization’s security and how you can prevent your data from being compromised.