This is what the Ghost of Holidays Past would show you on a time-traveling trip back to Q4 of 2017. Do these stats have you muttering “bah-humbug?” Don’t give up hope on cybersecurity yet, Mr. Scrooge! If you have a well-trained workforce, you have an excellent defense already in place against seasonal phishing. Here’s why.
Right now, IT pros everywhere are doubling down on technology solutions to combat the barrage of seasonal cyberattacks they’re already facing. Unfortunately, technology struggles to protect against brand new or zero-day tactics that haven’t been seen before. Simply put, you can’t stop what you don’t see coming. In Q4 of 2017 alone, 30% of the malware seen was new or zero-day.
Even with a large team, unlimited resources and a war room, it would still be difficult to keep firewalls and technical barricades up to date (and we know most IT pros don’t have anything close to that at their disposal). So, what’s a pro to do to protect their organization’s data against the incoming avalanche?
A Phish Sense
If you’ve been investing in your employees’ cybersecurity awareness throughout the year, ’tis the season where you’ll see it pay off. Firewalls can catch known threats, but well-trained employees have something that technology can’t offer: a phish sense.
Because effective anti-phishing training focuses on building cybersecure behaviors rather than building an encyclopedic knowledge of specific threats, employees don’t need to know the nitty-gritty details of, say, file-less malware (although keeping employees informed about emerging risks is a great idea!).
The overall skills employees have learned through anti-phishing training become extra valuable this time of year: they’ve learned to keep a keen eye out for suspicious behavior and social engineering, and have ideally developed what MediaPRO’s Chief Strategist Tom Pendergast likes to call “a healthy paranoia.”
Seeing the Forest for the Phish
One of last year’s emerging threats, Word document-based cyberattacks, serves as a great example of how learned skills can be more important than the details. Let’s say an employee receives an angry email which includes an (unbeknownst to them) malware-infested Word document as an attachment.
Although they may not be informed of the specific, new risk of Word document-based malware, the employee still recognizes the age-old tactics of social engineering. In fact, it likely matters very little to the employee whether a suspicious attachment comes in the form of a PDF, a video, or a Word document. The employee’s phish-detecting skills, built through continuous training, can still identify that something is, well, phishy. And a well-trained employee will look for other telltale signs of a phishing attempt, such as misspelled names or email aliases.
On a technological level, cyberattack tactics shift rapidly. But at its core, phishing hasn’t changed dramatically, and the goal is the same: to trick the recipient into clicking, downloading, or otherwise interacting with their malicious gift.
From the employees’ perspective, they’re still fighting the same battle they’ve been training for all year. And it’s one they can win, so long as practitioners have taken the time to reinforce their employees’ cybersecurity training as often as they update their other firewalls.
The Phish that Keeps on Giving
Here are some quick ways to bolster that valuable employee knowledge over the next month:
- Send them our ‘Tis the Season….for Phishing! animation as a heads-up about the holiday spike in phishing attempts coming their way.
- Deploy a microlearning module on identifying phishing to reinforce their knowledge (you can use our free Phishing in 5 Mins or Less mini-course included in our Phishing Toolkit).
- If you’ve got a simulated phishing tool in place, create a specific holiday-themed simulated phishing campaign (or two!) to test their knowledge and reinforce the training with those who might need it.
This holiday season, like Scrooge, you have a new chance to show that your outlook on employees’ cybersecurity awareness isn’t so negative after all. If you’ve been training your employees on cybersecurity best practices, put the “bah-humbugs” away and have a little holiday faith.
Well-trained employees can protect us – everyone!