Email is frequently used by criminals as a way into organisations. Email can be used to deliver malware, ransomware and most commonly phishing emails. Despite the multitude of ways of communicating today, email remains the primary method to communicate for many organisations. It is trusted (rightly or wrongly), provides a useful reference source, can be organised and provides a useful audit trail. Criminals exploit that trust and familiarity to deliver messages that many people are likely to respond to instinctively. Phishing emails can be used to capture login credentials, initiate bank transfers or simply steal information.
One approach that has been used by a number of organisations is to offer a reward for good behaviour. One example could be offering a small reward, say a box of chocolates, for the most interesting, unusual or realistic phishing email received each month. The results of the mini-competition can be shared amongst staff each month, with the offending email helping others to be aware of the threat and increasing their knowledge of current cyber threats. Consider this a small-scale way of sharing threat intelligence.
My suggestion would be to run the competition for one year and then close it. You may well be surprised to find that reports of phishing emails continue once the competition has closed.
Phishing is a great example of the need for defence in depth.
The PPT (people, processes and technology) mantra (strategy) works because it scales to organisations of all sizes and across a range of sectors. Protection from phishing attacks is a combination of awareness, training and technology.
As always, your staff are your best asset.
How have you helped prepare your staff? Do share your experience in the comments below.
Step 5 of the NCSC staff awareness training is devoted to phishing advice.