#CyberMonth: How to Promote a ‘Think Before U Click’ Culture


James Coker

Deputy Editor, Infosecurity Magazine


Phishing remains one of the most common and effective forms of cyber-attack. The vector has exploded since the start of the COVID-19 pandemic, fuelled by increased reliance on digital communications and a series of emotive events that served as effective lures. In February 2022, Proofpoint research found that more than nine in 10 (91%) UK organizations were successfully compromised by an email phishing attack in 2021, underlining its ongoing potency.

Such compromises can pose major problems for organizations. “When phishing is used to steal login credentials, it opens up a world of possibilities for the cyber-criminals and a world of hurt for the impacted individual or business,” explained David Richardson, VP of product management at Lookout. “With one set of credentials, bad actors can then try to log in to a number of common cloud-based services such as Microsoft 365, Google Workspace, AWS, Salesforce, etc. Once they’ve successfully logged in to one of these accounts, they can move laterally within an organization and find highly sensitive and valuable information to either encrypt for ransom or exfiltrate to sell on the dark web.”

While a growing number of security tools are designed to stop phishing messages reaching recipients, the issue remains, at its core, a human one. A focus on awareness training is therefore key to tackling this ongoing scourge. Too often, however, organizations only pay lip service to training in this area, for example by running an annual phishing simulation and other tick-box exercises.

This is why one of the focuses for this year’s European Cybersecurity Month is phishing, with the theme ‘Think Before U Click!’, highlighting the need for users to be equipped with the knowledge to avoid falling into attackers’ traps.

Here are five steps organizations can take to enhance their phishing training, achieving greater employee engagement and effectiveness.

Explain the Why

In addition to showing staff how to detect and react to potential phishing emails, it is vital that organizations explain why these measures are necessary. In an interview for the October 2022 IntoSecurity podcast, Jessica Barker emphasized the importance of making awareness messaging relevant to people’s lives, which makes them much more likely to follow recommendations. “Rather than telling people what to do or what not to do, it’s much more helpful to frame it from coming from that context of why we’re making those recommendations,” she noted.

This principle can also be applied to specific training activities. Javvad Malik, lead security awareness advocate at KnowBe4, commented: “The security team should be upfront and let their colleagues across the organization know why they are conducting simulated phishing and how it benefits everyone as a whole. Getting people to understand the reasoning behind an activity can greatly reduce the resistance.”


Short but Frequent

Organizations should carefully consider how training is delivered and how often. Research has shown, for example, that ‘microlearning’, short modules of five to ten minutes, significantly improves retention compared with a single lengthy session of up to an hour. These bite-sized sessions are also far easier to fit into employees’ busy workdays.

Therefore, experts believe that short but frequent phishing training sessions are most effective at ensuring messaging sticks and changing behaviors. Malik said: “Organizations don’t need to try and boil the ocean at once by giving long training sessions on do’s and don’ts. Rather, they can focus on a couple of high-risk behaviors and use small, engaging content on a more frequent basis that reinforces the message. Ultimately, the goal is to change behavior, not to make people security experts. So if the desired behavior can be reinforced through the messaging, it can lead to greater results.”

Teach Cynicism

Cynicism is not always the best trait to follow in life, but it is often crucial in cybersecurity. A fundamental attitude that should be imparted to employees is to be suspicious of certain types of emails and not rush to respond to them. This is recognized in this year’s Cybersecurity Month theme of ‘Think Before U Click.’ Lookout’s Richardson said: “Phishing attacks have continued to evolve in techniques and sophistication, but the basic approach of trying to create a sense of urgency or impersonating a figure of trust or authority has remained pretty constant. When contacted in this manner, it’s important to take a step back, evaluate the situation and find alternative ways to validate the request.”

Phishing messages are generally designed to create a sense of urgency or panic, focusing on topics of tension or concern, such as COVID-19, and demanding immediate action. Tal Memran, cybersecurity expert at CYE, explained: “The content of the email is often phrased in a way that pressures the recipient, i.e. if you don’t respond within a certain time limit, your access would be revoked.”

Other suspicious signs highlighted by Memran are when the email includes an attachment with deliberate instructions to open it and the body of the message contains a link, “usually a shortened one for you to click on, and in most cases would ask you for a set of credentials.”

There are a number of actions that can be taken to assess the validity of these types of messages. One is to check the domain the email was sent from: attackers often register lookalike domains that impersonate well-known brands. “Carefully examine the domain for any purposeful typos,” advised Memran.

Another easy technique is to hover the cursor over any link in the email to reveal its real destination, and to check that this matches the text shown and points to a legitimate website. The destination can also be cross-referenced using a reputable search engine rather than clicking the link itself.
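The manual checks above (a shortened link that hides its destination, a domain with a deliberate typo, and link text that does not match where the link actually goes) can be written down as code. The following is an added example, not part of the article or of any vendor’s product: it parses a constructed HTML email body, extracts each link with its visible text, and flags the same warning signs a careful reader would spot by hovering. The list of trusted brand domains, the list of URL shorteners and the sample email are all assumptions made for the example.

```python
"""Link triage for a 'Think Before U Click' check (added example, not from the article)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains the organisation legitimately receives links from.
TRUSTED_DOMAINS = {"microsoft.com", "google.com", "amazonaws.com", "salesforce.com"}
# Assumed: common URL shorteners; a shortened link hides the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}

# Constructed sample email body; none of these URLs were taken from a real campaign.
SAMPLE_EMAIL = """
<p>Your password expires in 2 hours.</p>
<a href="https://micr0soft.com/login">https://microsoft.com/login</a>
<a href="https://bit.ly/3abc">Reset your password</a>
<a href="https://www.microsoft.com/account">Review activity</a>
<a href="http://login.microsoft.com.verify-account.net/">microsoft.com</a>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkParser()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Last two labels of a hostname (assumption: no multi-part suffixes such as co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance; catches one- or two-character typosquats like micr0soft."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href, text):
    """Return the reasons this link deserves a second look (empty list = nothing flagged)."""
    findings = []
    host = (urlparse(href).hostname or "").lower()
    domain = registrable_domain(host)

    if domain in SHORTENERS:
        findings.append("shortened link hides the real destination")

    # Punycode labels (xn--) can carry lookalike characters from other scripts.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("internationalised (xn--) hostname may use lookalike characters")

    # Visible text that looks like a URL but points somewhere else.
    shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
    if shown and registrable_domain(shown.group(1)) != domain:
        findings.append(f"text shows {registrable_domain(shown.group(1))} but link goes to {domain}")

    # Brand name used in a non-brand domain, or a near-miss spelling of a trusted domain.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            brand = trusted.split(".")[0]
            if brand in host.split("."):
                findings.append(f"{host} uses the {brand} name but is not {trusted}")
            elif edit_distance(domain, trusted) <= 2:
                findings.append(f"{domain} is a near-miss for {trusted}")
    return findings


def triage_email(html):
    """Map each flagged href to its findings; clean links are omitted."""
    report = {}
    for href, text in extract_links(html):
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


if __name__ == "__main__":
    for href, reasons in triage_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Running it on the sample prints the three suspicious links with their reasons and stays silent about the genuine microsoft.com link. The near-miss threshold of two edits is deliberately loose; in practice it should be tuned against the organisation’s own trusted-domain list so that short legitimate domains do not collide with each other.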

Straightforward Reporting Processes

The process of reporting potential phishing messages should be as simplified as possible, involving no more than a click of a button. “If people have to raise a ticket or phone someone, or otherwise take an action which inconveniences them, it won’t be taken,” noted KnowBe4’s Malik.

The security team should then acknowledge every report of a suspicious message, whether or not it turns out to be a phishing attack. This encourages future vigilance and shows reporters that their contributions are helping the organization. Malik added: “The security team should provide feedback whenever a person reports an issue. Even if it’s a false positive, thanking the person encourages greater engagement in the future.”

Record Phishing Attacks

To enhance employees’ awareness and understanding of phishing, security teams should publicize attempts discovered within the organization following employee reports. Memran said: “Make sure to frequently inform your employees about widely known and used phishing campaigns to increase their alert level for suspicious emails.”

This includes sending the email itself to staff as an alert, once it has been made safe, so they are on the lookout for the same type of message. “Phishing schemes often target multiple people in an organization, so letting fellow staff members know what to look out for can make it easier to spot and stop phishing,” commented Paul Bischoff, consumer privacy advocate at Comparitech.

This approach also enables a record of phishing techniques to be maintained, potentially allowing a deeper analysis of trends in this area to continually update and improve awareness training.
