The Phish Is Only the Beginning


Human error has been a thorn in technology's side forever, and the cybersecurity market has its own horror stories to tell about disastrous human blunders and glaring gaps in basic security practice. The recent Verizon Data Breach Investigations Report reinforced a long-held notion: 90% of breaches happen when someone falls for a phishing or social engineering attack.

So the question arises: what can be done about this persistent vulnerability called human error? Here are some expert opinions that give ample food for thought.

5 Human-Centered Security Enhancements We Need Right Now!

Move the Security Money to the Human Layer

For the most part, cybersecurity money has gone into hardening IT systems against external and internal threats. Big Tech and its major players have become more sophisticated at rolling out security updates and maintaining a consistent software baseline. That leaves the human layer as the weak point.

Companies often fail to recognize that the real problem lies in the human element: how individuals respond to potential threat vectors. Employees need more robust cybersecurity training and education.

Anti-Phishing Education Pays

Studies on phishing and security education have shown that the right training programs can bring cyber incidents down from 40% or above to less than 10%. The most successful programs usually cover the cornerstone areas of protection, education, evaluation, and reporting. The focus is always on minimizing exposure by stopping the phishing link at the click-through stage. Trained employees show that this is possible, and that it greatly bolsters a company's overall email-based cybersecurity defense.

Programs can also send mock emails that mimic the most popular tactics to measure how many employees click a potentially malicious link. These fake links are then redirected to a training module or a safe landing page where the employees who clicked can learn from their mistake.

Evaluation Follows Education

Gathering data on how employees perform in training and in mock phishing campaigns helps a business understand the vulnerabilities in its human layer. That data lets it refine its training modules, phishing-related educational content, and protocols. Once evaluation is part of the overall remediation process, companies can systematically reduce the time it takes to screen and act on potential email-based phishing attacks.
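A concrete way to turn mock-campaign results into the kind of evaluation described above, as an added example that is not code from the original article or from any awareness-training product: it reads a constructed event log (sent, clicked, reported), computes per-campaign click rate, report rate and time to first report, and lists users who clicked in several campaigns without ever reporting, which is the group most in need of targeted follow-up training. Campaign ids, user names and timestamps are all constructed sample data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample event log from two simulated phishing campaigns (not real data).
# Each tuple: (campaign_id, user, event, ISO timestamp); events are sent/clicked/reported.
EVENTS = [
    ("c1", "alice", "sent", "2024-03-01T09:00:00"),
    ("c1", "alice", "reported", "2024-03-01T09:04:00"),
    ("c1", "bob", "sent", "2024-03-01T09:00:00"),
    ("c1", "bob", "clicked", "2024-03-01T09:10:00"),
    ("c1", "carol", "sent", "2024-03-01T09:00:00"),
    ("c1", "carol", "clicked", "2024-03-01T09:12:00"),
    ("c1", "carol", "reported", "2024-03-01T09:15:00"),  # clicked, then reported
    ("c2", "alice", "sent", "2024-04-01T09:00:00"),
    ("c2", "bob", "sent", "2024-04-01T09:00:00"),
    ("c2", "bob", "clicked", "2024-04-01T09:30:00"),
    ("c2", "carol", "sent", "2024-04-01T09:00:00"),
    ("c2", "carol", "reported", "2024-04-01T09:02:00"),
]

def campaign_metrics(events):
    """Per campaign: recipients, click rate, report rate, minutes until the first report."""
    per = defaultdict(lambda: {"sent": set(), "clicked": set(), "reported": set(),
                               "sent_at": None, "first_report": None})
    for cid, user, ev, ts in events:
        c = per[cid]
        t = datetime.fromisoformat(ts)
        c[ev].add(user)  # a user counts once per campaign even if they click twice
        if ev == "sent" and (c["sent_at"] is None or t < c["sent_at"]):
            c["sent_at"] = t
        if ev == "reported" and (c["first_report"] is None or t < c["first_report"]):
            c["first_report"] = t
    out = {}
    for cid, c in per.items():
        n = len(c["sent"])
        ttr = ((c["first_report"] - c["sent_at"]).total_seconds() / 60
               if c["first_report"] else None)
        out[cid] = {"recipients": n,
                    "click_rate": round(len(c["clicked"]) / n, 2) if n else 0.0,
                    "report_rate": round(len(c["reported"]) / n, 2) if n else 0.0,
                    "minutes_to_first_report": ttr}
    return out

def repeat_clickers(events, min_campaigns=2):
    """Users who clicked in at least min_campaigns campaigns where they never reported."""
    clicked, reported = defaultdict(set), defaultdict(set)
    for cid, user, ev, _ in events:
        if ev == "clicked":
            clicked[user].add(cid)
        elif ev == "reported":
            reported[user].add(cid)
    return sorted(u for u, cs in clicked.items() if len(cs - reported[u]) >= min_campaigns)
```

Tracking the report rate alongside the click rate matters: a falling click rate with a flat report rate means employees are ignoring lures rather than surfacing them, so the security team still gets no early warning.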

Variety is the Mace to the Face Hackers Need

Another key factor in cybersecurity education is covering a variety of threat vectors. This includes all kinds of spoofed and phishing emails, along with crucial infection points such as ransomware delivered as links or downloads, and social engineering attacks like BEC (business email compromise) and VEC (vendor email compromise). The aim is to give employees a clear picture of the many different ways attackers can choose to target a given business.

The resulting dialogue about these attacks, and the sharing of observations among employees, builds know-how for spotting phishing emails. It also creates a culture of openness and gives the business more feedback on potential attack incidents.

A Reporting-driven Culture is a Good Thing

As mentioned above, reporting can be the final line of defense in a secure environment and may avert a catastrophe. Of course, this requires a reporting culture free of guilt or apprehension, one that employees can rely on when they flag a potential breach. Employees should not fear consequences for reporting a potential breach too late; that fear causes more damage than it prevents. Removing it averts massive losses and creates an open environment where relaying threat information is simply part of the job.

In particular, every phishing email that lands in an inbox and gets reported is an opportunity to study novel attack vectors. The reported URLs and files can be stored in a shared repository for reference, and the anti-phishing education modules updated systematically from them. This lets a business draw crucial insights from multiple sources, including employee feedback.

How Should Companies Make the Human Layer Cybersafe?

The best working environments are sensitive to changing cybersecurity trends and respond with comprehensive measures to mitigate evolving threats. In particular, a well-developed employee education platform such as HumanFirewall can help steer a business onto the right path from the start. Using market feedback and threat analysis tools, companies can adapt their learning modules to reflect their own threat mitigation requirements. This gives them the best chance of eliminating threats and vulnerabilities in their workforce.