Phishing is one of the most successful tactics that bad actors use to infiltrate small to mid-sized businesses’ networks. It has been a tried and true tactic for such a long time because it takes advantage of human behavior and emotions, like muscle memory and fear, greed, or trust. By now, nearly all employees get tons of emails every day, and most of us click through them as fast as possible to clear out the inbox, without critically examining every single one to make sure all is as it seems. Have you ever received an email that said your password has been compromised, or that some personal information has been disclosed, your credit card has been fraudulently charged, or that you have missed an important deadline? If so, you know how caution gets thrown to the wind as your heart starts to race, and you instinctually click the embedded link or open the attachment. This is an understandable reaction, but not acceptable behavior when trying to maintain a secure network. Here at GadellNet, we take security seriously. Our Guru Sentry program covers all four corners of the board when it comes to mitigating the threat from malicious phishing attacks:
Filtering
We implement sophisticated email filtering resources to identify and block known phishing URLs, websites without an established, safe reputation, and messages that fit an ever-evolving phishing profile. Because phishing is primarily a user issue, cutting down the number of times a user must decide whether they should click or not is a critical element of a strong security posture. However, because phishing campaigns and techniques are always evolving, no filter in the world can stop them all.
Training
Because this threat is mainly behavior based, the first step to changing poor behavior is proper education. We offer over a variety of training courses with widely ranging topics, from mobile device safety to PCI compliance, and strong passwords to CEO fraud, to ensure employees receive all the information they need. We can schedule training annually, quarterly, monthly, or on any timetable required, with automated email reminders and “training incomplete” user tracking to ensure 100% user engagement.
Testing
Just as important as education, is periodic testing to ensure that the lessons are sinking in. We run simulated phishing campaigns at least monthly, with varying degrees of difficulty to keep users alert and on their toes, and confirm that they are using best practices when it comes to email security. We don’t believe in being punitive when trying to remove bad habits and train best practices, but it is important to identify individuals that either simply do not understand the concepts or refuse to take the necessary actions to keep the organization safe from harm.
Reporting
Finally, we make it easy for users to report suspected phishing attempts. We install an Outlook plugin for every employee that allows them to send the email for review at the click of a button. Three scenarios are possible. If the email was safe after all, it gets returned to them with our seal of approval. If it was a part of our phishing test campaign, they are congratulated on their vigilant security posture. If the email was in fact malicious, the network is now even safer than before, as we know to filter messages like the one reported.