Training employees in security practices is never-ending

Image by wk1003mike for Shutterstock

There’s a good chance that data security is what keeps most IT executives up at night. And every IT pro knows that maintaining cybersecurity involves more than setting up a unified data solution and complying with security and privacy regulations. The bulk of data breaches start with phishing attempts: users get hoodwinked into clicking on a malicious attachment or URL, and that click lets the bad guys in.

A phishing attack can have devastating results. The most recent Ponemon Institute figures put the average loss to phishing by companies in 2021 at $14.8 million, more than triple what it was in 2015. A Phished report found that 22% of employees are likely to expose their organization to the risk of a cyberattack through a successful phishing attempt, and of those who open a phishing message, 53% are likely to click a malicious link inside it.

The good news is that employee security training has come into its own, with a number of vendors (NINJIO, ESET, KnowBe4 and others) offering security awareness training and simulated phishing platforms. We spoke with one IT director about the measures he takes to reduce successful phishing attempts among his end users.

Marc Gabrysiak is the Director of Information Services at Journey Mental Health Center, a behavioral health organization located in Madison, Wisconsin. To stem phishing risks, his shop uses a combination of in-person training and technical resources. The data Gabrysiak is overseeing is considered Personal Health Records (PHR) and the company is HIPAA-compliant.

“We’re regularly targeted with phishing like everyone else. When we onboard an employee, part of the training process is in phishing and cybersecurity in general. As the IT Director, I spend about 20 minutes to half an hour talking about cybersecurity at orientation. It’s big-picture stuff,” Gabrysiak said. “Employees get a couple of emails from KnowBe4 when they first get onboarded to see how they react. It’s not about getting people in trouble, it’s just about giving them a practical example of what we’ve talked about in general terms.”

The security training continues for employees, with the platform itself issuing simulated phishing attempts at regular intervals to see how employees react. If an employee opens a suspicious email, the administrator is alerted.

“Again, we’re not looking to punish anybody. We want to educate and make sure that we’re helping our employees avoid this risk. We want them to understand why we’re doing what we’re doing; what the consequences can be not just for them as a user, but for the organization if we get into some kind of ransomware situation.”

Gabrysiak’s shop also uses Microsoft Defender for Office 365, which contains additional and more advanced anti-phishing features. The platform has a number of impersonation protection settings for specific message senders and sender domains, mailbox intelligence settings, and adjustable advanced phishing thresholds.
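The impersonation-protection, mailbox-intelligence and phishing-threshold settings named above are exposed through Exchange Online PowerShell. The script below is an added example, not code from the article or from Gabrysiak's organization: it assumes the ExchangeOnlineManagement module and an account with Exchange or Security admin rights, and every policy name, user, address and domain in it is a placeholder to be replaced with your own. It creates an anti-phishing policy with those protections turned on and scopes it to one recipient domain, then reads the settings back as a check.

```powershell
# Added example: configure the Defender for Office 365 anti-phishing features
# described above via Exchange Online PowerShell. Placeholder values throughout.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive admin sign-in

$policyName = 'AntiPhish-Clinical-Staff'   # placeholder policy name

# Settings are built as a hashtable and splatted so each one can be commented.
$policyParams = @{
    Name    = $policyName
    Enabled = $true

    # Impersonation protection for specific senders: messages whose display
    # name or address mimics these protected users are quarantined.
    EnableTargetedUserProtection = $true
    TargetedUsersToProtect       = @(
        'Chief Executive;ceo@example.org',          # placeholder "DisplayName;Address"
        'IT Director;itdirector@example.org'        # placeholder
    )
    TargetedUserProtectionAction = 'Quarantine'

    # Impersonation protection for sender domains: the organization's own
    # accepted domains plus a named partner domain.
    EnableOrganizationDomainsProtection = $true
    EnableTargetedDomainsProtection     = $true
    TargetedDomainsToProtect            = @('partner.example')   # placeholder
    TargetedDomainProtectionAction      = 'Quarantine'

    # Mailbox intelligence: learn each user's normal contacts and act on
    # messages that impersonate one of them (here: move to Junk).
    EnableMailboxIntelligence           = $true
    EnableMailboxIntelligenceProtection = $true
    MailboxIntelligenceProtectionAction = 'MoveToJmf'

    # Spoof intelligence and the safety tips shown to end users.
    EnableSpoofIntelligence           = $true
    EnableSimilarUsersSafetyTips      = $true
    EnableSimilarDomainsSafetyTips    = $true
    EnableUnusualCharactersSafetyTips = $true

    # Advanced phishing threshold: 1 = Standard, 2 = Aggressive,
    # 3 = More aggressive, 4 = Most aggressive.
    PhishThresholdLevel = 3
}

New-AntiPhishPolicy @policyParams

# Apply the policy to recipients in the organization's domain (placeholder).
New-AntiPhishRule -Name "$policyName-Rule" `
    -AntiPhishPolicy $policyName `
    -RecipientDomainIs 'example.org' `
    -Priority 0

# Check: read back the effective settings to confirm they took.
Get-AntiPhishPolicy -Identity $policyName |
    Select-Object Name, EnableTargetedUserProtection, EnableTargetedDomainsProtection,
                  EnableMailboxIntelligenceProtection, EnableSpoofIntelligence, PhishThresholdLevel
```

Raising `PhishThresholdLevel` catches more suspicious mail at the cost of more false positives, so it is worth reviewing quarantine reports for a few weeks after changing it; the protected-user list should track the people attackers most often impersonate in your organization, typically executives and finance or IT staff.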

“It’s just a matter of time before somebody gets sucked into something. I’ve heard horror stories from peers whose companies have fallen victim to phishing and ransomware attacks. That’s the stuff that keeps us all up at night.”