Cyber Defense eMagazine May 2019
Cyber Defense eMagazine May Edition for 2019 #CDM #CYBERDEFENSEMAG @CyberDefenseMag by @Miliefsky a world-renowned cybersecurity expert and the Publisher of Cyber Defense Magazine as part of the Cyber Defense Media Group
down for days while teams worked to rid their network of the infestation. The cost of the city's response to the cyberattack is estimated to be around $17 million. It is not known whether this infestation started with a phishing email, but phishing emails can deliver ransomware and infect a network once the recipient runs what they carry. Even though most organizations have spam filters that catch and stop many malicious emails before they reach employees, some email will always get through, which is where employee phishing training comes in.
When an organization's prevention systems fail to block a malicious sender, it is up to the recipient to recognize that an email is malicious and deal with it accordingly. Your defenses don't depend on high-tech anti-hacking code as much as they do on your people knowing what to look for and reporting attacks (Anti-Phishing, n.d.). Phishing emails are deceptive by nature, but there are several things employees can look for to spot one. The "From" address is often a quick way to tell whether an email comes from a legitimate source, because many scammers use sender addresses that are close to a legitimate address but differ slightly (a swapped or added character, or a different top-level domain). The display name can say anything, so the check has to be made on the actual address that follows it; if recipients take a second to double-check that address, they should be able to catch the fake and stop the attempt. Phishing emails also usually demand urgent action in the hope that the recipient will act quickly without thinking. Employees should be trained to be very cautious of any email requesting immediate action, and when in doubt they should contact their IT department before doing anything. Because most phishing emails are sent to millions of recipients, the scammer has to write text that is relevant to most of them, which is why a generic greeting such as "Dear Customer" is a big red flag. Another big red flag is a hyperlink whose visible text does not match its real destination: if an employee hovers over a link and the address that appears differs from the one shown in the email, that is a strong sign the message could be malicious. Employees who receive these tips and others through phishing training are less likely to fall for an attempt. A study by Gordon, Wright, and Aiyagari (2019) found that among a sample of US health care institutions that sent phishing simulations, almost 1 in 7 simulated emails were clicked on by employees; more campaigns were associated with lower odds of clicking, suggesting a benefit from phishing simulation and awareness.
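The indicators above can be turned into a first-pass filter that a help desk or mail gateway runs over a reported message before a human looks at it. The following is an added example, not code from the article or from any vendor it names: it checks the sender's real domain (not the display name) for look-alikes of a trusted domain, flags a display name that claims a brand the address does not belong to, searches for urgency phrases and generic greetings, and compares each link's visible text with the host its href actually points to, which is what hovering over the link reveals. The trusted-domain list, the phrase lists, the function and class names, and both sample messages are assumptions constructed for the example.

```python
"""Heuristic phishing-indicator checks: look-alike sender domain, brand in the display
name that the address does not match, urgency, generic greeting, link host mismatch."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("paypal.com", "example.org")  # assumption: domains mail really comes from
URGENCY_PHRASES = ("immediately", "within 24 hours", "account will be suspended",
                   "verify your account", "urgent", "act now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear sir/madam")
URL_LIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)  # group 1 = host


def edit_distance(a, b):
    """Levenshtein distance, used to catch look-alikes such as paypa1.com vs paypal.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._cur = [], None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._cur is not None:
            self._cur[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(tuple(self._cur))
            self._cur = None


def check_message(raw):
    """Return (code, detail) findings for one RFC 822 message; an empty list means clean."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. The display name can say anything, so the checks run on the real address domain.
    from_hdr = msg["From"]
    if from_hdr is not None and from_hdr.addresses:
        sender = from_hdr.addresses[0]
        domain = sender.domain.lower()
        if not any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
            for t in TRUSTED_DOMAINS:
                if 0 < edit_distance(domain, t) <= 2:
                    findings.append(("lookalike_domain", f"{domain} resembles {t}"))
                if t.split(".")[0] in sender.display_name.lower():
                    findings.append(("brand_mismatch", f"name mentions {t}, address is @{domain}"))
    # 2. Urgency language and 3. generic greeting, checked over subject plus body.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    text = f"{msg['Subject'] or ''} {body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    greeting = next((g for g in GENERIC_GREETINGS if g in text), None)
    if greeting:
        findings.append(("generic_greeting", greeting))
    # 4. Anchor text naming one host while the href goes to another (what hovering reveals).
    if part is not None and part.get_content_type() == "text/html":
        extractor = LinkExtractor()
        extractor.feed(body)
        for href, shown in extractor.links:
            m = URL_LIKE.match(shown.strip())
            real_host = (urlparse(href).hostname or "").lower()
            if m and m.group(1).lower() != real_host:
                findings.append(("link_mismatch", f"shows {m.group(1)}, goes to {real_host}"))
    return findings


PHISH = """\
From: "PayPal Customer Service" <service@paypa1.com>
Subject: URGENT: Your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p><p>We detected unusual activity. Verify your account immediately
at <a href="http://paypal-secure.example.net/login">https://www.paypal.com/myaccount</a> or access will be suspended.</p></body></html>
"""

BENIGN = """\
From: "IT Helpdesk" <helpdesk@example.org>
Subject: Monthly maintenance window
Content-Type: text/plain; charset="utf-8"

Hi Alex, the patch window is Saturday 02:00-04:00. Details are on the intranet.
"""
```

Running `check_message(PHISH)` returns all five finding codes, while `check_message(BENIGN)` returns an empty list. The look-alike test is a plain edit-distance comparison and will miss homoglyph substitutions and brand names buried in a subdomain of an attacker's domain; treat its output as a prompt for the reporting step the text describes, not as a verdict.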
According to HIPAA Journal (2018), a survey conducted by the consultancy firm Censuswide revealed that one in five workers had not been given any security awareness training at all, and even when training was provided, many office workers still engaged in unsafe practices such as clicking hyperlinks or opening attachments in messages from unknown senders. This result emphasizes that simply providing training is not enough: you need to provide the right training for your organization, and the organization needs to enforce it. Just as there is no single type of phishing attack, there is no single type of phishing training or training vendor. Several vendors today offer strong phishing simulation and training for end users; I will briefly discuss three noteworthy platforms: SANS Security Awareness, PhishingBox, and KnowBe4. SANS, a company well known for its training courses, offers a well-rounded end-user training course that includes animations, live-action scenarios, hands-on simulations, and interactive cyber-attack games. SANS tailors its training to a large audience by making it available in over 30 languages and delivering training videos with subtitles, voiceovers, and transcripts. PhishingBox advertises its phishing awareness training as an easy-to-use platform that is mobile friendly and has real-time reporting. PhishingBox offers several training courses ranging from general information security to more targeted phishing awareness training and allows the organization to create its own training. KnowBe4, a