Discover ways your organization can avoid falling for phishing attacks.
- [Narrator] Your goal now is to give everyone in your organization the same protections you now know from the previous videos. Start by setting expectations in the form of a concise, easy-to-read policy. Use language that can be understood by anyone who works for you. A ninth-grade reading level is a good target. Keep the policy to one page if you can. Publish it to everyone and support your management team's effort to implement it. Be sure to fully answer any questions that come back to you.
Next, conduct regular training to explain how people can follow your policy. Short online training sessions are a good way to go, and they create an automatic completion record. Now, to make sure the messages get through, have all direct supervisors give regular face-to-face reminders to their people. Here are some essential outcomes that the IT department must deliver on to implement your policy. But note that cyber attackers change their tactics often.
So this isn't a set-it-and-forget-it list. Be sure to revisit it at least every year. Using an automated system, filter out as much spam as possible without blocking legitimate messages. Have that system check all web links and attachments sent through email before delivering the message to the recipient. Flag email from external sources to make it easier for your people to spot attacks that pretend to be from insiders.
Set up network filtering to block outbound requests made by malware from malicious payloads or to steal your sensitive data. And implement a way for your people to report phishing attacks so you can warn others and tune your systems to block further attacks. I suggest that you seriously consider banning all email attachments in favor of a web-based secure file transfer system. In terms of critical processes, here are some basic improvements to consider.
Conduct monthly phishing testing of all your staff using phishing templates that are based on current events. Be sure supervisors talk directly with people who are failing the tests so they can get better. Also, prohibit any single person from authorizing the transfer of large sums of money or sensitive data based on the strength of a single email or phone call no matter who supposedly requested it. Remember that all successful business email compromises exploit this basic process weakness.
Instead, require two-person consent, not including the requester, for any nonroutine request to transfer large amounts of money or any sensitive data.