Can you identify and recognise a phishing attack?

Computer users recognize the need for strong passwords and know that public Wi-Fi hotspots aren’t necessarily safe for online banking or e-commerce.

However, they have considerable trouble recognizing phishing schemes or determining whether the website where they’re entering credit card information is encrypted. These mixed results highlight that employee awareness of how to stay secure online remains a weak link in blocking cyberthreats.

“It is probably our No. 1 concern and No. 1 vulnerability,” said Retired Rear Adm. Ken Slaght, head of the San Diego Cyber Center of Excellence, a trade group for the region’s cybersecurity industry. “These attackers keep upping their game. It has gone well beyond the jumbled, everything misspelled email.”

Other findings in the Pew survey:

  • 75 percent of participants identified the most secure password from a list of four options.
  • 52 percent of people knew that turning off the GPS function on smartphones does not prevent all tracking. Mobile phones can be tracked via cell towers or Wi-Fi networks.
  • 39 percent were aware that Internet Service Providers can still see the websites their customers visit even when they’re using “private browsing” on their search engines.
  • 10 percent were able to identify one example of multi-factor authentication when presented with four images of online log-in screens.

Angus Loten at the Wall Street Journal also covered this, and quoted Forrester: “That general lack of online security awareness isn’t lost on chief information security officers and other senior IT managers. The percentage of security and risk professionals citing ‘security awareness’ as a top priority rose to 61% last year, from 56% in 2010, Forrester Research reported in November.”

“The human element is important in safeguarding a firm against cyberattack, since it’s both a first line of defense as well as a weak link,” Heidi Shey, a senior analyst at Forrester, told CIO Journal Monday. She said security awareness training isn’t always effective, since it’s often conducted once a year as a compliance issue and involves lists of dos and don’ts.

“Successful awareness efforts are focused on enabling behavioral change, and typically customized and specific to an organization, its workforce, and relevant risks.” Here is the full article in the WSJ and I recommend sending this link to your C-level execs:

The above points are clear indicators that all organizations need to start or continue their awareness training efforts. As an aside, rather than calling awareness training the “first line” of defense, we prefer to call it your last line of defense, because your filters never catch all of it.

I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable it is. You simply have got to start training and phishing your users, which frankly is fun to do!

If you don’t, the bad guys will. Get a quote and you will be pleasantly surprised.