Vice President, Third-Party Risk Management
As vice president, third-party risk management, Robinson oversees Optiv’s Third-Party Risk Management practice, which includes the development and operations of TPRM-as-a-Service and Evantix. During his tenure at Optiv, he has worked as a core contributor on strategic internal initiatives including threat management, risk management, third-party risk management, vulnerability management and data program protection. He also develops and delivers a comprehensive suite of strategic services and solutions that help chief experience officer (CXO) executives evolve their security strategies through innovation.
Three "E"s of Modern Email Security for Phishing: #2 Employee Focus
The first "E" of modern email security for phishing is Enhanced technology that works to limit the delivery of phishing emails to users within your organization. The second component of the three-pronged approach to mitigate phishing attacks is Employee focus.
It is important that your employees are educated, aware and engaged in preventing a phishing attack. Relying on enhanced technology alone will never make you 100% successful in blocking phishing emails. Individuals need to know how to identify and react appropriately to a phishing email when they are targeted.
General Education and User Awareness
On-click education awareness is a great tactic to employ. Here’s how it works: your organization sends a fake phishing email to its employees, and if they take the bait (e.g. click a link, download a file, enter information, etc.) they receive just-in-time education. Think about it the same way you would teach young children – when they misbehave, you can’t punish them a few days later; you have to discipline them at that time so they understand what they did wrong. I’m not saying your employees are children, but in our busy lives we all make mistakes, and the same principle applies. If an employee clicks on a malicious link, education should be delivered right away, so they can take the time to learn from the mistake and then get on with their job. I have found this approach is much more effective than bringing employees into a room for an hour, telling them that they should worry about phishing, and providing information about some things they should do. In this second instance, the message doesn’t resonate because it isn’t top of mind. In fact, most of the time the employees glaze over the presentation and are more focused on the free coffee and doughnuts.
Incentive Programs
Creating programs that incentivize your employees can be a fun and effective way to get them involved in securing your organization’s environment. They turn every employee into security personnel, and provide an avenue to escalate events for incident response.
“Catch of the Day” is an email bounty program where employees are encouraged to send any suspicious emails they receive to the IT security response team. The emails are then analyzed by the team and every month, the best one from across the organization is chosen. The winning employee is recognized and rewarded for their efforts in identifying the phishing attack. The prize can be something as simple as a $100 gift card – a small investment for your organization, but enough to get employees excited and motivated to participate.
Continuous Testing
Once you have put training and educational programs in place, it is important to test their level of success on an ongoing basis. You should send out different types of phishing emails to your employees and capture the results of these “tests.” The aggregated results can help you understand the effectiveness of the programs you have in place and make any necessary changes to improve them. If you notice that people are more likely to download a file than to enter sensitive information in a form, you can use that data to tailor your education efforts.
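As an added example (not code from the original post or from Optiv), here is one way to aggregate the captured results of such tests so that susceptibility per lure type, the reporting rate and the employees who repeatedly take the bait stand out; the campaign names, users and outcomes are constructed sample data.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """One recipient's outcome in one simulated phishing campaign (hypothetical schema)."""
    campaign: str   # campaign label
    user: str       # recipient identifier
    lure: str       # "link", "attachment" or "credential_form"
    outcome: str    # "reported", "ignored", "clicked", "downloaded", "submitted"


# Outcomes that count as taking the bait, whatever the lure type
FAIL_OUTCOMES = frozenset({"clicked", "downloaded", "submitted"})

# Constructed sample results: three quarterly campaigns, three recipients (not real data)
SAMPLE = [
    SimResult("Q1-invoice", "alice", "attachment", "downloaded"),
    SimResult("Q1-invoice", "bob", "attachment", "reported"),
    SimResult("Q1-invoice", "carol", "attachment", "downloaded"),
    SimResult("Q2-password-reset", "alice", "credential_form", "submitted"),
    SimResult("Q2-password-reset", "bob", "credential_form", "reported"),
    SimResult("Q2-password-reset", "carol", "credential_form", "ignored"),
    SimResult("Q3-shared-doc", "alice", "link", "clicked"),
    SimResult("Q3-shared-doc", "bob", "link", "reported"),
    SimResult("Q3-shared-doc", "carol", "link", "ignored"),
]


def susceptibility_by_lure(results):
    """Fraction of recipients who took the bait, keyed by lure type."""
    sent = Counter(r.lure for r in results)
    failed = Counter(r.lure for r in results if r.outcome in FAIL_OUTCOMES)
    return {lure: failed[lure] / sent[lure] for lure in sent}


def weakest_lure(results):
    """Lure type with the highest failure rate: where to focus education next."""
    rates = susceptibility_by_lure(results)
    return max(rates, key=rates.get)


def report_rate(results):
    """Share of recipients who forwarded the test email to the security team."""
    return sum(r.outcome == "reported" for r in results) / len(results)


def repeat_offenders(results, min_failures=2):
    """Users who took the bait in at least min_failures campaigns."""
    fails = Counter(r.user for r in results if r.outcome in FAIL_OUTCOMES)
    return sorted(u for u, n in fails.items() if n >= min_failures)
```

Running the functions over `SAMPLE` shows attachments as the weakest lure (2 of 3 recipients downloaded the file), a one-third reporting rate, and a single repeat offender who would be the first candidate for targeted education.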
When employees are educated on phishing tactics, it reduces your organization’s attack surface. In my next blog post I will discuss the third and final "E" of modern email security for phishing, Enterprise visibility.