95% of all cybersecurity incidents are down to human error, according to the World Economic Forum’s Global Risks Report 2022. To protect your business against the onslaught of diverse and increasingly sophisticated cyber-attacks, you need a cybersecurity strategy that includes the “human factor” and integrates the three central building blocks of a sustainable security culture: mindset, skill set and tool set.
Cybercriminals exploit the “human factor,” believing this to be the weakest link in an organization’s cyber defense. Increasingly, they are conducting social engineering attacks aimed at manipulating employees. They pose as supervisors, colleagues or business partners in cleverly forged emails to trick employees into handing over confidential data, clicking on malicious links and file attachments or transferring money to fake accounts. It is not uncommon for a successful spear phishing attack to serve as a prelude for cybercriminals to penetrate the entire corporate network.
Companies must therefore build a sustainable protective wall against cyber risks and ever more sophisticated phishing methods. To do so, they must instill a cybersecurity culture that follows the triad of “mindset, skill set, tool set,” with a fundamental change in employee security behavior at the top of the agenda.
Mindset: Motivating Employees To Adopt a New Way of Thinking
Many employees still believe that they can blindly rely on information technology (IT) security technology and click on any emails received without hesitation. But beware: although robust email security solutions can now intercept millions of fraudulent emails every day, some can still end up in employees’ inboxes, especially as attacks continue to evolve — and all it takes is one to unleash a potential disaster. Therefore, users need to recognize the importance of their role as a human firewall.
The most effective way to do this is through targeted information campaigns supported by management, executives and IT security officers and promoted through various channels. Employees need to develop an awareness of the dangers posed by phishing attacks, based on concrete facts and figures, including security incidents in their own industry.
In this context, an urgent appeal should be made to employees’ personal responsibility and self-efficacy. They must not develop a fear of spear phishing but instead must learn that their commitment and attentiveness are core contributors to the proper functioning of the entire company. This also applies to the mindful use of social media. Cybercriminals are increasingly using personal information that employees share on social media to build targeted spear phishing emails.
A solid information campaign creates the right mindset, thus preparing employees for their security awareness training.
Skill Set: Train To Elicit Intuitive Security Behavior
Awareness training is most effective when it combines theoretical classroom training or eLearning with real-world spear phishing simulations. These use real company and employee information to recreate real attacks. But, instead of landing on the scammers’ page, employees are taken to an interactive explanation page where they are given clues about the characteristics of the fake email: from misspellings in the email address to fake subdomains and dubious links.
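The three clues named above (a misspelled sender domain, the real company domain used as a fake subdomain, and a link whose visible text points somewhere other than its destination) can be checked mechanically. The following is an added illustration written for this page, not code from the original article or from any training vendor; the organisation domain `example-corp.com`, both sample messages and the look-alike character table are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: the organisation's genuine mail domain.
ORG_DOMAIN = "example-corp.com"

# Constructed sample of a simulated spear phishing mail (not a real message).
SIMULATED_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
To: bob@example-corp.com
Subject: Urgent wire transfer
Content-Type: text/html

<p>Bob, please approve the invoice at
<a href="http://example-corp.com.invoice-portal.example/login">https://example-corp.com/invoices</a>
before 5 pm.</p>
"""

# Constructed sample of a legitimate internal mail.
CLEAN_EMAIL = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: bob@example-corp.com
Subject: Team lunch
Content-Type: text/html

<p>Menu is at <a href="https://intranet.example-corp.com/lunch">intranet lunch page</a>.</p>
"""

# Constructed table of character substitutions commonly seen in look-alike domains.
LOOKALIKES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def fold_lookalikes(domain: str) -> str:
    """Fold common substitutions so 'examp1e' compares equal to 'example'."""
    d = domain.lower()
    for fake, real in LOOKALIKES:
        d = d.replace(fake, real)
    return d


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels (no public-suffix handling)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def analyze(raw: str, org_domain: str = ORG_DOMAIN) -> list[str]:
    """Return the clues a trainee should have spotted in this mail (empty if none)."""
    msg = message_from_string(raw)
    clues = []

    # Clue 1: sender domain that is a misspelling or look-alike of the real one.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if sender_domain != org_domain and fold_lookalikes(sender_domain) == fold_lookalikes(org_domain):
        clues.append(f"look-alike sender domain: {sender_domain}")

    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        host = (urlparse(href).hostname or "").lower()

        # Clue 2: the real domain used as a subdomain of an unrelated site.
        if host.startswith(org_domain + ".") and registrable(host) != org_domain:
            clues.append(f"fake subdomain: {host}")

        # Clue 3: link text showing one address while the href points elsewhere.
        shown = urlparse(text.strip()).hostname
        if shown and shown.lower() != host:
            clues.append(f"link text/destination mismatch: {shown} -> {host}")
    return clues


if __name__ == "__main__":
    for clue in analyze(SIMULATED_EMAIL):
        print("-", clue)
```

The same findings an explanation page would show a trainee are what `analyze` returns as a list, so the simulation's landing page can be generated from the message itself rather than written by hand per campaign. The registrable-domain and look-alike folding here are deliberately simple; a production tool would consult the public suffix list and a fuller confusable-character table.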
Simulated spear phishing attacks take advantage of an employee’s “most teachable moment” by alerting them to their potentially malicious behavior at just the right moment. This strengthens the employee’s quick, intuitive decision-making ability and helps them be more careful with incoming emails in the future. To achieve a lasting learning effect, spear phishing simulations should be continuously repeated with varying messages and adapted to current attacker methods.
In addition, it has proven beneficial that the simulated phishing attacks are aligned with the individual training needs of each employee and allow for metrics-based documentation of learning progress. These metrics can help determine employee security awareness and can be based on how employees respond to phishing simulations of varying sophistication. Companies can thus determine at any time where deficits and need for action exist and where further training measures should be applied.
Tool Set: Using Innovative Security Technology
Employees should be provided with additional IT security tools, such as password managers that are easy to integrate and allow central storage and management of digital identities. This can prevent employees from always choosing the same log-in credentials for all their accounts out of convenience.
Further protection against spear phishing scammers can be achieved via special tools for detecting and reporting dubious emails, such as a reporter button that can be integrated directly into a user’s work email platform. If users receive a suspicious email, they can check at the click of a button whether it belongs to the phishing simulation or whether it is an actual phishing email. If employees are still unsure, they can forward the mail to IT security officers for analysis at the click of a button. This reduces the sources of danger while giving IT security officers a well-founded and updated overview of the phishing threat situation in the company.
Creating a Human Firewall
With this combination of didactic, organizational and technical methodologies, companies can implement effective measures against ever-growing cyber risks and phishing threats. The starting point is one of the biggest weak points in a company’s security — its employees, who can be educated, empowered and complemented with the right IT security technology.