With phishing attacks on the rise, businesses of all sizes are falling victim to the proliferation of scammers in today’s world. Assisting your clients with identifying these types of attacks not only protects them from external threat actors but also shows your added value as an expert in the field.
Without a doubt, COVID-19-related spear-phishing attacks are increasing. Since the end of February, these types of cyberattacks are up 667 percent, according to Barracuda researchers. This crisis is simply spotlighting how cybercriminals target businesses when they’re most vulnerable.
But businesses don’t have to become part of the statistics. If their employees are trained properly, companies can avoid many of the phishing scams being deployed in today’s ever-changing threat landscape. Here’s the truth: simulated phishing attack training yields up to a 37 percent return on investment, according to a 2015 study. If you’re not offering anti-phishing training to your clients in an environment where phishing attacks are increasing, you’re leaving money on the table.
If you’re considering an anti-phishing training offering for your customers, there are a few things you should know.
Educating your clients on phishing is the key to protecting them
Anti-phishing training is a great way to educate your clients on the clear dangers of phishing attacks for an organization.
Many of your clients may nod their heads when you stress how important it is for their employees to spot these scams when they appear, but they aren't actually paying attention to what you're saying, so it's important that you change that.
You can provide them with anti-phishing training yourself, if you have the time and resources to do so. If you’d rather hire an outside firm to conduct testing exercises, there are penetration-testing companies available in the market today. These firms typically use authorized hackers to simulate attacks on specific networks and systems to assess a company's cybersecurity strength.
If keeping your anti-phishing training in-house is the right move for you, then consider how you want to approach it.
Get those test emails ready
Go all out with your phishing emails. Don't hold anything back or go easy on your clients. These emails should look and feel real to the receiver. That's the entire point of running these exercises. You're testing your clients on what they've learned from your training sessions.
Deliver these emails quarterly or monthly to your clients. You should also increase the difficulty of these exercises over time. As you know, not all phishing emails are the same, so change up the templates, senders, and attack types. You don't want your clients to catch on to what you're doing.
Even though they may get better at identifying phishing scams, which is a good thing (it means you’re doing a good job), you don’t want them to know you were behind the emails — at least not immediately.
How well did your clients do?
You must eventually inform your clients about the results of your testing. This is where performance reporting really comes into play. Evaluating the results for your clients is where you’re proving your true value. Provide your clients with measurable data they can use to monitor progress.
Collect relevant data for them to review. How many of their employees opened your emails? How many employees clicked on the links in your emails? Did any of their employees provide you with their log-in credentials? These are the key metrics you should track to educate your clients on how their employees can better identify phishing scams.
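One way to turn those three questions into numbers a client can track from one exercise to the next is sketched below. This is an added example, not part of the original article; the event names, campaign labels and employee ids are constructed, and campaign labels are assumed to sort in chronological order.

```python
from collections import defaultdict

# Constructed sample data: (campaign, employee id, event). Not real results.
EVENTS = [
    ("2020-Q1", "e1", "sent"), ("2020-Q1", "e2", "sent"),
    ("2020-Q1", "e3", "sent"), ("2020-Q1", "e4", "sent"),
    ("2020-Q1", "e1", "opened"), ("2020-Q1", "e1", "opened"),  # duplicate open
    ("2020-Q1", "e1", "clicked"), ("2020-Q1", "e1", "submitted"),
    ("2020-Q1", "e2", "clicked"),                               # click, no open logged
    ("2020-Q1", "e3", "opened"),
    ("2020-Q2", "e1", "sent"), ("2020-Q2", "e2", "sent"),
    ("2020-Q2", "e3", "sent"), ("2020-Q2", "e4", "sent"),
    ("2020-Q2", "e1", "opened"), ("2020-Q2", "e2", "opened"),
    ("2020-Q2", "e2", "clicked"),
    ("2020-Q2", "e9", "clicked"),                               # not a recipient: ignored
]

STAGES = ("opened", "clicked", "submitted")

def campaign_report(events):
    """Return {campaign: {"recipients": n, "opened": rate, ...}}, rates per recipient."""
    seen = defaultdict(lambda: defaultdict(set))
    for campaign, employee, event in events:
        seen[campaign][event].add(employee)   # sets count each employee once
    report = {}
    for campaign, by_event in seen.items():
        recipients = by_event["sent"]
        # Assumption: a click or a submission implies the earlier stages, because
        # opens go unlogged when the mail client blocks remote images.
        submitted = by_event["submitted"] & recipients
        clicked = (by_event["clicked"] & recipients) | submitted
        opened = (by_event["opened"] & recipients) | clicked
        counts = {"opened": opened, "clicked": clicked, "submitted": submitted}
        n = len(recipients)
        report[campaign] = {"recipients": n, **{
            s: (len(counts[s]) / n if n else 0.0) for s in STAGES}}
    return report

def trend(report, stage):
    """Rate change from the first to the last campaign (negative = improving)."""
    ordered = sorted(report)
    return report[ordered[-1]][stage] - report[ordered[0]][stage]

if __name__ == "__main__":
    rep = campaign_report(EVENTS)
    for name in sorted(rep):
        print(name, rep[name])
    print("click-rate change:", f"{trend(rep, 'clicked'):+.0%}")
```

Counting each employee once per stage keeps one person who reopens an email several times from inflating the open rate.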
With the right skills in hand, your clients’ employees can protect themselves from the growing number of phishing attacks. Provide your clients with an anti-phishing offering, not only to help them to combat these threats, but also to increase your MRR.