As phishing campaigns continue to grow in sophistication, organisations struggle to keep their users informed about the latest mechanisms and techniques. To empower employees to protect themselves from phishing attacks, intelligent simulations are key. In this blog, we take a closer look at the impact of such targeted training.
Phishing attacks remain a persistent and pervasive threat in the digital landscape. And with phishing campaigns continuing to improve in sophistication, vigilance and awareness are key. By staying informed, adopting best practices, and fostering a culture of cyber awareness, organisations can effectively combat phishing attacks and safeguard their infrastructure.
Phishing simulations, for example, can be a powerful tool in increasing awareness and cyber resilience. In its annual Digital Defence Report, Microsoft takes a closer look at the end-user behaviour in phishing simulations and shares insights on the impact of such trainings. In this blog, we will walk you through the most important results.
Phishing remains a challenge
The fundamentals of phishing haven’t changed over time. No less than 90% of phishing attacks involve social engineering. With humans remaining the primary risk vector in social engineering attacks, the door to cybercrime is wide open. As phishing attack mechanisms are constantly evolving and bad actors keep devising new tactics, users often click on links and attachments out of habit or without consciously considering their actions.
As the Microsoft Digital Defence Report shows, users are particularly vulnerable to drive-by URL attacks. The malicious URL in the message takes the user to a familiar-looking website that silently runs and/or installs code on the user’s device. To launch such attacks, cybercriminals exploit a security flaw on the website to inject a malicious component into it.
A tailored approach is required
Most phishing awareness programs prioritise meeting compliance requirements over delivering an effective behaviour change program. They operate under the misguided assumption that periodic exposure to a simulated attack, accompanied by a brief educational encounter, equips users to identify and avoid advanced and evolving phishing attempts. However, these programs have proven to be insufficient.
To implement an effective awareness strategy, it is vital to adopt objective behavioural measures and contextual experiences that prioritise behaviour change over information delivery. Organisations must recognise that every user is unique and has their own behavioural tendencies. As a result, each user requires a personalised learning experience based on their individual behaviour and profile, such as job function, security posture, and past actions.
By going beyond generic, one-size-fits-all training and instead providing tailored and context-aware engagement models that can be implemented at scale, organisations can make a real impact in reducing behavioural risk against modern social engineering attacks.
A phishing risk-reduction tool
To support organisations in automatically deploying a security awareness program and measuring behavioural change, Microsoft lets administrators simulate phishing attacks and train their users on phishing prevention via the Attack Simulation Training module in Microsoft Defender.
Want to learn more about this hidden and often unused gem? Catch up on our Security Awareness with Microsoft webinar for a step-by-step guide to successfully setting up and executing a phishing simulation.
Content originated from the Microsoft Digital Defence Report