How User Awareness Proactively Protects Your Company from Phishing Attacks

June 21, 2017 by Alex Collins, IT Services Consultant

When we say that nobody is safe from today's modern phishing attacks, we do mean nobody.

A 2016 study commissioned by Wombat Security reports up to two-thirds of surveyed organizations suffered targeted, personalized phishing attacks (known as “spear phishing”), an increase of 22 percent from the previous year. A separate study breaks down the costs of such spear phishing exploits – victims suffer an average financial hit of up to $1.6 million.

And companies aren't the only victims of such attacks: our own democratic institutions are now also under siege. Last year, 122 election officials fell victim to a spear-phishing attack on a voting software company, underscoring just how easy it can be to use social engineering to circumvent some of the most robust security infrastructures ever built.

Billions in Investments Vs. One Click

Your company's IT infrastructure is only as secure as your user base makes it. Billion-dollar investments in anti-malware, firewalls, and security information and event management (SIEM) may be all for naught if one inattentive user clicks on a suspicious email attachment just that one time.

Luckily for your already-harassed IT staff, user education has been shown to be extremely effective in stopping phishing in its tracks. Ongoing, hands-on employee education should be part of any program devoted to securing IT infrastructure.

A recent study performed by the Ponemon Institute found that companies that implemented anti-phishing training programs saw improvements of up to 99 percent in phishing email click rates. The program more than paid for itself: the Ponemon study found that the improved click rates translated to cost savings of $188 per user, against training expenses of less than $4 per employee.

Why Training Matters

Not all training is created equal: anti-phishing training programs can be a complete waste of money if they lack these expert-approved characteristics:

Training starts at the beginning – and continues throughout. Employees should be trained as new hires – and receive refresher courses every few months. Training done once is not enough if it is not consistently reinforced.

“We are reinforced on a daily basis to not talk to strangers, be careful with what we eat, save our money for retirement, say please and thank you, etc.,” explains Nick Santora, CEO of cybersecurity training company Curricula. “How often are we reinforcing current cybersecurity threats and educating our staff on a routine basis?”

Training accounts for increasingly sophisticated attacks. “Enterprises... need to educate employees on evolving attacker methods,” writes Jayson Street, author of the book Dissecting the Hack: The F0rb1dd3n Network. “Advances in spear phishing have made attacks targeted, highly relevant and personalized with the help of social media.”

A proficient training program teaches employees to extend their vigilance beyond simply ignoring badly phrased emails – context, content and sender must be considered in every case, with employees confirming the validity of suspicious emails through a follow-up email or phone call.

Training that puts employees to the test. It's not enough to teach employees what phishing emails look like – you've got to put their training to the test.

“Perform phishing attempts against your own staff to gauge their level of sophistication in handling phishing attempts,” suggests Frank Bradshaw, President of Ho'ike Technologies. “This will help you know if your staff is ready to handle such intrusions. Also test your management to see if they are adequately enforcing the policies.”

Hardening Organizations Against Human Vulnerability

Recognizing that phishing threatens businesses of all forms and sizes, All Covered's managed IT service, All Covered Care – Secure and Protect, incorporates effective anti-phishing training into its most basic levels of service.

Training and testing programs by All Covered partner KnowBe4 harden organizations against email phishing, ransomware and other threats that leverage the human factor. A three-step process uses a simulated attack to set a baseline for the organization's vulnerability to phishing; sets up an engaging training program for employees; and tests employees regularly to keep them on their toes.

“We help you create a human firewall, an additional layer on top of the existing software layers to enable an organization to have an effective defense against the current massive wave of phishing, spear phishing and ransomware,” explains Stu Sjouwerman, CEO of KnowBe4. “Our business is to train employees to make a smarter security decision by providing them simulated phishing exercises and interactive training modules.”

All Covered Care – Secure and Protect combines KnowBe4's anti-phishing training with 24x7 remote monitoring (RMON), protection against spam and viruses, security patching, and a regular Managed Vulnerability Scan in its most basic service package.

For more information on All Covered Care – Secure and Protect and other services, contact All Covered Toll-Free Nationwide at 866-446-1133 or visit