The recent worldwide ransomware attacks put a spotlight on two key cybersecurity issues. First, software vulnerabilities can lead to disastrous results if not patched. Second, duping users into opening malicious software or malware is the oldest but most successful trick in the book. According to published reports, many victims of recent attacks were enticed to open the malware by an email purporting to be legitimate — and actually downloaded malware or ransomware on their computers. This type of phishing email remains one of the biggest threats to companies today.
Companies need to take a proactive approach to effectively train their employees to identify, report and respond to phishing emails. For many years, cybersecurity training for employees was limited to reading material. Expecting employees to read a document and then be savvy enough to identify all phishing emails is not realistic, especially considering the diversity and sophistication of many scams. A more experiential training method has greater promise.
The idea is simple: Create a phishing email that mimics one your employees might actually receive, such as an important message from human resources. It should entice the user to click on an embedded link, and if they do, lead to training material notifying the employee that the email is part of a company-sanctioned training exercise. The message should highlight the phishing indicators in the email and advise the employee how to report phishing scams.
In this scenario every employee who gets caught receives needed training immediately. Phishing exercises like this leverage the same benefits of a fire drill or similar experiential training in which employees experience a situation with the opportunity to exercise the proper response. This training can be supplemented with videos and reading material.
Having run this exercise for different organizations, I can attest to its immediate and measurable impact on improving security awareness. At the start the percentage of users who are caught may be shockingly high. However, by conducting phishing campaigns monthly or quarterly, you will see the percentage steadily drop. Another benefit is that users might become so sensitive that they report phishing emails your security tools and monitoring missed, thereby increasing support for your cybersecurity program.
Despite the positive impacts of a company-sponsored phishing training program, there are two caveats worth mentioning. First, in a typical business environment, there will always be a small, single-digit percentage of users who will be caught by phishing emails. A steady schedule of phishing training campaigns is necessary to maintain a lower percentage. Second, establishing a training program as described requires planning and formal support. Do not simply create a phishing email and send it to your staff. That is a recipe for disaster and will not be effective in the long run. Consider getting help from a technology leader or other cybersecurity professional. Here are some tips for establishing a company phishing training program:
>> Before you start, make sure your company has procedures for handling real-world phishing attacks and that employees are trained in them.
>> Ensure your company leaders are all on board with the program, as executive-level buy-in is important should any employee question the program and its methods.
>> Evaluate the software tools made specifically to implement a phishing program like this. Make sure the tool is from a reputable company, matches the skill level of the intended operators in your company and meets your training objectives.
>> If your training email impersonates an internal department, notify the department head before sending it.
>> When reporting your training results, focus on trends instead of on the individuals who are duped. Repeat offenders should receive additional training, but in general, focus on improving the company’s overall security posture.
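The column's two measurement points, a click rate that should fall from campaign to campaign and reports that focus on trends rather than on named individuals, can be turned into a small reporting step on the exported results of each exercise. The following Python is an added example, not code from the column or from any phishing-simulation product; it assumes a hypothetical export with one record per recipient carrying `campaign`, `user`, `clicked` and `reported` fields, and the sample records are constructed.

```python
"""Turn per-recipient results of simulated phishing campaigns into trend metrics.

Added example (not from the column). Assumes a hypothetical campaign-tool export
with one record per recipient: campaign label, an opaque user id, whether the
recipient clicked the training link, and whether they used the company's
reporting procedure. The records below are constructed sample data.
"""
from collections import Counter, defaultdict


def _rec(campaign, user, clicked, reported):
    return {"campaign": campaign, "user": user, "clicked": clicked, "reported": reported}


# Constructed sample data: three quarterly campaigns to the same five users.
SAMPLE_RESULTS = [
    _rec("2017-Q1", "u1", True, False), _rec("2017-Q1", "u2", True, False),
    _rec("2017-Q1", "u3", True, False), _rec("2017-Q1", "u4", False, True),
    _rec("2017-Q1", "u5", False, False),
    _rec("2017-Q2", "u1", True, False), _rec("2017-Q2", "u2", True, False),
    _rec("2017-Q2", "u3", False, True), _rec("2017-Q2", "u4", False, True),
    _rec("2017-Q2", "u5", False, False),
    _rec("2017-Q3", "u1", True, False), _rec("2017-Q3", "u2", False, True),
    _rec("2017-Q3", "u3", False, True), _rec("2017-Q3", "u4", False, True),
    _rec("2017-Q3", "u5", False, True),
]


def campaign_rates(records):
    """Per-campaign click and report rates, keyed by campaign label in sorted order.

    Rates are fractions of recipients (0.6 means 60% clicked). Nothing about
    individual users survives this aggregation, which is what a trend report
    to leadership should contain.
    """
    totals = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for r in records:
        bucket = totals[r["campaign"]]
        bucket["sent"] += 1
        bucket["clicked"] += int(r["clicked"])
        bucket["reported"] += int(r["reported"])
    return {
        name: {
            "sent": t["sent"],
            "click_rate": round(t["clicked"] / t["sent"], 3),
            "report_rate": round(t["reported"] / t["sent"], 3),
        }
        for name, t in sorted(totals.items())
    }


def repeat_offender_count(records, threshold=2):
    """How many users were caught in at least `threshold` campaigns.

    Only the count is returned; the user ids stay with the training team,
    which uses them to schedule additional training, not in the trend report.
    """
    caught = Counter(r["user"] for r in records if r["clicked"])
    return sum(1 for hits in caught.values() if hits >= threshold)


def trend_summary(records):
    """Combine the per-campaign rates with the overall change in click rate."""
    rates = campaign_rates(records)
    labels = list(rates)
    first, last = rates[labels[0]]["click_rate"], rates[labels[-1]]["click_rate"]
    return {
        "campaigns": rates,
        "click_rate_change": round(last - first, 3),  # negative means improvement
        "repeat_offenders": repeat_offender_count(records),
    }


if __name__ == "__main__":
    summary = trend_summary(SAMPLE_RESULTS)
    for label, m in summary["campaigns"].items():
        print(f"{label}: sent={m['sent']} clicked={m['click_rate']:.0%} reported={m['report_rate']:.0%}")
    print(f"click rate change first->last: {summary['click_rate_change']:+.0%}")
    print(f"users caught in 2+ campaigns: {summary['repeat_offenders']}")
```

Run on the constructed data, the click rate falls from 60% to 20% across the three campaigns while the report rate rises from 20% to 80%, the pattern the column describes; the two users caught repeatedly appear only as a count.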
By engaging employees directly with training that simulates real phishing attacks, companies can further reduce their risk of being affected by malicious phishing campaigns.
Michael Miranda is director of information security at Hawaiian Telcom. Reach him at michael.miranda@hawaiiantel.com.