The group began its discussion when moderator Kevin Dunn asked the participants what they already do to protect against social engineering attacks. Most participants have internal training in place to help staff identify and avoid phishing attacks. This training is continuous and ongoing, and it tests users frequently; anyone who fails a test must undergo further training. Consequences for not attending this training range from deactivated email accounts to job termination. Some companies also include the training in onboarding, so new employees join with an awareness of how to avoid phishing and other social engineering attacks. One participant offered a valuable takeaway: email is critical to the organization, so email is a critical risk. Equipping the enterprise so that reporting phishing and other social engineering attempts is easy is also valuable in combating the issue. Installing a simple button in the email client for reporting a suspicious message, for example, is a great step.
Second, the group emphasized that preventing phishing and social engineering attacks is all about workplace culture. If you cannot shift your company's security culture toward active defense, your strategy against these attacks will not reach its full potential. Security is often seen as an inconvenience, so turning that perception into something positive is what makes the culture change happen. Reward those who report an issue; change security terminology so it is easier to understand and less threatening; and make it personal by showing people how the same knowledge helps them protect their families at home. These strategies help the people in your organization understand why security matters without feeling intimidated. You have to give your employees the tools for security awareness. You cannot expect them to seek it out on their own, because people are simply too busy to go out of their way, but if you hand it to them, you make it easier for them to begin that education. Security culture will not change until you make it friendly.