Cybersecurity professionals consider phishing attacks to be the "most dangerous" threat to cybersecurity for their organizations, according to research by Cyber Security Hub, an online news site for cybersecurity professionals.
In the third quarter of 2022, the Anti-Phishing Working Group (APWG), an international coalition, "observed 1,270,883 total phishing attacks, a new record and the worst quarter for phishing that APWG has ever observed."
Michael Redman, a senior associate of Schellman, a global independent security and privacy compliance assessor, suggested that the pandemic and mass exodus of employees to work in remote or home settings played roles in the increase of phishing. But phishing has already been on the rise and is a risk that companies find extremely challenging to deal with.
What Is Phishing?
Phishing (e-mail), vishing (voice), spear phishing (targeting a specific person or group) and whaling (going after a high-profile target) are all "tactics used by thieves who are 'fishing' for your personal financial or private information," Redman said. "They want account numbers, passwords, Social Security numbers and other confidential information that they can use to loot your accounts, run up bills on your credit cards or otherwise steal your identity."
Phishing attacks involve the use of e-mail, telephone or text messages that look legitimate and cause unsuspecting recipients to fall for the scam and put private information at risk. Employees who reveal company information can put a lot of private information at risk.
Phishing attacks are a form of "social engineering"—hacking computer systems, not through technology, but through the vulnerabilities of employees.
As Katie McCullough, chief information security officer at Panzura, a software company based in San Jose, Calif., pointed out, "studies show that all employees will eventually fall for a phishing scheme, regardless of technical skill, age or training." Studies also show, she said, that "a small group repeatedly fall for schemes even after training."
William J. Roberts, co-chair of Day Pitney's data privacy, protection and litigation practice in Hartford, Conn., noted that "data breaches happen to the best of companies, and data security mistakes happen to the best of your employees as well—no one is immune, and no one is perfect."
HR can play an important role in helping educate employees and minimize the potential risk to companies related to phishing attacks. An important first step is partnering with IT.
Partnering with IT
Neither HR nor IT is solely responsible for educating and communicating with employees about minimizing the risks related to phishing attacks. The two functions need to work together to maximize their impact. And, of course, they also need to enlist the help and support of senior leaders and managers across the organization in their efforts.
Almog Apirion is CEO and co-founder of Cyolo, a computer security service firm based in Tel Aviv, Israel. "To eliminate the risks of attacks, HR professionals must work in tandem with their cybersecurity team to make processes as smooth as possible for all employees within a company," Apirion said. "Silos, in this sense, need to be broken to ensure fluid communication between teams."
Apirion recommended a three-step plan for HR to support their organizations' security strategies: training, provisioning and limiting.
Training. Cybersecurity awareness should be part of every new hire's orientation and onboarding process to set the tone for people as they join the company, Apirion said. "Even if they have received training at other companies, ensuring they know what to look for and how to avoid malicious e-mails sets the cybersecurity culture."
Provisioning. Apirion recommends that HR work closely with IT to ensure users have access to what they need. "Ease of access will go a long way to helping them spot malicious e-mails," he said. "Many successful attacks impersonate trusted applications or systems to entice a click, so a user who knows with certainty how the system works will be less likely to fall victim."
Limiting. Only give employees access to what they truly need to do their jobs, Apirion advised. "Having access restrictions can be an emergency stopgap that prevents the infected software from propagating to other parts of the company network," he pointed out.
Communication, of course, needs to take place beyond the onboarding process.
Periodic security awareness training that incorporates real-time tests of cybersecurity responsiveness is foundational for protecting organizational data, Redman said. "Phishing e-mails are one of the most frequent methods by which malware is spread. As such, it makes sense to incorporate a live test of the employee's responsiveness when a phishing e-mail is received. Does the employee know not to click on malicious links? Do they know not to share personal or sensitive information that may be used to exploit our information systems and data?"
Preparing staff and teams "to identify indicators of a potential threat or attacks while providing them clear and unambiguous instructions affirming their response in these circumstances can truly help to minimize the impacts to your organization," Redman said.
"The key to successful HR integration to prevent phishing, therefore, is to establish a culture of awareness built around specific roles and responsibilities," said Mark Brown, global managing director, digital trust consulting at British Standards Institute in London. "One-size-fits-all generic training on cybersecurity has been proven in the aftermath of cyberbreaches to have been ineffective," he said. Instead, Brown advised organizations to use specific, role-based training. This, he says, "is much more successful, especially when delivered in regular—monthly or quarterly—shorter and more consumable sections, often lasting between five to eight minutes."
Despite their best efforts, though, organizations are likely to experience a breach related to a phishing attack. It's important to have policies and practices in place, up front, to know how these instances will be addressed.
Dealing with Repeat Offenders
"HR teams need clear policies on how to handle employees [who] repeatedly expose sensitive business data," McCullough said. Because of the risks related to phishing, some companies include in their policies that employees who consistently fail regular practice phishing campaigns may be subject to disciplinary action, she said.
Roberts, however, advised against this.
"The message from HR cannot be that employees who cause a data breach—such as by clicking on phishing links—will be disciplined or fired," Roberts said. "While there are instances in which sanctions, including termination, are justified responses to a data privacy matter, clicking on a phishing link is not such an instance."
There are very practical reasons to take this approach, Roberts said. "If employees feel like they must hide the fact that they clicked on a phishing link or that they will be disciplined or fired for doing so, that apprehension will harm your business worse than the actual phishing." In addition, he said, "failure to report may result in greater harm to your business's information systems and the data your business holds." For instance, failure to report could cause a company to miss breach notification deadlines, which may hold serious legal implications.
However, as Roberts said, there may be instances that do require discipline. It is important to clearly outline the types of infractions that could lead to discipline or termination, McCullough said. "Defining these policies and clearly informing employees of the risks helps organizations respond equitably and fairly when an employee makes a mistake that leads to a data breach."
It's important to establish a climate where employees feel like they're part of the solution and that they won't be treated punitively if they—like the vast majority of people—fall prey to a breach.
Lin Grensing-Pophal, SHRM-SCP, is a Wisconsin-based business journalist with HR consulting experience.