Over the last several months, phishing, spear-phishing, and social engineering attacks have dominated headlines. But, phishing isn’t a new problem. These scams have been circulating since the mid-’90s.
Unfortunately, there is essentially nothing nonprofits can do to avoid getting targeted. Hackers play the odds and fire off thousands of phishing emails at a time, hoping that at least a few will be successful. The key, then, is to train employees to spot these scams. That’s why phishing awareness training is such an essential first step in any cybersecurity strategy. To successfully spot a phish, employees have to know they exist.
By showing employees examples of attacks – including the subject lines to watch out for, a high-level overview of domain impersonation, and the types of requests hackers will generally make – they’ll immediately be better placed to identify what is and isn’t a phishing attack. But ensuring they know what to do if and when they receive one is an essential next step, and it is your chance to remind employees of existing policies and procedures, for example, whom to report attacks to within the organization.
In the last several years, cybersecurity has become business-critical. But it takes a village to keep systems and data safe, which means accountability is required from everyone to make policies, procedures, and tech solutions truly effective. By getting teams across departments together for training sessions and phishing simulations, leadership will get a bird’s-eye view of employee behavior. Are certain departments or individuals more likely to click a malicious link than others? Are senior executives skipping training sessions? These observations will help leaders stay ahead of security incidents, can inform subsequent training sessions, and could help pinpoint gaps in the overall security framework.
While phishing awareness training will help employees spot phishing scams and make them think twice before clicking a link or downloading an attachment, it’s not a silver bullet. Hackers think and move quickly and are constantly crafting more sophisticated attacks to evade detection. That means training that was relevant three months ago may not be today.
We only have to look at the spike in COVID-19 themed phishing attacks starting in March for proof. Prior to the outbreak of the pandemic, very few phishing awareness programs would have trained employees to look for impersonations of the World Health Organization, for example. Likewise, impersonations of collaboration tools like Zoom took off as soon as workforces shifted to remote-working.
Another significant factor is that training isn’t targeted or engaging enough. You can’t apply one lesson to an entire organization – whether it’s 2 people or 2,000 – and expect it to stick. It has to be targeted based on age, department, and tech literacy. Being respected at work is incredibly important to an older generation, so telling them that they don’t understand something isn’t an effective way to educate them on the threats. Many younger employees, on the other hand, have never known a time without the internet, and they don’t want to be told how to use it.
Unfortunately, the average employee is less focused on cybersecurity and more focused on getting their job done. While it is good for mission-driven employees to be focused on doing their jobs, ignoring cybersecurity risks can open the organization up to vulnerabilities that could undo all the hard work they were hyper-focused on. While nonprofit leaders can certainly reinforce the importance of software and policies, training alone won’t control employees’ behavior or inspire every single person to become a champion of cybersecurity.
While training will curb the problem, it won’t prevent mistakes from happening. That’s why nonprofits need to bolster training with technology that detects and prevents inbound threats. That way employees can focus on their jobs, not cybersecurity. But given the frequency of attacks year over year, it’s clear that spam filters, antivirus software, and other legacy security solutions aren’t enough. That’s where Gravyty Guard comes in.
By understanding human behaviors unique to the nonprofit fundraising space, Gravyty Guard uses AI to train models, deploy proactive alerts, and provide detailed, flexible reporting to protect employees from being the source – maliciously or accidentally – of the next donor data security breach.
Find out what risks your organization faces by taking our free vulnerability assessment today and learn how you can protect your donor data before it's too late.