Technology reduces spam and protects against malicious attacks, but it’s only part of the solution. Organizations must create a culture that promotes people and employees as a second line of defense, experts say.
Take, for example, Vicki Irey, CIO of Overland Park, Kan., who uses Google’s G Suite for Government. The solution incorporates spam protection and security into its Gmail offering, but some spam still gets through. So Irey holds regular training for city employees, focusing on how to recognize spam, and her team also conducts periodic phishing tests.
“The same service we use for the training lets us sample spam and test those emails on our employees,” she says. “We receive reports on how many people open the fraudulent emails, click on links or compromise their credentials.”
All organizations should emulate this strategy, says John Pescatore, director of emerging security trends at the SANS Institute.
“Routine anti-phishing does work if you do it often enough,” he says. “Once a quarter, use test examples of what techniques the bad guys are using.” It’s also important to train people to recognize spam before they click to open it, says Steven DeBerry, CIO of Norfolk, Va.
“We teach people to look at email addresses and be cognizant of little inconsistencies. People need to understand that they absolutely must look before they leap,” he says.
Finally, IT should consider application control, or whitelisting, which permits only approved applications to run and blocks everything else, keeping users from making costly mistakes.