An email designed to make recipients click on a malicious link or download a malicious file presents a major security risk for businesses. Dan Pienta, assistant professor of information systems and business analytics, explains how businesses can educate employees about phishing attacks without compromising their trust.
“It's a delicate balance for chief information security officers. Employees are a large part of the organization. How do we motivate them to comply with the rules? A few organizations will notify employees before a test, which defeats the goal. Other organizations may sneak a phishing attack, but what do they do if an employee falls for it? How do we motivate them to identify a phishing attack and then penalize somebody for jeopardizing the organization by falling victim to a phishing attack? Does that affect trust in the organization?”
“We trade off some of our privacy when we enter into an organization, and we trade that for security of the organization. So there's a balance for the organization to make sure that it's secure, but making sure that they're respecting employees' privacy and their right to get work done.”
“It's important for employees to understand the risks of phishing. Employees can follow a simple checklist, like hovering over a link or looking at the sender address to see if there's anything fishy about it. Does it have HTTPS, then your semicolons after it, or have the phishers mimicked that email address? Make it a game; give them a reward for identifying phishing emails.”
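The checklist above (hover over the link to see where it really goes, look at the sender address, check for HTTPS, watch for a mimicked domain) can be expressed as automated checks. The following is an added example written for this page, not code from Pienta or from Baylor: the trusted domain list, the sample message and the link-mismatch heuristic are all constructed for illustration, and a real deployment would load the organization's own domains.

```python
"""Automate the phishing checklist: sender domain, Reply-To, link target vs link text, HTTPS.

Added example for this page; the trusted domains and the sample email below are constructed.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: domains the organization actually does business with.
TRUSTED_DOMAINS = {"bank.example.com"}

# Constructed sample message (not a real phishing email). The first link's visible
# text shows the bank's HTTPS URL, but hovering would reveal an HTTP lookalike host.
RAW_EMAIL = """\
From: "Example Bank Support" <support@bank-example.com.evil.test>
Reply-To: collect@mail.evil.test
To: employee@corp.example
Subject: Urgent: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please <a href="http://bank-example.com.evil.test/login">https://bank.example.com/login</a>
to confirm your details.</p>
<p>Or visit our <a href="https://bank.example.com/help">help page</a>.</p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: what a hover reveals vs what the reader sees."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted_host(host):
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def lookalike_of(host):
    """Return the trusted domain this host imitates, or None.

    Heuristic (an assumption of this example): hyphens are treated as dots, so
    'bank-example.com.evil.test' is reported as imitating 'bank.example.com'.
    """
    host = host.lower()
    if is_trusted_host(host):
        return None
    normalized = host.replace("-", ".")
    for d in TRUSTED_DOMAINS:
        if d in normalized:
            return d
    return None


def check_sender(msg):
    """Sender-address checks: mimicked From domain and a Reply-To that goes elsewhere."""
    findings = []
    from_hdr = msg["From"]
    if from_hdr is None or not from_hdr.addresses:
        return [("missing-from", "message has no From address")]
    sender = from_hdr.addresses[0]
    from_domain = sender.domain.lower()
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(("sender-lookalike",
                         f"'{sender.display_name}' <{sender.addr_spec}> imitates {imitated}"))
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses:
        reply_domain = reply_to.addresses[0].domain.lower()
        if reply_domain != from_domain:
            findings.append(("reply-to-mismatch", f"replies go to {reply_domain}, not {from_domain}"))
    return findings


def check_links(msg):
    """Link checks: HTTPS, visible URL text vs real target, lookalike target host."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    parser = LinkExtractor()
    parser.feed(body.get_content())
    for href, text in parser.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if target.scheme != "https":
            findings.append(("link-not-https", href))
        if text.lower().startswith(("http://", "https://")):
            shown = (urlparse(text).hostname or "").lower()
            if shown != host:
                findings.append(("link-text-mismatch", f"text shows {shown}, href goes to {host}"))
        imitated = lookalike_of(host)
        if imitated:
            findings.append(("link-lookalike", f"{host} imitates {imitated}"))
    return findings


def analyze(raw):
    """Parse a raw RFC 5322 message and return a list of (code, detail) findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    return check_sender(msg) + check_links(msg)


if __name__ == "__main__":
    for code, detail in analyze(RAW_EMAIL):
        print(f"[{code}] {detail}")
```

Run against the constructed message, the sender checks report the mimicked From domain and the divergent Reply-To, and the first link is flagged three times: it is plain HTTP, its visible text names a different host than its href, and that href host imitates the trusted domain. The second link, which really goes to the trusted domain over HTTPS, produces no findings. The lookalike heuristic is deliberately simple; it catches hyphen-for-dot tricks but not homoglyphs or typo domains, which a production filter would add.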
“Business Review” is a production of Livingston and McKay, and the Hankamer School of Business at Baylor University.