Phishing accounts for an estimated 90% of data breaches, and despite organizations' best efforts to educate their employees, roughly 30% of phishing emails are still opened. A successful attack costs the victimized firm $3.8 million on average. How can organizations better prepare their employees to stay vigilant and avoid taking the bait of phishing scams?
Detailing findings from their research, Commerce Professor Ryan Wright and Matthew Jensen of the University of Oklahoma suggest that practicing mindfulness, creating strong team dynamics, and instituting gamified training may help to mitigate the risk and reinforce valuable security practices.
In a September-October 2020 Harvard Business Review article, “Boost Your Resistance to Phishing Attacks,” Wright and Jensen explain that while requiring employees to complete training modules once or twice a year is useful for raising awareness and setting guidelines, simply repeating the rules can become counterproductive.
“Rather than ask people to memorize a laundry list of constantly changing cues, organizations can take a more holistic tack,” Wright says. Adding mindfulness instruction may lead employees to slow down and be more deliberate in their analysis of a suspicious message.
The research (some of which was conducted in a working paper with fellow McIntire Professors Steven Johnson and Brent Kitchens) suggests that strong group dynamics reduce vulnerability to attacks: employees who were more connected to one another were less likely to be taken in by phishing schemes. Sharing security information among teammates, formally or informally, may also help managers hold groups accountable for staying current on required training.
The HBR article also explores a way to make the most of group dynamics through gamification, adding a competitive angle to reinforce secure behavior. In one example, a leaderboard awarded employees points for correct phishing reports and deducted points for false alarms; openly comparing participants' performance proved an effective motivator for submitting useful phishing reports.