The Golden Rule of Email Nick Podhradsky, Executive Vice President, SBS CyberSecurity, LLC ALTHOUGH PHISHING HAS BEEN A PROBLEM FOR YEARS, phishing emails have increased by an estimated 600% over the past two years. Setting a record number of cyber-attacks in that time, phishing continues to be a go-to source for hackers. Because of the mass amounts of phishing emails targeting victims every day, it is more important now than ever to remember The Golden Rule of Email. This modern version of the well-known principle is to treat every email as if it’s a phishing attempt. The cybersecurity field as a whole has been preaching phishing training for years. October 2021 marked the 18th year for Cybersecurity Awareness Month, yet we still see record-breaking attacks and losses. To help fix this recurring problem, organizations should consider modifying their training approach to focus on building habits versus one-off lessons. Instead of solely teaching specific details to look for, focusing on building a repeatable process can have a more significant impact. It’s not the security awareness training alone that makes the difference, but the repeated process taken while investigating an email. Implementing The Golden Rule of Email Process The first step in implementing The Golden Rule of Email is establishing it as part of onboarding techniques and general practices, similar to how employees comprehend the mission or values of a company. Ultimately, the rule would be adopted by leadership and management teams and woven into training and educational tools to be mastered by every employee. If every employee was prompted to recite The Golden Rule of Email and the process it takes to spot phishing, with everyone responding promptly and accurately, employers and businesses might get a better sense of just how their company sits when it comes to defending against phishing attacks. Once the initial concept of the rule is adopted across the company, it’s time to start building the skills necessary to support the rule and act against any suspicious activity. A crucial step in helping employees steer clear of phishing emails is asking the three Ws – who, what, and why. Questions similar to the following should be considered for every email received: Who? • Do I know the sender? • Is this someone with whom I usually communicate? • Is the email sent to an unusual group of people? • Is the email address spelled correctly? • Does the email address match the email in the signature? What? • What action does the sender want me to take? • Does the email contain bad grammar, odd styling, or typos? • Is the email written in style consistent with the sender? • Is the action something you’d expect from the sender? • Is it an urgent request? Why? • Why do they want me to click on a link, download an attachment, or send information? • Are they presenting a sense of urgency? • What is the consequence they are threatening if no action is taken? Is it something I should expect? • Have they presented an unusual situation? Is it something I should expect? It’s also important to be wary of different phishing types: • Email phishing – Emails using fake domains to collect private and financial information. • Spear phishing – A more malicious email targeting specific people. Hackers normally have private Tech Talk— continued on page 22 Ultimately, the rule would be adopted by leadership and management teams and woven into training and educational tools to be mastered by every employee. NEBRASKA BANKERS ASSOCIATION 21
RkJQdWJsaXNoZXIy ODQxMjUw