Cyberattacks hit companies daily as malicious actors seek to benefit by preying on vulnerable business systems. While there are a myriad of different attacks plaguing organizations of all sizes, phishing is an increasingly common threat.
WHAT IS PHISHING?
Phishing is a type of cyber fraud that seeks to trick victims into giving up something valuable, such as information or money, using deceptive email or other digital communications. While most phishing scams arrive via email, they can also be deployed through fake social media messages, text messages, misleading websites, voicemails, or even live phone calls [3]. The attacker usually pretends to be someone the recipient trusts, targeting human judgment rather than technical vulnerabilities. Some organizations assume such attacks are easy to spot and that they would never fall victim. Others cross their fingers and hope it won’t happen to them, but smart companies work to mitigate the risk by providing anti-phishing training to employees. Phishing awareness training is a powerful tool that educates employees on recognizing and reporting suspected phishing attempts, which helps protect the company from cybercriminals, malicious actors, or hackers seeking to disrupt operations and steal information.
WHY IS ANTI-PHISHING TRAINING IMPORTANT?
Taking the time to train employees is vital because phishing scams can harm people and companies in many ways. These scams often cause employees to mistakenly give away sensitive data like credit card and banking information or Social Security numbers, granting attackers the ability to access accounts, make purchases, or steal identities. Phishing also often leads to downloading harmful spyware or ransomware, and the consequences can be devastating. Individuals can lose their savings, while companies stand to lose revenue, intellectual property, and sensitive customer data. In addition, ransomware can put a company out of business at least temporarily, if not permanently [3]. In fact, research indicates that 60% of companies that suffer a cyberattack close their doors within six months due to an inability to recover [4].
Companies can help ensure their doors stay open by building awareness around potential attacks and purchasing cyber insurance coverage as part of a strong risk management plan. However, while cyber policies commonly provide coverage for first-party breach losses, response, and legal liability, they often don’t cover phishing scam losses. As carriers face a rise in phishing claims, some employ exclusions and narrow coverage to limit phishing exposures. Debate continues to surround the fact that employees who fall victim to a phishing scheme often technically “authorize” any payment made to the attacker. In some instances, courts have agreed and differentiated between what is considered a data breach and what qualifies as a non-covered phishing loss. In response, some insurers have begun addressing this exposure with “social engineering loss” endorsements that cover phishing scam losses, but others are hesitant to do so until more companies take the preventative steps needed to reduce phishing attempts in the first place [1]. Carriers providing cyber coverage expect to see robust dual control systems in place, especially around any financial transactions. Without them, insureds can expect underwriting to apply an exclusion like those noted above or greatly reduce the limit of social engineering coverage.
DO EMPLOYEES NEED ANY OTHER CYBER AWARENESS TRAINING?
Because the nature and goal of cyberattacks continuously evolve, regular training helps employees recognize cyber dangers and prevent a breach that leaves businesses with a hefty bill and a big mess to clean up. While phishing training should be at the top of the list for every employer, training in other safety and security practices can also help protect a business, its employees, and valued clients. Educating employees on data incident reporting procedures ensures that they know what steps to take if a computer is infected with a virus or seems to be operating slowly or with unexplained errors. There is also value in training employees on how to create strong passwords, on avoiding unauthorized software (which increases the risk of malicious downloads that corrupt data), and on the limits of safe internet browsing in the workplace. Because social media platforms now play a larger role in company marketing strategies, it is also a good idea to provide employee training in safe social media engagement and the appropriate use of both company-owned and personal mobile devices when conducting business [5].
These days doing business often means engaging with email, the internet, and other online tools that help businesses grow and present challenges around cyber safety. Cyber insurance applications now regularly ask about employee training practices and expect insureds to provide thorough training at least annually and during the onboarding process for any new hire. At a minimum, carriers want to see that companies are taking cyber safety seriously and trying to mitigate any potential loss.
Many cyber policies also offer risk management tools to insureds, such as a specific number of free training sessions or background checks at no cost to help insureds reduce exposure. Clients can also seek out training through qualified third parties. While it can be difficult to provide general pricing for anti-phishing training, provider calculators indicate annual anti-phishing training prices as of 2020 ranged from as little as $500 for up to 25 employees to more than $40,000 for companies with more than 10,000 trainees [2].
In the end, the cost that comes with effective anti-phishing or other cyber training for employees is significantly lower than the cost of halting operations or cleaning up after a breach. With thorough, consistent anti-phishing training, employees are less likely to engage with phishing emails, which prevents the introduction of malware into organizational systems and the loss of valuable data or functionality. Unfortunately, training won’t solve the issue 100% of the time, and even with additional security controls, a company may still face a data breach and associated restoration costs. Contact your local CRC Group producer today to discuss how we can help protect your clients against the potentially devastating effects of falling victim to cybercrime.
- Mike Edmonds is an Assistant Vice President with CRC Group’s Seattle office where he specializes in Cyber & Technology, E&O, Healthcare, and Management Liability as part of the Seattle ExecPro Team.
1. Why Phishing Prevention Should Be a Cyber Insurance Condition, PropertyCasualty360, July 31, 2018. https://www.propertycasualty360.com/2018/07/31/why-phishing-prevention-should-be-a-cyber-insurance-condition/
2. Anti-Phishing Training: Is It Working? Is It Worth It?, Carnegie Mellon SEI Blog, January 23, 2020. https://insights.sei.cmu.edu/blog/anti-phishing-training-is-it-working-is-it-worth-it/
3. What Is Phishing?, U.S. News & World Report, January 19, 2022. https://www.usnews.com/360-reviews/privacy/what-is-phishing
4. How Cybercrime Impacts Organizations and What You Can Do About It, Legal Reader, February 21, 2020. https://www.legalreader.com/how-cybercrime-impacts-organizations/
5. 8 Tips and Best Practices on How to Train Employees for Cyber Security, Cox Business. https://www.coxblue.com/8-tips-and-best-practices-on-how-to-train-employees-for-cyber-security/