Employees receive phishing emails, texts, and social media messages across their personal accounts. These personal phishing attacks threaten employee safety and, increasingly, company safety as bad actors move laterally to company assets and compromise privileged employees.
These attacks are effective for a variety of reasons. First and foremost, your team is receiving mixed signals, so they never develop the habits or processes needed for real security.
In the workplace, your team is probably given anti-phishing tools and training. They get none of that at home – they’re getting legitimate requests which look like phishing, which decreases their sensitivity to what’s real.
To give a specific example, I received an email from an airline I frequently fly. I had a bad customer service experience, and the airline wanted to make it right. In so doing, they sent me an email requesting minor personal information.
Out of curiosity and an abundance of caution, I ran the usual checks. It was a legitimate email asking, unsolicited, for personal information.
The average person cannot discern real phishing emails by hackers and the legitimate emails they’re trying to imitate. The typical employee is given no resources to identify phishing in their personal life and, what’s more, is getting legitimate emails that look just like phishing!
The reality is that we cannot protect ourselves from threats online. Incentives are wrong, and your employees are unequipped to protect themselves – or your company – from these attacks.
So what, you may be asking? Why do we, as security professionals, care if our employees have incidents in their personal lives?
The problem is that these attacks don’t stop at personal devices and accounts. Employees are reusing personal passwords, sending emails from personal accounts, and logging into business apps (including multi-factor auth) from personal accounts and devices.
Personal security is a company problem, and personal email phishing is the tip of the spear. Even if you eliminate the lateral risks of personal phishing (which I don’t believe is possible), employee behavior still brings these risks to the workplace.
The problem is that security is a habit and a process, not a one-time act. As much time as your team may spend at work and on organization-owned devices, they spend more time on their personal devices and personal accounts (often while at work!) No amount of corporate security training can instill sound security habits if it’s all thrown out as soon as your team switches screens or accounts.
We need a better solution.
Your employees need a consistent process to follow to prevent phishing across all devices and accounts. That’s how security becomes a habit and how you’ll see actual results at work – and in their personal lives.
If you aren’t protecting your team in their personal lives, it sends the message that their private lives are an unimportant threat that is not worth worrying about. As we’ve seen with the explosion of employee-targeted digital threats, this couldn’t be further from the truth. Your team follows your lead, and they must be shown with action, more than just words, that their personal lives are a vital threat surface.
As we see the number of personal phishing attacks – and the damage that bad actors inflict from them – increase, it’s more important than ever to implement a robust personalized, managed cybersecurity program to protect your team from these threats.