I’m often asked which employees are most likely to be targeted by phishing emails. It’s interesting to think about, but the truth is that adversaries will target whichever employees can offer access to the enterprise’s network—and that could potentially be anyone in your organization. Recent research from ProofPoint confirmed this, finding that staff-level employees were targeted by phishing attacks more often than middle and executive management.
The takeaway here is that for security awareness to be effective, it needs to include everyone in your organization. Aside from the obvious security necessity, including the entire organization in your security awareness initiatives enhances your program in a number of ways.
First and foremost, including everyone in security awareness training reduces the security gaps across the organization. While training will never be 100% effective, the more people who receive it, the more potential security risk is reduced.
Including executives and senior managers in training exercises creates solidarity within the workforce, as staff will be more likely to embrace the exercise knowing their bosses are participating. Training staff-level employees truly makes security awareness part of your organization’s culture, and helps each employee understand that everyone—not just the IT department—has a responsibility for IT security. If you’re collecting metrics with your campaigns (and you should be), including everyone will provide a broader baseline of your user population’s susceptibility and pinpoint strengths and weaknesses in your security posture.