According to a recent study by SANS, 95% of all attacks on enterprise networks are the result of successful spear phishing. Other research by Ponemon Institute shows that the average loss on such attacks is $4 million.

Bearing in mind that phishing is becoming more and more common among cyber-criminals and has devastating outcomes (e.g. recent stories about Locky and the surge of ransomware attacks in general), enterprises are keen to fight this ever-increasing threat by any and all means.

Fighting against phishing is no longer just man versus machine. More and more enterprises are adopting user awareness programs on top of traditional anti-malware to enhance their anti-phishing capabilities, understanding that employees can serve as a valuable active defense layer inside the organization.

For that to happen, and for the first time ever, we see two major departments joining hands to create a more secure environment: IT and HR.

Yes, it’s definitely not common to see HR as a critical part of reducing cyber risks – however, HR is responsible for employee training, and today cyber training is becoming yet another skill set organizations are asking employees to add.

The IT/security department fights threats 24/7, but for them to use the human factor as an active layer of defense, they must cooperate with HR.

The numbers are already there: assessment and training are significantly increasing employee awareness, reducing click rates, and increasing reports of phishing. However, if you don’t do it right, phishing assessment and training can go very wrong due to employee reactions.

Based on our vast experience, here are the best ways to conduct a successful phishing assessment process.

Continue reading on Infosecurity Magazine.