The Issue at Stake and the Problem to Be Resolved
According to the 2022 Data Breach Investigations Report [1], 82% of breaches involved a human element. Employees therefore play a critical role in preventing cybersecurity breaches: they are often the first line of defence against cyber-attacks, and also the most likely source of incidents triggered by human error.
For instance, phishing is up 61% year over year [2]. More organizations are getting hacked, and phishing remains one of the most commonly exploited attack vectors. Phishing is a form of social engineering in which attackers deceive people into revealing sensitive information or installing malware such as viruses, worms, trojan horses, spyware and ransomware on their devices [3].
[3] Jansson, K.; von Solms, R. (2011-11-09). "Phishing for phishing awareness." Behaviour & Information Technology 32(6): 584-593.
Phishing attacks have become increasingly sophisticated. Some transparently mirror the targeted website, relaying the victim's traffic to the real site so that the attacker can observe everything the victim does there and cross any further security boundaries (such as a second authentication step) together with the victim [4].
[4] Ramzan, Zulfikar (2010). "Phishing attacks and countermeasures." In Stamp, Mark; Stavroulakis, Peter (eds.), Handbook of Information and Communication Security. Springer, 2010 edition, 867 pages.
Phishing is a cybercrime in which targets are contacted by email, telephone or text message by someone posing as a legitimate institution, to lure them into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss [5]. As of 2020, phishing is the most common type of cybercrime: the FBI's Internet Crime Complaint Center reported more phishing incidents than any other type of computer crime [6].
[5] Phishing.org. "What is phishing?" https://www.phishing.org/what-is-phishing
[6] FBI Internet Crime Complaint Center, U.S. Federal Bureau of Investigation. "Internet Crime Report 2020" (PDF). https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf
Adding to the complexity, bad actors are turning to less orthodox channels to compromise people and businesses. Phishing via SMS (smishing), phishing over voice (vishing) and phishing via social media are all on the rise. Phishers are also personalizing their messages in a technique called spear phishing: attacks that are typically initiated with an email that appears to come from a trusted source, such as a colleague, friend or business partner.
The spear phishing email typically contains a request for sensitive information, such as login credentials, or a link to a malicious website designed to steal information or install malware. In short, spear phishing is a method attackers use to steal sensitive information from, or install malware on the devices of, specific victims. Spear phishing attacks are highly targeted, highly effective and difficult to prevent [7].
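The indicators just described (a trusted-looking sender on a foreign domain, pressure to hand over credentials, and a link whose visible text points at the real site while its destination is a copy) can be checked mechanically, and doing so shows how thin the disguise usually is. The following Python script is an added example, not code from the original article or from any organization it cites. The domain example-corp.com, the addresses and both sample messages are constructed for illustration, and the lookalike and pressure-language heuristics are deliberately simple.

```python
# Added example (not from the original article): heuristic triage of one email for
# the spear-phishing indicators described above. The domains, addresses and both
# sample messages are constructed for illustration.
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the organisation's own domains
PRESSURE_PHRASES = ("urgent", "immediately", "before 5pm", "verify your login", "account suspended")

# Constructed sample: colleague impersonation from a lookalike domain, with a link
# whose visible text differs from its real destination.
SAMPLE_EMAIL = """\
From: "Dana Lee (Finance)" <dana.lee@examp1e-corp.com>
Subject: URGENT: approve vendor payment before 5pm
Content-Type: text/html; charset=utf-8

<p>Sam, I need you to verify your login before the payment run.</p>
<p><a href="http://login.example-corp.com.verify-portal.xyz/auth">https://login.example-corp.com/sso</a></p>
"""

# Constructed sample: an ordinary internal message that should raise nothing.
BENIGN_EMAIL = """\
From: "Dana Lee" <dana.lee@example-corp.com>
Subject: Lunch on Thursday?
Content-Type: text/html; charset=utf-8

<p>Menu: <a href="https://intranet.example-corp.com/lunch">https://intranet.example-corp.com/lunch</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def domain_verdict(host, trusted):
    """None if host belongs to a trusted domain, otherwise why it looks deceptive."""
    host = host.lower().rstrip(".")
    if not host.isascii():
        return f"non-ASCII characters in host {host} (possible homograph)"
    reg = ".".join(host.split(".")[-2:])  # crude; real tools use the public suffix list
    if reg in trusted:
        return None
    folded = reg.translate(str.maketrans("01", "ol"))  # digit-for-letter swaps
    if folded in trusted:
        return f"lookalike domain {reg} (reads as {folded})"
    for t in trusted:
        if t in host:
            return f"trusted name {t} embedded in untrusted host {host}"
    return f"untrusted domain {reg}"


def triage(raw_message):
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    # 1. Sender: a familiar display name on an address outside our domains.
    sender = msg["From"].addresses[0]
    reason = domain_verdict(sender.domain, TRUSTED_DOMAINS)
    if reason:
        findings.append(f"sender '{sender.display_name}': {reason}")
    # 2. Pressure or credential-request language in subject and body.
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    text = (str(msg["Subject"]) + " " + re.sub(r"<[^>]+>", " ", body)).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    # 3. Links: the host the reader sees versus where the href really goes.
    extractor = LinkExtractor()
    extractor.feed(body)
    for shown, href in extractor.links:
        target = urlparse(href)
        shown_host = urlparse(shown).netloc.lower() if "://" in shown else ""
        if shown_host and shown_host != target.netloc.lower():
            findings.append(f"link text shows {shown_host} but points to {target.netloc}")
        reason = domain_verdict(target.netloc, TRUSTED_DOMAINS)
        if reason:
            findings.append(f"link: {reason}")
        if target.scheme == "http":
            findings.append(f"link is plain http: {href}")
    return findings


if __name__ == "__main__":
    print(triage(SAMPLE_EMAIL), triage(BENIGN_EMAIL))
```

Run as a script, it reports five findings for the constructed spear-phishing message (lookalike sender domain, pressure language, link text that does not match its destination, the trusted name buried inside an untrusted host, and a plain-http link) and nothing for the benign one. These are exactly the checks an awareness course teaches people to do by eye; a mail gateway performs the same checks on every message, which is why the two controls complement rather than replace each other.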
The Importance of Cybersecurity Awareness Training
Cybersecurity Awareness Training raises employees' awareness of the threats and risks they face and gives them practical advice on how to respond. For instance, it helps employees recognize and respond to suspicious emails, identify malicious websites, and understand the importance of strong passwords. It covers topics such as phishing, password management and secure data handling, and is designed to be engaging and interactive so that it holds employees' attention.
The benefits of Cybersecurity Awareness Training include but are not limited to:
The cost of mitigating phishing is rising. Those costs are not always palatable for small companies, but the cost of being breached as a result of phishing is also unsustainable. The CDW Canada Security Study, conducted in 2020, found that the average cost of a breach has risen to $6M [9]. Fortunately, there are resources that company leaders can use at little or no cost. Business leaders should familiarize themselves with some of the free resources below:
- Simply Secure is an online course developed by the Rogers Cybersecure Catalyst (Toronto Metropolitan University). It provides resources and training to help small and medium-sized businesses build a culture of cybersecurity within their organization. (https://simply-secure.ca/)
- ISC2 offers a Cybersecurity Awareness Training course that is free to audit on the Coursera MOOC platform. (https://www.coursera.org/learn/security-awareness-training)
- Amazon provides free multilingual security awareness training. (https://learnsecurity.amazon.com/en/training/story.html)
- Jigsaw Phishing Quiz. (https://phishingquiz.withgoogle.com)
- OpenDNS Phishing Quiz: "Think you can outsmart Internet scammers?" (https://www.opendns.com/phishing-quiz/)
- The US Federal Trade Commission has developed a series of quizzes to help companies learn about cybersecurity. (https://www.ftc.gov/business-guidance/small-businesses/cybersecurity/quiz)
- Top nine phishing simulators [updated 2021] from Infosec Institute (https://resources.infosecinstitute.com/topic/top-9-free-phishing-simulators/)
- Get Cyber Safe (Government of Canada): a national public awareness campaign created to inform Canadians about cybersecurity and the simple steps they can take to protect themselves online. (https://www.getcybersafe.gc.ca/en/blogs/lessons-fighting-phishing)
[9] CDW Canada Security Study 2020. "Cyber Resilience: An Evolving Perspective." https://www.cdw.ca/content/cdwca/en/solutions/cybersecurity/security-study-2020.html