Phishing: Your Staff Are the Weakest Link

Posted on Apr 17, 2026 in Security

A recent report from the Office of the Australian Information Commissioner found that cyber security incidents accounted for 38% of the data breaches notified to it in the first half of 2024. That is a sobering reminder that sophisticated technical defences aren't always enough. More often than not, the weakest link in your security chain isn't a firewall or a server; it's the person sitting at the desk.

Phishing attacks remain one of the most effective ways cybercriminals gain access to organisations. They're not targeting your technology; they're targeting your people. A convincing email that appears to come from a trusted colleague, an urgent request from what looks like your bank, or a seemingly legitimate invoice attachment can get past even robust technical controls once someone clicks the link, enters their password on the page behind it, or opens the attachment.

Why Traditional Security Isn’t Enough

Your firewall, antivirus software, and email filters are essential, but they can’t catch everything. Modern phishing attacks are increasingly sophisticated, using personalised information scraped from social media and public records to create convincing messages. Some are so well-crafted that even tech-savvy individuals can be fooled.

This is particularly relevant for New Zealand organisations in sectors like law, healthcare, and government, where sensitive information makes you an attractive target. A single successful phishing attack can lead to significant data breaches, regulatory fines, and damage to your reputation.

The Power of Awareness Training

The good news? People can become your strongest defence with the right training. Regular cyber security awareness sessions help staff recognise the warning signs of phishing attempts: sender addresses that don't match the display name or use a lookalike domain, urgent language designed to bypass critical thinking, links whose visible text doesn't match where they actually point, unexpected attachments, or requests for passwords and other sensitive information. Just as important is what to do about them: check the real address behind a display name, hover over a link before clicking it, and verify any unexpected request through a channel you already trust, such as a phone number on file, rather than the contact details in the email itself.
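
The same warning signs can be checked mechanically. The following Python script is an added example, not code from the original post or from Resolve Technology: it parses a raw email and flags the indicators listed above. The message, the internal domain `example-corp.com` and the phrase lists are all constructed for the example; the homoglyph table and similarity threshold are deliberately simple heuristics and would be tuned for a real deployment.

```python
import difflib
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Assumption: the organisation's own mail domain (hypothetical).
INTERNAL_DOMAIN = "example-corp.com"

URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "will be suspended")
CREDENTIAL_PHRASES = ("password", "verify your account", "requires immediate verification")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".html", ".htm", ".iso", ".lnk", ".zip")
# Digits commonly swapped for letters in lookalike domains (examp1e, g00gle).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample message: hypothetical addresses and domains, not a real phish.
SAMPLE_EML = """\
From: IT Helpdesk <helpdesk@examp1e-corp.com>
Reply-To: recovery@mail-verify-portal.net
To: jane.smith@example-corp.com
Subject: URGENT: your mailbox will be suspended in 24 hours
Content-Type: text/html; charset="utf-8"

<p>Your account requires immediate verification. Click
<a href="http://mail-verify-portal.net/login">https://webmail.example-corp.com</a>
to confirm your password.</p>
"""


def address_domain(header_value):
    """Domain of the address in a From/Reply-To header, ignoring the display name."""
    _name, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain, trusted):
    """True when a domain imitates the trusted one but is not identical to it."""
    if not domain or domain == trusted:
        return False
    if domain.translate(HOMOGLYPHS) == trusted:
        return True
    return difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.85


def phishing_indicators(raw_message):
    """Return (indicator, detail) pairs for the warning signs found in a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_domain = address_domain(msg["From"])
    reply_domain = address_domain(msg["Reply-To"])
    if is_lookalike(from_domain, INTERNAL_DOMAIN):
        findings.append(("lookalike_sender", from_domain))
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", reply_domain))

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg['Subject'] or ''} {TAG_RE.sub(' ', body)}".lower()
    urgency = [p for p in URGENCY_PHRASES if p in text]
    if urgency:
        findings.append(("urgent_language", ", ".join(urgency)))
    credentials = [p for p in CREDENTIAL_PHRASES if p in text]
    if credentials:
        findings.append(("credential_request", ", ".join(credentials)))

    # Link text that displays one host while the href points at another.
    for href, anchor in ANCHOR_RE.findall(body):
        shown = TAG_RE.sub("", anchor).strip()
        if "." not in shown or " " in shown:
            continue  # plain words like "click here" carry no host to compare
        shown_host = urlparse(shown if "://" in shown else f"http://{shown}").hostname or ""
        href_host = urlparse(href).hostname or ""
        if shown_host and href_host and shown_host != href_host:
            findings.append(("link_mismatch", f"{shown_host} -> {href_host}"))

    # Attachments with extensions that can execute or smuggle content.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(("risky_attachment", name))

    return findings


if __name__ == "__main__":
    for indicator, detail in phishing_indicators(SAMPLE_EML):
        print(f"{indicator:20} {detail}")
```

Run against the sample it reports the lookalike sender, the mismatched Reply-To, the urgent wording, the password request and the link whose text shows the company webmail host while pointing elsewhere. None of these checks replaces a mail filter; the point is that every indicator staff are taught to spot is also something that can be measured and fed back to them.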

But awareness training alone isn’t sufficient. Like any skill, recognising phishing attempts requires practice in realistic scenarios.

Simulated Phishing: Safe Practice Makes Perfect

Simulated phishing tests provide a safe environment for staff to encounter realistic phishing attempts without real consequences. These controlled exercises help identify who might need additional training and reinforce security awareness across your organisation.

The key is making these simulations educational rather than punitive. When someone clicks on a test phishing email, it should trigger immediate, helpful feedback rather than disciplinary action. This approach encourages reporting of suspicious emails and creates a culture where security is everyone’s responsibility.
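
One practical detail of running such a simulation is how the test email identifies who clicked. The following Python script is an added example, not code from the original post or from Resolve Technology. It issues each recipient an HMAC-based token rather than a sequential id, so a token cannot be guessed or altered to pin a click on a colleague, resolves clicks back to recipients, and summarises results by department rather than by name, in keeping with the educational rather than punitive approach above. The secret, the landing-page URL, the recipients and the event log are all constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed for this example; a real campaign generates this with
# secrets.token_bytes(32) and keeps it server-side only.
CAMPAIGN_SECRET = b"example-campaign-secret-do-not-reuse"
BASE_URL = "https://training.example-corp.com"  # hypothetical feedback page

# Constructed recipient list and department mapping.
DEPARTMENT = {
    "ann@example-corp.com": "finance",
    "ben@example-corp.com": "finance",
    "cat@example-corp.com": "legal",
    "dan@example-corp.com": "legal",
}


def make_token(campaign_id, recipient):
    """Per-recipient token: an HMAC over campaign and address, so it cannot be
    guessed or edited to attribute a click to someone else (a sequential id could)."""
    message = f"{campaign_id}\x00{recipient.lower()}".encode()
    return hmac.new(CAMPAIGN_SECRET, message, hashlib.sha256).hexdigest()[:32]


def tracking_link(campaign_id, recipient):
    """Link embedded in the simulated email; clicking it lands on the feedback page."""
    return f"{BASE_URL}/t/{campaign_id}/{make_token(campaign_id, recipient)}"


def resolve_token(campaign_id, token, recipients):
    """Map a clicked token back to a recipient; forged or foreign tokens give None."""
    if not (isinstance(token, str) and token.isascii()):
        return None
    for recipient in recipients:
        if hmac.compare_digest(token, make_token(campaign_id, recipient)):
            return recipient
    return None


def summarise(events, department):
    """Aggregate per department so the output drives training, not blame.

    events: (recipient, action) pairs where action is one of
    sent, clicked, submitted (entered credentials on the page), reported.
    """
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for recipient, action in events:
        counts[department[recipient]][action] += 1
    summary = {}
    for dept, c in counts.items():
        summary[dept] = {
            "sent": c["sent"],
            "click_rate": round(c["clicked"] / c["sent"], 2),
            "submit_rate": round(c["submitted"] / c["sent"], 2),
            "report_rate": round(c["reported"] / c["sent"], 2),
        }
    return summary


# Constructed event log for a campaign named "q2-invoice".
EVENTS = [(r, "sent") for r in DEPARTMENT] + [
    ("ann@example-corp.com", "clicked"),
    ("ann@example-corp.com", "submitted"),
    ("cat@example-corp.com", "clicked"),
    ("dan@example-corp.com", "reported"),
]

if __name__ == "__main__":
    for recipient in DEPARTMENT:
        print(tracking_link("q2-invoice", recipient))
    for dept, stats in summarise(EVENTS, DEPARTMENT).items():
        print(dept, stats)
```

The report rate matters as much as the click rate: a team that clicks rarely but never reports has learnt to ignore phishing, not to defend against it.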

Building a Security-Conscious Culture

Effective cyber security training goes beyond annual presentations. Regular, bite-sized training sessions, combined with ongoing simulated phishing tests, help maintain awareness without overwhelming staff. Consider monthly security tips, brief discussions during team meetings, or sharing relevant news about current phishing trends.

Remember, the Australian Information Commissioner's report highlights that cyber incidents are increasing. Your staff's ability to recognise and report suspicious activity could be the difference between a close call and a serious breach.

Creating a security-conscious workplace culture takes time and commitment, but it’s one of the most cost-effective investments you can make in your organisation’s cyber security. If you’d like to chat about implementing awareness training or simulated phishing tests for your team, our team is always happy to help.

Simon Falconer
Director, Resolve Technology

When he’s not finding a reason to buy the latest gadget, Simon is probably setting it up, breaking it, and fixing it again — all before breakfast.

Need help with this?

Resolve Technology can help. Learn more about our Cyber Security Services, or get in touch to discuss your needs.