
📝Show notes:

What are phishing emails? How can organisations protect themselves against them?

In the second week of the Cybersecurity Awareness Month, Michala Liavaag shares how leaders can help their organisations to tackle phishing: those messages that aim at tricking people into clicking a malicious link in order to steal data.

Do Your Part. #BeCyberSmart.

More on the Cybersecurity Awareness Month here:



✍🏾Written and produced by Michala Liavaag

🎦Co-produced and edited by Ana Garner video

🎵Music by CFO Garner


Read the episode transcript

Welcome to Cybility Savvy, the show that demystifies cyber security for not-for-profit boards and leaders. Hello, I'm your host Michala Liavaag, founder of Cybility consulting.


It's October week two of cyber security awareness month. Last week we spoke about the importance of pass phrases, long and strong, three random unrelated words. We talked about multi-factor authentication and using those authenticator apps on your phone if they're available. And finally, we spoke about the importance of software updates across all those systems.


This week we're going to talk about how we can fight phishing. Now phishing continues to be one of the easiest ways for an attacker to compromise any organization. Unfortunately, they only need to succeed once whereas we need to try and defend all the time.


So, what can we actually do to try and fight against this? I'm going to say something that might be a little bit out there for a cyber security professional now because I don't actually think it's reasonable to expect people to stop it by themselves. I think what we need to do is actually create an environment where they can try and be vigilant, know how to recognize phishing, but it's safe for them to report if they do actually click on something or open an attachment and things aren't as they should be.


So as a leader it's your responsibility to help create that psychological safety for your people so that when something does happen they recognize it, they report it, and you also have those defined incident response procedures in place to actually act on it. Whether you're a small organization, or a large one, it's still important to have that response procedure, it will just have different forms depending on the complexity of your organization.



In terms of how to recognize, you know, there's lots of things, and certainly throughout the pandemic it was just like Christmas has come at once for the cyber security criminals and attackers out there, because having Covid-19 in a subject line related to, you know, 'you need to open this to sign up for your NHS vaccine', or perhaps a text message, which is known as smishing, where, you know, you click here to book your appointment. It was just so easy playing off people's worries and that urgency that they'd create. Also think about your standard scams: you know, if it looks phishy it probably is, which goes back to recognize it, report it, respond to it.


Now the third message this week is that general one around thinking before you click. Whether it's links or attachments in emails, SMS on your phone. But think about social engineering in the wider context as well. What we've seen is that attackers, for example in the hospice in the UK up north a few years back, that was a combination of using a phishing email with a follow-up phone call (that's known as vishing, by the way). And it's that combination of things that then add credence and make it more convincing for people to fall for some of these scams.


I'm actually going to add a fourth message into this week, and that's thinking about your responsibility as a leader to make it easier for your people to do the right thing. Things like investing in phishing simulations. There's a wonderful example, or not, depending on which way you look at it, where an organization sent out a convincing-looking email from HR advising of a pay award for staff. It was a phishing simulation by the IT department. You can imagine how upset a lot of people were, especially in the current climate where lots of people have had their pay frozen. So, phishing simulations can be a good investment in terms of helping people, as long as the education comes at the right point in the process and is something they can engage with, not actually be distracted by or resent because it's blocking them from doing their work. Different tools have different ways of doing this, so if you do choose to invest, have a think about that. You want an education awareness program around phishing that supports your staff to do the right thing, not a blame game. One of the other things you can do, if you do phishing simulations and you're a leader who falls for it: record a little video, talk about what happened, share it with your staff. It will help create that all-important psychological safety to report.


Now the final thing I'd like to say to you this week about phishing is, if you have the money to do so, invest in technical solutions to remove the emphasis on your staff to protect the organization; allow technology to help you where it can. Now this might take the form of email filtering solutions, it might be some sort of protection on the device itself for, you know, malware protection if somebody does actually click on something. One of the things I'd like to point out is they don't all have to be expensive, and quite often people will be sold these all-singing, all-dancing solutions when actually you've probably got things that can do part of the job already; it's just they may not be configured appropriately. So, before you invest in new tools, ask the question, whether it's of your IT services provider or your in-house team: what phishing controls do you have at the different layers in the process to actually help protect your organizations?


That rounds up week two of cyber security month. Remember: recognize it, report it, respond to it quickly.