Employees are our first line of defence against these attacks and we promote secure behaviours to help mitigate this growing risk.
We focus on practical rules that we promote through films, e-learning and sessions delivered by senior managers and our digital security team. One of our rules addresses ‘phishing’, which is the attempt to trick people into revealing sensitive information and can involve installing malicious software to steal information without their knowledge. So we remind staff to ‘think before you click’ and be vigilant for phishing emails, calls and other suspicious requests for information and to report any such attempts to our digital security operations centre.
We conduct ‘ethical phishing’ tests to educate our employees in this area. In these tests, we use the same tactics as a real phishing request to see how our employees react, without compromising our people or information in any way. The number of employees who click on the links in the test emails has fallen by more than 70% since 2012. Over the same period, there has been a significant increase in the number of employees reporting the phishing tests.
The programme is driving real change in awareness, and we remain vigilant as the threat continues to evolve.