KUCHING (Aug 30): Simulated phishing exercises are among the most effective strategies for employee training and raising awareness to protect against cybersecurity threats.
Yap Chee Yuen, founder and technical director of Infosyte, a specialist in information and communication technology (ICT), cloud training and certification, emphasised that these exercises help ensure employees remain vigilant and aware of evolving threats.
He noted that many organisations already incorporate mandatory security training as part of their employee onboarding process.
“Security awareness is crucial, and it’s encouraging to see that many companies are adopting these practices.
“When new employees join, they must undergo a one-day or half-day mandatory security training. During this session, they are instructed on the proper use of company computers, including what is allowed and what is prohibited, establishing a basic level of security awareness.
“I have a client who conducts simulated phishing exercises as part of their security programme. After completing security awareness training, employees are taught how to recognise phishing attempts.
“A week or two later, harmless phishing emails are sent out as a test. If an employee clicks on the bait, their details are logged and sent to HR for retraining. Both initial training and ongoing retraining are essential for maintaining strong security awareness,” he explained.
Yap shared this during the recent Tek Talk programme titled ‘Getting Ready for E-invoice: Comprehensive Cybersecurity Strategies for Businesses’, in response to a question from host Pattrik Ting.
Ting, who is general manager of sales at K Media Marketing, had inquired about the importance of employee training and awareness in maintaining cybersecurity during the e-invoicing transition, and the type of training programmes businesses should implement to ensure their staff are prepared to handle potential threats.
Elaborating, Yap emphasised that security procedures vary by industry.
“Every industry has its own set of security procedures. For instance, the financial services industry (FSI) and retail have different security policies.
“It’s crucial for companies to tailor their training programmes according to their specific industry needs and the roles of their employees,” he said.
Yap also recommended regular internal audits, especially for employees with high-level access to information technology (IT) systems.
Kevin Lim, vice president of Infra365 and a specialist in cybersecurity and cloud services, echoed Yap’s sentiments, stressing the need for ongoing education.
“Cybersecurity is an ever-evolving field, much like real-world scams. A one- or two-day training session isn’t enough; people tend to forget.
“We promote monthly, bimonthly, or quarterly assessments to keep everyone alert. This includes reminders about ransomware, malware, and phishing sites,” he explained.
Lim shared an alarming example of a phishing site that appeared just weeks before the implementation of e-invoicing on Aug 1.
“The phishing site was designed to look like it was from LHDN, and many people fell for it. This incident underscores the need for continuous vigilance,” he warned.
Ting also asked whether cybersecurity training should be limited to IT and administrative staff or extended to all employees, to which Yap and Lim agreed that every employee must be trained.
“Everyone needs to be informed. A chain is only as strong as its weakest link,” added co-host Vijjayandran Manickavasagar, managing director of VYPA Malaysia.
“When employees spot something suspicious, like a phishing attempt, they must report it to their IT security team immediately. This allows the technical experts to investigate and mitigate any potential threats,” said Lim.