News & Commentary on ISO Management System Standards

    Preventing Phishing Attacks: Free ISO 27001 Training Video

    Phishing Infographic


    Recommended as part of ISO 27001 Training or Day 1 of a broader

    Induction Training for new recruits

    A cyberattack can destroy a business. Whether that involves Denial-of-Service, deletion of files, ransomware, or other types of cyberattacks, the most frequent event they all have in common is human failure. And currently, the most common human failure is becoming a victim of a Phishing e-Mail, which has been attributed to >90% of successful information security breaches.

    The most likely target organizations may surprise you, namely smaller organizations likely to be suppliers to major organizations, where the smaller organization is perceived as an easier route to successfully attacking the major one.

    From the moment anyone has access to a company PC, Laptop or another device capable of receiving and sending email, you are vulnerable to Phishing. And phishing emails are not always easy to spot

    Action is needed by you.  And so, this short video presentation, which is free, is recommended as part of Day-1 Induction Training for new Recruits and as a refresher course.

    Why is Information Security Training Necessary?

    From published research, we know that the human factor is the 'weak link' in cybersecurity. Yet, despite this knowledge, the situation is not improving.  This is confirmed by our own experience in on-site auditing. 

    People working for companies seeking ISO 27001 Certification are simply not vigilant when it comes to their part in maintaining the organization's information security.  And no more so than their lack of awareness of the dangers of spear phishing and their helplessness in the face of clone phishing.

    The fact that snippets of sensitive information from various sources within an organization can be spliced together to facilitate a crushing cyber attack simply does not register. 


    Costliest Phishing Attacks in Recent History

    Phishing Victim Industry Year Estimated Losses Mode of Attack
    Sony Pictures Entertainment 2014 $100 million Spear Phishing
    Facebook and Google Technology 2013-2015 $100 million (combined) CEO Fraud
    Crelan Bank Banking 2016 $75.8 million CEO Fraud
    FACC AG Aerospace 2016 $47 million CEO Fraud
    Ubiquiti Networks Technology 2015 $46.7 million CEO Fraud
    Leoni AG Energy and Data Management 2016 $44.7 million CEO Fraud
    Xoom Money Transfer 2014 $30.8 million CEO Fraud
    Pathé Entertainment 2018 $21 million approximate CEO Fraud
    Tecnimont SpA Engineering, Technology, Energy 2019 $18.45 million CEO Fraud
    The Scoular Company Farming 2015 $17 million CEO Fraud


    Data retrieved March 04, 2022

    Common Problems with Information Security Training

    In most instances of security breaches we have come across, there are training records to inform us that cybersecurity training has taken place but there are 2 repeated problems. 

    Firstly, the training is rarely given as part of induction training, when recruits are most likely to inadvertently compromise information security arrangements, and, secondly, the adequacy of the awareness training is rarely evaluated (such evaluation itself acting to reinforce awareness). 

    To begin to address the problem we have produced a short 9-minute video presentation called 'The dangers of Phishing'.  You can view it for yourself by clicking on the button below. 

    Add this to your ISO 27001 Training Videos or General Information Security Training Videos- it's free.

    If you like the video, feel free to use it as part of your Induction Training. Just add a link to it in one of your own Induction Training presentations.   

    Free Download of the Video

    Afterwards, we would recommend that for Cyber Security Awareness, you evaluate the effectiveness of the training given.

    The periodic circulation of a test phishing email, with subsequent review of outcomes with all concerned, is especially effective in engendering continuous vigilance. 

    Also, we suggest including short interviews of all staff as part of your Internal Audit Programme for your Information Security Management System.

    Interested in ISO 27001, the Information Security Management System Standard?

    If so, we got a selection of auditor and implementer training courses that might be relevant to you. See the overview of our ISO 27001 Courses to learn more. 


    Choose from eight ISO 27001 Courses


    If you have any questions, you may want to refer to our ISO 27001 course overview page where you can see some of our answers to frequently asked questions or contact us.  We're always delighted to help.

    Note: Originally published in January 2020, this post has now been updated.

    Related Courses

    Related Articles


    Note: First published in Dec 2020; revised and updated in Apr 2022.

    deGRANDSON Global is an ISO Certified Educational Organization

    ISO Compound Logo-2-1In October 2021 we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of  …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.


    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
    Find me on:

    Subscribe to Email Updates

    Recent Posts