Unfortunately, Awareness Alone Won’t Do It: Successful Phishing Defense Requires A Layered Approach
October is National Cybersecurity Awareness Month, the time of year security pros remind individuals about the importance of cybersecurity strategy and educate them in hopes they won’t become a victim.
Despite being one of the oldest tricks in the book, phishing remains one of the primary methods attackers use to target end users and infiltrate enterprises. Security and risk programs, however, don’t always give phishing prevention the priority it deserves. Phishing attacks still work in 2019 because attackers study their targets and keep adopting new techniques to slip past email content security filters.
Once a malicious email lands in front of an employee, even your most security-conscious staff can be tricked by clever social engineering. Phishers use psychological tricks to get users to take actions they would not usually take, preying on an employee’s desire to be helpful or their instinct to do what an authority figure tells them to do.
Training alone can’t protect you from phishing. Phishing prevention requires a layered approach that combines technical controls and user education. Each layer in this strategy acts as a safety net in case the layer on top of it fails. These layers are:
- Implementing technical controls to protect end users. Reduce the likelihood of malicious emails ending up in your users’ inboxes by making email security solutions your first line of defense. These technologies include email content filtering, email authentication (the SPF, DKIM, and DMARC standards), and threat intelligence.
- Educating your workforce to recognize phishing attempts. Educating your users is your last line of defense for messages that slip through the technical controls. To keep your employees sharp at detecting phishing attempts, implement ongoing training, provide an easy mechanism for reporting suspected phishing, and test and measure performance. Be careful not to shame users who fall victim to these attacks: shaming makes users less likely to report phishing attempts and less likely to complete their training.
- Planning for technical and human failure. Despite your best technical and educational efforts, your users will be successfully phished. If all else fails, you need to be ready to respond to incidents to limit the impact of a successful phishing attack. Technologies such as browser isolation and multifactor authentication can help limit impact. Having an incident response plan ready ahead of time helps the quality and speed of your recovery.
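To make the first layer concrete, here is an added example (not code from the report or from any product it describes) that runs two of the technical controls named above over constructed messages: it reads the SPF/DKIM verdicts an inbound mail gateway records in the RFC 8601 Authentication-Results header and checks whether they align with the visible From: domain, then applies a content filter that flags look-alike sender domains. The protected-domain list, the confusable-character table, the sample headers, and the verdict thresholds are all assumptions made for the illustration. The look-alike case is the interesting one: the attacker’s domain passes SPF and DKIM perfectly, because they own it, so only the second layer catches it, which is exactly why the layers are stacked.

```python
"""Two layers of email-side phishing defense over constructed sample mail:
   1. email authentication: check that the gateway's SPF/DKIM results are
      'pass' AND aligned with the From: domain (relaxed DMARC alignment);
   2. content filtering: flag From: domains that impersonate ours.
Protected domains, confusables and sample messages are made up."""
import email
import re
from email import policy
from email.utils import parseaddr

# Domains this organisation wants protected from impersonation (assumption).
PROTECTED_DOMAINS = {"example.com", "payroll-example.com"}

# Hand-picked ASCII look-alike swaps (assumption: not a full confusables list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def parse_auth_results(header):
    """Parse an RFC 8601 Authentication-Results value into
    {method: {"result": ..., "<property>": "<value>", ...}}."""
    header = re.sub(r"\([^)]*\)", "", header)          # drop comments like (2048-bit key)
    parts = [p.strip() for p in header.split(";") if p.strip()]
    results = {}
    for part in parts[1:]:                            # parts[0] is the authserv-id
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        entry = {"result": result.lower()}
        for tok in tokens[1:]:                        # e.g. header.d=example.com
            key, _, value = tok.partition("=")
            entry[key.lower()] = value.lower()
        results[method.lower()] = entry
    return results


def aligned(candidate, from_domain):
    """Relaxed alignment: identical domain, or a subdomain of the From: domain."""
    return bool(candidate) and (candidate == from_domain or candidate.endswith("." + from_domain))


def normalise(domain):
    """Collapse common look-alike character sequences to their targets."""
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats (example.co)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the protected domain that `domain` impersonates, or None."""
    if domain in PROTECTED_DOMAINS:
        return None
    for prot in PROTECTED_DOMAINS:
        if domain.startswith(prot + "."):             # example.com.login-check.net
            return prot
        if normalise(domain) == normalise(prot):      # examp1e.com, exarnple.com
            return prot
        if levenshtein(domain, prot) <= 1:            # example.co, examplee.com
            return prot
    return None


def assess(raw_message):
    """Run both layers; return (verdict, [reasons]). Verdicts: deliver/flag/quarantine."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    ar = parse_auth_results(str(msg.get("Authentication-Results", "")))
    findings = []

    # Layer 1: authentication. smtp.mailfrom may be a full mailbox or a bare domain.
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", "").rpartition("@")[2], from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_domain)
    if not (spf_ok or dkim_ok):
        if from_domain in PROTECTED_DOMAINS:          # someone spoofing our own domain
            findings.append(("quarantine", f"unauthenticated mail claiming to be from {from_domain}"))
        else:                                         # external and unauthenticated: warn the user
            findings.append(("flag", f"no aligned SPF or DKIM pass for {from_domain}"))

    # Layer 2: content filter. Authentication passes for a domain the attacker owns.
    impersonated = lookalike_of(from_domain)
    if impersonated:
        findings.append(("quarantine", f"sender domain {from_domain} looks like {impersonated}"))

    severity = {"deliver": 0, "flag": 1, "quarantine": 2}
    verdict = max((v for v, _ in findings), key=severity.get, default="deliver")
    return verdict, [reason for _, reason in findings]


# Constructed sample messages (not real mail).
LEGITIMATE = (
    "From: HR <hr@example.com>\nTo: staff@example.com\nSubject: Benefits enrolment\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce.example.com; "
    "dkim=pass (2048-bit key) header.d=example.com; dmarc=pass header.from=example.com\n"
    "\nPlease complete enrolment by Friday.\n"
)
LOOKALIKE = (
    "From: HR <hr@examp1e.com>\nTo: staff@example.com\nSubject: Urgent: update your payroll details\n"
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=hr@examp1e.com; "
    "dkim=pass header.d=examp1e.com\n\nClick here before 5pm today.\n"
)
SPOOFED = (
    "From: CEO <ceo@example.com>\nTo: finance@example.com\nSubject: Wire transfer\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=ceo@example.com; dkim=none\n"
    "\nI need this done quietly and quickly.\n"
)

if __name__ == "__main__":
    for name, sample in [("legitimate", LEGITIMATE), ("lookalike", LOOKALIKE), ("spoofed", SPOOFED)]:
        print(name, assess(sample))
```

Note that the gateway, not this script, performs the actual SPF lookup and DKIM signature verification; the script only trusts the Authentication-Results header written by your own mail server, so in production you would first strip any such header arriving from outside, as RFC 8601 requires.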
To learn more about our multilayered phishing defense, please read our recently published report, “Best Practices: Phishing Prevention.”