3 reasons why humans are the strongest defense against phishing attacks
AI and crowd-sourced intelligence can be a game-changer at detecting phishing attacks in real-time.
Phishing, one of the oldest forms of cybercrime, is still rampant. In fact, nearly all cyberattacks begin with a phishing scam. Since phishing thrives on the manipulation of people, cybersecurity experts often label employees as the weakest link. One could ask instead: are people the weakest link, or is technology failing at detecting phishing emails?
The fact is, neither people nor technology are perfect. Here are three compelling reasons why people can be an organization’s strongest defense against phishing attacks:
Reason 1: Humans stand a better chance at detecting non-standardized attacks
Phishing attacks are becoming smarter by the minute. Gone are the days of bulk emails sent out to as many people as possible, hoping for someone to take the bait. Today’s attacks originate from a legitimate mailbox or leverage stolen or compromised credentials, which is why most phishing and BEC (Business Email Compromise) attacks go undetected by security tools. In addition, phishing has expanded beyond the traditional channels (email and the web) to other mediums such as SMS, voice calls and social media manipulation.
Technology helps filter out bulk, low-tech phishing attacks. Machine learning models learn by studying millions of data points of historical data. For example, if we show the model a red ball labelled as an apple often enough, it will learn to categorize red balls as apples. However, detecting new, never-before-seen phishing in the wild doesn’t come naturally to AI unless it has been built to identify specific types of anomalies.
This is why humans stand a better chance at flagging suspicious activity, especially when attackers continually craft new mechanisms or move to new phishing mediums like voice and social media. Some researchers already hold that sufficiently trained users are better at spotting phishing attacks than technology.
Reason 2: Human-powered crowd-sourced phishing defense can be a game-changer
In a recent study by ETH Zurich, researchers measured the reaction time and flagging accuracy of 15,000 participants who were given a “phish alert” button to report suspicious emails. One of the goals of the study was to discover whether employees can do anything to help with phishing detection. One notable finding was that users used the button to report phishing with 68% accuracy.
Another startling statistic was that 10% of the employee base reported phishing emails in under five minutes, while 35% reported them in under half an hour. Therefore, if 100 employees in an organization are targeted with a phishing campaign, 8-25 employees will report phishing activity in under five minutes with high accuracy, while a much larger group will report the suspicious email in under 30 minutes. This proves that crowd-sourced intelligence is not only effective but, if harnessed properly, can be a game-changer at detecting even the most sophisticated phishing attacks in real time.
Reason 3: Humans are hugely complementary to AI
AI is already all around us, especially in cybersecurity. As the technology matures, it will likely take over many processes that are structured, logical, repeatable and systematic. AI will help humans process large volumes of cybersecurity data quickly and even attempt to red-flag targeted emails that look suspicious. Having said that, AI lacks creativity and intuition, and this is where humans factor in. AI also has its limitations: it cannot scan private phones and social media accounts for phishing messages, nor can it grasp an abstract situation. When human intelligence and cybersecurity culture are layered over AI, the result is a much stronger cybersecurity system that is smarter, more effective and more capable of detecting never-before-seen cyber threats.
Enhancing human phishing defenses
While technology has a major role to play in detecting and defending against phishing attacks, employees can also be a major source of threat intelligence for organizations and a powerful last line of defense. Here are some best practices that help:
Develop muscle memory in employees: Regular security awareness training combined with live simulation testing and exercises can help build muscle memory in employees and strengthen the organization’s cybersecurity culture. Teach them to report suspicious activity, and reward, recognize and celebrate those who do. Train them on existing policies and procedures and on the consequences of employee actions for the organization. Use recent and relevant industry examples to explain the evolution of attack vectors.
Empower employees: Provide relevant tools and resources so employees can effectively report suspicious activity. For example, add a simple button to their email client for reporting a suspicious email, or a hotline where users can chat with or contact security teams instantly.
Leverage crowd-sourced intelligence: Aggregate and analyze the phishing activity that employees report. This helps detect new attacks faster and prevents a phishing attack from spreading to other users and inflicting further damage. Take employee feedback seriously and involve employees in the process. Research shows that users are hesitant to report phishing activity because of a lack of transparency in the IT process and a lack of swift responses from the system.
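The following is an added example (not code from the article, from KnowBe4, or from the ETH Zurich study) of what "aggregate and analyze" reported phishing can look like in practice, and of the two reporting metrics Reason 2 cites (fraction of targets reporting within 5 and within 30 minutes). It assumes a "phish alert" button that produces reports as (timestamp, reporter, sender, subject) tuples; the sample reports, the lure's delivery time and the alert threshold are all constructed for the example.

```python
"""Cluster employee phish-alert reports to confirm a campaign early.

Added example (not the article's or any vendor's code). Assumptions: each
report is (timestamp, reporter, sender, subject); a campaign is confirmed once
a threshold of distinct reporters flag the same normalized sender domain and
subject within a time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: one payroll-themed lure delivered at T0, plus one benign
# report that must not be clustered with it.
T0 = datetime(2024, 1, 15, 9, 0)   # assumed delivery time of the lure
REPORTS = [
    (T0 + timedelta(minutes=2),  "alice", "hr@payroll-update.example", "Re: Payroll update required"),
    (T0 + timedelta(minutes=4),  "bob",   "hr@payroll-update.example", "Payroll update required"),
    (T0 + timedelta(minutes=9),  "carol", "HR@payroll-update.example", "FW: Payroll Update Required"),
    (T0 + timedelta(minutes=25), "dave",  "hr@payroll-update.example", "Payroll update required"),
    (T0 + timedelta(minutes=40), "erin",  "news@vendor.example",       "Monthly newsletter"),
]
TARGETED = 20   # assumed number of employees who received the lure

_PREFIX = re.compile(r"^\s*((re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def campaign_key(sender, subject):
    """Normalize so replied/forwarded variants of one lure cluster together."""
    sender_domain = sender.lower().rsplit("@", 1)[-1]
    subject_norm = _PREFIX.sub("", subject).lower().strip()
    return (sender_domain, subject_norm)


def cluster_reports(reports):
    """Group reports by campaign key, each group sorted by report time."""
    clusters = defaultdict(list)
    for ts, reporter, sender, subject in reports:
        clusters[campaign_key(sender, subject)].append((ts, reporter))
    for entries in clusters.values():
        entries.sort()
    return clusters


def detect_campaigns(reports, threshold=3, window=timedelta(minutes=30)):
    """Alert on clusters where `threshold` distinct reporters flag within `window`."""
    alerts = []
    for key, entries in cluster_reports(reports).items():
        seen, distinct = set(), []          # one entry per reporter, in time order
        for ts, reporter in entries:
            if reporter not in seen:
                seen.add(reporter)
                distinct.append((ts, reporter))
        for i in range(len(distinct) - threshold + 1):
            start, end = distinct[i][0], distinct[i + threshold - 1][0]
            if end - start <= window:
                alerts.append({"key": key, "reporters": len(seen),
                               "first_report": distinct[0][0], "confirmed_at": end})
                break                       # one alert per cluster is enough
    return alerts


def latency_fractions(reports, key, delivered_at, targeted):
    """Share of targeted recipients reporting within 5 and 30 minutes of delivery."""
    times = [ts for ts, _, s, subj in reports if campaign_key(s, subj) == key]

    def within(minutes):
        return sum(1 for ts in times if ts - delivered_at <= timedelta(minutes=minutes))

    return within(5) / targeted, within(30) / targeted


def summarize(reports=REPORTS, delivered_at=T0, targeted=TARGETED):
    """Plain-value summary of the sample: how fast the crowd confirmed the lure."""
    alerts = detect_campaigns(reports)
    if not alerts:
        return {"campaigns": 0}
    first = alerts[0]
    within_5, within_30 = latency_fractions(reports, first["key"], delivered_at, targeted)
    return {
        "campaigns": len(alerts),
        "reporters": first["reporters"],
        "confirmed_after_minutes": (first["confirmed_at"] - delivered_at).total_seconds() / 60,
        "within_5": within_5,
        "within_30": within_30,
    }


if __name__ == "__main__":
    print(summarize())
```

On the constructed data the third distinct reporter confirms the campaign nine minutes after delivery, well before the 30-minute window closes, and the two latency fractions are the same kind of numbers the study quotes. In a real deployment the alert would feed a response action such as quarantining the clustered message from all mailboxes; the threshold and window should be tuned against the false-positive rate of your own reporters, since the study's 68% accuracy figure implies that a single report on its own is weak evidence.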
The time has come for your employees to become an important asset in your cybersecurity chain. The sooner your organization recognizes this, the faster the path to a strong cybersecurity culture will be.
Stu Sjouwerman is the founder and CEO of KnowBe4, developer of security awareness training and simulated phishing platforms, with 41,000 customers and more than 25 million users. He was co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, including “Cyberheist: The Biggest Financial Threat Facing American Businesses.” He can be reached at ssjouwerman@knowbe4.com.