How organizations can fight phishing and social engineering



The cyber threat landscape is so vast and complex that it often leaves security teams feeling overwhelmed, uncertain as to where to apply limited resources. This is why a data-driven defense strategy is needed – understanding and identifying the most common ways organizations are being attacked or compromised; ranking those methods in order of their risk profile and likelihood, then finally deploying mitigations to reduce those risks.

It is no secret that 68 percent of breaches stem from social engineering. Organizations struggle to block it because it works by manipulating human behavior, which no single technical control governs directly. Since that behavior cannot simply be switched off, organizations must adopt a defense-in-depth philosophy: a layered approach consisting of the following elements.

1. Phishing policies and documentation

Policies and documentation are one of the core pillars of user education. The goal is to state clearly and without ambiguity what is expected of users with respect to cybersecurity. For instance, every business should have an acceptable use policy (AUP) that every employee signs and re-acknowledges annually; the same applies to vendor partners and suppliers. The AUP should specify recommended security practices such as using strong passwords, keeping systems updated, avoiding unauthorized software and being careful about what is shared on social media, and it must dedicate a section to phishing and social engineering risks (e.g., ransomware, business email compromise (BEC) scams, deepfakes).

2. Technological defenses

Preventing a scam from reaching the end user is always better than having the user confront the scam. Technological defenses are weakest against advanced, highly targeted phishing, but they still remove most of the volume. Secure web gateways can block access to known risky websites. Phishing-resistant multi-factor authentication (for example FIDO2/WebAuthn security keys or passkeys, whose credentials are bound to the legitimate site's origin) stops attackers from using credentials even after those credentials have been phished. Endpoint detection and response (EDR) tools can detect lateral movement and other malicious activity on endpoints. Advanced anti-phishing solutions use machine learning to detect both mass phishing campaigns and targeted spear-phishing. Sandboxing tools detonate suspicious attachments and URLs in an isolated environment before they reach the end user. To stop scammers from sending mail that appears to come from a trusted brand domain, every organization should publish the three email authentication standards: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC). Two caveats apply: DMARC only blocks spoofed mail once the policy is set to enforce (p=quarantine or p=reject; p=none merely reports), and these standards protect only the domains you control, so a registered lookalike of your brand domain is untouched by them.
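As an added worked example (code written for this page, not part of the original article or any KnowBe4 product), the following Python evaluates SPF and DMARC for an inbound message the way a receiving mail server does, using a small table of constructed DNS records in place of live DNS. Every domain, address and record in SAMPLE_DNS is hypothetical; org_domain approximates the organizational domain with the last two labels instead of the Public Suffix List, and the SPF evaluator supports only the ip4, ip6, include and all mechanisms. It shows concretely why a p=none policy and a lookalike domain both leave a spoof undetected.

```python
import ipaddress

# Constructed, hypothetical DNS TXT records standing in for live DNS lookups
# (example.com and the .example TLD are reserved for documentation).
SAMPLE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
    "weak.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none; pct=50",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(ip, domain, dns):
    """Evaluate `domain`'s SPF record for the connecting IP (RFC 7208 subset: ip4,
    ip6, include and all; a/mx/ptr/exists/redirect= need live DNS and are skipped)."""
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name in ("ip4", "ip6"):
            try:  # an IPv4 address never matches an IPv6 network, and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
        elif name == "include":
            matched = spf_check(ip, arg, dns) == "pass"
        elif name == "all":
            matched = True
        else:
            continue
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched: the RFC 7208 default


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_weaknesses(tags):
    """List settings in a parsed DMARC record that leave spoofing unblocked."""
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is reported but still delivered")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so spoofing attempts go unseen")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    return findings


def org_domain(domain):
    """Organizational domain, approximated as the last two labels; real receivers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns):
    """Apply DMARC to a message whose From: domain is `from_domain`. spf_domain is the
    envelope MAIL FROM domain, dkim_domain the d= of a DKIM signature (None if unsigned).
    Returns "pass", "no-record", or the requested disposition: none/quarantine/reject."""
    tags = parse_dmarc(dns.get("_dmarc." + from_domain.lower(), ""))
    if tags.get("v", "").upper() != "DMARC1":
        return "no-record"  # a lookalike domain lands here: DMARC cannot help

    def aligned(domain, mode):
        if not domain:
            return False
        if mode.lower() == "s":  # strict: exact match with the From: domain
            return domain.lower() == from_domain.lower()
        return org_domain(domain) == org_domain(from_domain)  # relaxed
    spf_ok = spf_result == "pass" and aligned(spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none").lower()


def classify_message(from_domain, client_ip, mail_from_domain,
                     dkim_result="none", dkim_domain=None, dns=SAMPLE_DNS):
    """Return (SPF result, DMARC outcome) for one inbound message."""
    spf = spf_check(client_ip, mail_from_domain, dns)
    return spf, dmarc_evaluate(from_domain, spf, mail_from_domain, dkim_result, dkim_domain, dns)
```

Running classify_message("example.com", "203.0.113.5", "example.com") for a direct spoof of the enforcing domain returns ("fail", "reject"); the same spoof of weak.example returns ("softfail", "none"), and mail from the lookalike examp1e.com returns ("none", "no-record"). Only the first is blocked by the standards; the second is let through by a policy choice that dmarc_weaknesses flags (p=none, pct=50, no rua), and the third is out of scope for SPF/DKIM/DMARC entirely, which is the gap the other layers on this page have to cover.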

3. User awareness training

There is ample evidence that regular training sharpens employees' security instincts, promotes healthy security behavior and reduces their susceptibility to phishing. Organizations can train people when they are hired; send newsletters and training videos as regular reminders; and gamify the subject with a "spot the phish" contest, offering perks such as free parking or movie tickets to encourage participation. Monthly phishing simulation exercises are also a must, and users who fail them repeatedly should receive one-on-one coaching. Tailor training to the time of year and to current events: around Christmas, warn people about holiday-themed lures; around tax season, alert them to tax-related schemes and fraudulent IRS phone calls. Run different training for different groups and roles. For instance, train the finance team specifically on BEC scams, and instruct them to verify any payment request through a known channel before transferring funds and never to buy gift cards on the strength of an email.

4. Simplified processes and communication

Cybersecurity does not come naturally to everyone. Employees vary in security competency, enthusiasm and maturity, and security competes with their existing work demands. Simplify cybersecurity policies and tools so that processes empower employees rather than slow them down. Give users a good password manager so they do not have to create or remember complex passwords. Provide a phish alert button, for example as a browser extension, so that reporting a suspected phishing message and getting it quarantined takes a single click. Write cybersecurity policies and protocols in language everyone can understand, not just security staff. Make training simple, personalized, intuitive and engaging: experiment with different tools and formats instead of subjecting employees to "death by PowerPoint," and run bite-sized sessions that are easier to attend and complete.

Fighting social engineering is a continuous process: adapting controls, protocols and awareness policies; educating employees about new AI-powered threats such as deepfakes; and investing in the training and tools needed to pass better judgment on suspicious communications. Organizations that follow these practices will not only reduce successful phishing and social engineering attacks but also build a stronger last line of defense.

A 25-year veteran information security professional with experience in the medical, aerospace, manufacturing and defense fields, Erich Kron is Security Awareness Advocate for KnowBe4. An author and regular contributor to cybersecurity industry publications, he was a security manager for the U.S. Army's 2nd Regional Cyber Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP and many other certifications. Erich has worked with information security

This article was originally published by KnowBe4, and has been reprinted here with permission.
