Our cyber defenses are becoming stronger and stronger every year. Even the smallest companies can now deploy advanced anti-malware and intrusion detection tools that were, until recently, only within the reach of larger enterprises. Today, sandboxed behavior detection and machine-learning/artificial-intelligence-powered security services make it easy for organizations of any size to crack down on even the most sophisticated malware.
Users are still the weakest link
But as our network perimeter and endpoint security increases, attackers are pivoting to go after our weakest link, the users. Phishing, an extremely popular and effective social engineering attack, continues to threaten organizations of all types and sizes. In fact, according to the 2019 Verizon Data Breach Investigations Report, a third of cyber-attacks across all industries involved phishing.
These attacks can come in many different forms, from convincing an employee into opening a malicious attachment, to tricking them into visiting a bogus Microsoft Office 365 login page and willingly giving up their credentials, to simple extortion. In WatchGuard Threat Lab’s Q4 2018 Internet Security Report, we analyzed a rampant sextortion campaign that tried to trick victims into paying to keep their internet browsing habits away from their friends and families.
Phishing is popular because it’s effective. Thanks to social media, attackers can craft incredibly convincing spear phishing emails, tailored to individual departments or even specific employees. I’ve seen instances where a cybercriminal used stolen credentials to send a direct deposit change request to a victim’s HR department, from that victim’s own email account.
Thankfully, all organizations can take steps to reduce the risk of falling victim to a phishing attack. Here are several best practices that will help you keep your business, data and employees safe.
1. Train your employees
First, phishing awareness training for every employee should be a top priority. This training has become commoditized in recent years. There are dozens of managed service providers and phishing-training-in-a-box companies that organizations can partner with to provide training materials and testing without needing to develop them from scratch.
Phishing awareness training is designed to teach your employees how to treat emails with suspicion, enabling them to spot the telltale signs of a phish and report it to IT staff.
2. Get a baseline
One important step that’s often overlooked is getting a phishing baseline from an anti-phishing company like Cofense. This shows how likely employees are to click a malicious link (the average click rate is 27%, which isn’t great) and lets IT departments see how effective their phishing awareness training is and measure how employees are improving over time.
Also, I’ve found it more useful to lead your employees with the carrot, not the stick, during phishing training. This ensures that employees aren’t afraid to come to IT in the event that they think they messed up and fell for a phish.
3. Don’t forget texting
Phishing awareness training should include the latest phishing delivery method: text messages. While text message phishing tends to go after users’ bank accounts, there is nothing to stop an attacker with knowledge of a company’s organizational structure from pretending to be the CFO in an “urgent” text to a finance employee.
The 2019 Verizon Data Breach Investigations Report points out a few reasons why text message phishing has the potential to be even more effective than emails. First, users tend to be distracted with other tasks like walking or talking while interacting with their mobile phones. This may cause them to miss indicators that the message is not legitimate.
Additionally, mobile apps are more streamlined than their desktop counterparts, which includes removing or hiding elements that might verify the validity of a link, like SSL certificates. Many phishing training companies now include text-based phishing awareness services too, which help teach users how to spot these more difficult-to-find red flags.
4. Implement anti-phishing technical controls
Unfortunately, phishing awareness training isn’t perfect. With proper training, click rates across an organization can get down to the single-digits, but will probably never reach 0%. Because of this, all organizations still need technical protections to pick up the slack when a user accidentally falls for that convincing phish.
Important tools and services for this are those that “neuter” phishing links with DNS firewalling. Some of these tools can even re-direct users to additional phishing training when they unknowingly click on a malicious link. Real-time training like this is a great way to educate users who might need more help without having to confront them after the fact. And while malicious attachments are less popular these days, organizations should still ensure they have a tool capable of analyzing emails and stripping out potentially malicious content.
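As an added illustration (not code from this article or from any WatchGuard product), the following Python sketch shows the two behaviors described above in one place: matching a link’s domain against a blocklist the way a DNS firewall matches a response policy zone, and rewriting the blocked link so the user lands on a training page instead of the phishing site. The blocklist entries, the email body and the training-page URL are constructed assumptions.

```python
import re
from urllib.parse import urlparse, quote

# Constructed blocklist standing in for a DNS firewall's threat feed (made-up domains, not real indicators).
BLOCKED_DOMAINS = {"office365-login-verify.example", "secure-payroll-update.example"}

# Hypothetical internal landing page that explains the phish to the user (assumed, not from the article).
TRAINING_PAGE = "https://phish-training.corp.example/caught"

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def domain_is_blocked(hostname, blocklist=BLOCKED_DOMAINS):
    """True if the hostname or any parent domain is on the blocklist.

    Walking up the label chain mirrors how DNS firewalls block a whole
    zone: listing the registered domain also catches its subdomains.
    """
    if not hostname:
        return False
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def neuter_links(body, blocklist=BLOCKED_DOMAINS):
    """Replace links to blocked domains with a redirect to the training page.

    Returns (rewritten_body, list_of_blocked_urls) so the gateway can both
    deliver a defanged message and log which links were neutered.
    """
    blocked = []

    def _rewrite(match):
        url = match.group(0)
        if domain_is_blocked(urlparse(url).hostname, blocklist):
            blocked.append(url)
            # The original URL is percent-encoded so it cannot be clicked as-is.
            return f"{TRAINING_PAGE}?blocked={quote(url, safe='')}"
        return url

    return URL_RE.sub(_rewrite, body), blocked


if __name__ == "__main__":
    # Constructed sample phishing email body with one bad link and one legitimate one.
    sample = ("Your Office 365 password expires today. Sign in at\n"
              "https://mail.office365-login-verify.example/login?u=jdoe to keep access.\n"
              "Company policy: https://intranet.corp.example/policies\n")
    new_body, hits = neuter_links(sample)
    print(new_body)
    print("neutered:", hits)
```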
Nothing can make an organization completely immune to cyber threats. But with a layered defense, including both technical cybersecurity tools and user training, users will have the best chance against modern threats like phishing.