Fighting Phishing: Everything You Can Do to Fight Social Engineering and Phishing



I have created a comprehensive webinar, based on my recent book, “Fighting Phishing: Everything You Can Do to Fight Social Engineering and Phishing”. It contains everything that KnowBe4 and I know to defeat scammers.

The evidence is clear: there is nothing most people and organizations can do that lowers cybersecurity risk more than mitigating social engineering attacks. Social engineering is involved in 70% to 90% of all successful attacks. No other root cause of initial breach comes close (unpatched software and firmware is involved in 33% of attacks, and everything else is in single digits).

For example, Barracuda Networks reported that spear phishing accounted for 66% of all successful compromises. Seventy-nine percent of all successful credential thefts came through phishing. Avast recently stated that 90% of all cyber attacks involve social engineering. Reports may differ over the exact percentage, but they all agree that social engineering is the number one threat.

Every person and organization should create their best possible defense-in-depth plan to fight social engineering. It needs to be a combination of policies, technical defenses and education (see the representative graphic below):

Those policies, technical defenses and education should focus on preventing hackers and malware from compromising the environment, followed by early warning detection if something malicious gets past your preventative controls, and lowest cost, quick recovery if something malicious is detected. This “3x3” controls model should be applied to fighting social engineering attacks.

For more information on the 3x3 controls model, see here.

The rest of this post quickly summarizes the policies, technical controls, education and other tips and tricks you should consider to mitigate the threat of social engineering.

Policies

Policies are the official organizational rules or procedures everyone should follow in a particular situation. Although they are educational in nature, they also direct the tools and processes that support them. Here are the policies every organization should have to mitigate social engineering:

Acceptable Use Policy

Every organization should have an Acceptable Use Policy (AUP) that covers the allowed and supported procedures and actions. Every employee and contractor with access to the corporate environment and confidential data must review and sign this AUP when hired, and then annually thereafter. It is a broad-ranging policy covering physical, technical and human practices that support the organization’s IT security policy. As examples, related policies might include:

  • Lock your desktop screen when not in direct control of your device
  • Do not use the same password at work as you do anywhere else
  • Do not give out your password to anyone requesting it, including anyone claiming to be from IT or through email
  • Do not leave corporate equipment or confidential documents unmonitored anywhere, including on your desktop or in a locked vehicle

IT Security Policy

This document includes all required IT security controls and processes the company follows to best ensure IT cybersecurity. The IT Security Policy may contain policy statements, but it can also specify the software and tools that must be used and the processes and approvals that are required. The IT Security Policy should be reviewed and signed whenever a new employee or contractor is hired, and any updates should be reviewed and approved when they occur.

Anti-Social Engineering Policies

Since social engineering is involved in most hacker and malware attacks, every organization should have specific policies and education that define, address and mitigate social engineering attacks. Every employee and contractor should be made aware of how seriously the organization takes social engineering attacks and be educated to recognize, mitigate and report them. This should be covered early on, before employees or contractors have access to the IT environment or confidential data.

Consequences

Consequences for not following policies or failing real or simulated phishing tests should be written down and communicated to employees. Oftentimes, consequences are tied to HR policy and employee annual reviews. Consequences for failing simulated phishing tests in a given period of time should also be defined. For example:

  • First simulated phishing failure = more security awareness training
  • Second simulated phishing failure = more security awareness training, longer
  • Third simulated phishing failure = more training, plus meeting with supervisor to suggest corrective action
  • Fourth simulated phishing failure = more training, plus meeting with training supervisor to come up with mediation plan, recording on employee’s official record
  • Fifth simulated phishing failure = more training, locked down computer devices, recording on employee's official record
  • Sixth and subsequent simulated phishing failures = more training, meeting between employee, supervisor and HR to determine next appropriate action

To be clear, KnowBe4 believes the best results for improving employee performance and decreasing cybersecurity risk come from positive reinforcement whenever possible, with negative consequences used only as a last resort.

Technical Controls

Technical controls are the IT software, firmware and hardware used to prevent malicious hackers and malware from reaching an end user in the first place. Technical controls include:

  • Malware Detection and Mitigation
    • Antivirus
    • Endpoint Detection & Response
  • Intrusion Detection
  • Virtual Private Networks (VPNs)
  • Firewalls
  • Email and Browser Protections (e.g., content filtering, dangerous file blocking, not automatically loading active content, etc.)
  • Content Filtering (including anti-spam and anti-phishing)
  • Phishing-Resistant Multi-factor Authentication (MFA)
  • Password Managers (they prevent phishing for passwords)
  • Email File Attachment/URL “Sandboxing” products
  • URL Blocklists/Reputation Services
  • Global Phishing Protection Standards
    • Sender Policy Framework (SPF)
    • Domain Keys Identified Mail (DKIM)
    • Domain-based Message Authentication, Reporting and Conformance (DMARC)
  • Separate systems for work and for email/Internet use

Anything you can do to prevent end users from being exposed to social engineering attacks can only help to reduce your security risk.

Education

You need to educate your co-workers on how to recognize, mitigate and report potential social engineering attacks. You should give longer and broader anti-social engineering training (perhaps 30-60 minutes’ worth) when someone is hired, and annually thereafter, and then shorter instances (e.g., 2-5 minutes) each month, along with monthly to weekly simulated phishing tests. If someone fails a simulated phishing test, they should be given more training. KnowBe4 customers who follow this approach significantly reduce the percentage of employees who will click on a real or simulated phishing test (what we call the “Phish-prone™ Percentage”). See the representative graphic below.

You need to educate as if you were a marketer pushing television advertising, which is to say your security awareness training should be frequent, redundant and entertaining. It should be a combination of media types and channels. Perhaps use videos, posters, games and quizzes. When using video content, vary the type of videos you use. One size does not fit all. Different people learn differently. By varying the content and content type, you will communicate more effectively across a broad range of people.

You can find a white paper on creating a security awareness training program here.

Other Tips and Tricks

Some other tips and tricks you can try:

  • Create a “champions” program where people who perform well in detecting phishing and simulated phishing tests and want to help others can be designated as “champions” and be used to promote security awareness training in person
  • Hold an annual security awareness training conference (perhaps in October for Cybersecurity Awareness Month), with food, education and prizes
  • Mix up simulated phishing tests and randomize who gets what test when
  • Give prizes or parties for people who do really well at spotting real or simulated phishing
  • Have the CEO communicate about the importance of everyone becoming a human firewall

This was a very quick recap of the policies, technical controls, education and other tips and tricks you should consider to mitigate the threat of social engineering. If you want more details or to watch a webinar on everything you can do to mitigate phishing, click here:

Register by June 12th @ 2:00 PM ET!


PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/fight-social-engineering-and-phishing?partnerref=blog

And you can download a free eBook covering these topics in more detail here: https://info.knowbe4.com/comprehensive-anti-phishing-guide.