Phishing attempts are only growing more sophisticated by the day, and effective cybersecurity means defending all the vectors of attack, particularly the human ones, as they’re the most vulnerable. KnowBe4’s Perry Carpenter talks about establishing a defense-in-depth strategy and how it starts with your culture.
Phishing has been around for decades, but it continues to be one of the most dangerous tools in a fraudster’s arsenal. It’s used to exploit what is often considered an organization’s most vulnerable entry point — its people. And because it works, we are seeing phishing attacks growing in both volume and severity. While traditional phishing attacks targeted victims indiscriminately, modern attacks are increasingly targeting specific individuals or groups.
Phishing attacks are not only a top vector for initial access, they are equally common in post-exploitation activities — the stuff attackers do once inside, such as stealing credentials or installing a remote-access Trojan. Today’s phishers don’t just phish via email, they phish via social media, phone, Whatsapp, SMS and Zoom, and they even leverage tools like ChatGPT to draft convincing phishing messages free from grammatical errors and spelling mistakes. What’s worse, phishers are advancing their social engineering capabilities at a time when organizations are still developing their hybrid work policies.
Perhaps once distinct teams within organizations, security and compliance functions today go hand-in-hand — or at least they should, writes Sumo Logic CSO George Gerchow. Data breaches continue to wreak havoc on today’s enterprise, with rising stakes of both cost and reputation.Read more
What is defense-in-depth & why do you need it?
As technological defenses mature, there’s a high probability that threat actors will increase their attacks on employees. The reason is simple — it’s much easier to exploit human weaknesses (like impatience, burnout, biases, etc.) rather than break into, bypass or evade complex cybersecurity systems. To defend against or prevent sophisticated attacks that are aimed at hijacking human behavior, organizations need more than just technological controls — they need a defense-in-depth, anti-phishing strategy.
A defense-in-depth strategy is a multi-layered approach to security derived from how a medieval castle approaches security. In the same way that armies built layers of defenses in and around their castles, organizations must build layers of defense to better protect employees from getting phished. This includes three main elements:
Fostering a culture of security
Despite having robust cybersecurity infrastructure at their disposal, even some of the most security-savvy organizations are compromised by cyberattacks, because a majority of attacks exploit human-related causes.
Organizations require employees to be front-line defenders against social engineering and phishing attacks that can evade technological controls. This can be achieved by promoting a culture of skepticism while using the internet and consistently educating employees on the latest threats and tactics. This includes conducting regular training exercises, tailored coaching based on job roles and security maturity, and simulated phishing exercises to build recognition skills. By incorporating cybersecurity into the core culture of the business, employees can effectively defend against these types of threats.
Clear and well-documented policies and procedures
It’s critical that organizations provide clear and well-documented instructions to employees so they understand their accountability toward security. Policies and procedures include an acceptable use policy (AUP), an anti-phishing policy and an incident response plan. An AUP must be reviewed and signed by each individual annually and should highlight the importance of security training.
Employees must be made aware that they will be subject to routine testing and phishing simulation exercises. If they do not participate or continue to fail these tests, then personalized counseling/coaching should be offered. The anti-phishing policy should cover do’s and don’ts and include security best practices, including the basics of complex usernames and passwords, as well as more advanced methods like validating the authenticity of wire transfer requests.
Organizations should have a detailed, well-practiced incident response plan to help respond and recover from cybersecurity incidents quickly and to build resilience over time. An IR plan must detail steps on what one should do in case of an incident, whom to contact (security teams, crisis management teams, cyber insurance providers, etc.), which teams to include (legal, HR, marketing, etc.), as well as guidance on whether to pay a ransom in case of ransomware attack.
Tools and technological controls
While policies provide the core foundation for phishing prevention, cutting-edge security systems serve as an important tool to combat security threats at scale. This includes technologies like next-generation firewalls, endpoint detection and response (EDR) and intrusion prevention systems that help block malware, web content filtering to prevent employees from carelessly browsing the internet and AI-based anti-spam technologies that can identify unusual requests and patterns and detect advanced forms of phishing.
Phishing attacks don’t follow a specific pattern. Attackers employ a range of tools and evolve their scamming techniques continuously to avoid detection. Phishing attacks can be blocked effectively if there is active telemetry between users and technology. This is why a multi-layered strategy, comprising a healthy dose of cybersecurity culture as well as advanced technological controls is crucial to building phishing resilience.