Corporate Compliance Insights

Building a Defense-in-Depth Culture to Combat Phishing

Fraudsters are exploiting your company’s biggest weakness — you

by Perry Carpenter
March 22, 2023
in Cybersecurity

Phishing attempts are only growing more sophisticated by the day, and effective cybersecurity means defending all the vectors of attack, particularly the human ones, as they’re the most vulnerable. KnowBe4’s Perry Carpenter talks about establishing a defense-in-depth strategy and how it starts with your culture.

Phishing has been around for decades, but it continues to be one of the most dangerous tools in a fraudster’s arsenal. It’s used to exploit what is often considered an organization’s most vulnerable entry point — its people. And because it works, we are seeing phishing attacks growing in both volume and severity. While traditional phishing attacks targeted victims indiscriminately, modern attacks are increasingly targeting specific individuals or groups.

Phishing is not only a top vector for initial access; it is also used once attackers are inside, for example to harvest further credentials or to get a remote-access Trojan installed on another host. Today's phishers don't just phish via email; they phish via social media, phone, WhatsApp, SMS and Zoom, and they even use tools like ChatGPT to draft convincing messages free of the grammatical errors and spelling mistakes that employees were once taught to look for. What's worse, phishers are advancing their social-engineering capabilities at a time when many organizations are still settling their hybrid-work policies.

What is defense-in-depth & why do you need it?

As technological defenses mature, there's a high probability that threat actors will increase their attacks on employees. The reason is simple: it's much easier to exploit human weaknesses (impatience, burnout, cognitive biases and so on) than to break into, bypass or evade complex cybersecurity systems. To prevent sophisticated attacks aimed at hijacking human behavior, organizations need more than technological controls; they need a defense-in-depth anti-phishing strategy.

A defense-in-depth strategy is a multi-layered approach to security modeled on the way a medieval castle was defended. Just as armies built successive layers of defenses in and around their castles, so that breaching one layer did not mean taking the whole castle, organizations must build layers of defense so that a single phished employee does not hand the attacker the whole organization. This includes three main elements:

Fostering a culture of security

Even organizations with robust cybersecurity infrastructure and security-savvy staff are compromised by cyberattacks, because a majority of attacks exploit human causes rather than purely technical weaknesses.

Organizations need employees to be front-line defenders against the social engineering and phishing attacks that evade technological controls. This can be achieved by promoting a culture of healthy skepticism toward unexpected requests and by consistently educating employees on the latest threats and tactics. That includes regular training exercises, coaching tailored to job role and security maturity, and simulated phishing exercises that build recognition and reporting habits. By making cybersecurity part of the core culture of the business, employees can effectively defend against these types of threats.

Clear and well-documented policies and procedures

It’s critical that organizations provide clear and well-documented instructions to employees so they understand their accountability toward security. Policies and procedures include an acceptable use policy (AUP), an anti-phishing policy and an incident response plan. An AUP must be reviewed and signed by each individual annually and should highlight the importance of security training.

Employees must be made aware that they will be subject to routine testing and phishing simulation exercises. If they do not participate or repeatedly fail these tests, personalized counseling or coaching should be offered. The anti-phishing policy should cover do's and don'ts and include security best practices, from the basics of strong, unique passwords to more advanced measures such as verifying wire transfer requests through a second, independent channel before acting on them.

Organizations should have a detailed, well-practiced incident response plan so they can respond to and recover from cybersecurity incidents quickly and build resilience over time. An IR plan must spell out what to do when an incident is suspected, whom to contact (the security team, crisis management team, cyber insurance provider, etc.), which functions to involve (legal, HR, communications, etc.), and the organization's position on whether to pay a ransom in the event of a ransomware attack, decided in advance rather than under pressure.

Tools and technological controls

While policies provide the foundation for phishing prevention, technical controls are what combat threats at scale. These include next-generation firewalls, endpoint detection and response (EDR) and intrusion prevention systems that block or contain malware; web content filtering that keeps employees off malicious or risky sites; and AI-based anti-spam and anti-phishing technologies that flag unusual requests and patterns and catch advanced phishing that simple rule-based filters miss.

Phishing attacks don't follow a single pattern; attackers vary their tooling and continuously evolve their techniques to avoid detection. Phishing is blocked most effectively when user reports and technical controls feed each other, so that a message one employee flags becomes a signal the technology can act on for everyone else. This is why a multi-layered strategy, combining a healthy cybersecurity culture with advanced technological controls, is crucial to building phishing resilience.
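As an added example that is not part of the original article and not code from KnowBe4 or any product it sells, the stdlib-only Python script below shows in miniature what "telemetry between users and technology" can mean in practice. It takes a message a user has reported, scores it on signals a mail gateway also sees (the receiving server's SPF/DKIM/DMARC verdicts in the Authentication-Results header, a Reply-To domain that differs from the sender's, homoglyph or typosquat lookalikes of the company's own domains in the sender address and in links, a display name that borrows the brand while sending from an external domain, and urgency wording), and emits the domains that could be pushed to the mail gateway or web filter as block indicators. The protected domains, the sample message, the homoglyph table and the scoring threshold are constructed assumptions for this example, not data from the article.

```python
"""Triage a user-reported phishing email into a verdict and block indicators.

Added example, not code from the original article or from KnowBe4. A message a
user reports is scored on header and content signals, and the indicators it
yields could be pushed to a mail gateway or web filter. The protected domains,
sample message, homoglyph table and threshold are constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

PROTECTED_DOMAINS = {"example.com", "example-bank.com"}  # assumed corporate domains
URGENCY_TERMS = ("urgent", "immediately", "wire transfer", "gift card", "password expires")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold_homoglyphs(domain: str) -> str:
    """Undo common visual substitutions (rn->m, 0->o, 1->l, vv->w) before comparing."""
    return domain.replace("rn", "m").replace("0", "o").replace("1", "l").replace("vv", "w")

def is_lookalike(domain: str) -> bool:
    """True if the base domain imitates a protected domain without being one."""
    base = ".".join(domain.lower().split(".")[-2:])  # crude; real code uses the public suffix list
    if base in PROTECTED_DOMAINS:
        return False
    folded = fold_homoglyphs(base)
    return any(folded == p or levenshtein(folded, p) <= 2 for p in PROTECTED_DOMAINS)

def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts from the receiving MTA's Authentication-Results header (RFC 8601)."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "").lower()))

def text_parts(msg) -> str:
    """Concatenate the text/plain parts of a single-part or multipart message."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(out)

def triage(raw_message: str) -> dict:
    """Score a raw RFC 5322 message; return reasons, a verdict and indicators to block."""
    msg = message_from_string(raw_message)
    reasons, indicators = [], set()
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    for mech, verdict in auth_results(msg).items():
        if verdict != "pass":  # fail, none, softfail, temperror, ...
            reasons.append(f"{mech}={verdict}")
    if is_lookalike(from_domain):
        reasons.append(f"sender domain {from_domain} imitates a protected domain")
        indicators.add(from_domain)
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain")
        indicators.add(reply_domain)
    brands = {p.split(".")[0] for p in PROTECTED_DOMAINS}
    if from_domain not in PROTECTED_DOMAINS and any(b in from_name.lower() for b in brands):
        reasons.append("display name uses a protected brand from an external domain")
    text = (msg.get("Subject", "") + "\n" + text_parts(msg)).lower()
    for url in re.findall(r"""https?://[^\s<>"']+""", text):
        host = urlparse(url).hostname or ""
        if host and is_lookalike(host):
            reasons.append(f"link to lookalike host {host}")
            indicators.add(host)
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    verdict = "phish" if len(reasons) >= 3 else "review" if reasons else "clean"
    return {"verdict": verdict, "score": len(reasons), "reasons": reasons,
            "block_indicators": sorted(indicators)}

# Constructed sample: a message a user reported, as the mail gateway delivered it.
REPORTED = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=exarnple.com; dkim=none; dmarc=fail
From: "Example Bank Payments" <ap@exarnple.com>
Reply-To: clerk@mail-relay-7.test
To: controller@example.com
Subject: URGENT: wire transfer before 3pm
Content-Type: text/plain; charset="utf-8"

Please process this wire transfer immediately. Confirm the account at
https://login.exarnple.com/verify
"""

if __name__ == "__main__":
    print(triage(REPORTED))
```

The scoring is deliberately simple so that the loop stays visible: one employee's report produces indicators, the indicators become a gateway or web-filter rule, and the next recipient never sees the message. The limits are equally visible. A two-label "registrable domain" heuristic is no substitute for the public suffix list, the homoglyph table is a fragment of the real problem, and an attacker who registers a fresh domain and configures SPF, DKIM and DMARC correctly will pass the header checks entirely. That is exactly why the article treats trained, skeptical users as a layer in their own right rather than as a fallback for the technology.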


Tags: Cyber Risk, Cybercrime
Perry Carpenter

Perry Carpenter is co-author of the recently published, “The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer,” his second Wiley book publication on the subject. He is chief evangelist and security officer for KnowBe4.
© 2022 Corporate Compliance Insights