While technology can help automate defence against phishing, there is one element that needs continual attention: humans.  Definitely the largest and hardest to manage part of the attack surface, people confound algorithms and frustrate security teams with their unique unpredictability.  This weakness is preyed on by attackers.

Creating the right conditions to help people address phishing is important and security teams should think of it as another countermeasure in a layered defence strategy.

Five tips for employers looking to address the human issue with phishing:

  1. Create a culture of security.
    First, this means ensuring everyone from full-time employees to consultants knows cyber and data security are a priority.  Cyber risk is not something that should be contained to the IT team.  Only by giving people personal ownership will you instil the kind of cyber-aware mindset crucial to making a real difference with phishing.  Ensure this message is given credibility with concise and continual communications from senior management.  The appropriate forum will be specific to each company but, for example, it could be by dedicating a regular ‘all-hands’ meeting to security, laying out the company vision and providing tangible next steps.  It is also important to ensure this is a two-way communication by taking on board employee opinions to increase buy-in and collaboration.
  2. Teach employees to question the content of emails.
    If the first step has been done correctly, instilling a culture of scepticism around email content is the natural outcome.  Reminders at the bottom of emails, or in subject headers, are a practical way of doing this – alongside an iterative employee education strategy.  This will curtail the innate human response to interact with targeted messages, which can be further improved by teaching employees the list of common ‘tells’ for phishing emails, factors such as:
    – Bad grammar and spelling
    – Missing qualifying information, such as ‘unsubscribe’ links and physical addresses
    – Poor design (bad logos / inconsistencies in font sizes / colours etc)
    – Clickbait content, i.e. overblown warnings, too good to be true offers etc
    – Impersonal greetings and mismatching domains
  3. Highlight the downside of sharing too much detail on social media.
    As much as they might like to, security teams cannot completely lock down social media. However, as part of giving people ownership of their own risk, they must be made aware of their responsibility to not overshare work information which can be used by cybercriminals to build targeted phishing attacks.  In reality, this is difficult, as attackers can use everything from favourite sports teams to names of family members to get their quarry to click on links. However, best practice should be communicated and reinforced where possible. This will help effect a mindset shift around being careful with specific details, such as naming suppliers or explicitly calling out senior executives and finance teams online.
  4. Be positive!
    Too often the narrative surrounding cybersecurity is one of fear and risk; this will discourage engagement.  Instead, celebrate employee successes where they occur.  If people or departments proactively take ownership of their risk and implement processes or have real-world ‘wins’, these should be called out.  Maybe think about building a rewards programme.  In addition, the IT/security team should operate an open-door policy with phishing. All too often they are seen as cynical ‘gatekeepers’ – who are hard to approach. In reality, however, it is beneficial in the long run to encourage people to come forward with potentially suspicious emails.
  5. Continually remind and refresh.
    Like software, people need patching.  New phishing techniques emerge and employees need to be abreast of these in order to keep safe. Take for example the glut of recent COVID-19 phishing scams. The best-secured people are those who know what to look out for and are continually reminded of this fact.
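As an added example (not part of the original article), here is a small Python checker that flags the mechanically testable ‘tells’ from tip 2 – a domain in the display name that differs from the real sender domain, link text that names a different host from its target, an impersonal greeting, clickbait wording and missing unsubscribe details. The message, its addresses and domains are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not a real phish); every domain here is made up.
SAMPLE = """\
From: "helpdesk@example-corp.com" <alerts@mail-example-corp.net>
Subject: URGENT: your mailbox will be deleted

Dear user,

Your mailbox quota has been exceeded. Verify now or you will lose all email:
<a href="http://secure-login.example-corp-mail.xyz/verify">https://mail.example-corp.com/verify</a>
"""

CLICKBAIT = re.compile(r"\b(urgent|verify now|immediately|act now|lose all|you have won)\b", re.I)
IMPERSONAL = re.compile(r"^\s*(dear|hello|hi)\s+(user|customer|member|client)\b", re.I | re.M)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)

def host_of(s: str) -> str:
    """Hostname of a URL, or the bare text lower-cased when it is not a URL."""
    return (urlparse(s.strip()).hostname or s.strip()).lower()

def phishing_tells(raw: str) -> dict:
    """Flag each of tip 2's 'tells' that can be checked mechanically."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    display_name, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    # A domain written into the display name that differs from the real sender domain
    shown = re.search(r"@([\w.-]+)", display_name)
    name_mismatch = bool(shown and shown.group(1).lower() != sender_domain)
    # Link text that names one host while the href actually points somewhere else
    link_mismatch = any(host_of(href) != host_of(text) for href, text in ANCHOR.findall(body))
    return {
        "display_name_domain_mismatch": name_mismatch,
        "link_target_mismatch": link_mismatch,
        "impersonal_greeting": bool(IMPERSONAL.search(body)),
        "clickbait_wording": bool(CLICKBAIT.search(msg["Subject"] + "\n" + body)),
        "no_unsubscribe_or_address": "unsubscribe" not in body.lower(),
    }

def tell_count(raw: str) -> int:
    return sum(phishing_tells(raw).values())

if __name__ == "__main__":
    for tell, hit in phishing_tells(SAMPLE).items():
        print(f"{tell:30} {'HIT' if hit else 'ok'}")
    print("tells flagged:", tell_count(SAMPLE))
```

A high count is a prompt for a person to pause and report the message, not a verdict; the grammar and design tells in the list still need a human eye.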

What does this all mean?

Employee awareness is a single, yet very important, part of a wider layered phishing defence strategy.  In the ideal world, users become so ingrained with this training they begin to apply it at home. This has the dual effect of reducing personal risk at the same time as minimising the business threat from attacks that start on personal channels before moving sideways onto corporate networks.

As with any aspect of cybersecurity, a raft of interlocking countermeasures is the best technical protection against threats.  This means ensuring your email solution covers the full spectrum of possible phishing attack vectors – acting as a front-line filter with employee awareness as a secondary layer.  Anti-phishing technologies can prevent the vast majority of messages getting anywhere near employees with features such as AV, originating server analysis, algorithmic insight into content, executive monitoring and in-built threat feeds.

Phishing is a unique cyber threat as the vulnerability being exploited is human.  Whilst there is no panacea, success lies in providing the conditions for people to take ownership of the problem themselves and combining this with strong technological solutions. For more information and case studies on how to do this, visit Defence365.