No cybersecurity techniques can prevent phishing or other types of cyber attacks if the end user doesn’t know best how to spot and prevent phishing attacks. That’s why training is essential to any cyber security program. Anti-phishing best practices require a combination of technical controls, employee education and incident response.
Technical Controls to Protect End Users
Malicious emails will undoubtedly wind up in some users’ email inboxes. The fewer received, the less likely your users will be to fall victim. Use Zero Trust strategy to protect end users from credential theft and malware. Here are four best practices to use:
- Email content filtering. Installing an email content filtering system is the first step against spam and other malicious emails. By using a combination of methods to identify malicious emails, these filters block, quarantine or conversely, allow emails based on policy. They also protect against malicious URLs by rewriting, stripping links or working with web filtering tools to scan websites before allowing users to connect.
There are established vendors who offer on-premises and cloud-based email content filtering. There are also cloud-native API-enabled email security (CAPES) vendors who work with cloud email providers such as Microsoft to provide an extra layer of protection.
- Email authentication. Email authentication uses DMARC (domain-based authentication, reporting and conformance) so the security team can detect when incoming emails are using false “from” addresses. However DMARC only works when sender policy framework and DomainKeys Identified Mail are used. Trying to implement authentication so that legitimate email traffic isn’t affected can be a challenge for most internal teams. There are however vendors that can help.
- Provide security awareness training to all. No anti-phishing solutions will succeed without security awareness and training solutions mandated to staff. E-learning modules, assessments, workshops, promotionally themed content, user data segmentations and phishing simulation platforms are also necessary. They help users recognize phishing attempts and alert the security team so they can alert the rest of the organization instead of being solely the CISO’s responsibility. Vendors can help arrange these.
- Leverage threat intelligence. Anti-phishing and email security vendors collect data from phishing attempts, open source intelligence or other private feeds to inform users of types of impersonation attempts, new attack types, as well as the sender and domain reputation, and geolocation information about where possible attacks are originating from, and to flag emails from high-risk areas.
Train Your Staff to Recognize Phishing Attempts
As we said, malicious actors will undoubtedly attempt to infiltrate your data with sophisticated phishing. Some of those emails will inevitably pass through your technical controls and end up in users’ inboxes, making your users the last line of defense. Train them how to stand guard by following three best practices to keep your organization protected:
- Create e-learning modules. Your work staff needs to be trained to recognize phishing emails and how to handle them after they’re spotted. Create e-learning modules for security awareness and training solutions. These modules will not only teach users to report the email to the IT team so it can be identified as risky but also share the information with the rest of the workforce as an attack attempt. Deleting the email is simply not enough, Warnings to the rest of the workforce that similar attacks could be coming their way is essential. It’s also essential to update filtering technologies to stop future attacks. Keep in mind that this training should not be just a yearly procedure but ongoing and based on real-world attacks.
- Report phishing attempts. As stated above, deleting a phishing email is not enough. There should be a procedure set up to teach all employees the protocol to follow whenever the emails reach their inbox. Reporting the emails not only allows the security team to protect the organization, but also helps them learn which attack types are coming through, the language used and other details that can be used to update security awareness and training content. The information is also used to update detection technologies.
- Test and measure performance. Testing how well employees have retained their security awareness training by using simulated phishing emails gives the security team results that can be collected, tracked and reported back to them. The security team can then use those results to make improvements in their security awareness and training programs or to target riskier endpoint users with supplemental training as well as track the effectiveness of the program.
Plan for Technical and Human Failure
Even though you’ve made your employees aware and taken every technical precaution possible, someone will be successfully phished. It’s a given, especially with the sophistication these days of well-crafted malicious emails. It could happen by someone clicking on a malicious URL, opening a malware-infected file or going to a website that asks for their credentials. Despite technical controls to limit the impact of these actions, your team must also be ready to respond quickly to clean up the mess. Here are three best practices to limit the impact of a successful phishing attack:
- Use browser isolation technology (BIT). BIT technology isolates web sessions into a protected sandbox to make malicious sites harmless and prevent the delivery of malware to endpoints or the gathering of sensitive information from employees who click on phishing links.
- Enable multi factor authentication (MFA). Many phishing attempts try to gain the credentials of the user so the attacker can create another attack. Using MFA makes it much harder to capture those credentials. Google reported that it completely stopped credential-theft once it implanted hard tokens for MFA.
- Create, practice an incident response playbook. When all else fails, the quality of your incident response will make the difference between a disaster or a bad problem. The playbook will direct the actions of what happens after a successful phish. That playbook should be regularly practiced. Your managed service provider (MSP) can help with this if you don’t have an internal incident response team.
Craft a Layered Defense Strategy to Prevent Phishing Attacks
Technical controls alone won’t protect endpoint users. A combination of prioritized technical controls, endpoint user education and incident response offer the best protection.
- Customize the modules. Be aware that some users loathe security awareness and training solutions because they are boring or impersonal. Users need to be engaged with their anti-phishing educational content. If possible, use vendors that offer customizable learning platforms and learning modules that your own security team can edit to include examples which are relevant to your organization and relatable to your team.
- Invest in authentication capabilities. Phishing emails often appear to be from a legitimate sender using your own domain. DMARC protects against email spoofing, but it is complex. Your MSP should be able to help with this or choose a vendor who can so you’re not only reporting emails but also rejecting some based on authentication.
- Use a phishing takedown service. There are phishing takedown services that step in after a user has clicked on a malicious link. These services limit or block access to the website to which the phishing email directs users. These services can also hunt down malicious domains and work with hosting providers to remove them so users are never directed there in the first place.
- Take the shame out of your security policies. Shaming a user for being victimized by phishing attacks that would fool even the most senior security practitioners is simply not helpful. It often sometimes makes them more resistant to security policies and less likely to report phishing attempts or complete their training. Empathy is best. Frame security policies and security education in a positive light. That will shape security as a helpful business enabler rather than an exclusive, bitter group.
- Make it personal for your personnel. Phishing attacks are often thought to be singular, limited solely to the inbox of the recipient. They’re not. Cybercriminals often target that recipient’s personal email as well emails from corporate systems or networks, thereby introducing risks into your environment.
The risks of home online safety should be incorporated into training materials so users can share the knowledge with their family as well. Security education should be encouraged to protect users outside of the office and off your network.
Need help implementing best practices to prevent phishing attacks or do you have other cybersecurity or IT support needs for your business? Contact us or book a meeting for a no-obligation consultation.