How companies can combat phishing and social engineering

1. Phishing policies and documentation

Policies and documentation are one of the fundamental pillars of user training. The idea is to communicate clearly and transparently, without ambiguity, what is expected of users in terms of cybersecurity. For example, every company should have an Acceptable Use Policy (AUP) that every employee signs and accepts (annually). The same goes for channel partners and suppliers. The AUP must specify recommended security approaches, such as using strong passwords, regularly updating systems, avoiding using unauthorized software, being cautious when posting on social media, etc., and must include a section on phishing and social engineering risks (e.g. ransomware, BEC scams, deepfakes, etc.).

2. Technological defences

It is always better to prevent a scam from reaching the end user than to confront the user with the scam. Although technological defenses are not particularly helpful in detecting advanced and targeted phishing attacks, tools such as secure web gateways can prevent users from accessing risky websites. Phishing-resistant multi-factor authentication can prevent hackers from penetrating the victim's environment even if credentials are compromised. Endpoint detection and response tools can detect lateral movement and malicious activity on endpoints. Advanced anti-phishing solutions can leverage AI to detect mass phishing attacks as well as targeted spear phishing attacks. Advanced tools such as a sandboxing client can detonate suspicious attachments or URLs in a secure environment before they reach the end user. To prevent fraudsters from pretending to be from a trusted brand domain, every organization should enable these three global phishing protection standards: Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication Reporting and Conformance (DMARC).

3. User awareness training

There is enough evidence to show that regular training improves employee security awareness, encourages healthy security behaviors, and reduces employee vulnerability to phishing attacks. Companies can train employees upon hiring, send them regular newsletters and training videos as reminders, or gamify it by organizing a “spot the phishing contest.” You can offer perks like free parking or movie tickets to encourage participation. Conducting monthly phishing simulation exercises is also a must—if users repeatedly fail these tests, they should receive more interpersonal coaching. Offer different levels of training depending on the season or event. For example, warn people about dubious, holiday-themed phishing lures around Christmas; alert users to possible tax-related schemes and IRS calls around tax season. Conduct different types of training for different groups or roles. For example, train the finance team specifically on BEC fraud and instruct them to verify sources first before transferring funds and to avoid purchasing unauthorized gift cards.

4. Simplified processes and communication

Cybersecurity doesn't come naturally to everyone. Employees have different levels of skill, enthusiasm, and maturity when it comes to security. In addition, security can compete with existing job requirements. Try to simplify cybersecurity policies and tools so processes don't slow them down but give them more freedom to act. Provide users with a good password manager so they don't have to remember or create complex passwords. Provide a phishing alert button as a browser extension so phishing attacks can be conveniently reported and quarantined. Design cybersecurity policies and protocols in a language that everyone understands, not just security people. Make training simpler, more personal, intuitive, and engaging. Experiment with different tools and formats instead of subjecting employees to “death by PowerPoint.” Conduct short training sessions that are easier to attend and complete.

Combating social engineering is an ongoing process that requires adjusting controls, protocols, and policies to raise user awareness; educating employees on new AI-powered cyber threats; investing in training and tools needed to better assess suspicious communications. By following these best practices, organizations will not only reduce phishing and social engineering attacks, but also build a stronger last line of defense.

Erich Kron is a seasoned information security professional with experience in the medical, aerospace, manufacturing and defense industries for 25 years and Security Awareness Advocate for KnowBe4. He is an author and regular contributor to cybersecurity industry publications. He was the Security Manager for the U.S. Army's 2nd Regional Cyber ​​Center-Western Hemisphere and holds CISSP, CISSP-ISSAP, SACP and many other certifications. Erich has worked with information security

This article was originally published by KnowBe4 and reprinted here with permission.