With an unprecedented disruption to normal life and a rapid uptick in remote workers, we’re seeing a noticeable increase in phishing threats and attempts as bad actors play off COVID-19 fears. Over 91% of cyberattacks start with a phishing email and phishing accounts for more than 80% of reported security incidents.
Thankfully, preventing the damage and financial loss from phishing isn’t complicated, but it does require a plan. At a basic level, I recommend structuring an enterprise phishing program around four main activities: educate users, test users, implement controls, and create reporting mechanisms.
Educate Users
Within any organization, there exists a broad range of individuals representing varying levels of technological savvy – you can’t assume everyone is aware of what phishing looks like. As a first step, it’s helpful to educate employees about the risk phishing presents and to share the common tactics used by bad actors. Once a basic level of awareness exists, you can further inform the workforce of the plans to prevent phishing and how they can help.
Test Users
Just like in school, after the lesson comes the test. By creating a mock phishing attempt, security professionals can boost employee awareness in a controlled environment while building a baseline metric for what percentage of the organization was successfully phished. Real-time phishing simulations have proven to “double employee awareness retention rates versus traditional cybersecurity training tactics.”
Critics cite employee distrust as a potential con of this practice, but, when done properly, employees are informed of the plan and the purpose of the simulated attempt. The goal isn’t to trick anyone, but rather to strengthen their natural intuition and build the habit of reporting attempts.
Implement Controls
Many preventative and detective technological controls exist to help reduce the number of attempts that even make it in front of an employee. Here are a few worth considering:
Create Reporting Mechanisms
Giving employees the ability to report phishing attempts empowers them to proactively participate in enterprise security programs. There are easy-to-install reporting buttons that interact natively with common email platforms like Outlook and Gmail.
Conclusion
Phishing is the most common form of cybercrime, but enterprises can bolster their defenses by implementing a plan that educates users, tests their awareness with simulated phishing attempts, deploys technological controls, and gives employees an easy, automated mechanism to report phishing attempts.