By Emily Wang
We can see how modifying habits can help to combat phishing attacks from the part 1 of this trilogy: “From awareness to habits”. However, it is unrealistic to expect no-one to click on a malicious link by only changing people’s email behaviour. In fact, some argue that a “Zero Click” goal is harmful (Spitzner, 2017). It doesn’t matter how much training is provided; people will make mistakes.
This is evident from many of our phishing simulation reports, where a few people would ignore the education page after they fell for a simulated phishing email. They realised their mistake as soon as they clicked on the link and would immediately close whatever popped up as a reflex act. This doesn’t in itself show that awareness training is futile; like many other defensive tools, awareness training should be used to reduce risk even though it is not possible to completely eradicate it.
The three pillars
Let us not forget about the three pillars of cybersecurity, namely people, process and technology. Using them together is like building a 3-legged stool. If any of the legs are too short, it will cause an imbalance.
Google recently announced that none of their 85,000+ employees have been phished since early 2017 (Krebs, 2018). What is their secret? Google requires all staff to use security keys to log in. This security key is an inexpensive USB-based device that adds to the two-factor authentication. That is, the user logs in with something they know (their password) and something they have (their security key). This is called “2-factor authentication”. It is a perfect example for aiding a person with technology and process measures, or as the security experts like to call it – defence in depth.
A multi-layered approach
The guidance splits the mitigations into four layers:
- Layer 1: Make it difficult for attackers to reach your users
- Layer 2: Help users identify and report suspected phishing emails
- Layer 3: Protect your organisation from the effects of undetected phishing emails
- Layer 4: Respond quickly to incidents
Take layer 1 as an example, here is how we can defend ourselves from all three angles:
Many controls can be placed into your organisation at different layers. To holistically implement counter-measurements, we need to consider your organisation’s constraint and what is suitable for your employees. At Datacom, we look at how to help customers reduce risks from all six areas. Importantly though:
Don’t wait until it’s too late and don’t rely on just one defence mechanism.
Krebs, B. (2018). Google: Security Keys Neutralized Employee Phishing. Retrieved from https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/
National Cyber Security Centre. (2018). Phishing attacks: defending your organisation. Retrieved from https://www.ncsc.gov.uk/phishing
Spitzner, L. (2017). Why a Phishing Click Rate of 0% is Bad | SANS Security Awareness. Retrieved November 18, 2018, from https://www.sans.org/security-awareness-training/blog/why-phishing-click-rate-0-bad