A human firewall could be the best defense against phishing attacks


Phishing is an international menace for enterprises, and one fundamental line of defense could be the very target of attacks – your people and the information they control. With the proper education and awareness, your employees can be a “human firewall” of sorts, serving as the first line of defense against phishing scams.

By many accounts, phishing is the most common gateway for cybercriminals to gain access to enterprise environments. The Online Trust Alliance reports that phishing attacks are behind more than 90 percent of data breaches.

Attackers are very sophisticated and know that employees are often the weakest link because of their lack of knowledge about phishing. To minimize risk and defend against malicious intruders, organizations must continually educate their employees on how to recognize and avoid phishing scams.

What are users falling for?

Security teams need to be keenly aware of what kind of phishing to look for. For one, organizations should compile and maintain a library of well-known e-mail subject lines used by attackers and common successful phishing approaches. This information should then be used to help educate employees as well as maintain automated protection mechanisms.

In the 2018 edition of its “State of the Phish Report”, Wombat Security provides excellent insights into what kind of phishing e-mails tend to be clicked on by unknowing end-users in simulations. The study found that the more personal an e-mail seems, the more likely it will garner a response. Overall, Wombat reports a 9 percent average click rate of phishing e-mail in its simulated attacks.

The most common successful attacks, according to Wombat, are e-mails that pretend to be things like online shopping security updates, a corporate voicemail and, ironically, updates on corporate e-mail improvements. Other simulated attacks that generated remarkably high click rates include ones that masquerade as a database password reset alert and another claiming to be an updated building evacuation plan.
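The paragraphs above recommend keeping a library of known lure subject lines and feeding it both to awareness training and to automated protection. The following is an added example, not code from the article or from DXC, of what the automated side of that library can look like: a small keyword library keyed by the lure themes the article names (voicemail, password reset, shopping security update, e-mail improvement, evacuation plan), a normalizer that strips reply/forward prefixes so trivial variants still hit, and a triage pass over a constructed batch of subject lines. The category names, patterns and sample subjects are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical lure library. Each category lists regexes that must ALL match
# a normalized subject line. The categories mirror the lure themes the
# article reports as successful; the patterns are constructed for this
# example and are not drawn from any real attacker corpus.
LURE_LIBRARY: Dict[str, List[str]] = {
    "corporate_voicemail": [r"\bvoice\s*mail\b"],
    "password_reset": [r"\bpassword\b", r"\b(reset|expir)"],
    "shopping_security_update": [r"\b(order|shipping|account)\b", r"\bsecurity\b"],
    "email_improvement": [r"\b(e-?mail|mailbox)\b", r"\b(upgrade|improve|quota)"],
    "building_evacuation": [r"\bevacuation\b"],
}

_COMPILED = {
    category: [re.compile(p, re.IGNORECASE) for p in patterns]
    for category, patterns in LURE_LIBRARY.items()
}

# Leading "RE:" / "FW:" / "FWD:" chains are dropped before matching so that a
# lure dressed up as an existing thread lands on the same library entry.
_PREFIX_RE = re.compile(r"^(?:\s*(?:re|fw|fwd)\s*:\s*)+", re.IGNORECASE)


def normalize_subject(subject: str) -> str:
    """Lower-case the subject, strip reply/forward prefixes, collapse whitespace."""
    stripped = _PREFIX_RE.sub("", subject)
    return re.sub(r"\s+", " ", stripped).strip().lower()


def match_lures(subject: str) -> List[str]:
    """Return every library category whose patterns all match the subject."""
    norm = normalize_subject(subject)
    return [
        category
        for category, patterns in _COMPILED.items()
        if all(p.search(norm) for p in patterns)
    ]


@dataclass
class TriageResult:
    flagged: Dict[str, List[str]] = field(default_factory=dict)  # category -> subjects
    clean: List[str] = field(default_factory=list)


def triage(subjects: List[str]) -> TriageResult:
    """Bucket a batch of subject lines by matched lure category."""
    result = TriageResult()
    for subject in subjects:
        categories = match_lures(subject)
        if not categories:
            result.clean.append(subject)
            continue
        for category in categories:
            result.flagged.setdefault(category, []).append(subject)
    return result


def lure_counts(result: TriageResult) -> Dict[str, int]:
    """Per-category hit counts, the figure a security team would track over time."""
    return {category: len(subjects) for category, subjects in result.flagged.items()}


# Constructed sample batch: five subjects modelled on the article's lure
# themes plus one ordinary business message that should stay clean.
SAMPLE_SUBJECTS = [
    "RE: New voicemail message waiting for you",
    "Action required: your database password will expire today",
    "Security update for your recent order",
    "Your mailbox quota has been exceeded - upgrade now",
    "Updated building evacuation plan for all staff",
    "Q3 budget review meeting moved to Thursday",
]

if __name__ == "__main__":
    outcome = triage(SAMPLE_SUBJECTS)
    for category, subjects in outcome.flagged.items():
        for s in subjects:
            print(f"[{category}] {s}")
    print(f"clean: {len(outcome.clean)}  hits: {lure_counts(outcome)}")
```

A library like this is a triage and awareness aid rather than a blocking control: broad terms such as "account" or "security" will also appear in legitimate mail, so hits are better used to prioritize review, to pick realistic themes for the next simulation round, and to show employees concrete examples of what the current lures look like.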

It is essential for enterprises to educate their employees on how to spot common phishing attacks like these. Organizations would do well to take a human firewall approach that uses a combination of simulations, alerts, knowledge assessments, and employee training to strengthen resistance against future attacks. Here’s a four-step approach that focuses on the main security areas:

  • Diagnostics: Security experts routinely simulate phishing attacks at agreed-upon intervals to continually assess employee performance.
  • Training: Employees who are successfully phished during simulated attacks are immediately directed to a short, highly effective training module where they learn how to avoid future phishing attempts.
  • Reporting: Upon completion of each assessment, the security team generates performance reports that detail employees’ individual simulation and training progress and results.
  • Improvement: Teams compile and analyze data regularly to inform 12-month plans for strengthening defenses and protecting against phishing attacks.

This approach to phishing education is significantly more effective than traditional training because it follows a right-moment, in-context process. The moment immediately after a compromise, simulated or real, is also the best time to change behavior.

The benefits of deploying simulated attacks and right-moment training are numerous. Most notably, this approach has been proven to reduce the number of phishing incidents. Successfully deploying a human firewall minimizes the cost of responding to security breaches and helps prevent damage to your brand and reputation.

Phishing attacks are responsible for a massive number of losses in enterprises every year, but they don’t have to be. By assessing your defense posture, knowing what attacks work, then educating your employees with right-moment training, you can realize measurable changes in behaviors that will help stymie future phishing attacks.

Christophe Menant is DXC Technology’s Global Strategy Lead for Security Risk Management.

Marcus Beyer is advisory lead for Resilient Workforce in North and Central Europe at DXC Technology. He has supported companies in internal and external communication with a focus on tailor-made enterprise information security awareness campaigns.

