Stu Sjouwerman is the founder and CEO of KnowBe4 Inc., a security awareness training and simulated phishing platform.
IBM just released its 2023 threat intelligence report, and the results aren’t surprising. As a form of social engineering, phishing continues to be the number one method attackers use to gain access to a victim’s environment. No matter how bleeding edge your technical defenses are, you’re always going to have some amount of social engineering bypass those controls. When this happens, the state of an entire organization’s security posture will hang by a single user decision—whether to delete the phish and report it or allow it to enter through the front door.
We are not saying that organizations should underestimate the effectiveness of technical controls. Technical controls help a great deal, but they are only one part of the trifecta that forms a superior anti-phishing defense: technical controls, user awareness training, and policies and procedures. While regular security training helps employees develop the muscle memory to recognize and report cyberattacks, security policies and procedures lay down the core foundation of security governance, i.e., the ground rules and the code of conduct every employee, partner and vendor must abide by.
Why You Need An Anti-Phishing Policy
Most organizations have an acceptable use policy (AUP) that employees and contractors sign when they join. An AUP is a holistic security policy that educates users and third parties on what is permitted and not permitted when it comes to the organization’s IT devices, networks, services and data, including personal responsibilities.
That said, AUPs usually offer limited guidance and wording around social engineering and phishing, which is typically the biggest security risk organizations face. Security teams must ensure the AUP covers general phishing topics and links to a more detailed document on social engineering—in other words, your anti-phishing policy. An anti-phishing policy should include detailed examples of the latest phishing and social engineering trends, what they look like and how stakeholders should recognize and treat suspicious activities. Key items that should comprise an anti-phishing policy include:
1. Special Definitions
Define terms and topics like social engineering, phishing, vishing, ransomware, business email compromise (BEC), CEO fraud, etc., with industry examples. Do not assume that all employees have an equal level of security awareness, competence and maturity.
2. Financial And Reputational Risks To The Business
Once you have these terms defined, try to outline the business risks that are associated with these definitions and the serious fallout from a successful cyberattack, which may include business disruption, financial harm, breach of contracts, government fines and penalties, loss of intellectual property, extortion via ransomware scams, attacks against employee privacy and customer data, litigation costs, loss of reputation, loss of customer confidence and more.
3. How Phishing Works
Educate stakeholders that phishing and social engineering wear various disguises. While email is the most common delivery mechanism, phishing can also arrive via social media, texting, phone calls and in person. Someone can claim they are from a company like Microsoft or a government entity such as the IRS or law enforcement. Someone can claim to be a coworker, even the CEO, creating a believable scenario to win trust.
4. The Red Flags Of Social Engineering
Train employees to be vigilant and recognize common signs of social engineering. Red flags include weird email addresses or domain names, strange, unusual or unexpected emails, attachments with odd file types, and suspicious-looking hyperlinks. Explain how no self-respecting IT help desk would ever call requesting your user credentials.
5. What To Do When A Phish Is Detected
Provide clear guidelines on what employees should do when they identify a suspicious file, URL, attachment or email. Instruct them not to open the email, click the URL or download the attachment; instead, they should forward it to and report it to the security team. If users receive a request involving banking details or a financial transaction from a higher authority via email or SMS, ask them to validate the authenticity of the request with the sender (via an alternate channel such as a phone call) instead of blindly executing the instruction.
6. Mandatory Training And Testing
Inform employees that the organization will be conducting mandatory security training. Each employee should receive phishing tests at least once a month to gauge susceptibility to phishing attempts. Explain the consequences of repeatedly failing these tests; this might include receiving more rigorous training and personal coaching. Phishing results might be considered in annual reviews or require other HR actions.
7. Anti-Phishing Best Practices
List general phishing guidelines and best practices that every employee must follow. For example:
• Hover over the URL before you click
• Avoid responding thoughtlessly to unknown senders
• Do not install unauthorized software and do not share credentials with anyone
• Use long, complex passwords and a password manager
• Use social media responsibly
• Deploy multi-factor authentication
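The red flags listed under section 4 (weird email addresses or domain names, odd attachment types, suspicious hyperlinks) and the "hover over the URL before you click" rule above can also be applied mechanically to mail that employees report to the security team. The following Python script is an added example, not code from the article or from KnowBe4; the risky-extension list, the look-alike domain heuristic and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".hta", ".scr", ".lnk", ".iso")  # assumed "odd file types"
ANCHOR = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
def _squash(domain):  # "corp-example.support" -> "corpexamplesupport"
    return re.sub(r"[^a-z0-9]", "", domain.lower())

def phishing_red_flags(raw_email, org_domain):
    """Return the red flags found in one raw RFC 5322 message (empty list means none)."""
    msg = message_from_string(raw_email)
    flags = []
    display_name, sender = parseaddr(msg.get("From", ""))
    from_domain = sender.rpartition("@")[2].lower()
    # Weird domain name: not ours, but reads like ours once dots and dashes are stripped.
    if from_domain != org_domain and _squash(org_domain) in _squash(from_domain):
        flags.append(f"look-alike sender domain {from_domain}")
    # Weird email address: the display name shows an address on a different domain.
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if claimed and claimed.group(1).lower() != from_domain:
        flags.append(f"display name claims {claimed.group(1)} but sender is {from_domain}")
    for part in msg.walk():
        if (part.get_filename() or "").lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment type: {part.get_filename()}")
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(errors="replace")
            for href, text in ANCHOR.findall(html):
                text = re.sub(r"<[^>]+>", "", text).strip()
                # The "hover before you click" check: visible URL vs. real destination.
                if re.match(r"(https?://|www\.)", text) and _host(text) != _host(href):
                    flags.append(f"link text shows {_host(text)} but points to {_host(href)}")
    return flags

# Constructed sample message (not a real phish) that trips every check above.
SAMPLE_EMAIL = """\
From: "IT Help Desk helpdesk@corp.example" <alerts@corp-example.support>
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<a href="http://login.corp-example.support/reset">https://sso.corp.example/reset</a>
--b1
Content-Disposition: attachment; filename="Reset_Tool.exe"

--b1--
"""
```

Running `phishing_red_flags(SAMPLE_EMAIL, "corp.example")` reports all four red flags, while a message from the real domain whose link text and destination agree returns an empty list.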
Conclusion
The end goal of promoting an anti-phishing policy is not just to raise awareness or mitigate social engineering attacks but to establish a resilient culture of cybersecurity—a culture where employees feel responsible and accountable for following security best practices and, through their own actions, build an additional layer of defense as human firewalls. This can provide an early warning and detection system, helping the organization defend itself against some of the most advanced forms of cyber threats.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.