Post by account_disabled on Sept 16, 2023 10:28:03 GMT
Most companies whose anti-phishing strategies fail do not have a holistic defense-in-depth strategy. “You can focus on a specific technology, like email phishing prevention, multi-factor authentication, data encryption, and endpoint/mobile security, and not look at other technologies that mitigate risk along the cyber kill chain, like detecting compromised IDs,” Hani said.
If you rely only on anti-phishing programs without implementing a holistic defense-in-depth strategy, even one successful attack can compromise the entire environment.
Brian Willett, CISO at printer manufacturer Lexmark, said the practice of relying solely on email-based defense approaches or user training is also problematic. “This is because it is easy for users to make mistakes, and even one mistake can result in a successful attack,” he warned.
Willett emphasized that the best way to defend against phishing attacks is a layered defense approach. This includes establishing a robust vulnerability management program, ensuring an appropriate Endpoint Detection and Response (EDR) system is deployed on all workstations, requiring multi-factor authentication for all user and administrator accounts, and segmenting the LAN/WAN so that infected systems can be identified and the spread of an infection limited.
“By paying attention to these considerations and implementing multiple defenses, companies can better prevent phishing attacks,” Ouellette said. “We must use a comprehensive, layered defense approach, assuming that attackers will eventually succeed,” he added.
Negligence in employee training
Even with a holistic defense-in-depth strategy in place, it is still very important to educate your employees on how to recognize fraudulent emails, including training them not to click on links or open attachments in emails from unknown senders.
“An authentic voice is the most important factor in recognizing fraudulent emails,” said Jim Russell, CIO at Manhattanville College. “Anyone trying to communicate quickly in email is something of a security gap. But fortunately, most people write in complete sentences. When that is missing, or the message opens with a generic greeting like ‘Hello Lauren?’, the email is not authentic,” he said. Manhattanville College employees were trained to forward suspicious emails to members of Russell's team.
Kevin Cross, CISO at Dell Technologies, also said that a successful anti-phishing strategy starts with training employees on how to identify and report phishing emails. This approach is very different from the common “don’t click” strategy used by many companies.
Cross calls a 0% click-through rate a ridiculous and unrealistic goal. “Instead, training employees how to report suspicious emails will allow security teams to quickly assess potential threats and mitigate the impact on others who are targeted by similar attacks,” he said. “Companies can build tools into their email platforms to make it easy for employees to report suspicious emails.”
But Jacob Ansari, director of the U.S. PCI cybersecurity practice at consulting firm Mazars, said this type of training is not enough. “User behavior is the tip of the iceberg,” Ansari said. Anti-phishing training that targets user behavior has limited effectiveness. He explained that such training is only effective if employees can distinguish phishing schemes from legitimate business activities.
Anti-phishing efforts centered around training quickly fail when employees are expected to engage in the kinds of activities that resemble phishing schemes. “The value of anti-phishing training is diluted when, for example, common activities require a user to click on a link sent by a third-party sender to check background information, or to apply for benefits by entering personal information into a web form hosted elsewhere,” Ansari emphasized.
In addition to user training, Ansari advises companies to minimize the use of links in emails and to reorganize business processes so that third-party interactions with employees follow standards for secure communications, so that common processes don't look like phishing schemes. “All parts of the business – human resources, marketing, finance – need to be involved in a responsible way,” he continued.
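As an added illustration of Cross's point that employee reports let a security team assess a threat quickly and find others targeted by the same attack, here is a small triage script. It is example code written for this page, not Dell's tooling or anything from the original article. The reported message, the key=value mail-gateway log format, and every address, domain, and URL in them are constructed for the example; real gateways log in their own formats, so the log parser is the part you would adapt.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: the message a user forwarded with a "report phishing" button.
# Every domain and address here is a placeholder, not a real indicator.
REPORTED_EML = b"""From: "HR Benefits" <benefits@hr-portal-example.test>
To: lauren@corp.example
Subject: Action required: confirm your benefits enrollment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Hello,</p><p>Please <a href="http://hr-portal-example.test/enroll?id=77">confirm here</a>.</p>
--b1
Content-Type: application/pdf; name="form.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample: one key=value line per delivered message (format assumed
# for this example; adapt parse_log_line to your gateway's real log format).
GATEWAY_LOG = """\
2023-09-15T08:01:02Z from=benefits@hr-portal-example.test to=lauren@corp.example subject="Action required: confirm your benefits enrollment" urls=http://hr-portal-example.test/enroll?id=77
2023-09-15T08:01:05Z from=benefits@hr-portal-example.test to=mike@corp.example subject="Action required: confirm your benefits enrollment" urls=http://hr-portal-example.test/enroll?id=78
2023-09-15T08:03:11Z from=news@vendor.example to=mike@corp.example subject="Weekly update" urls=https://vendor.example/news,https://vendor.example/unsubscribe
2023-09-15T09:10:00Z from=payroll@corp.example to=sara@corp.example subject="Benefits enrollment is open" urls=https://benefits.corp.example/enroll
2023-09-15T09:12:40Z from=alerts@other.test to=dan@corp.example subject="Invoice" urls=https://hr-portal-example.test/pay
"""

HREF_RE = re.compile(r'href=["\']([^"\']+)["\']', re.I)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def extract_indicators(raw_eml: bytes) -> dict:
    """Pull out what an analyst pivots on: sender address and domain,
    the hosts behind every HTML link, and a SHA-256 of each attachment."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec.lower()
    hosts, hashes = set(), {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_type() == "text/html":
            for url in HREF_RE.findall(part.get_content()):
                host = urlparse(url).hostname
                if host:
                    hosts.add(host.lower())
        elif part.get_filename():
            data = part.get_payload(decode=True)  # decodes the base64 transfer encoding
            hashes[part.get_filename()] = hashlib.sha256(data).hexdigest()
    return {
        "sender": sender,
        "sender_domain": sender.rpartition("@")[2],
        "url_hosts": hosts,
        "attachment_sha256": hashes,
    }


def parse_log_line(line: str) -> dict:
    """Parse one key=value gateway line; quoted values may contain spaces."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    urls = fields.get("urls", "")
    fields["urls"] = urls.split(",") if urls else []
    return fields


def find_other_targets(indicators: dict, log_text: str) -> list:
    """Return every recipient whose delivered mail shares the reported sender
    domain or a link host, so they can be warned and the message pulled."""
    hits = set()
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if not f.get("to"):
            continue
        from_domain = f.get("from", "").rpartition("@")[2].lower()
        line_hosts = {
            urlparse(u).hostname.lower() for u in f["urls"] if urlparse(u).hostname
        }
        if from_domain == indicators["sender_domain"] or line_hosts & indicators["url_hosts"]:
            hits.add(f["to"].lower())
    return sorted(hits)


if __name__ == "__main__":
    ind = extract_indicators(REPORTED_EML)
    print("indicators:", ind)
    print("also targeted:", find_other_targets(ind, GATEWAY_LOG))
```

The pivot is deliberately on sender domain and link host rather than on the exact subject or full URL: a campaign typically varies the subject and carries a per-recipient parameter in the link, so an exact match would miss the second and fifth log lines above. The attachment hashes are returned so the same report can be turned into an EDR or mail-store search.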