You’ve seen it in countless movies: someone walks into their apartment, usually in a big city like New York. They secure the chain, turn the doorknob lock, and twist the deadbolt (sometimes two of them). It’s all about layers of security. An intruder could probably snap the chain guard on its own; they might be able to break the doorknob lock too; but more than likely, they won’t get past the deadbolt. The concept is called “Defense-in-Depth,” and the same strategy should be applied to phishing.
Defense-in-Depth is nothing new; the term comes from military strategy and was adopted by information security to describe managing risk with diverse, independent layers of defense, so that if one layer turns out to be inadequate, another will hopefully prevent a full breach. The layers need to fail independently: two controls that are bypassed by the same trick (for example, two email filters that both trust the same spoofable header) are really one layer. Because phishing is a multi-faceted problem, there is no single perfect solution. But by following a solid Defense-in-Depth strategy, phishing incidents can be made much less common and much less damaging when they do occur.
Five Anti-Phishing Strategies For a Solid Defense-in-Depth Strategy
1. Awareness Training
Employee knowledge of phishing tactics varies wildly from one person to the next. To get everyone on the same page, hold awareness training regularly: this keeps phishing top of mind, captures new employees entering the organization, and lets you highlight new forms of phishing as the threat evolves. Awareness training explains the various types of phishing emails, what to look for, and what to do (and whom to tell) if a phish is suspected. Of course, busy employees handling dozens or even hundreds of emails a day won’t always spot the signs or heed the warnings. Awareness is a good starting point, but it is only the beginning; used on its own it still leaves you highly vulnerable.
2. Phishing Simulations
Otherwise known as “phishing your own people,” this tactic involves sending simulated phishing emails containing attachments, embedded links, and requests for personal information to your own employees. The simulations may be made to look like they come from a stranger or from someone the employee knows. If a recipient takes the bait, they are shown a page explaining what happened and offering tips on how to avoid being “phished” in the future. In some organizations, employees who repeatedly fall for simulated attacks are penalized or even terminated. Be careful with that approach: punishing clicks discourages the prompt reporting you actually want, and the more useful metric for a simulation program is how quickly and how often a phish gets reported, not just how many people clicked.
Despite all this, a “human firewall” will still be penetrable. “We can't expect users to remain vigilant all the time…” Kate R of the UK’s National Cyber Security Centre points out. “Being aware of the threat from phishes whilst at your desk is hard enough. But phishing can happen anywhere and anytime, and people respond to emails on their phones and tablets, and outside core hours. Clicks happen.”
3. Multi-Factor Authentication
Multi-factor authentication (MFA) is a Defense-in-Depth strategy within the Defense-in-Depth strategy: if a phish succeeds in capturing a password, the attacker still needs a second, independent factor. The three recognized factor categories are:
- Something You Know. A password or PIN.
- Something You Have. A device the user possesses, such as an authenticator app or hardware token that generates time-based one-time codes from a secret shared with the service, a push-notification prompt, or a hardware security key (FIDO2/WebAuthn).
- Something You Are. A fingerprint, facial recognition, or other biometric.
Not every organization can deploy all three, but every organization should at least require two-factor authentication (2FA), meaning two factors from two different categories (a password plus a security question is still just two things you know). One caveat a practitioner should keep in mind: one-time codes and push prompts stop an attacker who only has the password, but a real-time phishing proxy that relays the victim’s code to the real site within the validity window defeats them. Only factors bound to the site’s origin, such as FIDO2/WebAuthn security keys or passkeys, are resistant to that attack, so prefer them for the accounts that matter most.
4. Active Defense
In addition to passive layers that rely on training and simulations, add layers that take an active approach: red-flagging and quarantining malicious emails before they reach employees. Explore different solutions and understand which ones use modern, sophisticated detection techniques to catch and lock phish before users have the chance to reply or click. When evaluating a product, ask what signals it actually uses (sender authentication results, lookalike domains, display-name impersonation, mismatched links) and how it handles the phish that nobody has seen before. Ideally, choose a solution that requires no hardware or complicated configuration, so it can be rolled out quickly and easily.
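As an added illustration of the kind of checks an active-defense layer runs on mail in transit (example code written for this page; it is not Clearedin’s product logic or any vendor’s), the triage function below parses a raw message and raises flags for a failed DMARC verdict in the Authentication-Results header, a sender domain that is a close lookalike of the protected domain, a display name that impersonates a protected person from an outside domain, a Reply-To that diverts replies elsewhere, and links whose visible text names a different host than the real target. The protected domain, the list of protected names and both sample messages are constructed for the example; a real gateway would also verify DKIM/SPF itself rather than trust a header it did not add.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"          # assumed: the organization's own domain
PROTECTED_NAMES = {"jane doe"}            # assumed: executives worth guarding against impersonation

# Constructed sample phish (not a real message): lookalike sender, diverted
# replies, DMARC failure and a link whose text does not match its target.
SAMPLE_PHISH = b"""From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: finance-desk@mail-relay.example.net
To: bob@example.com
Subject: Urgent wire request
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
Content-Type: text/html

<p>Bob, please review the invoice at <a href="http://login.example-cdn.xyz/pay">https://portal.example.com/pay</a></p>
"""

# Constructed benign message for comparison.
SAMPLE_CLEAN = b"""From: "Alice Smith" <alice@example.com>
To: bob@example.com
Subject: Lunch
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

See you at noon.
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small distances between domains suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: bytes) -> list:
    """Return the sorted list of risk flags raised for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = set()

    sender = msg["From"].addresses[0]
    from_domain = sender.domain.lower()

    # 1. Sender authentication verdict recorded by the receiving MX.
    auth = str(msg["Authentication-Results"] or "")
    m = re.search(r"\bdmarc=(\w+)", auth)
    if m and m.group(1).lower() != "pass":
        flags.add("dmarc-fail")

    # 2. Domain that is almost, but not quite, our own.
    if from_domain != INTERNAL_DOMAIN and levenshtein(from_domain, INTERNAL_DOMAIN) <= 2:
        flags.add("lookalike-domain")

    # 3. A protected person's name on mail from outside the organization.
    if sender.display_name.strip().lower() in PROTECTED_NAMES and from_domain != INTERNAL_DOMAIN:
        flags.add("display-name-impersonation")

    # 4. Replies silently redirected to a third domain.
    reply_to = msg["Reply-To"]
    if reply_to is not None and reply_to.addresses[0].domain.lower() != from_domain:
        flags.add("reply-to-mismatch")

    # 5. Visible link text naming one host while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    for href, text in ANCHOR_RE.findall(content):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith(("http://", "https://")):
            if urlparse(shown).hostname != urlparse(href).hostname:
                flags.add("link-text-mismatch")

    return sorted(flags)


if __name__ == "__main__":
    print("phish:", triage(SAMPLE_PHISH))
    print("clean:", triage(SAMPLE_CLEAN))
```

Any one of these flags on its own can be a false positive (a legitimate newsletter often has a differing Reply-To), which is why a gateway scores them together and why, in a Defense-in-Depth design, the result feeds quarantine or a warning banner rather than being the only thing standing between the user and the click.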
5. Endpoint Protection
This is the layer that protects each individual endpoint, such as a workstation or mobile device, from which your network is accessed. It is installed on each device to prevent, detect, and remove viruses and malware: it performs automated and on-demand scans, quarantines any malicious code it finds, and reports the overall “health” of the machine. In a Defense-in-Depth design this is the layer that matters when every earlier one has failed and a user has opened the attachment or run the download, so it should be in place on every device that reads email, not just the ones on the office network.
Phishing scams continue to evolve, becoming more sophisticated and costing organizations millions of dollars every year. The best defense is to follow a Defense-in-Depth strategy. If you’re looking to add number four to your anti-phishing strategy—the active defense—contact the experts at Clearedin. We quickly harpoon dangerous phishing emails and red-flag malicious URLs so your users—and your organization—are protected.