How not to be phished: An enterprise guide

Phishing mitigation is everything. It’s the end point, the touchpoint, the ultimate moment at which you’re training and security strategies have prevented an employee from making that terrible mistake of clicking on that link, of exposing the business to attack. Organisations have to invest into comprehensive in-depth phishing plans, leveraging policies, technical tools and awareness training best practices to ensure that they’re not vulnerable to attack. And this attack is absolutely guaranteed.

In 2020, phishing statistics were staggering. Proofpoint found that 75% of organisations experienced a phishing attack, Verizon revealed that 22% of data breaches were as a result of a successful phishing endeavour, and the FBI received a record number of phishing complaints and concerns. And KnowBe4 discovered 18, 000 vulnerabilities in 2020 alone – that’s around 50 vulnerabilities a day. These statistics underscore the absolute importance of building a secure and stable human firewall. A ring of trained employees who understand the risks, recognise the warning signs, and know the rules of security so they don’t tear open your business defences and reveal unexpected vulnerabilities.

There are around ten ways in which hackers and malware can break into the business environment: unpatched software, zero-day, social engineering, authentication attack, human error, insider attack, third-party compromise, physical attack such as theft, misconfiguration of systems, and eavesdropping or network sniffing. Out of all these attack vectors, the most common are social engineering and unpatched software. The former is responsible for the majority of data breaches since 2009, and is the one that requires the most planning to ensure that you prevent bad actors from entering your environment.

The first step is to create preventative controls and defences that prevent something from happening in the first place. This can be achieved by blending a layer of in-depth, best practice policies that include basic information such as: ‘Don’t leave your workstation open when you walk away’, or ‘’Never give your password to someone over email’. These are solid policies that help people to become more secure. 

An Acceptable Use policy is the first and most important step, this is the generalised security document that covers the basic security hygiene factors. It needs to be signed and reviewed by every employee when they join, and signed again annually thereafter. This should be bolstered by a phishing mitigation policy that drives consistent phishing training and management. There should be a simulated phishing test at least every month with possible consequences for people who fail the tests consistently. You need to expose every new employee to what phishing is, how to mitigate it and how to fight it. The phishing policy should cover the fact that there is regular testing of knowledge and phishing simulations, as well as clear definitions around what phishing and social engineering are.

The goal is to create a culture of acceptance. A culture where suspected phishing attacks are reported and where people are encouraged to play a role in building this human firewall. People need to know that they are part of the solution, not penalised for being part of the problem. Yes, there should be consequences for consistent failure to recognise a phish, but only from the perspective of increased training and, for those that don’t take it seriously, conversations with management to reinforce the message.

Then you need to invest into your technical defences, the firewalls and security configurations and anti-virus software and phish filtering tools. These defences that prevent the risks from reaching the desktop in the first place. However, even with robust technical defences and rigorous policies in place, there are always going to risks that slide on by. This puts training in the spotlight. You need to train your employees, business leaders, and C-Suite to ensure that they are capable of detecting the risks, and not falling foul of the intelligent webs of deception. This includes everything from emails to SMS messages to phone calls. These are all socially engineered to trigger people into making the wrong decisions and revealing critical information that can put the business, and them, at risk.

This human firewall, the technical defences, the use of intelligent tools such as multi-factor authentication, phishing simulations, and training engagement – these all come together to form a robust defence against the phishing phenomenon. There is no one fool proof route to securing the business from this insidious attack vector, but with these measures in place, the enterprise is far more prepared for what may lie ahead.