Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.
How Do I Make Getting Phished Less of a Crisis?
Rather than fruitlessly trying to train the “human error” out of humans, focus on creating more humane systems for the inevitable aftermath of a phish.
August 30, 2021
Question: How do I make getting phished less of a crisis?
Kat Sweet, Security Awareness Program Manager, HubSpot: People will get phished. While many security teams go all-in on security awareness training as their sole phishing mitigation strategy, education can’t succeed in a vacuum – it must be backed up with resources and systemic shifts. Even assuming the existence of preventative measures, anyone can fall for a phish. We need to accept that fact and, one, foster a culture where it’s safe to report being phished, and two, implement safeguards to minimize the impact of a phish.
Normalize safe reporting: The sooner we know about a successful phish, the sooner we can mitigate it. In the absence of any prevention, detection, and response tooling, we still have our systems of interpersonal relationships and culture. A key piece of security reporting is psychological safety – as a security team, if we expect colleagues to trust us enough to report that they’ve been phished, we need to default to modeling that trust. Punitive, antagonistic security culture leads to under-reporting security concerns for fear of retribution. When colleagues reach out, we can thank them for letting us know and give them judgment-free, actionable steps for mitigation. Blamelessness is key.
Leverage usable technical controls: Safeguards to minimize the damage of a phish can take many forms, some of which we may already have in our environment. The goal is to keep a single error fairly contained and to do so in a way that still lets people do their jobs without security decision fatigue. If the threat is a malicious file, application allow-listing can automatically block unknown binaries from running. If credential phishing is a concern, single sign-on, usable multifactor authentication, and standard password managers are a powerful combination for ease of meeting password complexity guidelines and easily rotating compromised creds. Password managers can also serve as a good gut-check: a few password manager extensions autofill for known websites, making it easier to spot a rogue site.
“Just buy everyone Chromebooks” isn’t always a realistic tactic – though it certainly reduces the attack surface – but we can still run with its underlying strategy of removing complex security decisions from an individual’s purview and increasing secure defaults.
Above all: Rather than fruitlessly trying to train the “human error” out of humans, focus on creating more humane systems for the inevitable aftermath of a phish.
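As an added illustration of the password-manager gut-check mentioned above (example code added here, not from the author or HubSpot): a manager autofills only when the page’s origin exactly matches a saved entry, so a lookalike host, a plaintext-HTTP copy, or a userinfo trick gets no fill. The vault entries and URLs below are constructed sample data.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed vault: (scheme, ASCII hostname, port) -> saved username.
# Sample data for this example; not a real vault format.
VAULT = {
    ("https", "accounts.example.com", 443): "alice@example.com",
    ("https", "mail.example.com", 443): "alice@example.com",
}

def should_autofill(page_url: str) -> Optional[str]:
    """Return the saved username if page_url's origin exactly matches a
    vault entry, otherwise None. The None case is the user-visible signal:
    no fill on a site where one is expected deserves a second look."""
    parts = urlsplit(page_url)
    scheme = parts.scheme.lower()
    if scheme != "https":
        return None                     # never fill over plaintext HTTP
    host = (parts.hostname or "").rstrip(".").lower()   # hostname, not userinfo
    if not host:
        return None
    try:
        # Compare in IDNA/ASCII form so a Unicode lookalike label can never
        # compare equal to the ASCII host that was saved.
        host = host.encode("idna").decode("ascii")
        port = parts.port or 443        # parts.port raises on a bad port
    except (UnicodeError, ValueError):
        return None
    return VAULT.get((scheme, host, port))

if __name__ == "__main__":
    for url in ("https://accounts.example.com/login",
                "https://accounts.example.com.evil.test/login",
                "https://accounts.example.com@evil.test/login"):
        print(url, "->", should_autofill(url))
```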