3 Ways your Phishing Defense Can Be like the Marines

Want to stay in front of breaches? Train like the Marines.

Too often in cybersecurity, people focus on mitigating breaches after they occur—and long after phishing emails deliver malicious payloads. To lower the threat, many companies now train employees by sending them simulated phishes, so they can learn to recognize and report suspicious messages. It's the kind of proactive thinking the Marines call "left of bang." In the security world, it’s more like left of breach.

The Marines Combat Hunter training works on this premise: by understanding what "normal" looks like, you’re much more likely to recognize activities and behaviors that are out of place. That recognition, even if based on “gut feel,” becomes the trigger for acting.

This approach relies heavily on front-line human assets, not just technology, to detect attacks in progress. Most important, it lets you get ahead of trouble before it blows up. Here are three best practices to apply this thinking to your phishing defense.

Best Practice 1: Baseline your company’s weaknesses
That's what the bad guys do. Threat actors begin by identifying your weak spots so they can exploit them. It’s time to think like they do. Do a thorough analysis of your security environment, business operations, active threats and employee engagement. All of this will inform your phishing simulations.

Best Practice 2: Design phishing simulations that look like the threats you face
Now you’re ready to phish your employees. Your checklist has yielded the baseline information to simulate phishes. Again, be sure to incorporate what you know about active phishing threats. By understanding current or trending threats, you’ll develop simulations that mirror real attacks and get results that show your risk exposure.

After announcing the training program so employees know what to expect (including the message that simulations are meant to educate, not berate), start sending mock phishes ranging from basic to more advanced. Over 12 months, you might for example send an innocent looking e-greeting card, an invoice attachment that really isn’t, a social media invitation to disaster and a request for funds—the latter seemingly from a trusted source but in fact a form of social engineering known as business email compromise (BEC).

It’s really, really important to deliver simulations to everyone. The C-level gets phished all the time. So do human resources and finance. And oh yes, IT. You’ll also want to run follow-up simulations based on what you’ve learned from the first few rounds.

Best Practice 3: Train everyone to report phishing
Recognizing a phish is good. Reporting it is better. When you train your people, all of them, to report suspected phishing you transform them into human sensors. Your human intelligence helps to shorten meantime both to detection and response. To that end, many organizations have installed simple reporting plugins to their email toolbars. With one click, employees can send potential phishes to the security team for quick analysis and, if needed, incident response.

These are the sort of things that helps to keep your business left of breach—taking proactive steps instead of playing chronic defense. To mitigate better, mitigate less. Choose your battles, like the Marines.

Lex has over 30 years of experience in information technology with a strong focus on strategic planning and program delivery. He is responsible for PhishMe Professional Services delivery strategy and provides hands-on program consulting, as well as customized results analysis and recommendations for clients seeking to reduce their organizations’ susceptibility to phishing attacks. Prior to PhishMe, Lex’s professional career included consulting and management of product and service delivery teams for small businesses, global Fortune 20 organizations and Government Agencies.

Lex is a Certified Counter Intelligence Threat Analyst (CCTA), holds an Electronic Engineering Degree, has numerous technical and behavioral science certificates as well as continuing professional development credits in IT security and ethical hacking. Additionally, Lex is a frequent speaker on personal responsibility and ethics in information security, and has published multiple books and papers on topics from security awareness to social engineering.