Question: How do I make getting phished less of a crisis?
Kat Sweet, Security Awareness Program Manager, HubSpot: People will get phished. While many security teams go all-in on security awareness training as their sole phishing mitigation strategy, education can’t succeed in a vacuum – it must be backed up with resources and systemic shifts. Even assuming the existence of preventative measures, anyone can fall for a phish. We need to accept that fact and, one, foster a culture where it’s safe to report being phished, and two, implement safeguards to minimize the impact of a phish.
Normalize safe reporting: The sooner we know about a successful phish, the sooner we can mitigate it. In the absence of any prevention, detection, and response tooling, we still have our systems of interpersonal relationships and culture. A key piece of security reporting is psychological safety – as a security team, if we expect colleagues to trust us enough to report that they’ve been phished, we need to default to modeling that trust. Punitive, antagonistic security culture leads to under-reporting security concerns for fear of retribution. When colleagues reach out, we can thank them for letting us know and give them judgment-free, actionable steps for mitigation. Blamelessness is key.
Leverage usable technical controls: Safeguards to minimize the damage of a phish can take many forms, some of which we may already have in our environment. The goal is to keep a single error fairly contained and to do so in a way that still lets people do their jobs without security decision fatigue. If the threat is a malicious file, application allow-listing can automatically block unknown binaries from running. If credential phishing is a concern, single sign-on, usable multifactor authentication, and standard password managers are a powerful combination for ease of meeting password complexity guidelines and easily rotating compromised creds. Password managers can also serve as a good gut-check: a few password manager extensions autofill for known websites, making it easier to spot a rogue site.
"Just buy everyone Chromebooks" isn’t always a realistic tactic – though it certainly reduces the attack surface – but we can still run with its underlying strategy of removing complex security decisions from an individual’s purview and increasing secure defaults.
Above all: Rather than fruitlessly trying to train the “human error” out of humans, focus on creating more humane systems for the inevitable aftermath of a phish.
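The password-manager "gut-check" in the answer above works because a saved credential is bound to the origin it was captured on, and the extension offers autofill only when the current page matches that binding. The following is an added illustration of that matching logic, not code from the answer's author, HubSpot, or any particular password manager. The host names, the saved login and the simplified matching rule (exact host or subdomain, https only, no public-suffix list) are all constructed assumptions for the demo.

```python
"""Why a password manager's autofill acts as a phishing gut-check.

Added example (not from the original answer or any real product): a saved
credential is bound to the host it was saved for, and autofill is offered
only when the current page's host matches that binding. A lookalike domain
therefore gets no autofill, which is the visual cue the answer describes.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SavedLogin:
    host: str      # host the credential was saved for, e.g. "login.example.com"
    username: str


def normalize_host(url: str) -> Optional[str]:
    """Return the lowercase, IDNA-encoded host of an https URL, or None.

    IDNA encoding turns a Unicode homograph (e.g. Cyrillic 'а' in place of
    Latin 'a') into an xn-- label, so it can never compare equal to the
    ASCII host the credential was saved for.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None  # never fill on plain http or a malformed URL
    try:
        return parts.hostname.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def should_autofill(saved: SavedLogin, page_url: str) -> bool:
    """Autofill only if the page host is the saved host or a subdomain of it.

    Simplified origin matching (assumption: no public-suffix list). A real
    manager also consults the PSL so a login saved for a shared suffix such
    as "co.uk" could never match every site under it.
    """
    host = normalize_host(page_url)
    if host is None:
        return False
    saved_host = saved.host.lower()
    return host == saved_host or host.endswith("." + saved_host)


def evaluate_pages(saved: SavedLogin, urls: list) -> dict:
    """Map each candidate page URL to the autofill decision."""
    return {url: should_autofill(saved, url) for url in urls}


# Constructed sample data for the demo; none of these are real sites.
SAVED = SavedLogin(host="login.example.com", username="kat")
SAMPLE_PAGES = [
    "https://login.example.com/sso",                 # exact host: fill
    "https://sso.login.example.com/",                # subdomain: fill
    "https://login.example.com.evil-example.net/",   # saved host used as a prefix: no fill
    "https://login-example.com/",                    # punctuation swap: no fill
    "https://login.examp1e.com/",                    # digit for letter: no fill
    "https://login.exаmple.com/",                    # Cyrillic 'а' homograph: no fill
    "http://login.example.com/",                     # downgraded scheme: no fill
]

if __name__ == "__main__":
    for url, decision in evaluate_pages(SAVED, SAMPLE_PAGES).items():
        print(f"{'FILL   ' if decision else 'NO FILL'}  {url}")
```

The point for a defender is that the user does not have to read the URL character by character: the absence of the usual autofill on a page that looks right is itself the signal, and it is produced by the same strict matching that makes the manager useful day to day.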