Best Practices for Preventing Phishing Attacks

With phishing attacks increasing in volume and sophistication, IT departments have their work cut out blocking attacks. One survey of IT professionals by HP revealed that 69% experienced phishing attacks at least once a week. With that in mind, we are sharing some important best practices for preventing phishing attacks and making recommendations for solutions that can significantly reduce your exposure and susceptibility to phishing threats.

The Threat of Phishing

Phishing is a type of social engineering that manipulates people into taking an action they would not usually perform. Despite phishing being used in the majority of cyberattacks to gain initial access to accounts and networks, the threat from phishing is often underestimated. One survey in 2018 by SlashNext of more than 300 IT security decision-makers found that 95% underestimated the seriousness of phishing, and the majority of the companies represented had not implemented defenses that were anywhere near good enough.

There is also false confidence in the ability of individuals to identify phishing emails. A survey of 4,000 office professionals from the U.S., U.K., Japan, and Australia by Forrester found that 79% of participants said they could distinguish a phishing message from a genuine email, yet 48% of respondents said they had had their personal or financial data compromised, and almost half said they had clicked on a link from an unknown individual at work, with 29% saying they had done so more than once. Insufficient defenses, the failure to follow best practices for preventing phishing attacks, and overconfidence in phishing detection ability are a bad combination.

The Most Important Best Practices for Preventing Phishing Attacks

Part of the reason why phishing defenses are insufficient is companies have failed to appreciate the increasing threat from phishing. The FBI reports that phishing attacks doubled in 2020, and the number of reported data breaches from phishing is continuing to increase. Tried and tested anti-phishing measures such as spam filters and security awareness training are no longer working as well as they should, as phishing tactics are evolving. Defenses also need to evolve and be augmented to block these increasingly sophisticated attacks.

Many businesses rely on the free spam filter and email security solution from Microsoft – Exchange Online Protection (EOP) – to protect their Office 365 environments, or on traditional spam filtering solutions, even though these have been shown to be ineffective at blocking sophisticated phishing threats. Security awareness training is provided, but nowhere near frequently enough. The once-a-year training sessions that were enough a few years ago are no longer sufficient. The rapidly changing threat landscape and the sheer number of phishing threats now circulating mean that training needs to be provided much more regularly to be effective, and training needs to be conducted more intelligently.

To combat phishing, multiple overlapping layers of security are required. In addition to implementing an advanced email security solution and conducting regular training, other security measures need to be implemented and more comprehensive best practices for preventing phishing attacks should be followed.

Get Your Security Awareness Training Working Better

Security awareness training is vital during the onboarding of employees for ensuring everyone is aware of the cyber threats they are likely to encounter. New employees should be taught how to identify phishing emails, be schooled on cybersecurity best practices, trained on how to maintain good cyber hygiene, and be instructed on the organization’s policies concerning data and cybersecurity. Unfortunately, humans are not robots and over time may forget their training and pick up bad habits.

Many businesses address this by providing refresher training periodically, every one or two years. However, even this is not sufficient. Security awareness training needs to be an ongoing process, as cyber threat actors are constantly changing their tactics and techniques. If security awareness training does not maintain the same pace, employees are likely to be fooled time and time again.

Rather than treating security awareness training as a check box item that needs to be conducted each year, conduct training throughout the year in small chunks that are easily assimilated. With SafeTitan security awareness training, there is an extensive library of training content and fresh content is regularly added in response to the changing tactics, techniques, and procedures of threat actors. The content is engaging, fun, and has been written in a way to maximize knowledge retention.

Conduct Phishing Simulations

A recent ISACA phishing survey found that only 12% of IT professionals were able to identify the effectiveness of their phishing awareness training efforts. That is a worrying finding. With cybersecurity solutions, it is usually easy to see how effective they are at blocking threats by analyzing the logs. With security awareness training it can be more difficult.

The best way to determine how effective training has been is to create a benchmark against which security awareness can be measured. Phishing simulation platforms are commonly used by businesses to send fake but realistic phishing emails to employees. These solutions show how many employees have opened emails, clicked on hyperlinks, and have opened attachments. They provide a good indication of how susceptible employees are to phishing attacks. Not only can these simulations indicate how effective training has been, they can also highlight any specific types of phishing emails that are proving to be effective, which allows training content to be modified to improve education about those exact threats.

Even better is to use SafeTitan for phishing simulations – SafeTitan is the only security awareness training and phishing simulation platform that delivers training in real-time. When an employee fails a phishing simulation or engages in risky behaviors that the administrator wants to eradicate, relevant training is instantly provided at a time when it is most likely to be taken on board.

Implement a Web Filtering Solution

Email security solutions will block the majority of threats, but they need to be augmented with additional security measures. Despite web filters being one of the most important best practices for preventing phishing attacks, many businesses have yet to implement such a solution.

Cybercriminals are constantly changing their tactics, techniques, and procedures to bypass email security defenses, and some malicious emails will inevitably be delivered to inboxes where they can be opened and clicked. Employees can encounter many threats on the Internet, be redirected to malicious content through malvertising, and visit malicious websites through general web browsing. Search engine poisoning is often used to get malicious sites ranking highly for business-specific search terms and trick employees into installing malware.

With a web filter in place, phishing threats and malware-laced websites are blocked, and time-of-click protection is provided against malicious links in emails. When a user clicks a link in a phishing email, the web content will be assessed and no connection will be made if the content is malicious.
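The time-of-click mechanism described above, as an added example that is not TitanHQ's or WebTitan's code: links are rewritten at delivery into a signed guard URL, and the verdict is computed against the blocklist as it stands when the user actually clicks, so a domain that was clean at delivery but added to threat intelligence later is still blocked. The guard endpoint, signing key, blocklist and sample email are constructed placeholders.

```python
import hashlib
import hmac
import re
from typing import Optional, Set, Tuple
from urllib.parse import parse_qs, quote, urlparse

SECRET = b"constructed-demo-key"          # assumed: per-tenant signing key
GUARD = "https://clickguard.example/r"    # assumed: guard endpoint (placeholder)
URL_RE = re.compile(r"""https?://[^\s<>"']+""")

def _sign(url: str) -> str:
    # HMAC binds the original destination to the guard link so it cannot be swapped
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()

def rewrite_links(body: str) -> str:
    """Delivery time: replace each link with a guard link carrying the
    signed original URL. No verdict is made yet."""
    def repl(m: re.Match) -> str:
        u = m.group(0)
        return f"{GUARD}?u={quote(u, safe='')}&s={_sign(u)}"
    return URL_RE.sub(repl, body)

def resolve_click(guard_url: str, blocklist: Set[str]) -> Tuple[str, Optional[str]]:
    """Click time: verify the token, then judge the destination host against
    the blocklist *as it is now*. Returns (verdict, destination)."""
    q = parse_qs(urlparse(guard_url).query)
    u, s = q.get("u", [""])[0], q.get("s", [""])[0]
    if not u or not hmac.compare_digest(s, _sign(u)):
        return "tampered", None          # forged or altered guard link: never redirect
    host = urlparse(u).hostname or ""
    if host in blocklist:
        return "blocked", u              # do not connect; show a block page instead
    return "allowed", u

# Constructed sample message: the domain is clean at delivery and weaponized later.
BODY = "Your invoice is ready: https://portal.evil-example.test/login (constructed sample)"

def demo() -> dict:
    rewritten = rewrite_links(BODY)
    guard = URL_RE.search(rewritten).group(0)
    return {
        "at_delivery": resolve_click(guard, set())[0],
        "at_click": resolve_click(guard, {"portal.evil-example.test"})[0],
        "tampered": resolve_click(guard.replace("evil", "good"), set())[0],
    }
```

The same guard link yields "allowed" against the empty delivery-time list and "blocked" once the host appears on the list, which is exactly the gap a delivery-time-only scan leaves open.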

Set up Multi-factor Authentication

Best practices for preventing phishing attacks often focus on practices and security solutions for blocking phishing attacks and preventing credential theft, but if credentials are stolen in a phishing attack or are guessed using brute force tactics, they can be used to remotely access accounts. According to the 2022 Verizon Data Breach Investigations Report, the most common attack vector in ransomware attacks was stolen credentials from desktop sharing software and email accounts. With multi-factor authentication in place, the credentials alone are not enough to provide access. An additional factor is also required, which the attackers do not have. According to Microsoft, multi-factor authentication will block more than 99% of automated attacks on accounts using stolen credentials.

How TitanHQ Can Help

TitanHQ has developed a suite of cybersecurity solutions for preventing phishing attacks and improving overall cybersecurity. All of these cloud-delivered solutions are easy to use and work seamlessly with each other to help businesses significantly improve their security posture.

These multi-award-winning solutions tackle phishing from multiple angles. SpamTitan Email Security blocks email-based phishing attacks and malware delivery, including zero-day malware threats through behavioral analysis. WebTitan DNS Filter is a DNS-based web filtering solution for blocking the web-based component of phishing attacks, web-borne cyber threats, and for enforcing acceptable Internet usage policies. The solution is automatically updated with threat intelligence from a global network of more than 500 million endpoints, delivering protection against zero-minute threats.

The SafeTitan security awareness and phishing simulation platform includes an extensive library of training content including courses, quizzes, and videos for conducting effective security awareness training. The platform automates the provision of training and phishing simulations and delivers real-time intervention training in response to security errors by employees.

If you want to improve your defenses against phishing, start with implementing best practices for preventing phishing attacks, training your workforce, and blocking phishing threats with TitanHQ solutions. All products are available on a free trial to allow you to see for yourself how easy they are to implement and use, and how effective they are for defending against phishing attacks.