Phishing Your Team Isn't The Answer

Successful phishing attacks - tricking your employees into clicking a link and then taking an action, such as providing information to a fake web page - are the primary vector for ransomware infections. But it’s really not that simple. Ransomware exploits weaknesses in training, but also in how you have architected and executed on your overall information technology and information security fabric. Even if you removed phishing completely (which is hard), ransomware would still present a threat.

So when vendors tell you that the “solution” to phishing is to let them mount mock phishing attacks against your employees, take it with a grain of salt. Sure, used prudently, phishing exercises and tests can give you data about how prepared your company is to withstand a phishing campaign. But it is important to remember that readiness here doesn’t just mean “Will my people click the link?” It also means very important things such as, “Can my systems stop the link from reaching my people?” and “If my people do click a link, how good are we at defending against what happens next?”

Another reason not to put too much stock in phishing testing is that unless it’s done well, you’ll be teaching the wrong lessons. The companies that conduct these drills will tell you that your fake phishing test should be as ruthlessly real as the real thing, or else it’s not worth much. “Hackers,” they’ll tell you, “won’t pull any punches, so neither should you.”

Yes and no. The last thing you want to do is set up an adversarial relationship between your employees and your information security or information technology leadership and teams. And that’s what you do when those teams and leaders send out that clever phishing test - the one about “Click here for information about this year’s Christmas bonus.”

Is that kind of thing a realistic phish? You betcha. Might hackers actually try something like that? Less often than you’d think, but, sure.

The difference, though, is that the ransomware criminals don’t have to work with Bob in accounting after they mount such an offensive trick, one that plays on Bob’s desires and hopes, and crushes them like a grape.

The best defenses against phishing are, we learn again and again:

  • Awareness training: Show your employees how to spot fakes, from a general sense of diligence, to mousing over links, to matching URLs against the sender address field. Do this regularly.

  • Empowerment: Make sure your employees know that they can ask questions and get help for the asking - no one is going to say they’re asking a dumb question. By supporting employees with help to make the right decision about “To click or not to click”, you reduce the number who will make the wrong choice.

  • Good filtering and mail hygiene: They can’t click it if it doesn’t reach their inbox.

  • Hardware tokens: It’s not a myth: Google reduced to zero the number of its employees successfully phished after deploying hardware tokens. Sure, your employee might click on a link to out1ook.com, but a hardware token won’t authenticate to the wrong site.

  • Thinking past the phish: Should the worst happen, and an employee clicks on a fake link and gets infected, what’s going to happen? Is your organization ready to detect it? Have you got your backups in order, and your restoration procedures tested regularly? Are you properly logging outbound DNS requests and other critical breadcrumbs so your incident responders can figure out what’s going on and stop the bleeding quickly?
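Why a hardware token “won’t authenticate to the wrong site” comes down to origin binding, modelled here as an added example (not code from the original post or from any token vendor): the browser, not the web page, records the origin and derives the relying-party ID, the token only holds a credential scoped to the real RP ID, and the signature covers both. The names outlook.com and out1ook.com are the post’s own illustration, the function names are hypothetical, and a symmetric per-RP key stands in for the per-RP key pair a real FIDO2 token would generate.

```python
import hashlib
import hmac
import json
import os

class Authenticator:
    # Stand-in for a FIDO2/WebAuthn hardware token: one credential per RP ID.
    def __init__(self):
        self._master = os.urandom(32)
        self._registered = set()
    def _cred_key(self, rp_id):
        # Simplification: symmetric per-RP key instead of a per-RP key pair.
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()
    def register(self, rp_id):
        self._registered.add(rp_id)
        return self._cred_key(rp_id)  # plays the role of the public key the RP stores
    def get_assertion(self, rp_id, client_data):
        if rp_id not in self._registered:
            return None  # no credential scoped to this RP ID, so nothing to sign
        auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        return auth_data, hmac.new(self._cred_key(rp_id), to_sign, hashlib.sha256).digest()

def browser_get(token, page_origin, challenge):
    # The browser, not the page, writes the origin into clientData and derives the
    # RP ID from it, so a look-alike host can only ask for a look-alike RP ID.
    rp_id = page_origin.split("://", 1)[1]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": page_origin}).encode()
    result = token.get_assertion(rp_id, client_data)
    return None if result is None else (client_data,) + result

def rp_verify(expected_origin, rp_id, challenge, cred_key, response):
    # Relying party: check origin, challenge, RP ID hash, then the signature.
    if response is None:
        return False
    client_data, auth_data, sig = response
    cd = json.loads(client_data)
    if cd["type"] != "webauthn.get" or cd["challenge"] != challenge or cd["origin"] != expected_origin:
        return False
    if auth_data != hashlib.sha256(rp_id.encode()).digest():  # credential scoped elsewhere
        return False
    expected = hmac.new(cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def login_attempt(page_origin, rp_origin="https://outlook.com"):
    # Enrol the token at the real RP, then try to log in from page_origin.
    rp_id = rp_origin.split("://", 1)[1]
    token = Authenticator()
    cred_key = token.register(rp_id)
    challenge = os.urandom(16).hex()
    return rp_verify(rp_origin, rp_id, challenge, cred_key, browser_get(token, page_origin, challenge))
```

A login from the real origin succeeds, while a login from out1ook.com fails twice over: the token has no credential for that RP ID, and even an assertion obtained by tricking the user into enrolling there carries the wrong rpIdHash and origin, so rewriting the relayed clientData does not help.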

Paying attention to these issues, and working on the long game as opposed to the easy fix, is the best way to combat phishing.