It is no secret that employees remain most companies’ biggest security vulnerability. It is also no secret that email continues to be the most common attack method that malicious actors use. Businesses deploy many sophisticated security solutions inside their environments, and the businesses employ a significant number of security analysts and other cyber defense professionals. However, none of it matters more than a well-trained staff supported by the right email security solution. I recently talked to IT leaders at U.S.-based businesses and non-profits about how they use anti-phishing solutions.
Phishing Campaigns
Phishing campaigns are email scams that are aimed at stealing as much personal information from victims as possible. Cybercriminals use phishing attempts to obtain sensitive information such as financial details, usernames, and passwords by disguising themselves as legitimate individuals or organizations via email. When asked about the practices his business has implemented in regard to anti-phishing solutions, Jack Smith, MCP at Initial.IT said,
”Basically, we incorporate into all of our Managed Service Plans ongoing anti-phishing campaigns and phishing educational campaigns. We run phishing campaigns without informing the client other than a two-week time frame. Once we have the results, we review with our client contact and determine the content and the timing of the Educational campaign that will follow. Prior to executing the Educational campaign, we email the client’s entire office explaining the email that they will be receiving, what the content is, and that this is part of their company’s Cyber awareness initiative, and they are expected to participate. This campaign runs for two weeks. Once the results are in, we review the results with our contact and then continue this process of alternating phishing and educational campaigns throughout the year.”
”We will also meet with their entire company in an informal fashion (lunch and learn style) to present current trends in phishing, ransomware, etc. as well as reviewing the results of the phishing and educational campaigns in a general fashion. We take care not to single out any one person and then we open the floor to General IT discussion. We bring at least 4 of our staff for this meeting, and it is included in their services plan so we get full participation. The key point that we focus on conveying to all of our clients is the role that every one of their employees plays in keeping the company cyber safe and that they are actually the first line of defense. We educate them any chance we get as to what to watch for when looking for suspicious emails or files, how to best handle these emails, and what to do should they inadvertently kick off a cyber event. Getting the end-user buy-in is critical to staying out in front of the cyberwar and maintaining our client’s security position in an ever-changing landscape”, added Smith.
Bryan Badger of Integral Networks said, ”We used to use Proof point and KnowB4. These days we utilize BullPhish from ID Agent specifically for phishing campaigns with our clients. But even testing our clients’ users and training them has proven to really only increase helpdesk tickets. We have been focusing on the backend to minimize these emails from even getting through by integrating ATP with all O365 mailboxes and 3rd party tools, like SCUD from our MSSP, Blokworx.”
Training and Testing Solutions for Phishing
Phishing awareness training educates employees on how to detect and report phishing attempts, protect themselves, and protect the organization from cybercriminals and other malicious actors who want to wreak havoc on your organization. Nick Martin of Mainstreet IT Solutions said:
“We use KnowBe4 for us and our customer base as a training and testing solution for phishing. KnowBe4 features quite a bit of automation, which is critical for us. With so many tasks in cybersecurity that need to be addressed, this is one area that can be fairly easy to automate. We create a quarterly training schedule and get everything in place for required training 4 times a year in different aspects of phishing attacks, social engineering, ransomware in emails, etc. Following this training, we have automated the process of sending test phishing emails to staff and customers.”
”This allows us to test our own employees and customers to see where weak spots are. Are there certain types of phishing emails that are getting people? Is it random? Is it a certain segment of users? There is a lot of data we can collect. And because KnowBe4 is so automated, users who fail this test get enrolled in relevant training material that shows how and why they failed at spotting these tests. Organizations cannot afford for users to take a day off, and that is why we continue to believe in a strict training and testing regimen to keep refining users’ abilities to have safe and secure practices when sending and receiving emails”, added Martin.
”Although there are numerous tools that can be implemented, phishing attempts are getting more and more sophisticated and therefore the last line of defense and THE most important tool is employee education. Employees need to understand how to be certain that an email is request is valid and therefore prevent from giving up valuable information to the hacker” said Ilan Sredni of Palindrome Consulting.
”There are several phishing tools available. They all are quite similar. They provide a short 2-3 minute instructional video for employees to watch. They have a 4-5 question quiz. Most of them are also paired with simulated phishing attacks. What we have found to be the difference is communication and follow-through. For example, Customer A has 10 employees. After running our simulation, three people click on the fake link. We follow up with the customer to advise them of these three people”, said Mike Shelah of Advantage Industries.
”We then provide secondary training for those people to help them better understand what they should look for. This same company, we run the results of the training. We identify that three people did not take the quiz. Same follow-through. Of the 10 people, two did not pass the quiz, same follow through. This communication and follow-through are critical to the customer’s success, because, these people are now the great cyber vulnerability to their company data. A consistently well-trained staff means, much better security and protection without a big investment in unnecessary tools”, added Shelah.
In-Person Training and Specialized Tools
When it comes to training and development, there is never a one-size-fits-all approach. Every organization will have its own requirements that will need to be addressed. When designing a training and education strategy, is it best to lean toward in-person training or specialized tools? When you set your sights on only one type of training initiative, you can miss the valuable benefits of each methodology. Many businesses and organizations prefer to take a blended approach.
”The only truly effective anti-phishing initiative is a combination of in-person training and a specialized tool to test and track the progress of those training sessions. We use KnowBe4 to test employees on a monthly basis after they have an in-person (or video conference call) training session. We found that our phishing “failures” dropped by 50% when we preceded the anti-phishing tool with a 30-minute training presentation”, said Matt Bullock of Accelera IT Solutions.
”We use KNowBe4 to create specialized templates using the logo and names from actual clients, who the employees are used to receiving messages from. With the proliferation of social engineering and the wealth of company information available on LinkedIn and other sites, our testing and training are completely centered around who the employees know and trust. Everyone is more likely to follow the request of a spam email if they think it’s coming from someone they know and trust. Ultimately, we teach all employees at all our clients to be suspicious of all emails and to always check, with a phone call, any requests for money or changing financial accounts. We can’t let “being too busy” be an excuse for giving away the keys to the company data”, added Bullock.
”We utilize a number of tools to protect our clients from phishing, including Sophos, Zix, and Knowbe4 as well as others. While this cuts down the noise, the threats continue to evolve and that is why end-user education and awareness training is always key” said Mark Hicks of Mathe.
Samantha “Sam” Motz of Motz Technologies LLC said, ”We use a three-prong approach when it comes to fighting back against phishing. Like all network security, it works best in layers. We provide user training, mail filtering, and finally expert analysis. We provide regular online training sessions that our clients can attend.”
”In these sessions, we review common ways to spot phishing E-mails, what to do if you fall victim to one, and how to get help if you are not sure if an E-mail is phishing or not. Our filtering platform of choice is Proofpoint. We find that it helps filter out a vast amount of junk and phishing emails while still being easy enough for end-users to understand and use. If something does slip past ProofPoint and clients are not sure if it’s phishing or not, they can forward the message to our helpdesk. We then review the message in detail to determine if it is phishing or legitimate”, added Motz.
Email Security Solutions
Email Security solutions are designed to defend systems against email threats such as phishing and ransomware.
Paul Bush, Principal Consultant of OneSource Technology, Inc. said the following:
We use a three-layered approach with our clients:
1 — Training — we have produced a short security training video that we provide to clients, many of them have worked it into their new hire onboarding process and have their employees review it annually and complete a quiz.
2 — Barracuda — all of our clients have their email filtered through our Barracuda appliances. The provides the first line of defense and allows us a central point to manage our clients’ email filtering.
3 — IRONSCALES — we use IRONSCALES anti-phishing protection for our clients with Office 365. This service looks at their mailbox and identifies first-time senders with a warning banner and also identifies spoofed senders with a warning banner. In addition to these visual warnings, the service also quarantines obvious phishing and spam emails.
Ashu Singhal of Orion Networks said, ”We have been using Barracuda Email Security solutions for protecting our clients for years now and have been quite happy with it. While we educate our end users with one-time training, nothing trains them better than seeing the daily quarantine box. Our clients are always impressed with how many phishing emails it catches, even the ones that try to be “quite” creative”.
”When they actually see Barracuda flagging a SPAM email of what they initially thought was a genuine one, that stays forever and makes them extra cautious next time they do a “click before read” behavior. Additionally, our engineers have come to love the ability to implement various configuration options and customizations it provides”, added Singhal.
”While we seem to be continuously hearing of other high profile security breaches in the news, email and the common employee’s lack of security awareness continue to be the biggest threats to an organization’s cybersecurity. Security is best deployed in layers. It is common to see threats breach any one layer. Having multiple layers of security helps ensure that a threat is stopped before reaching the last line of defense, the employee”, said Joe Cannata of Techsperts, LLC.
Cannata added, ”The same concept applies to email. Having multiple email security services deployed helps filter out any malicious items before they reach your employees. Inbound and outbound email filtering is the standard. In addition to that, standard layer of security, phishing simulation training is also important to help open the eyes of employees of what to be aware of during their day-to-day. Some of the names in email security that provide these services are Barracuda and IRONSCALES.”
Phishing emails continue to be one of the most common methods that cybercriminals use to gain access to networks, financial data, credentials, and more. These types of attacks continue to be carried out by cybercriminals because they view them as one of the easiest attacks that will allow them to wreak the type of havoc they want. Protecting against phishing threats will require an effective anti-phishing strategy. Developing and implementing anti-phishing strategies can help to reduce an organization’s exposure to phishing attacks and other cyberattacks.