Why the Phishing Blame Game Misses the Point

February 22, 2023 David Higgins


Phishing is a big problem that’s getting even bigger as cybercriminals find new ways to hook employees. With threats coming from every direction – emails on company computers, text and voice messages on mobile devices and in personal communications channels, malicious typosquatting sites, phony marketing QR codes and more – it’s only a matter of time before someone trips up and opens or clicks on something they shouldn’t. When they do, and that phishing attack leads to a damaging data breach, who’s at fault?

The Phishing “Click This, Not That” Contradiction

In the physical world’s airports, train stations and other high-traffic areas, law enforcement posts signs warning people to watch out for suspicious behavior. While public vigilance is critical, citizens aren’t expected to identify shoplifters, challenge those who run red lights or stop unauthorized visitors from entering buildings.

Yet, in the digital world, workforce users (usually outside the IT security department) have become frontline phishing gatekeepers. And they’re flooded with contradictory guidance of “click this, not that.” Think of the HR executive whose job involves reviewing resumes that arrive daily through email, web applications and social media. Or the employee who receives regular emails, supposedly from IT, instructing them to click on links to review company policies and download required software updates. Is it reasonable to expect these people to assess every attachment and link, detecting the malicious from the legitimate with 100% accuracy, 100% of the time? And when a user does fall for a phishing attempt and realizes it too late, are they empowered to report it, or do they try to cover it up, embarrassed or afraid of potential consequences?

Phishing Awareness is Just the Start

Don’t get me wrong. Security is a team game everyone must play, and phishing education is critical. In fact, security leaders identify security awareness training as one of the top three most effective components of a defense-in-depth strategy to combat ransomware. A large body of research shows that regular phishing education can make a positive difference and promote the team game mentality. Teaching users about the real-world ramifications of risky behavior, such as forwarding personal emails to work accounts, can also help dispel the myth that security teams are like all-powerful seatbelts – there to protect people from harm, no matter how fast they’re driving. But phishing education isn’t enough on its own, and phishing prevention strategies that center on human responsibility are unlikely to succeed.

The UK National Cyber Security Centre (NCSC) recently published a post that piqued my interest, asking, “What would we do differently if we were actually encouraging users to click links without fear?” It’s a theoretical question, of course, but it forces an important perspective shift.

What Would It Take to Click Without Fear?

Cyberintruders are constantly innovating and will always find ways to get inside environments. This is one reason Zero Trust has gained such momentum. It’s built on the assumption that any identity or endpoint could be compromised. Because of this, security must start from an assume breach mindset, which recognizes that all users – whether they work in HR, marketing, finance, development or even the IT department – may get phished.

Instead of trying to control every click, the focus stays on controlling what’s actually controllable: for instance, enforcing strong authentication everywhere, practicing good credential hygiene and consistently following the principle of least privilege (for both human and non-human identities) to help prevent credential theft, or implementing allow-listing and application control to help mitigate malicious downloads.

This security approach isn’t about placing blame; it’s about emphasizing awareness AND putting the right layered defenses in place to find and stop attackers quickly. To that end, the NCSC’s defense-in-depth guidance, aimed at preventing phishing email delivery, initial code execution and future harm, is worth a read.

Enough with the Phishing Blame Game

Humans are biologically wired to blame. When bad things happen to us, we instinctively look for reasons beyond ourselves. Even as onlookers, we crave that “who done it” closure. It’s why major breach reports spark waves of speculation and why human error is a common corporate explanation. Yet while the phishing blame game may help us feel better, we’re missing (or ignoring) the more significant point. That is, fault refers to responsibility; responsibility is rooted in trust; and inherent trust – in anyone or anything – must be stripped entirely from the modern security equation.

Identity Security, centered on intelligent privilege controls, lays the foundation for Zero Trust by limiting access to those who need it and only granting the minimum privilege for the task in question. Read our whitepaper, “Zero Trust’s Evolution,” to learn how Identity Security can help today’s digital and cloud-based enterprises enable Zero Trust while achieving measurable risk reduction, operational efficiency and other bottom-line business outcomes.


David Higgins is a senior director in the CyberArk Field Technology Office
