Cybersecurity Awareness Month 2022 prioritizes education for improving phishing recognition and reporting. Security leaders agree, ranking employee training as the second-most effective defense-in-depth layer for ransomware protection. Overall security awareness is up, but cyberattackers keep phishing. The question is, why do people keep biting?
Inherent Trust Gives Phishing Attackers a Leg Up
Psychological studies on everything from brain chemistry to infant behavior to Ponzi schemes suggest we can’t help ourselves: Humans are hardwired to trust.
Since the beginning of time, criminals have studied human behavior to exploit trust (remember the Trojan Horse in history class?). Only their methods have changed, and they keep getting better with technology’s help. Today, as users work from anywhere, toggling frequently between corporate and personal devices, these factors work in attackers’ favor:
- Easier social engineering. Employees are conducting more of their personal lives online, making it easy for attackers to conduct reconnaissance and connect with them on social networks. When someone has access to a valuable corporate asset, an attacker may spend months building a relationship with them before sending a phishing email containing malicious code.
- More identities to exploit. The expanded use of SaaS tools is generating new identities that end up inadequately secured and monitored. With some tools, every time a new team is set up, an email account is created for the team to use. An attacker can compromise this account or generate a fake account to send messages to the team.
- New ways to deceive. With so many new digital tools in the mix, workers may be less likely to question out-of-the-ordinary requests or changes in workflow.
Part of our job as defenders is arming workforce users with the knowledge and skills to thwart phishing attempts. Another is thinking like an attacker, recognizing that someone will slip up, think a phony call is legit, get fatigued by too many MFA prompts or be tricked by some novel phishing tactic.
Eight Ways to Fight Phishing and Move Closer to Zero Trust
People will always have trust issues. This may be why 88% of security leaders agree that Zero Trust is the way. This approach centers on assessing every request to access a corporate resource — data, applications and infrastructure — before granting access and then tightly limiting access for verified users and devices.
Part of viewing cybersecurity through a Zero Trust lens involves taking proactive steps to make your access systems more phishing-resistant, help end users recognize phishing attempts and reduce potential damage by deploying mechanisms to minimize impact if users are lured into taking the bait.
- Set up phishing-resistant multifactor authentication (MFA) mechanisms such as FIDO, QR codes or physical tokens.
- Implement foundational Zero Trust policies like requiring users to register phishing-resistant authenticators, using step-up authentication prompts when sensitive apps are launched or sensitive information is changed, mandating MFA for personal profile modifications and setting up automatic alerts that flag risky user behavior.
- Segment your network. This way, when phishing is successful, the attacker’s movement inside the network will be restricted and access to sensitive resources will be blocked.
- Secure your devices. Endpoint security hygiene is imperative, as devices are more exposed to phishing and malware in perimeter-less environments. One major operational challenge to overcome will be maintaining a full, up-to-date inventory of users and devices.
- Revisit your BYOD policies. The difficulties of verifying devices can be compounded by unmanaged devices. Shipping hardened corporate laptops to remote workers is not always feasible. And workers may still connect to Internet-facing corporate applications from a personal device. Consider implementing minimum standards for strengthening hybrid workers’ home networks, such as changing default router credentials and using strong WiFi passwords.
- Conduct periodic phishing exercises. Returning to psychology, a well-known cognitive bias known as the Dunning-Kruger Effect highlights people’s tendency to overestimate their own capabilities. Live-test scenarios and Red Team exercises can help challenge thinking, uncover blind spots and strengthen security defenses.
- Foster greater collaboration across various business functions and IT security teams to improve identity governance and lifecycle management practices such as deprovisioning accounts when users exit their roles, conducting “know your employees” assessments, training third-party users and continuously monitoring access.
- Lean on expert guidance across people, process and technology. This is where the domain knowledge and experience of your cybersecurity provider matters. With access to educational resources and an expert team that understands your business goals, your security organization can improve outcomes in areas such as access reviews and collections monitoring, virus scan performance testing, penetration testing, resolving stalled workflows and processes, and delivering the right reports for the right stakeholders.
Assuming people will trust too much is woven into Zero Trust’s “trust nothing, verify everything” philosophy. Identity Security offers a set of technologies that can help your organization enable Zero Trust more efficiently. As your team prioritizes phishing prevention this Cybersecurity Awareness Month, the Identity Defined Security Alliance provides a useful framework to help you #BeIdentitySmart and understand the technology components — from devices to network, applications and storage — that require protection at the identity level.