Page 14 - Cyber Defense eMagazine - September 2017
P. 14
Even highly sophisticated attackers, such as state sponsored actors, routinely use non-
technological phishing campaigns to gain an initial foothold inside target networks, usually by
stealing user login credentials.
Above is a real BEC (business email compromise) phishing lure - These are also known as
CEO scams
Phishing Defense
How, then, can we effectively change the security behaviors of users, particularly when they’re
performing a standard office task such as checking their email.
The answer is simple, but not obvious: Phish them yourself.
Think about it. If you wanted to get better at bird spotting, you’d buy some books, look at the
pictures, and then… Go out and start trying to identify birds.
Naturally, if you want your users to get better at identifying phishing emails, the process is much
the same. The stakes are much higher than they would be for a casual hobby, yes, but
nonetheless practice remains the only reliable way of getting better at anything.
Now of course, you’ll need to provide some training first. You’ll need to explain to your users
what the program is designed to achieve, why phishing is such a big deal, and what you expect
from them. Not only that, you’ll need to do all this in a way that gets your users-side; after all,
the success or failure of your program is largely in their hands.
Once all of that is out the way, though, it’s time to start systematically developing realistic
phishing simulations, and sending them to your employees on a regular basis.
14 Cyber Defense eMagazine – September 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide.
