Adopting A Layered Approach To Phishing
In 2019, cyber criminals are finding smarter and more integrated ways to target companies and individuals.
Findings contained in the Department for Digital, Culture, Media & Sport’s Cyber Security Breaches Survey 2019 indicate that a third (32%) of businesses and two in ten charities (22%) report having experienced cyber security breaches or attacks in the last 12 months. And despite the technical advancements made, 80% of these businesses fell victim to a phishing attack.
In 2019, phishing remains one of the primary methods attackers use to target organisations. By studying their targets and employing new methods, hackers can still bypass security filters and prey on employees.
Whether it’s a CEO or junior executive, once a malicious email lands in someone’s inbox, even your most technically-savvy employee can be duped by social engineering.
Hackers often use psychological tricks to get users to act – preying on their desire to be helpful or to follow company procedure.
Adopting a multi-layered approach to stop phishing attacks
Traditionally, defending against a phishing attack often relied on an individual spotting a malicious email. Yet training alone can’t and won’t protect you from phishing. Stopping phishing attacks requires a layered approach which combines employee education with technical controls. Widening your defences in this way will improve your resilience against phishing attacks without disrupting the productivity of your users, and will help you plan for incidents and minimise the damage they cause.
Guidance from the NCSC suggests a four-point, multi-layered approach.
Layer 1: Make it difficult for attackers to reach your users
You can reduce the likelihood of fraudulent emails landing in your inbox by implementing security solutions as your first line of defence. Filtering services usually divert email to spam/junk folders, while blocking services ensure that it never reaches your users. The rules determining blocking or filtering need to be fine-tuned for your organisation's needs. Further to this, employing anti-spoofing controls will make it harder for your domain's email to be spoofed.
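The post does not name specific anti-spoofing controls; the common ones for email are SPF and DMARC records published in DNS. The following is an added example, not code from the original post or from the service it describes: it parses SPF and DMARC record strings and reports settings that leave a domain spoofable (a softfail or permissive `all` mechanism, a monitor-only DMARC policy, partial enforcement). The record strings are constructed samples; a real check would fetch the TXT records for your own domain from DNS first.

```python
"""Check SPF and DMARC records for settings that weaken anti-spoofing.

Added example. The sample records below are constructed; in practice you
would resolve the TXT records for your domain and pass them to these functions.
"""

# Constructed sample records (not real domains or policies).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRICT_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; pct=100"

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> list[str]:
    """Return a list of findings for an SPF record (empty list means strict)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    # The 'all' mechanism decides what happens to senders not listed earlier.
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        findings.append("'+all' passes every sender: spoofing is not restricted at all")
    elif all_term == "~all":
        findings.append("'~all' softfail only marks unlisted senders, it does not reject them")
    elif all_term == "?all":
        findings.append("'?all' is neutral: equivalent to having no policy")
    # Too many lookups makes receivers return permerror and ignore the record.
    lookups = sum(
        1 for t in terms
        if t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower() in LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return a list of findings for a DMARC record (empty list means strict)."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none is monitor only: spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk instead of rejecting it")
    elif policy != "reject":
        findings.append(f"missing or unknown policy {policy!r}")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"subdomain policy {sub_policy!r} leaves subdomains spoofable")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports of abuse")
    return findings


def assess(spf: str, dmarc: str) -> dict[str, list[str]]:
    """Combine both checks; an empty dict value means that record is strict."""
    return {"spf": check_spf(spf), "dmarc": check_dmarc(dmarc)}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strict", STRICT_SPF, STRICT_DMARC)):
        print(label, assess(spf, dmarc))
```

A domain whose records return no findings is the target state; the weak pair above is a common starting point, where SPF only softfails and DMARC merely reports, so a spoofed message still reaches the user's inbox.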
Layer 2: Help users identify and report suspected phishing emails
Educating your employees is vital to ensuring that phishing emails don’t dupe any unsuspecting stakeholders. Informing your users about the nature of the threat posed by phishing and explaining the common features of phishing emails are important messages to get across. This can be further reinforced by running phishing simulations.
Layer 3: Protect your organisation from the effects of undetected phishing emails
Malware is often hidden in phishing emails, or in the websites they link to. To counteract this, ensuring that your business uses supported software and devices is vital, as is making sure your software and devices are regularly kept up to date with the latest patches.
Layer 4: Respond quickly to incidents
When it comes to cyber security attacks, it’s a case of when, not if, your company is targeted. Knowing about an incident sooner rather than later allows you to limit the harm it can cause. Having a structure in place whereby users know how to report incidents, along with logging all attempted attacks, will provide visibility and will inform key stakeholders about the threats posed. Further to this, having an incident response plan will help prevent any further harm.
Are you looking to adopt a multi-layered approach to phishing?
Our Citadel Phishing-as-a-Service options enable companies to safeguard their IT infrastructure against cyber criminals. In particular, our service highlights include:
- Fully managed phishing campaigns - tailored emails to designated employees simulating a phishing attack
- Monthly, Quarterly or Annual Phishing Service
- Flexible recipient / elastic on per user basis
- Tailored report detailing campaign results & recommendations
- Helps to steer cyber training decision making
- Supports business & security compliance
- Security Awareness Training provided as an additional service
Looking to learn more? Check out our simulated phishing as a service page.