How to block phishers when they come a knockin'

Like an angler casting a line into the water, a phisher waits for the slightest nibble, a single click or reply, before pouncing on a network.

Eyal Benishti, CEO of IronScales, says the way to cut off the phishers' food supply is to first go to the core of the issue: employee awareness. The CEO notes that cybercriminals by nature are lazy. “If your organization is a tough nut to crack, they will move on to find more low-hanging fruit,” Benishti says.

According to the Verizon Data Breach Investigations Report published earlier this year, phishing remains a major weapon of choice for causing data breaches. Trend Micro, meanwhile, expects ransomware to be one of the biggest threats of 2016, with individual ransom demands climbing much higher, into seven figures.

Here are some recommendations Benishti has for enterprises:

1. Launch phishing simulations

Running phishing simulations, followed by targeted, gamified training for those who fell for them, is a proven way to increase awareness and reduce risk.

Repeat the process at least once every two months; changing behavior is a process, not a one-off event. Training is important, but continuous assessment is even better for setting the right mindset.

2. Use gamification as a training methodology

Let’s admit it, people hate training. They are sick and tired of videos and training wizards with boring slides and bullets. Meanwhile, for security managers, the result is not really measurable.

This is why interactive training, or ‘gamification’, is much more engaging. People also love chasing high scores and collecting awards, so why not use that?

Create fun and interactive games to deliver your messages!

3. Definitely include your senior management

They are prime targets, especially for spear phishing and whaling. Make no exceptions. Publicly promote their participation; it sets a good example for the rest of the company.

4. Use real-life examples

It’s best to hit employees with emails they might actually receive. Vary the difficulty and start from the ground up. Don’t expect people to recognize advanced phishing examples from day one. Teach them step by step, in both the phishing scenarios and the training modules.

5. Enforce training, and follow employee progress

To make it effective, employees must understand this is serious. Those who skip the training need to be reminded. It’s your job to make sure they like it; it’s all about the messaging. They need to understand that they have a critical role in protecting the company and its assets.

6. Encourage ongoing phishing reports

Make sure each and every employee knows how to report suspicious emails to the security team. Many people assume that the on-premises technology will automatically stop every malicious email and attachment for them. Make sure they understand that they are an active line of defense.
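Steps 1, 5 and 6 above describe a measurable loop: run a simulation, see who clicked and who reported, follow each employee's progress, and repeat every couple of months. The script below is an added example of how a security team might score that loop; it is not code from the article or from IronScales. The campaign records are constructed sample data, and the field names, the two-click threshold for follow-up training and the "never reported" rule are assumptions chosen for illustration.

```python
"""Score a phishing-simulation program across campaigns.

Added example, not part of the original article. All records below are
constructed sample data; field names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Outcome:
    """One employee's result in one simulated phishing campaign.

    clicked_at / reported_at are None when that action never happened.
    """
    campaign: str
    user: str
    sent_at: datetime
    clicked_at: Optional[datetime] = None
    reported_at: Optional[datetime] = None


def _t(day: str, hhmm: str) -> datetime:
    return datetime.fromisoformat(f"{day} {hhmm}")


# Constructed sample data (assumption): two campaigns two months apart, matching
# the "at least once every two months" cadence. The first is a fake invoice, the
# second a harder fake password reset. Same five employees in both.
SAMPLE_OUTCOMES: List[Outcome] = [
    Outcome("2016-03 invoice", "alice", _t("2016-03-01", "09:00"), clicked_at=_t("2016-03-01", "09:12")),
    Outcome("2016-03 invoice", "bob", _t("2016-03-01", "09:00"), clicked_at=_t("2016-03-01", "09:05"),
            reported_at=_t("2016-03-01", "09:20")),  # clicked, then reported it anyway
    Outcome("2016-03 invoice", "carol", _t("2016-03-01", "09:00"), reported_at=_t("2016-03-01", "09:03")),
    Outcome("2016-03 invoice", "dave", _t("2016-03-01", "09:00"), clicked_at=_t("2016-03-01", "10:40")),
    Outcome("2016-03 invoice", "erin", _t("2016-03-01", "09:00")),  # ignored the mail
    Outcome("2016-05 password reset", "alice", _t("2016-05-02", "09:00"), reported_at=_t("2016-05-02", "09:08")),
    Outcome("2016-05 password reset", "bob", _t("2016-05-02", "09:00"), clicked_at=_t("2016-05-02", "09:30")),
    Outcome("2016-05 password reset", "carol", _t("2016-05-02", "09:00"), reported_at=_t("2016-05-02", "09:02")),
    Outcome("2016-05 password reset", "dave", _t("2016-05-02", "09:00"), clicked_at=_t("2016-05-02", "09:15")),
    Outcome("2016-05 password reset", "erin", _t("2016-05-02", "09:00"), reported_at=_t("2016-05-02", "09:45")),
]


def campaign_metrics(outcomes: List[Outcome]) -> Dict[str, dict]:
    """Per-campaign click rate, report rate and minutes until the first report.

    Minutes-to-first-report is how long the security team would have waited to
    hear about a real campaign of this kind; None if nobody reported at all.
    """
    by_campaign: Dict[str, List[Outcome]] = defaultdict(list)
    for o in outcomes:
        by_campaign[o.campaign].append(o)
    metrics: Dict[str, dict] = {}
    for name, rows in by_campaign.items():
        sent = len(rows)
        clicks = sum(1 for r in rows if r.clicked_at is not None)
        reports = sum(1 for r in rows if r.reported_at is not None)
        delays = [(r.reported_at - r.sent_at).total_seconds() / 60
                  for r in rows if r.reported_at is not None]
        metrics[name] = {
            "sent": sent,
            "click_rate": round(clicks / sent, 2),
            "report_rate": round(reports / sent, 2),
            "minutes_to_first_report": min(delays) if delays else None,
        }
    return metrics


def repeat_clickers(outcomes: List[Outcome], min_clicks: int = 2) -> List[str]:
    """Users who clicked in at least min_clicks campaigns: queue them for follow-up training."""
    clicks: Dict[str, int] = defaultdict(int)
    for o in outcomes:
        if o.clicked_at is not None:
            clicks[o.user] += 1
    return sorted(u for u, n in clicks.items() if n >= min_clicks)


def never_reported(outcomes: List[Outcome]) -> List[str]:
    """Users who have not reported a single simulation: remind them how reporting works."""
    users = {o.user for o in outcomes}
    reporters = {o.user for o in outcomes if o.reported_at is not None}
    return sorted(users - reporters)


def click_rate_trend(outcomes: List[Outcome]) -> List[Tuple[str, float]]:
    """(campaign, click_rate) in send order, so progress between campaigns is visible."""
    metrics = campaign_metrics(outcomes)
    first_sent: Dict[str, datetime] = {}
    for o in outcomes:
        first_sent[o.campaign] = min(first_sent.get(o.campaign, o.sent_at), o.sent_at)
    return [(c, metrics[c]["click_rate"]) for c in sorted(first_sent, key=first_sent.get)]


if __name__ == "__main__":
    for name, m in campaign_metrics(SAMPLE_OUTCOMES).items():
        print(name, m)
    print("repeat clickers:", repeat_clickers(SAMPLE_OUTCOMES))
    print("never reported:", never_reported(SAMPLE_OUTCOMES))
    print("click-rate trend:", click_rate_trend(SAMPLE_OUTCOMES))
```

Two design points: minutes-to-first-report is tracked separately from the report rate because a single fast report is what lets the security team pull a real campaign from other inboxes, and someone who clicks but still reports (bob in the first campaign) counts on both sides, since the report is the behavior the program is trying to build.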

Ever vigilant

Phishing is the No. 1 vehicle cyber criminals use to deliver malicious software to your organization. The level of sophistication is increasing dramatically, so traditional defenses are lagging behind. Make sure people are aware of the risk and well trained to spot and report it as it happens.

IDG Insider

IDG News Service