Users are central to most phishing attacks: it is usually a user who, inadvertently, gives an attacker the foothold they go on to exploit, so users play a critical role in organisational security. Security policy and technologies must enable users to work effectively while contributing to a secure environment. A regular, concise and engaging awareness programme increases organisational cyber security knowledge and engenders a security-conscious culture.
Unsurprisingly, cyber criminals’ most common method of exploiting users is social engineering delivered by email, which attempts to lure the user into performing an action: opening an attachment containing malicious code (file-based), or clicking a link to a malicious website (file-less). In our cloud-based world of frictionless experiences it feels entirely natural to users (particularly younger generations, who are often more susceptible) to click a link that opens the browser and then enter their credentials, so file-less attacks are increasingly difficult to defend against. Highlighting attackers’ latest techniques with realistic examples, giving users tips for identifying suspicious emails and teaching them the correct reporting procedure are the most effective countermeasures to social engineering.
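The "tips for identifying suspicious emails" above are the same checks a triage script can apply before a user ever sees the message: a sender domain that is one character away from the organisation’s own, a display name that borrows the organisation’s name while the address does not, a Reply-To pointing somewhere else, link text showing one domain while the href goes to another (the file-less lure), and a double-extension attachment (the file-based lure). The script below is an added example, not Littlefish’s code; it assumes the organisation’s own domain is example.com, and both messages it analyses are constructed samples.

```python
"""Heuristic triage of an email for the phishing signs described in the text.

Added example, not Littlefish code. Assumptions: the organisation's own
domain is example.com; PHISH and BENIGN are constructed sample messages.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}   # assumption: the organisation's own domain
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk", ".docm", ".xlsm")
# Something that looks like a URL or bare domain inside visible anchor text.
DOMAIN_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample: lookalike sender, foreign Reply-To, link text that does not
# match its href (file-less lure) and a double-extension attachment (file-based lure).
PHISH = """From: "Example IT Helpdesk" <helpdesk@examp1e.com>
Reply-To: collect@mail-drop.test
To: user@example.com
Subject: Action required: your password expires today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<html><body><p>Sign in now to keep access:</p>
<a href="http://login.examp1e.com/sso">https://sso.example.com/login</a></body></html>
--b1
Content-Type: application/octet-stream; name="policy.pdf.exe"
Content-Disposition: attachment; filename="policy.pdf.exe"

MZ-not-really-a-binary
--b1--
"""

# Constructed sample: an ordinary internal message that should raise nothing.
BENIGN = """From: "Alice Smith" <alice@example.com>
To: user@example.com
Subject: Lunch?

Are you free at 12:30?
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registrable domain (last two labels); production code should use the Public Suffix List."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse(raw):
    """Return a list of (finding_code, detail) for the raw RFC 822 message text."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    sender = registrable(addr.rpartition("@")[2])

    if sender not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(sender, trusted) <= 2:
                findings.append(("lookalike_sender", f"{sender} resembles {trusted}"))
            if trusted.split(".")[0] in name.lower():
                findings.append(("brand_in_display_name", f"'{name}' sent from {sender}"))

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and registrable(reply.rpartition("@")[2]) != sender:
        findings.append(("reply_to_mismatch", f"replies go to {reply}, not {addr}"))

    for part in msg.walk():
        fname = part.get_filename()
        if fname and fname.lower().endswith(RISKY_EXTENSIONS):
            findings.append(("risky_attachment", fname))
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            collector = LinkCollector()
            collector.feed(html)
            for href, text in collector.links:
                shown = DOMAIN_RE.search(text)
                target = urlparse(href).hostname or ""
                if shown and registrable(shown.group(1)) != registrable(target):
                    findings.append(("link_text_mismatch", f"text shows {shown.group(1)}, href goes to {target}"))
    return findings


if __name__ == "__main__":
    for code, detail in analyse(PHISH):
        print(f"{code:24} {detail}")
    print("benign findings:", analyse(BENIGN))
```

Treat each finding as a signal rather than a verdict: a Reply-To that differs from From is routine for ticketing systems and mailing lists, and registrable() collapses to the last two labels, which misjudges domains such as example.co.uk unless you swap in the Public Suffix List.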
Simulated phishing attacks support this strategy by regularly delivering ‘fake’ emails to a sample of users. Not only does this provide detailed reporting on susceptibility by ‘successful’ attack type, individual user or department, it also:
- provides the immediate opportunity to deliver education (e.g. an explainer video) to exploited users while they are highly receptive
- enables future education & awareness material and delivery to focus on highest risk threats
- allows anonymised data across all customers to provide benchmarking and isolate trends affecting different organisation types or industries
Supplementing this approach with two-factor authentication, combining something users have (a device) with something they know (a password), further mitigates the risk from passwords compromised through credential-harvesting attacks and raises users’ risk perception of ‘standard login’ applications. One caveat: a one-time code is valid for a short window, so a phishing page that relays it to the genuine site in real time can still defeat it; only phishing-resistant factors such as FIDO2/WebAuthn, which bind the response to the site’s origin, close that gap.
Learn more about Littlefish’s User Education & Awareness Services.
About Katy Hinchcliffe
Littlefish Head of Cyber Security Katy Hinchcliffe is a highly regarded cyber security leader. With over a decade’s experience delivering a broad range of cyber security services to enterprise clients for the global IT outsourcer Capgemini, notably managing the prevent, detect and respond functions on behalf of Rolls-Royce, Katy is now responsible for developing Littlefish’s Cyber Security practice.