1. Security awareness training may be the most fundamental practice for preventing damage from social engineering.
- Training should be comprehensive. User alerts about potentially dangerous online activity, as well as random phishing simulation emails, all play a role.
- Regular training is required to educate users on what to look for and how to spot social engineering.
- Avoid training that is one-size-fits-all. One-size-fits-all training, according to Gartner, falls short. To reach all types of people, content must be diverse. It should vary in length, from 20-minute sessions down to one- to two-minute microlearning lessons. It should be interactive and may even include episode-based shows. Various styles, ranging from formal and corporate to edgy and humorous, should be used. Content customization should target specific types of users, such as those in IT, finance or other roles, and those with differing levels of knowledge.
2. Employees should be tested regularly for their response to threats — both online and in person.
- Before beginning security awareness training, baseline testing can be used to determine the percentage of users who are vulnerable to simulated attacks. Testing again after training determines the effectiveness of the educational campaign. According to Forrester Research, metrics such as completion rates and quiz performance do not accurately reflect real-world behavior.
- In order to obtain an accurate measure of user awareness, simulations or campaigns should not be announced ahead of time. Alter the timing and style. If fake phishing emails are sent out every Monday morning at 10 a.m. and all look the same, the employee grapevine will go into overdrive. Workers will alert one another. Some will stand up in their cubicle and broadcast a phishing campaign email to the entire office. Timing should be unpredictable. Styles should also be updated: try using a bank’s corporate logo one week and an IT alert about a security threat the next. Using realistic simulations of tailgaters and unauthorized lurkers, or placing tempting USBs at a facility, similar to using “secret shoppers,” can test in-person awareness. Forrester analyst Jinan Budge recommends that organizations “choose vendors that can help measure your employees’ human risk score” when working with a security awareness provider. Budge adds, “Once you know the risk profile of an individual or department, you can adjust your training and gain valuable insights about where to improve your security program.”
3. Foster a pervasive culture of awareness.
“If you create the right culture,” Grimes says, “you end up with a human firewall that guards the organization against attack.” Well-executed training and testing can help to create a culture of healthy skepticism, in which everyone is taught to recognize a social engineering attack.
4. It should be easy to report attempts and breaches.
Employees should be able to easily report potential phishing emails and other scams to the help desk, IT, or security. These systems should also make IT’s job easier by categorizing and summarizing reports. A phishing alert button can be added to the company email program.
5. Multifactor authentication (MFA) is important.
Social engineering is frequently used to dupe users into giving up their enterprise email and system access credentials. One method of preventing such first-stage attacks is to require multiple identity verification credentials. MFA may require users to receive a text message on their phone, enter a code in an authenticator app, or otherwise verify their identity in a variety of ways.
6. Keep a tight handle on administrative and privileged access accounts.
Once a malicious actor gains access to a network, the next step is frequently to compromise an administrative or privileged access account, which allows access to other accounts and significantly more sensitive information. As a result, it is critical that such accounts be provided only on an “as needed” basis and that abuse is closely monitored.
7. Deploy user and entity behavior analytics (UEBA) for authentication.
Additional authentication technology, in addition to MFA, should be used to prevent initial credential breaches from escalating into larger network intrusions. UEBA can detect unusual locations, login times, and so on. When a new device is used to access an account, alerts should be sent and additional verification steps should be taken.
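To make the UEBA idea concrete, here is an added example (not code from the article or any product it mentions) that builds a per-user baseline from a few constructed authentication log lines and flags a login from a first-seen device, a first-seen country, or an unusual hour, which is the point at which step-up verification should be triggered. The JSON field names, the baseline size and the hour slack are assumptions for the illustration.

```python
"""UEBA-style login anomaly check over constructed auth log lines (added example)."""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). The first three logins form alice's baseline;
# the fourth comes from a new device, a new country and at 03:40 UTC.
SAMPLE_LOG = """
{"user": "alice", "ts": "2024-03-04T09:12:00Z", "device_id": "laptop-a1", "country": "US"}
{"user": "alice", "ts": "2024-03-05T08:55:00Z", "device_id": "laptop-a1", "country": "US"}
{"user": "alice", "ts": "2024-03-06T10:03:00Z", "device_id": "laptop-a1", "country": "US"}
{"user": "alice", "ts": "2024-03-07T03:40:00Z", "device_id": "phone-x9", "country": "RO"}
""".strip()

BASELINE_EVENTS = 3  # assumed: logins needed before a user is judged against a baseline
HOUR_SLACK = 2       # assumed: hours beyond the observed window still treated as normal


def analyze(log_text):
    """Return [(user, ts, [reasons])] for logins that deviate from the user's baseline."""
    history = defaultdict(lambda: {"devices": set(), "countries": set(), "hours": []})
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        prof = history[ev["user"]]
        hour = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
        reasons = []
        if len(prof["hours"]) >= BASELINE_EVENTS:  # only judge once a baseline exists
            if ev["device_id"] not in prof["devices"]:
                reasons.append("new device")
            if ev["country"] not in prof["countries"]:
                reasons.append("new country")
            lo, hi = min(prof["hours"]) - HOUR_SLACK, max(prof["hours"]) + HOUR_SLACK
            if not lo <= hour <= hi:
                reasons.append("unusual login hour")
        if reasons:
            findings.append((ev["user"], ev["ts"], reasons))
        # Update the profile after judging, so an anomalous login cannot mask itself.
        prof["devices"].add(ev["device_id"])
        prof["countries"].add(ev["country"])
        prof["hours"].append(hour)
    return findings


def requires_step_up(findings, user):
    """True when any finding for the user should trigger additional verification."""
    return any(f[0] == user for f in findings)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

In production the baseline would come from weeks of history and the hour window would wrap around midnight; the structure (profile first, judge, then update) is what carries over.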
8. Secure email gateways are another important tool.
Secure email gateways, while not perfect, reduce the number of phishing attempts and malicious attachments that reach users.
9. Keep antimalware releases, software patches and upgrades current.
Keeping up to date on releases, patches, and upgrades reduces both the number of malicious social engineering attempts that reach users and the damage that occurs when users fall for deception or otherwise make an erroneous click.
10. Finally, the only way to 100% guarantee freedom from cyberattack is to remove all users from the web, stop using email, and never communicate with the outside world.
Short of that, security personnel can become so paranoid that they implement a cumbersome tangle of safeguards that stifle every process in the organization. The inefficient TSA checkpoints at every airport are a good example. The process has harmed the public’s perception of air travel. Similarly, a balance between security and productivity must be maintained in cybersecurity.