10 ??? ???? ????????? ?? ?????? ??? ??????? ?????? ??????????? ??????? ?? 2022

November 9, 2022

1. ???????? ????????? ???????? ??? ?? ??? ???? ??????????? ???????? ??? ?????????? ?????? ???? ?????? ???????????.

  • Training should be comprehensive. User alerts about potentially dangerous online activity, as well as random phishing simulation emails, all play a role.
  • Regular training is required to educate users on what to look for and how to spot social engineering.
  • Avoid training that is one-size-fits-all. One-size-fits-all training, according to Gartner, falls short. To reach all types of people, content must be diverse. Lessons should range from 20 minutes down to one- or two-minute microlearning modules. Training should be interactive and may even include episode-based shows. Various styles, ranging from formal and corporate to edgy and humorous, should be used. Content customization should target specific types of users, such as those in IT, finance or other roles, and those with differing levels of knowledge.

2. ????????? ?????? ?? ?????? ????????? ??? ????? ???????? ?? ??????? — ???? ?????? ??? ?? ??????.

  • Before beginning security awareness training, baseline testing can be used to determine the percentage of users who are vulnerable to simulated attacks. Testing again after training determines the effectiveness of the educational campaign. According to Forrester Research, metrics such as completion rates and quiz performance do not accurately reflect real-world behavior.
  • In order to obtain an accurate measure of user awareness, simulations or campaigns should not be announced ahead of time. Alter the timing and style. If fake phishing emails are sent out every Monday morning at 10 a.m. and all look the same, the employee grapevine will go into overdrive. Workers will alert one another. Some will stand up in their cubicle and broadcast a phishing campaign email to the entire office. Timing should be unpredictable. Styles should also be varied: try using a bank’s corporate logo one week and an IT alert about a security threat the next. Using realistic simulations of tailgaters and unauthorized lurkers, or placing tempting USBs at a facility, similar to using “secret shoppers,” can test in-person awareness. Forrester analyst Jinan Budge recommends that organizations “choose vendors that can help measure your employees’ human risk score” when working with a security awareness provider. Budge adds, “Once you know the risk profile of an individual or department, you can adjust your training and gain valuable insights about where to improve your security program.”
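The baseline-then-retest approach above only pays off if the results are compared in a way that survives small samples and identifies who needs follow-up. The following is an added example (not code from the article or from any awareness-training vendor) that computes the phish-prone rate and report rate per department for a baseline and a post-training campaign, the relative improvement with a minimum sample size, and the repeat clickers worth targeting with role-specific content. The records and field names are constructed assumptions, not any product's export format.

```python
"""Measure whether security awareness training changed behaviour, using
phishing-simulation results: phish-prone and report rates per department for
a baseline campaign and a post-training campaign, plus a per-user click count
to target repeat clickers.

Added example, not code from the article. The records below are constructed
sample data; the field names are assumptions, not any vendor's export format.
"""
from collections import defaultdict

# Constructed results: one record per user per campaign.
# "clicked" = followed the simulated lure, "reported" = flagged it to IT/security.
EVENTS = [
    {"campaign": "baseline", "user": "alice", "dept": "finance", "clicked": True,  "reported": False},
    {"campaign": "baseline", "user": "bob",   "dept": "finance", "clicked": True,  "reported": False},
    {"campaign": "baseline", "user": "carol", "dept": "finance", "clicked": False, "reported": True},
    {"campaign": "baseline", "user": "dave",  "dept": "it",      "clicked": False, "reported": True},
    {"campaign": "baseline", "user": "erin",  "dept": "it",      "clicked": True,  "reported": False},
    {"campaign": "post",     "user": "alice", "dept": "finance", "clicked": False, "reported": True},
    {"campaign": "post",     "user": "bob",   "dept": "finance", "clicked": True,  "reported": False},
    {"campaign": "post",     "user": "carol", "dept": "finance", "clicked": False, "reported": True},
    {"campaign": "post",     "user": "dave",  "dept": "it",      "clicked": False, "reported": True},
    {"campaign": "post",     "user": "erin",  "dept": "it",      "clicked": False, "reported": False},
]


def rates_by_dept(events, campaign):
    """Return {dept: {"n": users, "phish_prone_pct": ..., "report_pct": ...}}
    for one campaign."""
    n = defaultdict(int)
    clicked = defaultdict(int)
    reported = defaultdict(int)
    for e in events:
        if e["campaign"] != campaign:
            continue
        d = e["dept"]
        n[d] += 1
        clicked[d] += int(e["clicked"])
        reported[d] += int(e["reported"])
    return {
        d: {
            "n": n[d],
            "phish_prone_pct": 100.0 * clicked[d] / n[d],
            "report_pct": 100.0 * reported[d] / n[d],
        }
        for d in n
    }


def improvement_by_dept(events, before="baseline", after="post", min_users=3):
    """Relative reduction (in percent) of the phish-prone rate between two
    campaigns, per department. Departments with fewer than min_users in either
    campaign get None: a 0% rate measured on two people is noise, not a result."""
    b = rates_by_dept(events, before)
    a = rates_by_dept(events, after)
    out = {}
    for d in sorted(set(b) | set(a)):
        if d not in b or d not in a or min(b[d]["n"], a[d]["n"]) < min_users:
            out[d] = None
            continue
        before_rate = b[d]["phish_prone_pct"]
        if before_rate == 0.0:
            out[d] = 0.0  # nothing to reduce; the department was already at zero
            continue
        out[d] = 100.0 * (before_rate - a[d]["phish_prone_pct"]) / before_rate
    return out


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for
    targeted, role- and level-specific follow-up training."""
    clicks = defaultdict(int)
    for e in events:
        if e["clicked"]:
            clicks[e["user"]] += 1
    return sorted(u for u, c in clicks.items() if c >= min_clicks)


if __name__ == "__main__":
    for campaign in ("baseline", "post"):
        print(campaign, rates_by_dept(EVENTS, campaign))
    print("improvement:", improvement_by_dept(EVENTS))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

On the constructed data, finance drops from a 66.7% to a 33.3% phish-prone rate (a 50% relative improvement), while IT is reported as insufficient data because only two users took part; the report rate is tracked alongside the click rate because a rising report rate is the behaviour change the training is meant to produce.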

3. ?????? ? ????????? ??????? ?? ?????????
“If you create the right culture,” Grimes says, “you end up with a human firewall that guards the organization against attack.” Well-executed training and testing can help to create a culture of healthy skepticism, in which everyone is taught to recognize a social engineering attack.

4. ?? ?????? ?? ???? ?? ?????? ???????? ??? ????????.
Employees should be able to easily report potential phishing emails and other scams to the help desk, IT, or security. These systems should also make IT’s job easier by categorizing and summarizing reports. A phishing alert button can be added to the company email program.

5. ??????????? ?????????????? (???) ?? ?????????.
Social engineering is frequently used to dupe users into giving up their enterprise email and system access credentials. One method of preventing such first-stage attacks is to require multiple identity verification credentials. MFA may require users to receive a text message on their phone, enter a code in an authenticator app, or otherwise verify their identity in a variety of ways.

6. ???? ? ????? ?????? ?? ?????????????? ??? ?????????? ?????? ????????.
Once a malicious actor gains access to a network, the next step is frequently to compromise an administrative or privileged access account, which allows access to other accounts and significantly more sensitive information. As a result, it is critical that such accounts be provided only on an “as needed” basis and that abuse is closely monitored.

7. ?????? ???? ??? ?????? ???????? ????????? (????) ??? ??????????????.
Additional authentication technology, in addition to MFA, should be used to prevent initial credential breaches from escalating into larger network intrusions. UEBA can detect sign-ins from unusual locations or at unusual times, among other deviations from a user’s normal behavior. When a new device is used to access an account, alerts should be sent and additional verification steps should be taken.
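The behaviour-baseline idea above is simple enough to demonstrate end to end. The following is an added example (not code from the article and not the logic of any UEBA product) that walks a sign-in log chronologically, builds a per-user baseline of known devices, countries and sign-in hours, and then scores each later sign-in against that baseline: one deviation calls for extra verification, two or more hold the session for review. The log lines and their field layout are constructed for illustration; a real product would use distributions rather than plain sets for hours and would enrich location from IP data.

```python
"""Flag sign-ins that deviate from a user's own baseline: an unfamiliar device,
an unfamiliar country, or an hour of day at which the user has never signed in.

Added example, not code from the article and not any UEBA product's logic.
The log lines and their field layout are constructed for illustration.
"""
from datetime import datetime

# Constructed sign-in log: "<ISO timestamp> <user> <country> <device id>".
LOG = """\
2022-10-03T08:12:00 alice US laptop-a1
2022-10-04T08:40:00 alice US laptop-a1
2022-10-05T09:05:00 alice US laptop-a1
2022-10-06T08:55:00 alice US laptop-a1
2022-11-01T03:20:00 alice RO win-7f3c
2022-11-02T09:10:00 alice US laptop-a1
"""

MIN_HISTORY = 3  # sign-ins to observe before a user is scored at all


def parse_log(text):
    """Parse the constructed log into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, country, device = line.split()
        events.append({"ts": ts, "user": user, "country": country, "device": device,
                       "hour": datetime.fromisoformat(ts).hour})
    return sorted(events, key=lambda e: e["ts"])


def learn(baseline, event):
    """Fold one trusted sign-in into the user's baseline."""
    baseline["count"] += 1
    baseline["devices"].add(event["device"])
    baseline["countries"].add(event["country"])
    baseline["hours"].add(event["hour"])


def reasons_for(event, baseline):
    """Compare one sign-in with what has been seen for that user before."""
    reasons = []
    if event["device"] not in baseline["devices"]:
        reasons.append("new device")
    if event["country"] not in baseline["countries"]:
        reasons.append("new country")
    if event["hour"] not in baseline["hours"]:
        reasons.append("unusual hour")
    return reasons


def detect(text, min_history=MIN_HISTORY):
    """Walk the log chronologically. Each sign-in is judged only against the
    user's earlier, non-anomalous sign-ins. Returns a list of alerts
    (timestamp, user, reasons, action): one deviation -> require extra
    verification; two or more -> hold the session for review."""
    baselines = {}
    alerts = []
    for e in parse_log(text):
        b = baselines.setdefault(e["user"], {"count": 0, "devices": set(),
                                              "countries": set(), "hours": set()})
        if b["count"] < min_history:
            learn(b, e)  # still building the baseline; nothing to compare against yet
            continue
        reasons = reasons_for(e, b)
        if not reasons:
            learn(b, e)  # normal sign-in: the baseline keeps tracking the user
            continue
        action = "step-up verification" if len(reasons) == 1 else "hold for review"
        alerts.append((e["ts"], e["user"], reasons, action))
        # Anomalous sign-ins are deliberately not learned here: add them only
        # after the extra verification succeeds, otherwise an attacker who gets
        # in once teaches the baseline to accept the new device and location.
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG):
        print(*alert)
```

On the constructed log, the 03:20 sign-in from a new country on an unseen device is the only alert and is held for review; the cold-start rule (no scoring until three sign-ins are known) is what keeps a brand-new account from generating an alert on every login.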

8. ?????? ????? ???????? ??? ??????? ????????? ????.
Secure email gateways, while not perfect, reduce the number of phishing attempts and malicious attachments that reach users.

9. ???? ??????????? ????????, ???????? ??????? ??? ???????? ???????.
Keeping up to date on releases, patches, and upgrades reduces both the number of malicious social engineering attempts that reach users and the damage that occurs when users fall for deception or otherwise make an erroneous click.

10. ???????, ??? ???? ??? ?? 100% ????????? ??????? ???? ??????????? ?? ?? ?????? ??? ????? ???? ??? ???, ???? ????? ?????, ??? ????? ??????????? ???? ??? ??????? ?????.
Short of that, security personnel can become so paranoid that they implement a cumbersome tangle of safeguards that stifle every process in the organization. The inefficient TSA checkpoints at every airport are a good example. The process has harmed the public’s perception of air travel. Similarly, a balance between security and productivity must be maintained in cybersecurity.
