Successful phishing attacks - tricking your employees into clicking a link and then taking an action, such as providing information to a fake web page - is the primary vector for ransomware infections.
But it’s really not that simple.
Ransomware exploits weaknesses in training, but also in how you have architected and executed on your overall information technology and information security fabric.
Even if you removed phishing completely (which is hard), ransomware would still present a threat.
So when vendors tell you that the “solution” to phishing is to let them mount mock phishing attacks against your employees, take it with a grain of salt.
Sure, used prudently, phishing exercises and tests can give you data about the state of preparedness your company has to withstand a phishing campaign.
But it is important to remember that “readiness” here doesn’t just mean, “Will my people click the link?” It also means very important things such as:
- “Can my systems stop the link from reaching my people?” and,
- “If my people do click a link, how good are we at defending against what happens next?”
Another reason not to put too much stock in phishing testing is that, unless it’s done well, you’ll be teaching the wrong lessons. Some of the companies that conduct these drills will tell you that your fake phishing test should be as ruthlessly real as the real thing, or else it’s not worth much.
“Hackers,” they’ll tell you, “won’t pull any punches, so neither should you.”
Yes and no. The last thing you want to do is set up an adversarial relationship between your employees and your information security or information technology leadership and teams.
Make no mistake, you’re fomenting bad will when you, or some company you’ve hired, send out that oh-so-clever phishing test - the one about “Click here for information about this year’s Christmas bonus.”
Is that kind of thing a realistic phish? You betcha.
Might hackers actually try something like that? Less often than you’d think, but, sure.
The difference, though, is that the ransomware criminals don’t have to work with Bob in accounting and Alice in Dev after they mount such an offensive trick, one that plays on Bob’s and Alice’s desires and hopes, and crushes them like a grape.
The incentives here are mismatched. The companies selling We Phish Your Team are selling Gotchya! As a Service! Their incentive is to use every trick in the book to make your people click so the company can show you how bad it all is.
But as an organization, your incentive is different - and it’s a nuanced difference. You want to raise awareness, and lower the number of successful campaigns against you at the lowest cost overall.
For that, again and again we in the industry have learned that the best defenses against phishing are:
-
Awareness training Show your employees how to spot fakes, from a general sense of diligence, to mousing over links, to matching URLs in the sender address field. Do this regularly.
-
Empowerment Make sure your employees know that they can ask questions and get help for the asking - no one is going to say they’re asking a dumb question. By supporting employees with help to make the right decision about “To click or not to click”, you reduce the numbers who will make the wrong choice.
-
Good filtering and mail hygiene They can’t click it if it doesn’t reach their inbox.
-
Good Post-Click Detection - Thinking Past the Phish Should the worst happen, and an employee clicks on a fake link and gets infected, what’s going to happen?
- Is your organization ready to detect it?
- Have you got your backups in order, and your restoration procedures tested regularly?
- Are you properly logging outbound DNS requests and other critical breadcrumbs so your incident responders can figure out what’s going on and stop the bleeding quickly?
-
Hardware tokens it’s not a myth: Google reduced to zero the number of its employes successfully phished after deploying hardware tokens. Sure, your employee might click on a link to out1ook.com, but a hardware token won’t authenticate to the wrong site.
Paying attention to these issues, and working on the long game as opposed to the easy fix, is the best way to combat phishing.