Jack Danahy
Jul 2016

Phishing Protection: 4 Ways to Prepare for User Mistakes

Twenty years ago, hackers attempted to breach organizations by breaking holes (or finding them) in the network perimeter of organizations, or in exposed and critical servers. In response, security became focused on locking those things down. The result: a “hard, crunchy outside” that unfortunately still left internal users, systems, and networks unprotected.

Modern attackers have long since realized the easiest way to deliver their attack tools is to focus on the “soft, chewy center” of the organization. And the very softest part is the ambulatory, 98.6 degree system: the user.

Why Employees Get Targeted (and Fall For) Phishing Scams

Users are susceptible to all manner of phishing cons, from free software to fake websites, from unsolicited photos to Nigerian fortunes. They unwittingly type their credentials into fraudulent screens. They click on malicious links that install system monitors, ransomware, backdoors, and bots.

It’s hard to blame them.

Social networks, particularly LinkedIn and Facebook, serve up all the information, contacts, and backstory necessary to make a forged message look real. When that message appears to come from a high-level executive, it’s very easy for any employee at an organization to be duped.

When the user interacts with these messages — getting hooked by the phishing attack — the attackers have everything they need to launch a much more substantial penetration. For these reasons, phishing has become the delivery vehicle for all manner of corruption.

The cost of these attacks is in the billions of dollars and mounting (the FBI estimates CEO fraud email scams alone have cost organizations more than $2.3 billion in the past three years), and their profitability continues to spawn new criminals and increasingly sophisticated new tools.

Preventing these losses starts and ends with supporting the users — protecting them from themselves, and, while they develop better habits, protecting the organization from their mistakes.

Employees Still Need Protection During and After Security Training

Like adopting any new skill, training users to recognize the warning signs of a phishing email — and to develop better security habits in general — takes time. Security awareness training providers like PhishMe, KnowBe4 and Wombat Security can help organizations gradually reduce the average phishing campaign’s success rate to single digits, but it takes months or even years of training to get there.

During that period, these users are still exposed. Even when training is complete, the remaining handful of recalcitrant or untrained employees will still make mistakes. As a result, while that long-term investment is playing out (and even afterwards), IT teams need to provide additional support to their users by adding new protection that can limit the damage when these mistakes happen.

This protection can come via process changes or from additional tooling. Here are some examples:

1) Include a human-to-human confirmation for sensitive requests.

These can include wire transfers, loan requests, or public announcements. When this is impossible, mandate a two-factor scheme that unambiguously identifies the unique requester.

2) Provide a simple means for employees to report and submit suspicious emails.

Then actively spread the word and monitor these reports 24x7. Most attacks that target organizations will attempt to infect a large number of users in hopes of fooling only a few.

3) Rationalize user privileges and access, even on their local machines.

Few users require administrative access to their own system, and that access provides an easy avenue for attackers to take control. Limit privileges to the minimum users need to do their jobs.

4) Add a layer of endpoint security that stops the attacks that current solutions don’t.

Ransomware and malware authors frequently use phishing to infect the user’s local machine. When an especially well-constructed phishing message succeeds, your additional protection should be able to stop the payload that is delivered, even if it is brand new and unknown.

Here at Barkly, we've been working hard on an innovative new approach to providing exactly this type of additional endpoint protection. You can learn more about it and even try it out for free here.

Mistakes Happen: The Key is Being Ready

Taking these steps can help you blunt the sharp edge of the phishing trend and its resulting dangers. Weakness has motivated attackers to phish. We can teach our users to resist the lure, but we still have to be ready to cut the line if they do get hooked.

To learn more, see our new eBook, the Phishing Field Guide: How to Keep Users Off the Hook.

Jack Danahy

Jack is a 25-year-veteran in the security industry. Prior to co-founding Barkly he was the founder and CEO of two successful security companies: Qiave Technologies, acquired by Watchguard Technologies in 2000, and Ounce Labs, acquired by IBM in 2009.
