Phishing – a hierarchy of measures for successful defense
Phishing is a popular tool for attackers. With parallels to occupational health and safety, this plague can be combated at various levels, comments Janis König.
![Stock illustration: skull hologram on a computer screen](https://heise.cloudimg.io/width/610/q85.png-lossy-85.webp-lossy-85.foil1/_www-heise-de_/imgs/18/4/6/1/4/2/1/0/shutterstock_1699494217-e1910b26216e5cba.jpeg)
(Image: Pixels Hunter/Shutterstock.com)
- Janis König
Matt Linton of Google recently published a very good article, "On Fire Drills and Phishing Tests", in which he compares today's phishing simulations with the fire drills of earlier years. Fortunately, there is more to defending against phishing than training for it. To sort the possible countermeasures, we can borrow the hierarchy of measures from occupational safety. It divides the available measures into levels: avoiding the hazard, reducing it, technical measures, administrative (organizational) measures, training, and finally personal protective equipment.
Training alone is not enough
The hierarchy comes with a well-known rule: the further down we go, the less effective the measures become. Against that background it is depressing how completely the attention of many companies has settled on training. So let's walk through the levels one by one. For email-based phishing, avoiding the source of danger altogether would mean doing away with (externally reachable) email. That is easy to dismiss, but there are indeed companies where I would question whether every employee really needs a public email address of their own. Admittedly, the growing use of cloud services makes such a restriction ever harder - an externally reachable address is demanded for everything - but it does not make it impossible. As soon as customer contact becomes necessary, though, that is the end of it - isn't it?
Here too, the remaining attack surface can be reduced. We all know, and hate, customer contact forms. From an anti-phishing point of view, however, they are excellent tools: they tightly constrain the format of what can be submitted, they make every request visible to the whole support team instead of landing in one person's inbox, and they keep the channel under the company's control. Obviously even this cannot cover every use case, and a more interactive channel is often wanted, especially in B2B contact. Microsoft Teams is slowly gaining acceptance here, even between companies. It clearly has room for improvement, but it is another way of limiting the phishing exposure.
Watch out, snake oil
Next come the technical measures, which can be rolled out across a company's infrastructure in a scalable way: password policies, mail scanners, blocking suspicious attachments - and a veritable gold mine for snake-oil vendors. Administrative measures are structures within the organization that aim to limit the impact of a phishing attack: fixed procedures for certain transactions (a second person approving a changed payee bank account, for example) that will hopefully intercept at least some of the classics.
And finally, personal protective equipment. In our context these are technical measures too, but ones that only work if the individual handles them correctly, and therefore only after successful training: a banner flagging potentially dangerous content, for instance, protects nobody who ignores it. Such measures support training and can make it more effective, but they should not be a load-bearing pillar of our security architecture.
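As an added illustration of the difference between the two levels just discussed (this is example code, not code from the article): a small Python mail-filter stage. Dropping a mail with a dangerous attachment is a technical measure, it acts without the recipient doing anything; tagging the subject of external mail is personal protective equipment, it only helps if the reader notices and heeds the tag. The domain `example.com`, the extension block list and the three constructed sample messages are assumptions made for the example.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumptions for this example: our own mail domain, and a short list of
# attachment types we never want delivered, whatever the sender claims.
INTERNAL_DOMAINS = {"example.com"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}
EXTERNAL_TAG = "[EXTERNAL] "


def file_kind(data: bytes) -> str:
    """Identify a few file types by their magic bytes instead of trusting the name."""
    if data.startswith(b"MZ"):
        return "pe-executable"
    if data.startswith(b"PK\x03\x04"):
        return "zip-container"  # also .docx/.xlsx and similar Office formats
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def attachment_findings(msg: EmailMessage) -> list[str]:
    """Technical measure: reasons to block the mail, evaluated without the user."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Every suffix is checked, so "invoice.pdf.exe" is not treated as a PDF.
        suffixes = re.findall(r"\.[a-z0-9]+", name)
        if any(s in BLOCKED_EXTENSIONS for s in suffixes):
            findings.append(f"blocked extension: {name}")
        # A renamed executable ("report.pdf" that starts with MZ) is caught here.
        if file_kind(data) == "pe-executable":
            findings.append(f"executable content: {name}")
    return findings


def is_external(msg: EmailMessage) -> bool:
    """True when the From address is not one of our own domains."""
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def filter_message(raw: bytes) -> dict:
    """Decide for one RFC 5322 message: block it, or deliver it (tagged if external)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = attachment_findings(msg)
    if findings:
        return {"action": "block", "findings": findings, "subject": msg["Subject"]}
    subject = msg["Subject"] or ""
    if is_external(msg) and not subject.startswith(EXTERNAL_TAG):
        # Personal protective equipment: the tag only works if the reader heeds it.
        subject = EXTERNAL_TAG + subject
    return {"action": "deliver", "findings": [], "subject": subject}


def build_sample(sender: str, subject: str, filename: str, data: bytes) -> bytes:
    """Constructed sample message for the demo; none of this is real traffic."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "alice@example.com"
    m["Subject"] = subject
    m.set_content("Please see the attached document.")
    m.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Acme Billing <billing@acme.example>", "Invoice 4711",
                     "invoice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
        build_sample("Bob <bob@partner.example>", "Contract draft", "draft.pdf", b"%PDF-1.7\n"),
        build_sample("Carol <carol@example.com>", "Lunch?", "menu.pdf", b"%PDF-1.4\n"),
    ]
    for raw in samples:
        print(filter_message(raw))
```

The first sample is blocked twice over (double extension and MZ header), the second is delivered with the external tag, the third is internal and passes untouched. Note where the human sits in each path: nowhere in the first, and squarely in the second.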
And yet the focus is always on people. We cannot change them, even if we try to help them. Starting at the bottom of the hierarchy is easy. But if we want to reduce the risk, we should tackle the phishing problem more fundamentally.
(pst)