Phishing is a legitimate risk to companies of all sizes. Whether the method used is an advanced spear-phishing attack or a low-quality bulk phishing campaign, malicious actors will target individuals and organisations to extract sensitive information.

As a direct result of the global threat to businesses, a phishing simulation industry which is valued at over $100 billion annually now exists. With powerful players and a huge amount of money changing hands, it’s no wonder clever marketing strategies are convincing Information Security leadership teams that phishing simulation is the right approach to mitigating phishing attacks.

Unfortunately, throwing money at the problem and trying to simulate a phishing attack doesn’t solve any of your problems; it might actually make them worse. People will click links and people will look at attachments. It’s the responsibility of security professionals to ensure their people have all the information they need to make smart decisions, and that the technical capabilities are in place to ensure any mistakes have minimal impact.

Security Culture

I write a lot about security culture, and that’s because it’s so important. As a security professional working in a modern technology focused company, it’s impossible to micromanage and gatekeep security while having successful outcomes. People are often perceived as the biggest threat, but people can be your strongest asset in the fight against threats to a business.

Introducing a mechanism that tricks your employees into making a mistake, and then punishing them for it, is a recipe for a toxic security culture. What do you think will happen in a scenario where an employee is accidentally duped by a legitimate phishing scam? Will they be inclined to report it, knowing they’ll be punished? Will they even know? Will you, the security team, even know?

We should be encouraging people to learn about security and making security as accessible as possible, teaching people that they will be targeted and how to report it to the right people.

Clicking links and looking at files in emails is part of legitimate business activity; for example, hiring managers are expected to look at the CVs of candidates for a vacancy within the company.

If someone clicking a link in an email is a huge risk to your business, the problem is your security department, not the unsuspecting employee who clicked the link. Phishing simulation is often a band-aid to cover up the lax security controls that are in place.

Technical Controls

This is where having the right security professionals has the most impact, as they can introduce sufficient technical controls to reduce the perceived risk enough that the phishing simulation sales pitches become less desirable.

Here are some simple technical controls you can implement to protect against phishing attacks:

  • Email filtering - Proofpoint and Mimecast are two popular managed email filtering services. If you’re using the Microsoft Office suite then a more robust alternative might be Defender. These services allow suspicious emails to be filtered into a quarantined environment based on a number of security-based filters.
  • Multi-Factor Authentication (MFA) - If a user’s credentials are compromised through a phishing attack, MFA can prevent unauthorised access by requiring an extra factor during login. Use a strong second factor such as an authenticator app or hardware token; email or SMS codes are not as secure.
  • URL scanning - The same vendors who provide email filtering usually have an option to replace the URLs within an email with a vendor specific service that scans the link you click on before redirecting you to the intended target. This greatly reduces the risk associated with clicking malicious links. Microsoft Defender for O365 provides a service called Safe Links, which integrates with email, Microsoft Teams, and Microsoft Office apps.
  • Browser extension - Extensions like Malwarebytes provide protection against a plethora of security threats while accessing the internet through your web browser, and they work on most modern browsers. Real-time protection can help prevent phishing attacks by blocking malicious websites and scam links.
  • DomainKeys Identified Mail (DKIM) - DKIM is a way to sign emails with asymmetric cryptography so the recipient can validate that an email came from a legitimate sender, helping to prevent spoofing.
  • Sender Policy Framework (SPF) - SPF allows you to publish a list of all the servers from which you will send email, so a receiving mail server can validate that an email came from a legitimate source and help prevent spoofing.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC) - DMARC lets you publish a policy for your domain that tells receiving mail servers what to do when DKIM or SPF checks fail for incoming emails claiming to come from it. It’s a valuable tool in preventing spoofing.
  • Patching - Keeping your systems up to date with security patches helps mitigate phishing attacks that look to exploit vulnerabilities in out-of-date browsers and applications.
  • Advanced threat detection - In the case of a successful phishing attack, threat detection solutions can help discover anomalies and actions that are indicators of compromise. Automation can help to quarantine that user’s account and limit their access, reducing the blast radius of any successful phishing attack.
  • Principle of least privilege (PoLP) - Ensure people only have the minimum required level of access by default, and provide a way for users to request additional privileges to carry out tasks in a just-in-time way. Leverage automation to balance security risk mitigation against the introduction of unnecessary bottlenecks.
  • Privilege escalation monitoring - Audit any deviations from the minimal viable permissions defined by PoLP, monitor any changes, and alert on anomalies or potential suspicious activity. Consider introducing automation to isolate and restrict permissions where necessary, before findings can be verified by an analyst or engineer.
  • Reporting mechanism - Provide a simple user friendly mechanism for people to report suspicious communication, and encourage people to use it. Leverage automation to filter out false positives where possible.
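To make the DKIM, SPF and DMARC items above concrete, here is an added example (not code from the original post, and not any vendor's implementation) of the checks a receiving mail server performs. It evaluates an SPF record against the connecting IP, parses a DMARC record, and applies DMARC's identifier-alignment rule, which goes slightly beyond the post's description: a message only passes DMARC when SPF or DKIM passes for a domain that aligns with the visible From header, and only then does the published policy stay out of the way. All DNS answers, domain names and IP addresses are constructed test data. DKIM signature verification itself is not implemented, so the DKIM verdict and signing domain are passed in as inputs, and the organisational-domain lookup is approximated by the last two labels rather than the Public Suffix List.

```python
import ipaddress

# Constructed DNS answers standing in for live lookups (test data, not real domains).
DNS = {
    ("TXT", "example.com"): "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
    ("TXT", "bounce.example.com"): "v=spf1 ip4:192.0.2.0/24 -all",
    ("TXT", "_spf.mailer.test"): "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    ("TXT", "attacker.test"): "v=spf1 ip4:203.0.113.0/24 -all",
    ("TXT", "_dmarc.example.com"): "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
}

QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) terms."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for tok in tokens[1:]:
        qual = "+"
        if tok[0] in QUALIFIER:
            qual, tok = tok[0], tok[1:]
        mech, _, arg = tok.partition(":")
        terms.append((qual, mech.lower(), arg or None))
    return terms


def check_spf(domain, client_ip, dns=DNS, depth=0):
    """Evaluate the domain's SPF record for the connecting IP (ip4/ip6/include/all only)."""
    if depth > 10:  # RFC 7208 limits DNS-querying terms; treat runaway includes as an error
        return "permerror"
    record = dns.get(("TXT", domain))
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for qual, mech, arg in parse_spf(record):
        if mech in ("ip4", "ip6") and arg:
            if ip in ipaddress.ip_network(arg, strict=False):  # v4/v6 mismatch is simply False
                return QUALIFIER[qual]
        elif mech == "include" and arg:
            if check_spf(arg, client_ip, dns, depth + 1) == "pass":
                return QUALIFIER[qual]
        elif mech == "all":
            return QUALIFIER[qual]
        # a, mx, exists, ptr and redirect are omitted from this simplified evaluator
    return "neutral"


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict, defaulting alignment modes to relaxed."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # Assumption: organisational domain approximated by the last two labels.
    # Real implementations consult the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_evaluate(from_domain, client_ip, mailfrom_domain, dkim_result, dkim_domain, dns=DNS):
    """Combine SPF, the supplied DKIM verdict and alignment into a DMARC disposition."""
    record = dns.get(("TXT", "_dmarc." + from_domain))
    if record is None:
        return {"dmarc": "none", "disposition": "none"}
    policy = parse_dmarc(record)
    spf_result = check_spf(mailfrom_domain, client_ip, dns)
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "spf": spf_result, "spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else policy.get("p", "none"),
    }


if __name__ == "__main__":
    print("legit:", dmarc_evaluate("example.com", "192.0.2.5", "bounce.example.com", "pass", "example.com"))
    print("spoof:", dmarc_evaluate("example.com", "203.0.113.9", "attacker.test", "none", None))
```

In the spoofed case SPF passes for the attacker's own envelope domain, which is exactly why a bare SPF check is not enough; it is the alignment check against the From header that lets the published p=reject policy take effect.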

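As an added example of the privilege escalation monitoring item above (not from the original post or any particular IAM product), the following script audits a constructed IAM event log against a per-role PoLP baseline and classifies each grant that leaves the baseline: self-granted access, grants without a change ticket, standing (non-expiring) elevated access, and just-in-time grants that were never revoked by their expiry. Grants inside the baseline are deliberately not reported, which is the false-positive filtering the post asks automation to do. Role names, permission strings, event fields and the severity scheme are all assumptions for illustration.

```python
from datetime import datetime

# Constructed PoLP baseline: the minimum permission set for each role (assumed names).
BASELINE = {
    "engineer": {"repo:read", "repo:write", "ci:run"},
    "analyst": {"logs:read", "dashboards:read"},
}
ROLES = {"alice": "engineer", "bob": "analyst", "carol": "engineer"}

# Constructed IAM audit events; field names are assumed, not from any real product.
EVENTS = [
    {"ts": "2024-05-01T09:00:00Z", "actor": "jit-bot", "target": "alice", "action": "grant",
     "perm": "prod:deploy", "ticket": "CHG-1234", "expires": "2024-05-01T11:00:00Z"},
    {"ts": "2024-05-01T10:30:00Z", "actor": "jit-bot", "target": "alice", "action": "revoke",
     "perm": "prod:deploy"},
    {"ts": "2024-05-01T12:00:00Z", "actor": "jit-bot", "target": "carol", "action": "grant",
     "perm": "db:admin", "ticket": "CHG-1240", "expires": "2024-05-01T13:00:00Z"},
    {"ts": "2024-05-01T13:05:00Z", "actor": "bob", "target": "bob", "action": "grant",
     "perm": "iam:admin"},
    {"ts": "2024-05-01T13:10:00Z", "actor": "carol", "target": "alice", "action": "grant",
     "perm": "prod:deploy"},
    {"ts": "2024-05-01T13:20:00Z", "actor": "jit-bot", "target": "bob", "action": "grant",
     "perm": "repo:read", "ticket": "CHG-1250"},
    {"ts": "2024-05-01T13:30:00Z", "actor": "jit-bot", "target": "alice", "action": "grant",
     "perm": "repo:write"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp; 'Z' is mapped to +00:00 for older Python versions."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def finding(severity, reason, ev):
    return {"severity": severity, "reason": reason, "target": ev["target"],
            "perm": ev["perm"], "actor": ev["actor"], "ts": ev["ts"]}


def audit_privileges(events, now, baseline=BASELINE, roles=ROLES):
    """Return a finding for every grant that deviates from the target's role baseline."""
    findings = []
    open_jit = {}  # (target, perm) -> ticketed, time-boxed grant still awaiting its revoke
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        key = (ev["target"], ev["perm"])
        if ev["action"] == "revoke":
            open_jit.pop(key, None)
            continue
        if ev["action"] != "grant":
            continue
        allowed = baseline.get(roles.get(ev["target"]), set())
        if ev["perm"] in allowed:
            continue  # inside the role's minimum set: expected noise, no alert
        if ev["actor"] == ev["target"]:
            findings.append(finding("critical", "self-escalation", ev))
        elif not ev.get("ticket"):
            findings.append(finding("high", "escalation without change ticket", ev))
        elif not ev.get("expires"):
            findings.append(finding("medium", "standing elevated access", ev))
        else:
            open_jit[key] = ev  # proper JIT grant: only a problem if it outlives its expiry
    for ev in open_jit.values():
        if parse_ts(ev["expires"]) <= now:
            findings.append(finding("high", "JIT grant past expiry without revoke", ev))
    return findings


if __name__ == "__main__":
    for f in audit_privileges(EVENTS, parse_ts("2024-05-01T14:00:00Z")):
        print(f"[{f['severity']}] {f['target']} {f['perm']}: {f['reason']} "
              f"(by {f['actor']} at {f['ts']})")
```

Run against the constructed log it reports Bob's self-grant, Carol's unticketed grant to Alice, Bob's standing repo:read grant and Carol's db:admin grant that was never revoked, while Alice's ticketed and revoked prod:deploy window and her in-baseline repo:write grant produce nothing.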
Administrative Controls

It’s not enough to introduce technical controls; we also need to think about administrative controls and how we operate as a business. These changes will feed into fostering a security culture which will turn your people into assets in the fight against external threats to the business.

Here are some simple administrative controls you can implement to protect against phishing attacks:

  • Education - A workforce that is well educated with regard to security will mitigate more threats than any phishing simulation programme. Spend the money you budgeted for phishing simulation on levelling up your workforce, and I’m positive you will see a better return on investment.
  • Policy - To a security engineer, policy documents can often seem like the boring side of security; however, some simple, well defined rules against sharing credentials or sensitive data via email may help to limit exposure.
  • Principle of least privilege (PoLP) - I mentioned PoLP under technical controls, but it’s also a change to ways of working. You can have all the tooling in the world, but we as individuals need to ensure we leverage them and adhere to the principle. As security professionals we should be leading by example.
  • Incident response plans - Ensure there are robust multi-layered incident response plans in place, with runbooks and well documented processes to follow.
  • Reporting process - When potential phishing emails are reported, make sure to have a well defined process for analysis and creating actions to remediate any issues and mitigate other or future occurrences.

Final Thoughts

The security controls listed above are not an exhaustive list, but they provide enough examples of areas you should be prioritising over phishing simulation.

It’s important to invest in your people, and when I mention security education I’m not referring to an annual compliance training video that can be skipped over; that’s simply another tick-box exercise. Put real time, effort, and resources into upskilling your workforce, and make it accessible, fun, and rewarding.

Education likely won’t provide the same level of quantitative data for the metrics which executives like to see go up or down on a report, but your company will be better equipped to deal with phishing attacks in the real world.

Although I’ve targeted phishing simulation in a negative way throughout this post, my real intention is to try and recalibrate its priority in delivering a robust security programme. I believe there is still a time and a place for phishing simulation, but most businesses are simply not ready.

Once the business is in a position where there are robust defences in place, and there is an excellent security culture, it might make sense to introduce phishing simulation as another layer of defence with an opportunity to educate. When the stakes are low, phishing simulation becomes a much more powerful tool.

If your security posture is immature, I would avoid investing in phishing simulation; it should be near the bottom of your list of priorities.