Multilayer defense and reporting are important, but trained employees are the keystone.

March 18, 2019


By Derek Handova

Phishing and pretexting account for 93 percent of breaches that involve a social-engineering action, according to the Verizon 2018 Data Breach Investigations Report. So how can MSSPs protect endpoints from phishing? As with ransomware, training and employee awareness are among the most common answers experts give when asked how MSSPs can protect endpoints from phishing.


“Cybersecurity risk training can turn one of business’ greatest weaknesses into one of its best defenses,” says Troy Wilkinson, CEO, Axiom Cyber Solutions, a provider of managed cybersecurity solutions to SMBs. “Taking time to inform employees – particularly in sensitive areas like human resources, customer service and finance departments – of the cybersecurity threats they may come across during the course of their work can help a company mitigate attacks.”

That’s because in nearly every IT environment, the end user is the weakest link. A single click on a link or attachment in a phishing email can be enough to give an attacker a foothold on an endpoint, and from there a path into the corporate network.

“Therefore, it is incumbent on the organization to continually train their users on the dangers of whaling, spear phishing, and phishing at large,” said Jason Dion, lead instructor and owner of Dion Training Solutions, an online training company. “While providing annual security awareness training is a good start, it is incomplete and is ineffective as a complete solution.”

Instead, organizations are using services such as Cofense and Phish Insight to send simulated phishing campaigns to their own users and measure how effective their previous security awareness training actually was, Dion added.

“These services allow the company to determine if their users can identify a potential phishing email and determine the actual end-user risk associated with a phishing campaign against their organization,” said Dion.

Use Phishing Training Against Phishing

When it comes to training, how well MSSPs can protect endpoints from phishing depends greatly on frequency and on timing. If a mass phishing simulation is sent to everyone in the workplace at the same moment, as some training programs do, employees have time to compare notes over Slack, email, or in person and spread the word that it is only an exercise. The results then say little about how an individual would respond to a real, unannounced lure. Being able to target individuals one at a time, much as attackers do, is therefore an important option, according to phishing experts.

“Increasing teachable moments for employees is a main objective,” said John McCabe Sr., director of global MSSP at Cofense, a provider of collective defense against email-based cyberattacks. “Delivering phishing-scenario emails only when the end user shows activity in their mailbox increases the opportunity for them to engage with simulations. Adding another level of automation to phishing simulation programs creates innovative solutions with flexibility and efficiency for users to gain important resiliency to phishing.”

Phishing training also helps build a culture of security, heightening people’s awareness of this particular attack. It also decreases their susceptibility to social engineering, which is a necessary precondition for targeted spear-phishing attacks in particular.


“The ability to accurately identify targeted social engineering attacks is a skill that is largely untouchable by modern technology,” said Erich Kron, security awareness advocate, KnowBe4, a security awareness training and simulated phishing platform. “However, people are remarkably adept at spotting these attacks once they know what to look for. Without training and education, users may not be aware of the methods that attackers are using, which then reduces the ability for them to protect themselves.”

Importance of Phishing Reporting

While some enterprise IT departments consider phishing too common to justify a comprehensive reporting system, other security experts beg to differ. Given that a single click on a malicious email can compromise an entire enterprise network, it is vital to have reporting infrastructure that is taken as seriously as any company-wide awareness campaign: a one-click way for users to report a suspicious message, a triage process behind it, and feedback to the reporter. Without that loop, the first person to notice a campaign has no way to warn the people who receive the same lure next.

“Providing services that allow end users to report phishing attacks and get feedback on their reports can go a long way toward building a strong internal security culture,” Kron said. “Reporting helps the MSSP to identify when an organization is a target of a phishing campaign so they can counter the attack. By understanding the attacks users fall for, you can train them to spot these threats as opposed to providing training that may not cover the vulnerability.”

With proper phishing reporting mechanisms in place, what some in cybersecurity have called the weakest link, humans, can become the most intelligent sensor in the solution, because a user who recognizes a lure can flag it before filters have a signature for it.

“Humans can identify and report false negatives and false positives,” said Adrien Gendre, chief solutions architect at Vade Secure, a predictive email defense vendor. “Large ISPs do this well, and we’re seeing it take hold in the corporate market. The key is closing the loop so that feedback is not just a stopgap, but constantly improving the filter.”

Use Credentials Against Phishing

Protecting endpoints from phishing at the credential level should be part of a multilayer defense, with safety and security procedures handled at three levels: system, tool, and personal. At the system level, IT administrators should implement modern email authentication with SPF, DKIM, and DMARC so that mail forged to appear from the organization’s own domain is rejected or quarantined rather than delivered, according to Brian Brauchler, technical support manager, Onix, a cloud solutions provider and Google Cloud and AWS partner. At the user or personal level, two-factor authentication should be implemented so that a phished password alone is not enough to log in.

“For an organization facing phishing, these levels should equate to their IT policies and practices, specific email solution, and individual user knowledge — all three are important and provide redundancy in case one fails,” Brauchler said. “For user accounts, policies should require complex passwords and 2FA — two-factor authentication. The email solution should support these, and users will need assistance setting up and understanding their 2FA options.”
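The three records Brauchler names work together through DMARC alignment: the receiving server checks whether SPF or DKIM passed for a domain that matches the domain in the visible From header, and the sending domain’s DMARC policy tells it what to do when neither does. The Python script below is an added example, not code from the article or from Onix. It evaluates a reported message against that logic and grades a domain’s own SPF and DMARC records for weak settings (`~all`, `p=none`). The domains, DNS TXT records and Authentication-Results headers in it are constructed stand-ins; a real check would query DNS and use the Public Suffix List for the organizational domain.

```python
"""DMARC alignment check for a reported message plus an SPF/DMARC policy grader.
Added example; all domains, records and headers below are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DNS TXT records standing in for a real resolver lookup.
DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r"],
    "weak.example": ["v=spf1 a mx ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=s' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Approximates the organizational domain as the last two labels; a real
    # implementation uses the Public Suffix List (co.uk etc. break this).
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' requires an exact match, 'r' (relaxed)
    accepts any subdomain of the same organizational domain."""
    auth_domain, from_domain = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Extract spf/dkim results and the identifier each was evaluated for."""
    results = {}
    m = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", header)
    if m:
        results["spf"] = (m.group(1).lower(), m.group(2))
    m = re.search(r"dkim=(\w+)\s+header\.d=([^\s;]+)", header)
    if m:
        results["dkim"] = (m.group(1).lower(), m.group(2))
    return results


def dmarc_disposition(raw_message):
    """Return (dmarc_pass, policy) for the RFC 5322.From domain of a message.
    DMARC passes if SPF or DKIM passed AND that identifier aligns with From."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    policy = parse_dmarc(DNS_TXT.get("_dmarc." + from_domain, [""])[0])
    results = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_res, spf_dom = results.get("spf", ("none", ""))
    dkim_res, dkim_dom = results.get("dkim", ("none", ""))
    spf_ok = spf_res == "pass" and aligned(spf_dom, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_res == "pass" and aligned(dkim_dom, from_domain, policy.get("adkim", "r"))
    return (spf_ok or dkim_ok), policy.get("p", "none")


def grade_records(domain):
    """Flag SPF/DMARC settings that let spoofed mail through; returns findings."""
    findings = []
    spf = next((r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")), None)
    if spf is None:
        findings.append("no SPF record")
    elif "+all" in spf or spf.split()[-1] == "?all":
        findings.append("SPF permits any sender")
    elif spf.split()[-1] == "~all":
        findings.append("SPF softfail (~all): spoofed mail is tagged, not rejected")
    dmarc = DNS_TXT.get("_dmarc." + domain, [None])[0]
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        p = parse_dmarc(dmarc).get("p", "none")
        if p == "none":
            findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif p == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail lands in spam instead of being rejected")
    return findings


# Constructed messages: a genuine payroll notice, and a spoof whose envelope
# sender passes SPF for the attacker's domain but does not align with From.
LEGIT = """From: Payroll <payroll@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=payroll@example.com; dkim=pass header.d=example.com

Please review the attached statement.
"""
SPOOF = """From: Payroll <payroll@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bounce@attacker.example; dkim=none

Your password expires today. Log in at the link below.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoof", SPOOF)):
        print(name, dmarc_disposition(raw))
    for dom in ("example.com", "weak.example"):
        print(dom, grade_records(dom) or ["no weak settings"])
```

The spoof shows why SPF alone is not enough: the attacker controls `attacker.example`, so SPF passes for the envelope sender, but DMARC compares that identifier with the visible From domain and, under `p=reject`, the receiver drops the message. The same message sent to a domain with `p=none` would be delivered and only reported.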

But MSSPs can’t depend on any single technology or strategy to keep their customers’ endpoints safe. Eventually a phishing attempt will get through any one layer of defense, even one as formidable as 2FA (real-time phishing proxies that relay one-time codes are a known technique), which is why personnel and technology experts keep returning to training.

“There is no silver bullet in security so you can’t entirely protect your endpoints from phishing attacks,” said Brian Baird, director of security services, ProTech Systems Group. “If you think you can, you have a false sense of security. Passwords are going to fail – even at their most complex – and hackers can work around two-factor authentication. You must have a layered defense strategy, and you have to test and train your users so they can identify and avoid phishing emails.”
