
Security Think Tank: Defend against phishing with training, technology and reporting

What are the most effective types of security controls and user training approaches to dealing with phishing?

At its heart, phishing is just another type of scam. Online tricksters target users via email and create ways to get them to reveal important information such as personal financial details or corporate network credentials.

Historically, the tactic was to send a large volume of email and rely on a few of the recipients to click a link in error. Though success rates of this tactic were very low, corporates and large email service providers responded by creating highly effective spam filters.

As a result, phishing attacks are becoming increasingly sophisticated and highly targeted. Some are even customised for high-value individuals in an organisation – also known as spear phishing – making them extremely difficult to detect and exponentially increasing their chances of success.

A practical method to combat phishing is the “three Ts” approach: training, technology and “tell us” (if it happens).

Training
Information on phishing has traditionally been included in annual security awareness training in organisations. However, phishing tactics and threats are evolving so rapidly now that this is no longer enough. To be useful, information on phishing should be provided consistently to key user groups (executives and IT, for example) and become a part of regular ongoing corporate communications.

With the advent of whaling, where top executives are targeted, key leaders in an organisation should have customised training based on their public profiles, such as how much can be gleaned from their public online presence or news articles about them.

Training should be supplemented by tracking key metrics, for example by using tools that send simulated phishing emails and record who clicks, so that the efficacy of the training can be measured.

Technology
If a user were to click on a link in a phishing email in error, technology can play its part in keeping the organisation safe. It is essential to have a blacklist of known phishing websites published by trusted entities and preventive controls to stop users from accessing such websites.

Data leakage protection (DLP) tools can also be deployed to detect patterns in data leaving the organisation that could potentially be the result of a phishing attack. However, with the emergence of spear phishing, this is becoming increasingly difficult to detect as low-volume and bespoke sites are created to target specific users.

A potential answer may be found in artificial intelligence-based methods, known as heuristics. Although this technology is still in early development, it works, for example, by using page analysis techniques, such as comparing images of the visited site with those of approved sites, to identify phishing websites instead of simply relying on URL blacklists.
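The two technology controls described above, a blacklist of known phishing hosts and a page-analysis heuristic that compares the visited site with approved sites, can be illustrated as a single check. The following is an added example and not code from the article or from Deloitte; the blocklist entries, approved site, screenshots (represented as tiny greyscale pixel grids) and `.test` domains are all constructed sample data, and the heuristic is a simple average-hash fingerprint comparison, chosen here as one concrete instance of the image-comparison approach the paragraph mentions.

```python
"""Added example (not from the article): a two-stage phishing-site check.

Stage 1 matches the visited URL's host (and its parent domains) against a
blocklist of known phishing hosts, the preventive control the article describes.
Stage 2, for hosts not on the blocklist, applies a page-analysis heuristic:
an average-hash fingerprint of the page's (downscaled, greyscale) screenshot is
compared with fingerprints of approved sites. A page that looks like an approved
brand but is served from an unrelated domain is flagged.

All domains, screenshots and thresholds below are constructed sample data.
"""
from urllib.parse import urlsplit

# Constructed blocklist; a real deployment would load this from a trusted feed.
BLOCKLIST = {
    "login-verify.example-bank-secure.test",
    "update-account.example.test",
}


def normalise_host(url: str) -> str:
    """Lower-case the host and drop a trailing dot so lookups are consistent."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_blocklisted(url: str, blocklist=BLOCKLIST) -> bool:
    """True if the host or any parent domain is on the blocklist,
    so 'sub.bad.test' is caught by an entry for 'bad.test'."""
    labels = normalise_host(url).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def average_hash(pixels):
    """Fingerprint a greyscale image (list of rows of 0-255 values):
    each bit is 1 where the pixel is at least the image's mean brightness."""
    flat = [p for row in pixels for p in row]
    mean = sum(flat) / len(flat)
    return tuple(1 if p >= mean else 0 for p in flat)


def hamming(a, b) -> int:
    """Number of differing bits between two fingerprints of equal length."""
    return sum(x != y for x, y in zip(a, b))


# Constructed 4x4 greyscale "screenshots".
APPROVED_SCREENSHOT = [   # the genuine bank login page
    [250, 250, 250, 250],
    [250,  30,  30, 250],
    [250,  30,  30, 250],
    [250, 250, 250, 250],
]
CLONE_SCREENSHOT = [      # a near-copy with one corner pixel altered
    [250, 250, 250, 100],
    [250,  30,  30, 250],
    [250,  30,  30, 250],
    [250, 250, 250, 250],
]
UNRELATED_SCREENSHOT = [  # a checkerboard that looks nothing like the bank
    [ 10, 240,  10, 240],
    [240,  10, 240,  10],
    [ 10, 240,  10, 240],
    [240,  10, 240,  10],
]

# Approved sites and the fingerprint of their genuine page (constructed).
APPROVED_SITES = {"bank.example.test": average_hash(APPROVED_SCREENSHOT)}


def looks_like_approved_site(url, screenshot, approved=APPROVED_SITES, max_distance=2):
    """Return the approved host this page visually mimics, or None.
    The genuine host and its subdomains are allowed to look like themselves."""
    host = normalise_host(url)
    fingerprint = average_hash(screenshot)
    for approved_host, approved_fp in approved.items():
        if host == approved_host or host.endswith("." + approved_host):
            continue
        if hamming(fingerprint, approved_fp) <= max_distance:
            return approved_host
    return None


def classify(url, screenshot=None) -> str:
    """Blocklist first; fall back to the visual heuristic when a screenshot is given."""
    if is_blocklisted(url):
        return "block: listed phishing host"
    if screenshot is not None:
        mimicked = looks_like_approved_site(url, screenshot)
        if mimicked:
            return f"block: page mimics {mimicked}"
    return "allow"


if __name__ == "__main__":
    print(classify("https://LOGIN-verify.example-bank-secure.test/signin"))
    print(classify("https://bank-example-login.test/", CLONE_SCREENSHOT))
    print(classify("https://bank.example.test/login", APPROVED_SCREENSHOT))
```

The point of the second stage is the combination of two signals: visual similarity alone would block the genuine site, and a domain check alone would miss a freshly registered clone, which is exactly the low-volume, bespoke case the article says blacklists struggle with. The distance threshold and the tiny fingerprints here are illustrative; a production system would hash real rendered screenshots and tune the threshold against known false positives.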

Tell us

The third and most important element of dealing with phishing is giving users an easy way of letting the organisation know they have received such an email, or clicked on one. Incident response should be closely tied into this reporting process to ensure every individual is able to combat phishing effectively.

Phishing attacks the human element of information security. The “three Ts” approach proves effective because it uses technology to protect people, creates a security culture through training and awareness, and puts the right mechanisms in place to enable diverse people in an organisation to work together, as a team, with security experts to report and consequently defeat the threat.

Naina Bhattacharya is an associate director in the security strategy and transformation team at Deloitte UK.
