The best way to mitigate the threat from phishing is to train employees to be more resilient to phishing attacks, introduce processes to report suspicious communications, and take advantage of technology to fill gaps in employee awareness by preventing them from visiting phishing sites.
Unfortunately, few businesses have the time or resources to increase employee awareness training or respond to every report of a suspicious communication – leaving technology to do a lot of heavy lifting. Also unfortunately, the implementation of technologies such as email filters and web filters can give employees a false impression of security in the workplace.
According to the 2022 State of the Phish Report (1), 70% of respondents did not know that their organization´s security tools did not block all email threats – potentially explaining the high volume of data breaches, credential theft, and successful ransomware attacks attributable to phishing emails. Additionally, 63% did not know unsafe contacts might email them multiple times.
So, how is it possible to mitigate the threat from phishing when phishing emails avoid detection and when phishing websites have not yet been identified and added to a blacklist? One answer is to enforce the use of a business-wide password manager for all corporate accounts that hides passwords from employees and supports physical multi-factor authentication tools.
Enforcing the Use of a Business-Wide Password Manager
Despite the adoption of password managers tripling in the past two years (2), only 31% of businesses currently use a password manager to create, manage, and store passwords (3). The reasons for not adopting a password manager (4) indicate a lack of knowledge about how password managers work – especially vault-based password managers – and the ease with which they can be administered.
However, there are multiple benefits for businesses that enforce the use of a business-wide password manager:
- Each corporate account can be assigned a unique, complex password.
- Password policies can control the creation of new login credentials.
- Passwords can be shared securely across devices and operating systems.
- Items such as corporate credit card numbers can be shared securely.
- Calls to IT Help Desks for password resets are eliminated.
- Users can be provisioned and de-provisioned via directory services.
- Similarly, it is easy to apply role-based access controls and permissions.
- Weak, reused, and compromised passwords are automatically identified.
- Corporate password managers can be configured to generate event logs.
- Password managers can be integrated with other tools (i.e., SIEMs) for better security insights.
In the context of mitigating the threat from phishing, password managers autofill login credentials when an employee visits a website for which a password has been saved in – or shared through – the password manager. Employees should be told that, if the password manager fails to autofill the login credentials, the website they are visiting is a phishing website and to leave the website immediately.
Hidden Passwords Further Mitigate the Threat from Phishing
Most business password managers offer the option of hiding passwords. When this feature is activated, login credentials are autofilled as usual, but the employee cannot see what the password is – either in the login dialogue box or in their password vault. The hidden password only appears as a row of asterisks or dots that cannot be copied and pasted or forwarded to any other media.
Although not a security feature capable of preventing an insider threat (for reasons explained in this article), the fact that an employee cannot see a hidden password will mitigate the threat from phishing if they are directed to a fake website by a phishing email and don´t leave the site as directed due to the triggers that make phishing attacks successful, coupled with a sense of urgency.
Why Physical Multi-Factor Authentication Tools are Best
Despite being a key defense against credential theft and unauthorized account access, most businesses do not use multi-factor authentication. Indeed, 54% of respondents to the Yubico Security Behaviors Report (3) said that SMS and mobile authenticator apps disrupt workflows – which they do. However, there are other multi-factor authentication tools that do not.
Physical multi-factor authentication tools (or “keys”) plug into users´ devices and, when an authentication code is required, employees simply have to press a button on the tool to generate the required code. The process is immediate and overcomes the issue of employees being locked out of corporate accounts if they lose the device to which SMS and push notifications are sent.
Best Password Managers to Mitigate the Threat from Phishing
Password managers don´t prevent phishing attacks, but they add an extra layer of defense against a phishing email achieving its goal when the email evades detection by an email filter and the fake website to which employees are redirected has not yet been added to a web filter blacklist. Effectively, they fill gaps in employee awareness by preventing them from visiting phishing sites.
However, there are many types of password manager – some of which are more effective at mitigating the threat from phishing than others. Therefore, to best mitigate the threat from phishing and take advantage of the benefits of a password manager listed above, businesses should evaluate vault-based password managers such as Bitwarden that offer the option of hidden passwords and support physical multi-factor authentication tools.
Sources
- ProofPoint 2022 State of the Phish Report (registration required)
- Verizon 2021 Data Breach Investigations Report (registration required)
- Yubico – State of Password and Authentication Security Behaviors Report
- Security.org – Password Manager Annual Report