A melhor solução para mitigação dos riscos oriundos de novos modelos de ataques é a conscientização constante pautada no mercado que possibilita inserir demandas novas de mercado para conscientização constante e permanente

Combating phishing requires a proactive, multi-layered approach. I prioritize regular, hands-on training to keep the team informed about evolving phishing tactics, including simulated phishing exercises to test readiness. Implementing multi-factor authentication (MFA) adds a crucial security layer, reducing risk even if credentials are compromised. Encouraging a culture of vigilance, where employees feel empowered to report suspicious activity without fear, ensures swift action and collective defense against threats.

Regularly update phishing awareness training to include the latest tactics, such as deepfakes, spear-phishing, and business email compromise (BEC). Teach employees to recognize red flags, such as unexpected attachments, urgent requests, or suspicious URLs. Conduct simulated phishing exercises to gauge employee readiness and identify vulnerabilities. Create leaderboards or rewards for employees who consistently detect phishing attempts, fostering engagement. Remind employees never to share sensitive information over email without verification. Train staff to verify requests for financial transactions or sensitive data through secondary channels.

Como a segurança se implementa em camadas, vejo iniciativas que podem ser adotadas a nível preventivo, detectivo e reativo. O preventivo é prioritário, envolvendo ações educacionais que compreendam phishing, proporcionando avaliações de conhecimento para medir maturidade e risco. Quanto mais realistas as avaliações, melhor. Nesse contexto, as simulações de phishing são uma prática interessante. Ainda no preventivo a proteção de endpoints e a limitação de acessos ao mínimo necessário mitigam riscos. Pelo lado detectivo, importante monitorar tanto as ações de colaboradores, via tecnologias de DPL, XDR, etc, como as ameaças web. De forma reativa, atuar no takedown de domínios e perfis fake em redes sociais, neutralizando a ação do ofensor.

The weakest point of a network in a company is it's users. Don't think because a user is an IT person that they know right from wrong. I've had to point out phishing emails to people who have had plenty of IT security training. Plan phishing tests, security trainings, and keep users informed of new tactics. Overall, be sure to stress the importance of security and verifying senders, and most importantly, DONT CLICK LINKS AND OPEN ATTACHMENTS FROM PEOPLE YOU DONT KNOW. I don't even open links from people I know, I go directly to the site myself after verifying it (if it's suspicious looking). (I provide answers for normal people to read)

The combination of up-to-date training, regular simulations and the use of multi-factor authentication (MFA) really strengthens defences. I would also emphasise the importance of creating a culture of trust, where employees feel comfortable reporting possible threats without fear, ‘this increases collective responsiveness’. An interesting point is the inclusion of new challenges, such as deepfakes and BEC, in awareness training, which broadens the teams' view of more sophisticated dangers. Gamified simulations can also be more engaging and bring practical results.

Here are some effective strategies: Continuous training and simulations: Conduct regular training sessions and realistic phishing simulations to help your team identify and respond effectively to malicious attempts. Implement MFA: Strengthen security by implementing multi-factor authentication, reducing risks if credentials are compromised. Foster a security-first culture: Encourage open communication where employees feel comfortable reporting and discussing suspicious emails or messages. Active monitoring and incident response: Use monitoring tools to detect threats in real-time and ensure clear, well-documented incident response procedures are widely known.