Intelligent CIO Africa Issue 107 | Page 38

FEATURE: PHISHING
Apu Pavithran, CEO & Founder, Hexnode
Why training campaigns aren’t working anymore?
Every organisation on the planet today conducts awareness campaigns about what to look out for in a phishing email. But more often than not, these campaigns consist of a few general tips sent over a monthly email blast. Instead, awareness should be personalised for each organisation.
At Hexnode, for instance, our internal communication structure is transparent and clearly defined. Everyone knows the channels through which the team communicates, what tools are used, and what to expect in terms of tone and style. So, if a junior associate suddenly receives an email from the CEO requesting money or crucial data, that immediately raises a red flag.
Transparency like this builds an environment where irregularities stand out, making phishing attempts easier to spot without relying solely on intuition.

NO MATTER HOW WELL-TRAINED YOUR TEAM IS, SOME PHISHING ATTEMPTS WILL ALWAYS SUCCEED.

Beyond teaching what to do, running simulations takes a more realistic approach and offers a far more practical way to educate employees. Simulations replicate real-world attack scenarios, help people recognise suspicious patterns, and show them how easily they can be deceived. In short, they give employees a taste of what’s really out there.
However, the tricky part is what happens when someone clicks. Too often, organisations take a punitive approach, and employees who fail the phishing test are reprimanded or publicly called out. This not only discourages reporting but also creates a culture of fear.
Cybersecurity, at its core, depends on transparency and trust. Instead of punishing mistakes, leaders should use them as opportunities to reinforce awareness. Such positive reinforcement motivates employees to report suspicious emails when they do identify them. And over time, this encourages others to do the same, turning your most vulnerable layer into an early warning system.
Still, no matter how well-trained your team is, some phishing attempts will always succeed. Someone will click on a link or enter credentials into a fake login page. It’s not a question of ‘if’, but ‘when’. The key in such a scenario is ensuring that one click doesn’t spiral into a full-blown breach.
Clicking a phishing link need not result in a breach
In an ideal world, every phishing email would be blocked before it lands in an inbox. In reality, a few will always make it through. And even the most vigilant employee might, one day, make the wrong call. That’s why it’s critical to make sure that a single click doesn’t lead to disaster.
This is where endpoint management and protection strategies make a real difference. Implementing multi-factor authentication (MFA) ensures that even if credentials are stolen, attackers can’t access systems without the second authentication factor. This single control dramatically reduces the likelihood of a successful breach. Alongside MFA, enforcing strong password policies such as regular rotations and avoiding reuse adds another layer of friction for attackers.
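To make the MFA point concrete, here is an added example (written for this article, not code from Hexnode or from the original feature) of a password-plus-TOTP login check in Python. It implements HOTP/TOTP per RFC 4226/6238 on top of the standard library, stores the password as a PBKDF2 hash, compares secrets in constant time, and keeps a replay guard so a one-time code that has already been accepted cannot be presented again. The account values, the timestamp, and the TOTP seed (the RFC 6238 test-vector seed) are all constructed for the example; a real deployment would store per-user seeds and hashes in a credential store.

```python
import hashlib
import hmac
import struct

# Constructed seed: this is the RFC 6238 SHA-1 test-vector key, used here only so
# the known TOTP test values can be checked. Never reuse it for a real account.
TOTP_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the Unix time step."""
    return hotp(secret, at // step, digits)


class Account:
    """Constructed account record: salted PBKDF2 password hash plus TOTP seed."""

    def __init__(self, password: str, totp_secret: bytes) -> None:
        self.salt = b"constructed-salt"  # per-user random salt in a real system
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.totp_secret = totp_secret
        self.last_counter = -1  # highest time step already accepted (replay guard)


def login(acct: Account, password: str, code, now: int, step: int = 30, drift: int = 1):
    """Return (accepted, audit_reason).

    The reason is for the server-side audit log only; the user-facing response
    should be a single generic failure message so it does not reveal which factor
    was wrong.
    """
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000)
    if not hmac.compare_digest(candidate, acct.pw_hash):
        return False, "bad password"
    if code is None:
        # A stolen password alone never gets through: the second factor is mandatory.
        return False, "second factor required"
    counter = now // step
    # Tolerate small clock drift, but never accept a step at or below one already used,
    # so a code captured and replayed after the legitimate login is rejected.
    for c in range(counter - drift, counter + drift + 1):
        if c > acct.last_counter and hmac.compare_digest(hotp(acct.totp_secret, c), code):
            acct.last_counter = c
            return True, "ok"
    return False, "bad or reused code"


def demo() -> dict:
    """Walk through the scenarios the article describes with constructed values."""
    acct = Account("correct horse battery", TOTP_SECRET)
    t = 1_700_000_000  # constructed fixed timestamp
    legit = totp(TOTP_SECRET, t)
    wrong = legit[:-1] + str((int(legit[-1]) + 1) % 10)
    return {
        # Phished password, no second factor: denied.
        "password_only": login(acct, "correct horse battery", None, t)[0],
        # Phished password with a guessed code: denied.
        "wrong_code": login(acct, "correct horse battery", wrong, t)[0],
        # The real user with the current code: accepted.
        "legit": login(acct, "correct horse battery", legit, t)[0],
        # The same code presented again a few seconds later: denied by the replay guard.
        "replayed_code": login(acct, "correct horse battery", legit, t + 5)[0],
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:15s} -> {'accepted' if accepted else 'denied'}")
```

The replay guard is the detail worth noting: a drift window of one step is common for usability, but without tracking the last accepted step it would let a captured code be reused for up to 90 seconds. Recording the step on every successful login closes that gap at no cost to the legitimate user.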
Having a dedicated endpoint management system also ensures that devices across the organisation are consistently updated and patched. Many phishing attacks are designed not just to steal credentials but to exploit unpatched vulnerabilities once they gain a foothold. A properly managed endpoint environment closes these gaps, ensuring that even if malware is deployed, it can’t take advantage of outdated software or unprotected configurations.
Complementing endpoint management with Extended Detection and Response (XDR) solutions further strengthens this safety net. XDR continuously monitors network activity and endpoint behaviour, detecting anomalies that could indicate a phishing-related breach. When something looks suspicious, it can instantly trigger alerts or automated responses.
And last but surely not least, implement a zero-trust architecture. Zero Trust operates on the principle of ‘never trust, always verify’, which directly counters the kind of implicit trust that phishing attacks rely on. Instead of assuming that a user or device is safe once inside the network, every access request, whether it’s from an internal or external source, is continuously validated.
This means that even if a user’s credentials are compromised through a phishing attack, the intruder still can’t move laterally across systems or access sensitive data without further authentication and
38 INTELLIGENTCIO AFRICA www.intelligentcio.com