We’ve seen a massive spike in highly convincing phishing emails that seem to be generated by AI. Some even involve deepfake audio. What technical controls or training modules are most effective right now to protect our employees from these sophisticated social engineering tactics?
3 answers
To combat AI-driven threats, your defense must also be AI-powered. Traditional secure email gateways (SEGs) often miss these because they lack "known-bad" signatures. You need Integrated Cloud Email Security (ICES) that uses Natural Language Processing (NLP) to detect anomalies in tone and intent. Beyond tools, shift from "awareness" to "behavioral" training. Instead of yearly videos, use frequent, realistic AI-generated simulations. Teach employees to verify "out-of-character" requests via a secondary, out-of-band communication channel like a direct phone call or a separate messaging app.
Those simulations are helpful, but how do you measure if the culture is actually shifting? Is there a specific metric you use to track the "human risk" beyond just click rates?
Use hardware security keys like YubiKeys. They are virtually immune to phishing because the authentication is bound to the physical device and the specific URL of the site.
Spot on, Gregory. Moving to FIDO2-compliant hardware keys is the gold standard for stopping credential theft, even if the user is totally fooled by a deepfake.
We look at the "Reporting Rate" as our primary metric. It’s not just about who clicked, but how many people used the "Report Phish" button. A high reporting rate indicates a vigilant culture where employees feel empowered to act as sensors. We also track the "Time to Report," aiming for minutes rather than hours to minimize the window of exposure.