Need for cultural change regarding cybersecurity

By CeSViTer August 7, 2025

Roger A. Grimes (KnowBe4’s Data-Driven Defense Evangelist) wrote an excellent Comprehensive Anti-Phishing Guide to help IT personnel combat increasing threats from phishing.

Among the important points Roger Grimes made were:

Training: We have to accept that there will always be some degree of phishing and social engineering activity that bypasses even the best of our defenses. Consequently, it is important to train employees how to recognize phishing and social engineering attempts and how to handle them. Social engineering and phishing have long been considered the principal cause of many malicious data breaches. Fostering good security awareness training is indispensable to building a human firewall.

Culture: Prioritizing security isn’t just a technological problem to be managed by the IT department; it is everyone’s problem within the organization. The key isn’t finding “yet another security solution” but changing the way organizations think about cybersecurity. Stopping cyber-attacks requires every part of the organization to be concerned about security. IT is already on top of this, but, as Grimes emphasized, you also need C-suite managers, HR, and users in general on board, each working towards a more secure way of operating.

The success of security depends on whether a culture exists that emphasizes both the need for security and the use of security in everyday work. This cultural shift requires a paradigm change where everyone in the organization plays a role:

  • Senior leadership – Senior leaders, with their overall view of the whole organization, are well placed to see changes in culture. They also have the ability to drive organization-wide collaboration towards building a security culture.

  • HR leadership – You understand the pulse of the organization. As the culture shifts towards making security a daily aspect of the job, you can ensure employees understand why it’s important, gather valuable feedback from users on how the culture change affects them, and pass that feedback on to IT.

  • IT leadership – IT managers function as the bridge between the business, operational, security, and technology requirements necessary to create and maintain this culture change.

  • Security staff – You can help assess risk, develop strategies, and ensure reporting and accountability around the technologies and processes that drive culture change.

  • IT staff – You can help identify and implement solutions that strengthen the security culture. A focus on simple adoption and ease of use, combined with a real ability to make the organization safer, is exactly what is needed from someone close to both the organization’s technology and its users.

  • Users – You can integrate security awareness into your daily work, staying alert when interacting with anything outside the organization (e.g., email, websites, phone calls), and following good security practices around passwords and data handling.

Creating a security culture takes a community. It’s time to do far more than just “sharpen spears and post lookout points”; it’s time to engage the entire community in ensuring security.

Some of the strategies Grimes suggests to help change the cybersecurity culture in an organization include:

  • Develop comprehensive and in-depth defensive plans

  • Develop a sense of the technical controls all organizations should consider

  • Review the “gotchas” to watch out for with cybersecurity insurance

  • Review periodically the benefits of implementing new school security awareness training

  • Review regularly what are considered best practices for creating and implementing security policies

https://info.knowbe4.com/comprehensive-anti-phishing-guide?hsLang=en-us