Corporate cyberdefenses that rely on training workers to recognize and not click on malicious emails are destined to fail and must be replaced with technology, a security engineer said at Black Hat 2017.
Karla Burnett, a security engineer with Stripe, told the large crowd at her talk, Ichthyology: Phishing as a Science, that no amount of training will stop people from clicking on dangerous links. She told several stories of people in her own organization who fell for phishing tests even when they knew the tests were coming and even when they had helped set them up.
“Any protection relying on people to make the right decision will fail; the answer has to be technical,” she said.
And the technology has to be even more effective than two-factor authentication, which itself is susceptible to hackers.
“Most mitigations are easily bypassed and end up creating a feeling that people will just get phished and nothing can be done about it,” she said.
Although Burnett did not have a definitive answer to the problem, she mentioned some newer methods, such as U2F USB security keys, as having potential, primarily because they are simple and require little from the user other than that they actually be used.
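As an added illustration, not code from the talk or from Stripe, of why a U2F key resists phishing where a typed one-time code does not: the browser binds each response to the page's origin, so a lookalike site cannot obtain a response the real site will accept. The origins, the challenge and the HMAC stand-in for U2F's ECDSA signature are all constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

# Toy model of U2F origin binding (added example). Real U2F uses per-site ECDSA key
# pairs; HMAC stands in for the signature so this runs on the standard library alone,
# which means the relying party holds the same secret the key signs with.

class SecurityKey:
    """Hardware token: a separate key per relying-party app ID, made at registration."""
    def __init__(self):
        self.keys = {}
    def register(self, app_id):
        self.keys[app_id] = secrets.token_bytes(32)
        return self.keys[app_id]
    def sign(self, app_id, client_data):
        # As in U2F, the signed message covers sha256(app_id) and sha256(client_data)
        msg = hashlib.sha256(app_id.encode()).digest() + hashlib.sha256(client_data).digest()
        return hmac.new(self.keys[app_id], msg, hashlib.sha256).digest()

def browser_sign(key, page_origin, app_id, challenge):
    """The browser, not the page's JavaScript, writes the origin into the client data."""
    if app_id != page_origin:  # simplified facet check: app ID must match the page origin
        raise ValueError("app ID not permitted for this origin")
    client_data = json.dumps({"challenge": challenge, "origin": page_origin}).encode()
    return client_data, key.sign(app_id, client_data)

def rp_verify(stored_key, expected_origin, issued_challenge, client_data, signature):
    """Relying party: origin and challenge must match before the signature is checked."""
    data = json.loads(client_data)
    if data["origin"] != expected_origin or data["challenge"] != issued_challenge:
        return False
    msg = hashlib.sha256(expected_origin.encode()).digest() + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(stored_key, msg, hashlib.sha256).digest(), signature)

def demo():
    real, phish = "https://login.example.com", "https://login-example.com"  # constructed
    key = SecurityKey()
    stored = key.register(real)
    challenge = secrets.token_hex(16)  # issued by the real site, relayed by the phisher
    ok = rp_verify(stored, real, challenge, *browser_sign(key, real, real, challenge))
    try:  # the phishing page cannot request the real site's app ID from its own origin
        browser_sign(key, phish, real, challenge)
        facet_blocked = False
    except ValueError:
        facet_blocked = True
    key.register(phish)  # a response minted for the phisher's origin fails at the real site
    relayed = rp_verify(stored, real, challenge, *browser_sign(key, phish, phish, challenge))
    return ok, facet_blocked, relayed
```

`demo()` returns `(True, True, False)`: the genuine login verifies, the browser refuses to sign for a foreign app ID, and the relayed response is rejected because its client data names the wrong origin.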