Microsoft Security. PHOTO: Cybercrime Magazine.

How To Make Employees Part Of The Cybersecurity Solution

All hands on deck to protect against phishing scams and the latest digital threats

Ann Johnson

Seattle, Wash. – Sep. 17, 2019

Phishing scams grow ever more sophisticated. Your employees may not be getting voice messages deepfaked to sound like your CFO asking them to arrange an urgent money transfer, but they’re facing a barrage of fake invoices and tax refunds, along with increasingly realistic warnings that their email account or storage quota is full.

So far in 2019, Office 365 has detected over 10 million zero day phishing links. In the month of July alone, there were 15 million emails impersonating everyday brands and 21 million emails made to look as if they came from a known and trusted domain.

Not all phishing mails are generic messages that are easy to spot; hacking groups like Fin7 tailor the messages to the organization they’re attacking, crafting plausible attachments that look like the normal course of business. In July, there were 6 million targeted business email attacks on Office 365 trying to trick victims into thinking the message came from someone they know so they’d click through and get compromised.

Whether the payload is a coin miner that infects their machine and consumes compute resources or a credential compromise attack that moves across the network to steal usernames and passwords, phishing is a weak point for many companies; nearly a third of the data breaches in Verizon’s 2019 Data Breach Investigations Report involved phishing.

The first line of defense is training employees to spot and report phishing attacks. Every person who has access to the corporate network — whether they’re a full-time employee, a consultant or a contractor — should receive regular training to help them develop a cyber-resilient mindset.

That needs to cover not just the IT security policies for identity-based access control that they need to adhere to, to make sure data remains where it’s protected, but also how to recognize suspicious events, attacks and even infected systems so they can alert IT and help minimize time to remediation. Rather than warnings about specific ‘lures’ used in phishing messages, showing them how to verify email addresses and links and educating them to be suspicious of attempts to bypass normal procedures will help them avoid being tricked as attackers change tactics in their phishing messages.

Well-trained employees who are aware of the threats your organization faces can become part of the solution rather than part of the problem. But that needs to be backed up by cybersecurity tools that can detect user behavior that’s abnormal and forms part of an attack so you can be proactive and resilient. Phishing is getting so sophisticated that leaving the burden on employees doesn’t give you the protection you need.



To withstand cyberattacks and human error alike, it’s critical for organizations to create a cyber resilience program that leverages the combination of people, processes and cloud services that use machine learning to turn the scale of today’s attacks into a resource for detecting and blocking them. Microsoft sees 6.5 trillion diverse security signals a day from billions of sources; machine learning turns that into a prioritized list of meaningful alerts to help IT react without blocking employees need to get work done wherever they are with a variety of devices and apps.

The IT landscape has changed enormously over the last decade or so. Where we used to have tightly managed systems on users’ desks safe behind a firewall and locked down to only run approved software and connect to network servers and storage, we now have mobile users, with a mix of managed and unmanaged devices accessing cloud services as well as key business systems. Employees adopt shadow IT, not because they don’t care about risk but because they need to get their job done and will turn to any tool that helps them. That exposes them to phishing risks you might not even have thought of training them to spot.

While security tools have evolved to manage this ever-more complex environment, they also flood defenders with alerts, and they’re not designed for the volume and speed of threats organizations are facing. Spending countless hours sifting through warnings and manually correlating them across products to find the genuine threats amongst the torrent of false alarms leaves them no time to investigate complex attacks or anticipate future compromises.

Modern machine learning approaches are changing the way we handle security. Building on those trillions of security signals, the Microsoft Intelligent Security Graph helps identify attack patterns across hundreds of thousands of global organizations, as well as threats targeting Microsoft’s own properties, with inputs coming from endpoints, consumer and commercial services and on-premises technologies. That allows us to craft responses that protect those businesses through the security tooling in services like Microsoft 365 and Office 365, detonating malware and automatically blocking many phishing messages. Office 365 Advanced Threat Protection extends those defenses to your own on-premises mailboxes, and can trigger automatic investigations when users report phishing messages, click malicious links in email, or even when previously delivered mail is discovered to be a phish.

Responses need to be automated, taking humans out of the loop in order to deliver targeted remedies quickly. Operational resilience requires speed and agility, delivering defense in depth against attacks. Azure Sentinel, our cloud-hosted SIEM, extends this approach to your own environment. It integrates with the full breadth of IT systems and uses machine learning to correlate millions of signals from them as well as from the security graph, to help focus your attention on active threats and give you a coherent solution for delivering cyber resilience. Defenders are no longer overloaded with potentially irrelevant information, significantly reducing the risk of alert fatigue. Early adopters report that seeing only significant, relevant alerts and using the dashboards and playbooks provided reduces threat hunting time from hours to seconds.

Azure Sentinel doesn’t only identify threats, it actively defends against them. Once malware or phishing messages are identified, filters can be automatically updated, blocking them before they get into your network and your devices. New threats are sandboxed and detonated, giving Azure Sentinel new signatures that are shared across the security graph. As new patterns of attack emerge, Microsoft designs and trains new models to detect them, and the Sentinel community contributes new queries for exploration and threat hunting. It’s not just your instance of Azure Sentinel that’s protecting you, it’s all of them, all over the world.

That gives security teams back the time to train and support users through the on-going waves of phishing attacks, backed by a flexible and reactive cyber resilience solution. The ‘assume breach’ mentality is a necessity in today’s world, but true operation resilience means having the confidence to deal with attacks rather than it being a counsel of despair.

Microsoft Archives

Ann Johnson is Corporate Vice President, Cybersecurity Solutions Group for Microsoft. She is a member of the board of advisors for FS-ISAC (The Financial Services Information Sharing and Analysis Center), an advisory board member for EWF (Executive Women’s Forum on Information Security, Risk Management & Privacy), and an advisory board member for HYPR Corp. Ann recently joined the board of advisors for Cybersecurity Ventures.


Sponsored by Microsoft 

Microsoft provides enterprise-class security for emerging cyberthreats. Be prepared to defend your organization from new cyberthreats with help from Microsoft. Start by learning ten tips to enable Zero Trust security.

To find out more about Microsoft’s Cybersecurity Solutions, visit the Microsoft Security Site, or follow Microsoft Security on Twitter at Msft Security Twitter or Msft WDSecurity Twitter.