We live in a time where deepfakes, synthetic identities, and sophisticated cyberattacks are rife, which makes safeguarding credentials and personal information more critical than ever.
With people remaining the most targeted attack vector, and social engineering attacks including phishing responsible for 70% to 90% of all breaches, KnowBe4’s security awareness experts share their top tips and advice to help organisations safeguard against the theft of their employees’ digital identities.
Anna Collard, SVP of content strategy & security awareness advocate
- Cultivate a Zero Trust Mindset: Never trust, always verify, even when communication comes from seemingly familiar contacts.
- Phishing-resistant MFA: Mandate multi-factor authentication (MFA), preferably a phishing-resistant form, and supplement it with additional layers of security such as biometrics (fingerprint, facial recognition) or contextual risk analysis (location, device health, time of access).
- Security Awareness Training: Conduct regular security awareness training to educate employees on the tactics used in social engineering attacks. This includes recognising phishing emails, smishing (SMS phishing), vishing (voice phishing), and other phishing and social engineering techniques.
- "Stop, Breathe, Question" Technique: Teach employees to pause, take a breath, and question the legitimacy of requests before clicking on links, opening attachments, or approving access.
Javvad Malik, lead security awareness advocate
- Prioritise Security and Usability: Implement a user-centric approach to security that ensures all employees can easily and securely access the resources they need, while maintaining the confidentiality, integrity, and availability of sensitive data. This involves streamlining authentication processes, minimising friction, and providing clear instructions to guide users through security protocols.
- Easy-to-Understand Security Measures: Educate employees on the practical benefits of security measures, emphasising how they protect both personal and organisational data. Use clear and concise language, relatable examples, and interactive elements to engage users and cultivate a strong security culture.
- Continuous Authentication: Implement advanced authentication mechanisms that continuously verify users based on their behaviour patterns, like typing speed, mouse movements, and location data. This helps to detect and prevent unauthorised access, even if login credentials have been compromised.
- Self-Service Capabilities: Empower users with self-service capabilities, such as portals that let employees manage their own accounts and reset their passwords. This reduces delays and frustration, improves user satisfaction, and ensures that all users can maintain access to critical resources.
Martin Kraemer, security awareness advocate
- Share On a Need-To-Know Basis: Uploading personal documents like passports online has become increasingly common for various services like opening a bank account. While this practice can be convenient, it's essential to exercise caution. Only share sensitive information when absolutely necessary and with legitimate parties. Always verify the legitimacy of the request and the organisation before sharing any personal data. If you are asked for sensitive information without a clear and valid reason, or if something feels suspicious, don't share it.
- Your Online Behaviour is Monitored: Social media platforms and other online services track your online behaviour to create detailed profiles. These profiles gather your behaviour, interests, and preferences, which can then be used for targeted advertising or other purposes. If you are uncomfortable with others knowing about your online activity, be mindful of your actions. Consider adjusting your privacy settings, limiting the information you share, and being selective about the websites and services you use. Remember that your digital footprint can have long-lasting consequences.
James McQuiggan, security awareness advocate
- Empower Employees to Report: Many employees hesitate to report suspicious logins, unexpected MFA prompts, or phishing attempts due to fear of blame, unclear processes, or negative past experiences with IT support. It’s important to foster a security culture where prompt reporting is rewarded, not reprimanded, and to integrate user-friendly reporting mechanisms, such as one-click report buttons and SSO (single sign-on) portals. Ensure the process for reporting phishing, credential misuse, or MFA fatigue is simple, fast, and judgment-free.
- Post-Incident Response: Use incident reviews as learning opportunities rather than blame sessions. Ensure support teams respond quickly to reported incidents to build user trust.
- IT and Cybersecurity Teams: Stay informed about Initial Access Brokers (IABs) and stealer malware trends. Monitor underground forums and markets for exposed corporate credentials and for insights into attacker tactics, techniques, and procedures (TTPs).
- Governance, Risk Management, and Compliance: Establish a process for regularly collecting, tagging, and analysing stealer logs to identify exposed employee credentials (especially those with saved browser sessions or cookies). Share insights with IT and cybersecurity teams to prioritise high-risk cases.
- Threat Intel Teams: Align findings with MITRE ATT&CK techniques (e.g., T1556, T1539) to enhance defensive strategies.
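The collect, tag and prioritise workflow described in the three points above, as an added example that is not KnowBe4's or the contributors' code. It parses a constructed, simplified key=value record format (a hypothetical layout used only for illustration; real stealer-log dumps differ by malware family and are not modelled), tags each record as corporate or not against an assumed organisation domain list, ranks exposures so that credentials captured together with saved session cookies come first for session revocation and password reset, and labels cookie exposures with the ATT&CK technique id the page cites. The domain list, host names, users and URLs are all made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Assumed organisation domains (hypothetical); subdomains of these count as corporate.
CORPORATE_DOMAINS = {"example.com"}

# Constructed sample records in a simplified key=value format. This is a made-up
# format for illustration; real stealer-log dumps differ by malware family.
SAMPLE_LOG = """\
host=WS-042 url=https://sso.example.com/login user=alice@example.com cookies=3
host=WS-042 url=https://shop.example-store.test/account user=alice@gmail.com cookies=1
host=LT-107 url=https://mail.example.com/ user=bob@example.com cookies=0
host=LT-107 url=https://vpn.example.com/ user=bob cookies=2
host=PC-9 url=https://notexample.com/ user=carol@personal.test cookies=0
"""

PRIORITY_RANK = {"critical": 0, "high": 1, "low": 2}


@dataclass
class Exposure:
    host: str                   # infected machine name as recorded in the log
    url: str                    # login URL the credential was saved for
    user: str                   # username or e-mail address
    cookies: int                # saved session cookies captured alongside the credential
    corporate: bool
    priority: str
    attack_tags: Tuple[str, ...]
    actions: Tuple[str, ...]


def is_corporate_host(hostname: str) -> bool:
    """Exact or subdomain match only; a plain suffix test would wrongly accept notexample.com."""
    hostname = hostname.lower()
    return any(hostname == d or hostname.endswith("." + d) for d in CORPORATE_DOMAINS)


def is_corporate_user(user: str) -> bool:
    return "@" in user and user.rsplit("@", 1)[1].lower() in CORPORATE_DOMAINS


def parse_record(line: str) -> Dict[str, str]:
    return dict(re.findall(r"(\w+)=(\S+)", line))


def classify(rec: Dict[str, str]) -> Exposure:
    hostname = urlsplit(rec["url"]).hostname or ""
    cookies = int(rec.get("cookies", "0"))
    corporate = is_corporate_host(hostname) or is_corporate_user(rec["user"])
    if corporate and cookies > 0:
        priority = "critical"   # a live session may let the holder skip the password entirely
        actions = ("revoke sessions", "reset password", "re-verify MFA enrolment")
    elif corporate:
        priority = "high"
        actions = ("reset password", "review sign-in logs")
    else:
        priority = "low"
        actions = ("notify user: personal account exposed",)
    # T1539 (Steal Web Session Cookie) is the ATT&CK id the page cites for cookie exposure.
    tags = ("T1539",) if cookies > 0 else ()
    return Exposure(rec["host"], rec["url"], rec["user"], cookies, corporate, priority, tags, actions)


def triage(log_text: str) -> List[Exposure]:
    """Parse every non-empty line, classify it, and return records sorted by priority (stable sort)."""
    records = [classify(parse_record(line)) for line in log_text.splitlines() if line.strip()]
    return sorted(records, key=lambda e: PRIORITY_RANK[e.priority])


def actions_by_user(exposures: List[Exposure]) -> Dict[str, List[str]]:
    """Collapse corporate exposures into one de-duplicated action list per user for the IAM hand-off."""
    out: Dict[str, List[str]] = {}
    for e in exposures:
        if not e.corporate:
            continue
        bucket = out.setdefault(e.user, [])
        for action in e.actions:
            if action not in bucket:
                bucket.append(action)
    return out


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.priority:8} {e.user:22} {e.url:45} cookies={e.cookies} {e.attack_tags} -> {', '.join(e.actions)}")
    print(actions_by_user(triage(SAMPLE_LOG)))
```

The ordering is the point: a corporate credential captured together with session cookies is handled before a bare password, because resetting the password alone does not invalidate an already-exported session. The host check deliberately refuses a bare suffix match so that look-alike domains do not get tagged as corporate.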
Erich Kron, security awareness advocate
- Do not reuse passwords: Credential stuffing attacks use automated tools and stolen login information to log into accounts. Reusing passwords across multiple platforms makes employees and organisations vulnerable because if one account is compromised, all accounts using the same password are compromised as well.
Roger A. Grimes, data-driven defense evangelist
- Phishing-Resistant MFA: This is the most secure option, as it protects against common social engineering attacks like phishing scams. Examples include hardware security keys and biometrics like fingerprint or facial recognition. These methods require something you have (the hardware key) or something you are (your biometrics), making it much harder for attackers to impersonate employees.
- Any MFA: If phishing-resistant MFA is not feasible, any MFA is better than none. Examples include SMS-based authentication, time-based one-time passwords (TOTP) generated by an app, and push notifications to a trusted device. While not as secure as phishing-resistant MFA, these methods still add an extra layer of protection to your accounts.
- Use a Password Manager: Use a reputable password manager to create and manage strong, unique passwords for every site and service. Password managers generate complex passwords that are nearly impossible to guess, and they store them securely so you don't have to remember them all. Many password managers also offer features like autofill and password sharing, which can save time and improve your security.
- Strong, Unique Passwords: If you can't use a password manager, create strong passwords or passphrases that are at least 20 characters long. A strong password should include a mix of uppercase and lowercase letters, numbers, and symbols. Avoid using easily guessable information like your name, birthdate, or pet's name. Most importantly, never reuse passwords across different sites or services.
By implementing these strategies, organisations can significantly reduce the risk of identity theft, credential compromise, and subsequent phishing and social engineering attacks, ultimately protecting their employees and their valuable data.