Although many people are aware of phishing attacks, a large number of compromises still succeed.
Phishing attacks counterfeit communications from a legitimate or trusted source to mislead recipients into revealing sensitive information or running malicious code. Email carrying links to credential-harvesting sites, or attachments that deliver malware, is the main vector, but attackers are also increasingly using social media for phishing to reach and exploit vulnerable individuals.
As well as considering inbound phishing attacks directed at their own staff, organisations must also think about external parties: customers and partners targeted by attackers masquerading as the organisation.
For external parties, most organisations are limited to providing awareness advice. Good examples include The Imposter advert produced by Barclays, and HM Revenue and Customs' published advice that it will never contact people by email or text message about a tax rebate.
From an inbound attack perspective, potential technical security controls include email scanning, sender authentication (checking the sending IP address against the sender domain's published SPF record, so that a spoofed envelope sender is rejected or quarantined), and preventing the opening of attachments from unknown or untrusted sources. Note that SPF checks the envelope sender, not the From header the recipient sees, so a message can pass SPF for a domain the attacker controls while displaying a lookalike or forged From address; an alignment check between the two domains is needed to catch that. Some organisations choose to block any email with an attachment; others use whitelists for links.
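The following is an added example, not code from the article or the ISF: a minimal inbound filter that evaluates a sending IP against an SPF record and then checks that the envelope sender domain aligns with the displayed From header. The SPF records, domains and IP addresses are constructed (the IPs are from the reserved documentation ranges), and the evaluator is deliberately limited to ip4, ip6 and all mechanisms; include, a, mx, exists and redirect need DNS lookups and are refused rather than silently treated as a pass. The alignment rule is a simplified, DMARC-style exact-domain comparison.

```python
import ipaddress

# Constructed SPF records for two hypothetical domains. A real gateway would
# fetch these with a DNS TXT query for each envelope sender domain.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "attacker.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"  # an absent qualifier means "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        mechanisms.append((qualifier, name.lower(), value))
    return mechanisms


def check_spf(sender_ip, domain, records=SPF_RECORDS):
    """Return pass/fail/softfail/neutral/none for sender_ip against domain's record.

    Only ip4, ip6 and all are evaluated here (assumption: no DNS available).
    Other mechanisms raise so an unsupported record never becomes a silent pass.
    """
    record = records.get(domain)
    if record is None:
        return "none"  # domain publishes no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(value, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        else:
            raise NotImplementedError(f"SPF mechanism '{name}' needs DNS resolution")
    return "neutral"  # record ended without an "all" term


def domain_of(address):
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def evaluate_message(sender_ip, mail_from, header_from, records=SPF_RECORDS):
    """Decide what the gateway should do with one message.

    SPF is evaluated against the envelope sender (MAIL FROM). The displayed From
    header is then checked for alignment with that domain, because an attacker can
    pass SPF for a domain they control while the From header shows ours.
    """
    envelope_domain = domain_of(mail_from)
    spf = check_spf(sender_ip, envelope_domain, records)
    aligned = envelope_domain == domain_of(header_from)
    if spf == "pass" and aligned:
        action = "deliver"
    elif spf in ("fail", "softfail") or not aligned:
        action = "quarantine"  # policy choice: softfail is treated as fail
    else:
        action = "deliver-flagged"  # neutral/none gives no verdict; mark for review
    return {"spf": spf, "aligned": aligned, "action": action}


if __name__ == "__main__":
    # Genuine mail from the organisation's own relay.
    print(evaluate_message("192.0.2.10", "alerts@example.com", "alerts@example.com"))
    # Attacker passes SPF for their own domain but forges the visible From header.
    print(evaluate_message("198.51.100.5", "bounce@attacker.example", "ceo@example.com"))
    # Direct spoof of the envelope sender from an unauthorised address.
    print(evaluate_message("203.0.113.7", "ceo@example.com", "ceo@example.com"))
```

The second case is the one worth internalising: the message is a clean SPF pass, and only the alignment check between the envelope domain and the From header domain sends it to quarantine.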
But technical controls alone are not enough; security awareness is an essential component. Many organisations conduct regular phishing simulations to "test" employees and measure behavioural change. One organisation recently sent a fake phishing email to 1,000 employees; 50% of the recipients opened the email and clicked on the link within an hour. The click rate on its own only measures failure, however; the proportion of recipients who report the message, and how quickly the first report arrives, show whether the desired behaviour is actually taking hold.
Other methods of cultivating expected security behaviours include gamification (for example, building up points during awareness "quizzes"), perhaps combined with easily remembered mantras such as "Stop and think before clicking on a link" or "If you suspect it, report it". Select the awareness training that works best for your organisation.
Do remember that how employees deal with phishing attacks is only a small part of expected security behaviours. Developing an overall security-positive culture is the main goal.
Maxine Holt is principal analyst at the Information Security Forum (ISF).