Gone Phishing: Why Secure Email Is Not Enough

Gone Phishing: Why Secure Email Is Not Enough

Protecting your business from cyber attacks starts with training your own staff on how to spot a threat.

Here, Tom Franson, Vice President with Custom Computer Specialists, shares his insights on how to mitigate this growing threat.

What is the number one threat organizations need to be worried about?

Hands down, email is the number one threat, closely followed by web-based attacks. We’re currently looking at email malware infections impacting 67% of organizations and web-based attacks in second place at 63%.

What are the different types of email-based attacks?

The top four are phishing emails, which is when an email is sent to a large number of users simultaneously and attempts to “fish” sensitive information. Then there’s spear-phishing, which is more targeted and usually contains information that is specific to a group. Executive whaling is one of the newer tactics being used by cybercriminals as they go after C-level executives who are more likely to click, since they usually receive so many emails they don’t have time to review and analyze each email. Finally, there’s CEO fraud, which is when a CEO’s email gets spoofed while she/he is travelling and asks employees to transfer large amounts of money out of the country.

What is the best way to defend against these attacks?

We’ve found that passive security practices, such as setting up firewalls, don’t work against highly aggressive threat sources. This doesn’t mean that traditional defenses won’t work. They all play a part and make it harder for the bad guys to succeed; they’re just not enough. The first line of defense should be the users themselves.

In essence, you’re talking about a human firewall?

Exactly. Build a Human Firewall and just remember, for example, a study was done with 100 engineering and science majors, and one in six fell victim to obvious phishing scams. Another showed that 96% of executives failed to tell the difference between a real email and a phishing email. The best way to mold employees into human firewalls is with security awareness training.

How does security awareness training work?

It’s important to identify a training program that educates and informs employees to make them phish-savvy. The best programs are comprehensive. It’s important to find a program that not only provides security awareness training, but also coordinates that training with simulated phishing attacks. Of course, to determine the effectiveness of any program we encourage organizations to baseline how susceptible their employees are to phishing attacks.

I’ve heard sometimes these simulated attacks go awry when employees tell each other about the “internal phishing” they just received.

That’s so true. We find the best way to avoid this is to ensure the simulated phishing attacks are random, meaning the emails are sent to random groups, at random times using random phishing templates.

Is there any other advice you can give organizations?

Just to keep in mind that hackers only need to get lucky once, but security systems have to win every time. If anyone has any questions about their security defenses, I’d be happy to jump on a call.


Tom Franson is a Vice President at Custom Computer Specialists and a seasoned professional with deep experience as a manager, director and consultant in IT operations. He has over 20 years of experience in the science and practical application of developing performance metrics and building performance improvement and quality management programs. Tom has managed large “follow the sun” technical support operations and has provided performance improvement consulting services to some of the world’s leading service organizations including: Bloomberg Financial Markets, American Express as well as many Northeast Healthcare and Public Sector organizations. Over the past few years Tom has led the Healthcare Solutions practice at Custom where he incorporates ISC2, COBIT and ITIL into his framework. He has worked with Long Term and Acute Care organizations as well as Physician and Ambulatory practices throughout the Northeast to address regulatory mandates such as HIPAA and ICD-10 as well as right size their technology support, maximize IT expenditures and develop long term and tactical plans to meet goals. Tom is ITIL Service Management, HDI Support Director and HCISPP certified and has implemented and managed in a variety of Quality Management environments including ISO, Six Sigma and Lean. He holds a Masters degree in Statistics and Organizational Development from Columbia University and currently serves as the President of the Long Island Chapter of the Help Desk Institute.