Gone Phishing: Why Secure Email Is Not Enough
Protecting your business from cyber attacks starts with training your own staff on how to spot a threat.
Here, Tom Franson, Vice President with Custom Computer Specialists, shares his insights on how to mitigate this growing threat.
What is the number one threat organizations need to be worried about?
Hands down, email is the number one threat, closely followed by web-based attacks. We’re currently looking at email malware infections impacting 67% of organizations and web-based attacks in second place at 63%.
What are the different types of email-based attacks?
The top four are phishing emails, where an email is sent to a large number of users simultaneously in an attempt to “fish” for sensitive information. Then there’s spear-phishing, which is more targeted and usually contains information specific to a group. Executive whaling is one of the newer tactics cybercriminals use to go after C-level executives, who are more likely to click because they receive so many emails that they don’t have time to review and analyze each one. Finally, there’s CEO fraud, where a CEO’s email is spoofed while he or she is travelling and employees are asked to transfer large amounts of money out of the country.
What is the best way to defend against these attacks?
We’ve found that passive security practices, such as setting up firewalls, don’t work against highly aggressive threat sources. This doesn’t mean that traditional defenses won’t work. They all play a part and make it harder for the bad guys to succeed; they’re just not enough. The first line of defense should be the users themselves.
In essence, you’re talking about a human firewall?
Exactly. Build a human firewall, and keep in mind that in one study of 100 engineering and science majors, one in six fell victim to obvious phishing scams. Another study found that 96% of executives failed to tell the difference between a real email and a phishing email. The best way to mold employees into human firewalls is with security awareness training.
How does security awareness training work?
It’s important to identify a training program that educates and informs employees to make them phish-savvy. The best programs are comprehensive. It’s important to find a program that not only provides security awareness training, but also coordinates that training with simulated phishing attacks. Of course, to determine the effectiveness of any program we encourage organizations to baseline how susceptible their employees are to phishing attacks.
I’ve heard sometimes these simulated attacks go awry when employees tell each other about the “internal phishing” they just received.
That’s so true. We find the best way to avoid this is to ensure the simulated phishing attacks are random, meaning the emails are sent to random groups, at random times using random phishing templates.
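The two practices described in the last two answers, baselining susceptibility and randomising the simulation so colleagues can’t tip each other off, are simple to put into code. The Python below is an added example written for this page; it is not Custom Computer Specialists’ tooling, and the staff list, lure templates, start date and click events are all constructed here for illustration. Each recipient gets an independently random send day, send minute and template; a collision check then re-rolls the schedule if two people in the same department would receive the same lure within an hour of each other, and a baseline function turns the resulting click events into the rate you compare against after training.

```python
"""Randomised phishing-simulation scheduler plus a susceptibility baseline.

Added example for the interview above. Staff, templates, dates and click
events are constructed for illustration, not taken from any real campaign.
"""
import random
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample staff list (hypothetical addresses and departments).
EMPLOYEES = [
    ("a.lee@example.com", "finance"),
    ("b.ortiz@example.com", "finance"),
    ("c.nguyen@example.com", "finance"),
    ("d.patel@example.com", "engineering"),
    ("e.kim@example.com", "engineering"),
    ("f.rossi@example.com", "sales"),
    ("g.chen@example.com", "sales"),
    ("h.adams@example.com", "executive"),
]

# Constructed lure templates, mirroring the attack types named in the interview.
TEMPLATES = ["password-reset", "shared-document", "overdue-invoice", "ceo-wire-request"]


def schedule_campaign(employees, templates, start, days, seed):
    """Give every recipient an independently random template, day and minute.

    The seed makes the plan reproducible so the security team can audit who was
    tested with which lure, while staff still cannot predict the schedule.
    """
    rng = random.Random(seed)
    plan = []
    for email, dept in employees:
        day = rng.randrange(days)
        minute = rng.randrange(9 * 60, 17 * 60)  # 09:00-16:59 local time
        plan.append({"email": email, "dept": dept,
                     "template": rng.choice(templates),
                     "send_at": start + timedelta(days=day, minutes=minute)})
    return plan


def tip_off_pairs(plan, window=timedelta(hours=1)):
    """Count same-department pairs that get the SAME lure within `window`.

    These are the people most likely to warn each other, so a usable schedule
    keeps this count at zero.
    """
    pairs = 0
    for i, a in enumerate(plan):
        for b in plan[i + 1:]:
            if (a["dept"] == b["dept"] and a["template"] == b["template"]
                    and abs(a["send_at"] - b["send_at"]) <= window):
                pairs += 1
    return pairs


def schedule_with_spread(employees, templates, start, days, seed, attempts=50):
    """Re-roll the seed until the schedule has no tip-off collisions."""
    for n in range(attempts):
        plan = schedule_campaign(employees, templates, start, days, seed + n)
        if tip_off_pairs(plan) == 0:
            return plan
    raise RuntimeError("no collision-free schedule found; widen the send window")


def baseline(plan, clicked):
    """Susceptibility baseline: click rate overall, per department, per lure.

    `clicked` is the set of addresses whose unique tracking link was followed.
    The overall rate is the figure to re-measure after awareness training.
    """
    hits = [p for p in plan if p["email"] in clicked]
    sent_dept, hit_dept = Counter(p["dept"] for p in plan), Counter(p["dept"] for p in hits)
    sent_tpl, hit_tpl = Counter(p["template"] for p in plan), Counter(p["template"] for p in hits)
    return {
        "overall": len(hits) / len(plan),
        "by_dept": {d: hit_dept[d] / sent_dept[d] for d in sent_dept},
        "by_template": {t: hit_tpl[t] / sent_tpl[t] for t in sent_tpl},
    }


def demo_plan():
    """Ten-business-day campaign starting on a constructed date."""
    return schedule_with_spread(EMPLOYEES, TEMPLATES, datetime(2024, 3, 4), days=10, seed=7)


def demo_baseline():
    """Baseline using a constructed result: two recipients followed their link."""
    return baseline(demo_plan(), {"b.ortiz@example.com", "h.adams@example.com"})


if __name__ == "__main__":
    for p in demo_plan():
        print(f'{p["send_at"]:%Y-%m-%d %H:%M}  {p["template"]:<17} {p["email"]}')
    print(demo_baseline())
```

Run it as a script to print the schedule and the baseline. Two details are worth keeping when adapting this: the fixed seed is what lets you prove afterwards exactly who was tested with what, and the per-department breakdown is what tells you whether a later drop in the overall rate came from everyone or only from the team that happened to get the easiest lure.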
Is there any other advice you can give organizations?
Just to keep in mind that hackers only need to get lucky once, but security systems have to win every time. If anyone has any questions about their security defenses, I’d be happy to jump on a call.