With a likely upsurge in regulations requiring corporations to divulge whether sensitive customer data has been illegally accessed, Canadian companies will have to pay increasing attention to the prevention of phishing scams directed at their employees.
During a recent Internet Security Systems Inc. (ISS) Web seminar, David Lineman, CEO of Information Shield Inc., said businesses that have customers in California, where the state's recent Senate Bill 1386 requires companies to notify residents if their customer data has been compromised, are already learning that lesson. But the California law is just the start. In the future, there is a reasonable likelihood that companies will be successfully sued if a phishing scam (in which an e-mail message that appears legitimate tricks recipients into surrendering private data that aids in identity theft) leads to the loss of corporate data that affects third-party partners, Lineman said.
The role of the individual corporate user in relationship to the outside world is “really getting complicated,” he said.
Recent Gartner Group statistics back up this bleak picture — it found that 57 million U.S. Internet users have received phishing e-mails. Chad Hunt, special agent for the Federal Bureau of Investigation’s cyber crime unit, said as many as five per cent of recipients respond to the e-mails. According to the Gartner report, “1.78 million Americans, or three per cent of those attacked, remember giving the phishers sensitive financial or personal information, such as credit card numbers or billing addresses, by filling in a form on a spoof Web site.”
Once hackers “have one piece of information, [it] can open a lot of doors,” Hunt said.
Since users often reuse the same passwords at home and at work, companies need to, at the very least, make sure the user names used to log in to corporate networks are not the same as those used for home-based accounts.
If user names follow predictable defaults (e-mail addresses, firstname_lastname and the like), an employee who surrenders a home account password to a phishing scam could be handing over corporate access right through the corporate firewall, Hunt said. One successful phishing scam mimicked a Microsoft Corp. Web page offering an operating system patch for download.
“A lot of well-meaning people might think they are helping the IT department” by downloading the patch, Hunt said. In the meantime they have given away corporate access information by entering user names and passwords.
Education is the key to protecting corporate access, with technology playing an important secondary role, the participants agreed.
Lineman said companies need to create consistent policies, standards and procedures to prevent successful phishing attacks. Companies should have data classification policies so employees know what information is most critical to corporate success, he said. Security policies have to have a clear corporate owner. In his experience, the owner of security policies is often no longer with the company or in a different job. Additionally, enforcement of policies has to match up to HR expectations. Finally, users have to understand that they have some level of responsibility for corporate security.
Since internal training exercises often fall on deaf ears, Lineman often resorts to what he calls “Murphy’s Law of free stuff.” Those who successfully finish online security surveys or courses win T-shirts or gift certificates. He said responses can go from around zero to 98 per cent. Employees should also be vigilant for spelling errors in official-looking e-mails, Hunt said, though admittedly people often don’t notice them. If an employee is uncertain of an e-mail’s veracity, manually entering the URL will bypass a phishing e-mail, he said.
On the technology side, there are a variety of things that can be done to decrease phishing, said Clarence Morey, product line manager for content security with ISS. To protect their own corporate brand, companies should periodically monitor domain name registrations to make sure no one has registered sites designed to mimic their own. An example would be www.micr0soft.com, with a zero in place of the letter o. Another is to spider the Web looking for unauthorized use of corporate logos on a site, though he admitted this won't stop the craftiest phishers, since they simply have the logo on their site link back to the real corporate site.
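The domain-monitoring check Morey describes, and Hunt's point that the link in a phishing message need not go where it claims, can both be automated. The following is an added example, not code from ISS or Information Shield: it generates look-alike variants of a brand domain (homoglyph swaps such as o/0 and m/rn, omissions, transpositions, doubled characters), intersects them with a list of registered domains, and then flags e-mail links whose host is a look-alike or whose visible text names the brand while the href points elsewhere. The brand, the "registered" domain list and the e-mail links are all constructed for the example; in practice the registered list would come from a zone file or a newly-registered-domains feed.

```python
"""Look-alike domain generation and e-mail link checking.

Added example; not code from the ISS seminar. All sample data
(brand, registered domains, e-mail links) is constructed.
"""
from urllib.parse import urlparse

# Substitutions phishers commonly use to build look-alike domains.
# Keys may be one or two characters long (e.g. 'm' -> 'rn').
HOMOGLYPHS = {
    "o": ["0"], "0": ["o"],
    "l": ["1", "i"], "i": ["1", "l"], "1": ["l", "i"],
    "e": ["3"], "a": ["4"], "s": ["5"],
    "m": ["rn"], "rn": ["m"], "w": ["vv"],
}


def lookalikes(label):
    """Return look-alike variants of a bare label such as 'microsoft':
    single homoglyph substitutions, one-character omissions, adjacent
    transpositions and doubled characters. The label itself is excluded."""
    out = set()
    n = len(label)
    for i in range(n):
        for key, subs in HOMOGLYPHS.items():
            if label.startswith(key, i):
                for s in subs:
                    out.add(label[:i] + s + label[i + len(key):])
    for i in range(n):                      # omission
        out.add(label[:i] + label[i + 1:])
    for i in range(n - 1):                  # transposition
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(n):                      # doubled character
        out.add(label[:i + 1] + label[i:])
    out.discard(label)
    return out


def lookalike_domains(brand_domain, tlds=("com", "net", "org", "ca")):
    """Expand the look-alike labels of a brand domain across common TLDs."""
    label, _, _tld = brand_domain.lower().partition(".")
    return {f"{v}.{t}" for v in lookalikes(label) for t in tlds}


def find_registered_lookalikes(brand_domain, registered):
    """Intersect generated look-alikes with a (constructed) list of
    registered domains; this is the periodic registration check."""
    return sorted(lookalike_domains(brand_domain) & {d.lower() for d in registered})


def suspicious_links(links, brand_domains):
    """Given (visible_text, href) pairs from an e-mail, return the hrefs
    that point at a look-alike host or whose visible text names a brand
    domain while the href goes somewhere else. Links to the brand's own
    hosts (or subdomains of them) are considered genuine."""
    flagged = []
    for text, href in links:
        host = (urlparse(href).hostname or "").lower()
        if host.startswith("www."):
            host = host[4:]
        for brand in brand_domains:
            if host == brand or host.endswith("." + brand):
                break                       # genuine host for this brand
            if host in lookalike_domains(brand):
                flagged.append((href, f"look-alike of {brand}"))
                break
            if brand in text.lower():
                flagged.append((href, f"text names {brand} but link goes to {host}"))
                break
    return flagged


# Constructed sample data.
REGISTERED = ["microsoft.com", "micr0soft.com", "example.org",
              "rnicrosoft.net", "mircosoft.ca"]
EMAIL_LINKS = [
    ("Download the security patch", "http://www.micr0soft.com/patch"),
    ("www.microsoft.com/security", "http://update-check.example.net/login"),
    ("Microsoft support", "https://support.microsoft.com/"),
]

if __name__ == "__main__":
    print(find_registered_lookalikes("microsoft.com", REGISTERED))
    for href, reason in suspicious_links(EMAIL_LINKS, ["microsoft.com"]):
        print(f"{href}: {reason}")
```

The generator is deliberately narrow (one edit per variant); a production monitor would also cover IDN homographs, added words such as "-login" or "-update", and other TLDs, and would run the candidate list against a zone file or registrar feed rather than an inline list. The link check is the automated form of Hunt's advice: the decision is made on the href host, never on the text the user sees.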
Morey said phishing intersects many other corporate governance issues. Whether it is spam, viruses and worms or obscene content being accessed using the corporate network, Morey said monitoring the network is the key to reducing inappropriate and malicious activity. ISS has both software and hardware-based solutions designed to help with the task, he said.