Reducing the risk of phishing attacks

Phishing has evolved into the most effective social engineering attack that hackers use to infiltrate organizations. The goal of phishing is to con employees into unknowingly downloading malware or revealing their access credentials. The best defense is our individual vigilance.

The just-ended National Cyber Security Awareness Month reminded us that our individual and collective behaviors are what contain the risk of cyber security incidents.

Below are the measures most organizations can implement, at modest cost, to raise individual vigilance significantly and thereby reduce the risk of successful phishing attacks.

Security awareness training

Security awareness training is the simplest counter-measure that reduces phishing attacks. In many organizations, every person is required to attend basic security awareness training. Typically the training outline includes:

  1. Appropriate internet usage for organization and personal purposes.
  2. Definition of phishing and other types of attacks.
  3. Overview of motivations of hackers.
  4. Adverse consequences of successful phishing attacks and other malicious intrusions.
  5. Adherence to password policy and how to secure personal access credentials.
  6. How to spot suspicious incoming emails.
  7. Limitations of the electronic surveillance defenses of the organization.
  8. Review of the confidential information management policy including:
    • Proper handling of confidential information.
    • Admonition to not click on links or attachments in emails from unknown sources.
    • Reminder to never give out organization information without appropriate authorization.
    • Encouragement to report suspicious emails to the cyber security team.
  9. Reporting phishing and other security incidents.
  10. How the cyber security team investigates phishing and other incidents.
  11. Physical security and access to buildings.

Background screening

Sometimes hackers join organizations as an employee or contractor just to gather insider information. Background screening is an important policy for pre-emptively countering future phishing attacks that would be built on the information gathered. Screening should not be limited to employees but should include vendor staff and contract workers, because almost everyone is provided with some form of access to the organization’s network and facilities.

Not screening or haphazard screening invites hackers to gather insider information to use in future attacks.

Physical security

Every organization should operate an access control system to ensure that only explicitly authorized people can access systems and facilities. Everyone needs to learn to firmly challenge people they don’t recognize.

Frequent physical security oversights include:

  1. Not rigorously deleting individuals from access control systems after they leave the organization.
  2. Providing too much access to individuals for the roles that they hold.
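One way to catch both of these oversights mechanically is a periodic access review that reconciles the access-control roster against the HR roster and a per-role baseline. The script below is an added example, not from the article; the HR records, badge roster, roles and zone names are all constructed sample data standing in for exports from the real HR and access-control systems.

```python
"""Added example (not from the article): reconcile a physical access-control
badge roster against the HR roster and a per-role entitlement baseline.
All rosters, roles and zone names are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class HrRecord:
    status: str  # "active" or "terminated"
    role: str


# Constructed HR roster keyed by person id.
HR_ROSTER = {
    "e101": HrRecord("active", "engineer"),
    "e102": HrRecord("terminated", "engineer"),
    "c201": HrRecord("active", "contractor"),
}

# Constructed badge roster: person id -> zones the badge currently opens.
BADGE_ROSTER = {
    "e101": {"lobby", "lab"},
    "e102": {"lobby", "lab"},         # left the organization, badge never revoked
    "c201": {"lobby", "datacenter"},  # contractor granted more than the role needs
    "x999": {"lobby"},                # badge with no HR record at all
}

# Constructed role baseline: the zones each role is entitled to.
# A role missing from this table is treated as entitled to nothing,
# so every zone on such a badge is flagged for review.
ROLE_BASELINE = {
    "engineer": {"lobby", "lab"},
    "contractor": {"lobby"},
}


def find_stale_badges(badges, hr):
    """Oversight 1: badges whose holder is no longer active, or unknown to HR.
    Returns {person_id: reason}."""
    stale = {}
    for pid in badges:
        rec = hr.get(pid)
        if rec is None:
            stale[pid] = "no HR record"
        elif rec.status != "active":
            stale[pid] = rec.status
    return stale


def find_excess_access(badges, hr, baseline):
    """Oversight 2: zones granted beyond what the holder's role entitles.
    Returns {person_id: sorted list of excess zones}."""
    excess = {}
    for pid, zones in badges.items():
        rec = hr.get(pid)
        if rec is None or rec.status != "active":
            continue  # already reported by find_stale_badges
        allowed = baseline.get(rec.role, set())
        extra = zones - allowed
        if extra:
            excess[pid] = sorted(extra)
    return excess


def access_review(badges=BADGE_ROSTER, hr=HR_ROSTER, baseline=ROLE_BASELINE):
    """Run both checks and return the findings for the review meeting."""
    return {
        "stale": find_stale_badges(badges, hr),
        "excess": find_excess_access(badges, hr, baseline),
    }


if __name__ == "__main__":
    for kind, hits in access_review().items():
        for pid, detail in sorted(hits.items()):
            print(f"{kind}: {pid} -> {detail}")
```

Run on the constructed data, the review flags the departed engineer and the orphan badge as stale, and the contractor's datacenter access as excess. The stale check deliberately runs first and the excess check skips anyone it already flagged, so a departed employee's old entitlements are not double-reported.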

Mock social engineering drills

Occasionally, a phishing message should be sent to employees as a drill by the cyber security team to gauge the effectiveness of security awareness training in the organization.

Practices that undermine the value of drills include:

  1. Not holding drills.
  2. Holding too many drills and annoying large numbers of employees.
  3. Sanctioning employees for understandable missteps rather than using such drill-related incidents to reinforce training.

Information classification policy

The organization should develop, and employees should be expected to read and sign, an information classification and management policy. Classification assigns a level of value and sensitivity to each category of organization data. Each information classification carries different rules for viewing, editing and sharing the data.

The cyber security team should constantly monitor the information related to the organization that is floating around on the web. The discovery of confidential information should trigger an investigation. These processes should protect confidential information and will make passive information gathering more difficult for attackers.

Factors that undermine the policy and these processes include:

  1. Vague, complex or lengthy definitions for each information category.
  2. Failure to investigate potential incidents.
  3. Failure to censure employees for infractions.

For tips on cyber security, visit the Get Cyber Safe website.

What is your experience with reducing the risk of phishing in your organization?

Yogi Schulz
Yogi Schulz has over 40 years of Information Technology experience in various industries. Yogi works extensively in the petroleum industry to select and implement financial, production revenue accounting, land & contracts, and geotechnical systems. He manages projects that arise from changes in business requirements, from the need to leverage technology opportunities and from mergers. His specialties include IT strategy, web strategy, and systems project management.
