Phishing has evolved into the most effective social engineering attack that hackers use to infiltrate organizations. The goal of phishing is to con employees into unknowingly downloading malware or revealing their access credentials. The best defense is our individual vigilance.
The just ended National Cyber Security Awareness Month reminded us that our individual and collective behaviors are what contains the risk of cyber security incidents.
Below are the measures most organizations can implement, at modest cost, to raise individual vigilance significantly and thereby reduce the risk of successful phishing attacks.
Security awareness training
Security awareness training is the simplest counter-measure that reduces phishing attacks. In many organizations, every person is required to attend basic security awareness training. Typically the training outline includes:
- Appropriate internet usage for organization and personal purposes.
- Definition of phishing and other types of attacks.
- Overview of motivations of hackers.
- Adverse consequences of successful phishing attacks and other malicious intrusions.
- Adherence to password policy and how to secure personal access credentials.
- How to spot suspicious incoming emails.
- Limitations of the electronic surveillance defenses of the organization.
- Review of the confidential information management policy including:
- Proper handling of confidential information.
- Admonition to not click on links or attachments in emails from unknown sources.
- Reminder to never give out organization information without appropriate authorization.
- Encouragement to report suspicious emails to the cyber security team.
- Reporting phishing and other security incidents.
- How the cyber security team investigates phishing and other incidents.
- Physical security and access to buildings.
Sometimes hackers join organizations as an employee or contractor just to gather insider information. Background screening is an important policy to pre-emptively counter future phishing attacks based on information gathered. Screening should not be limited to employees but should include vendor staff and contract workers because almost everyone is provided with some form of access to the organization’s network and facilities.
Not screening or haphazard screening invites hackers to gather insider information to use in future attacks.
Every organization should operate an access control system to ensure that only explicitly authorized people can access systems and facilities. Everyone needs to learn to firmly challenge people they don’t recognize.
Frequent physical security oversights include:
- Not rigorously deleting individuals from access control systems after they leave the organization.
- Providing too much access to individuals for the roles that they hold.
Mock social engineering drills
Occasionally, a phishing message should be sent to employees as a drill by the cyber security team to gauge the effectiveness of security awareness training in the organization.
Events that preclude value from drills include:
- Not holding drills.
- Holding too many drills and annoying large numbers of employees.
- Sanctioning employees for understandable missteps rather than using such drill-related incidents to reinforce training.
Information classification policy
The organization should develop – and employees should be expected to read and sign an information classification and management policy. Classification assigns a level of value and sensitivity to categories of organization data. Each information classification includes different rules for viewing, editing and sharing of the data.
The cyber security team should constantly monitor the information related to the organization that is floating around on the web. The discovery of confidential information should trigger an investigation. These processes should protect confidential information and will make passive information gathering more difficult for attackers.
Factors that undermine the policy and these processes include:
- Foggy or complex and lengthy definitions for every information category.
- Failure to investigate potential incidents.
- Failure to censure employees for infractions.
For tips on cyber security, visit the Get Cyber Safe website.
What is your experience with reducing the risk of phishing in your organization?