Article by Jess Phillips – Intelligent CISO
28 February, 2019
Jack Cooper, Senior Cyber Advisor, ITC Secure, discusses what procedures companies should have in place to minimise phishing attacks.
It is no coincidence that Ciaran Martin, CEO of the NCSC, described phishing attacks as the number one priority for boardrooms this year. Phishing remains a very popular and successful type of cyberattack and, according to a recent report by Verizon, one in five employees has fallen victim to a phishing email in the last year. Recent stats also indicate that over 91% of cyberattacks start with a phishing email.
However, in contrast to the billions spent on cybersecurity hardware and the latest AI-based tech, meeting the phishing challenge and protecting your reputation can be largely a matter of employee awareness.
The top priority for all organisations should be user awareness and cyber training. Companies spend millions on health and safety and on the latest employee feedback tool; this is equally important. Teaching your employees to spot the difference between a legitimate email and a malicious one is your best line of defence, and a simple rule of 'don't click that link' can be a step change in your security. Training an insider army goes a long way towards protecting you from cybercrime.
But one click is all it takes, and we are told daily that phishing scams evolve quicker than your employees do, so you should aim to develop your defences just as quickly.
Conducting phishing simulations regularly will help, but only under the right controls: the aim is to measure and teach, not to catch people out or punish them. You should also use proven, accredited cyber CBT programmes, and have a secure process for changing passwords (note that current NCSC guidance advises against forcing routine password expiry; prompt resets when compromise is suspected matter more).
Of course, technology plays its part. Spam filters and anti-spoofing controls such as DMARC (built on SPF and DKIM) will help, as will regular threat hunting: identifying compromised email credentials and lookalike domain names registered to impersonate you can head off a looming phishing attack.
In addition, only ever use supported software and devices, and make sure they are always kept up to date with the latest patch or update. Similarly, don't let your users install random software, and check user access privileges: only enable admin rights for those who need them, and don't let these people use those accounts to browse the web or read email.
Finally, in this whistle-stop tour, have a plan: know what to do and how to react quickly if the worst case happens. Users should know who to contact and what to do next, without fear of punishment. The plan should cover legal and regulatory processes, and a playbook should exist for each type of incident you expect. The quicker you react, the better the outcome.
Remember: practice makes perfect, so test your plan regularly.