Stop your organisation falling victim to phishing attacks
Date: Mar 19, 2018
No matter how much is invested in securing IT infrastructure, organisations are only as secure as their end users.
Users have the knowledge and access that cyber-criminals need to breach an organisation’s security, and cyber-criminals are using increasingly sophisticated phishing attacks to obtain that knowledge and access.
Today, compromised credentials represent the vast majority of hacks, and phishing attacks are responsible for the majority of those breaches.
So how can organisations prevent users from opening and clicking on phishing emails?
The quickest, easiest and most cost-effective way is to train and test employees to actually change their behaviour.
End Users are the Target
Without training, users often open an attachment or click on a link without first verifying that the attachment is legitimate and the website is genuine. Plus, in the workplace, employees may have a false sense of security that the organisation’s IT security technology will catch anything malicious, so they feel they do not need to worry.
Unfortunately, cyber criminals are good at social engineering. They research organisations, read news articles, blogs and other information, and they find out who works at an organisation and their job role. The result is a well-crafted and targeted phishing email.
The attacks themselves cannot be prevented, but they can be stopped from succeeding with effective training and testing. Plus, organisations should carefully review what information is made public.
Typical Phishing Attacks
Once the cyber-criminal has the ‘trust’ of the target end user, typical attacks include:
* Embedding a link in an email that redirects to a fake website requesting sensitive information.
* Installing ransomware via a malicious email attachment, or by downloading a ‘free’ app.
* Spoofing the sender address in an email to appear as a reputable source and request sensitive information.
* Requesting a fund payment over the phone by impersonating a known company contact, or by referring to a request from a more senior member of staff.
The goal is to collect sensitive information so as to gain access to otherwise protected data, networks, etc. The phisher’s success relies upon establishing trust with their victims – your employees.
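Two of the tricks listed above, a spoofed or mismatched sender and a link whose visible text differs from where it really points, can be checked mechanically before a message ever reaches a user. The following Python is an added example, not code from the original post or from any product it describes; the message it inspects is constructed for illustration and the domains in it are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message: the display name and the anchor text look like a
# known supplier, but the Reply-To and the real link target point elsewhere.
SAMPLE_EMAIL = """From: "Acme Accounts" <billing@acme-payments.example>
Reply-To: invoices@mail-relay.example
Subject: Invoice overdue - action required
Content-Type: text/html

<p>Please review the invoice at
<a href="http://acme-payments.example.attacker.invalid/login">https://portal.acme.example/invoices</a></p>
"""

def registered_domain(host):
    """Crude approximation of the registrable domain (last two labels)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def phishing_indicators(raw):
    """Return human-readable warnings for a raw RFC 822 message (empty list if clean)."""
    msg = message_from_string(raw)
    warnings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = registered_domain(from_addr.split("@")[-1]) if from_addr else ""
    # Display name written like an address at a different domain (e.g. "ceo@acme" <x@other>)
    if "@" in from_name and registered_domain(from_name.split("@")[-1]) != from_dom:
        warnings.append(f"Display name {from_name!r} does not match sender {from_addr}")
    # Replies silently redirected to a domain other than the apparent sender
    if reply_addr and from_addr and registered_domain(reply_addr.split("@")[-1]) != from_dom:
        warnings.append(f"Reply-To domain ({reply_addr}) differs from From ({from_addr})")
    body = msg.get_payload(decode=True).decode(errors="replace")
    # Anchor text shows one site while the href leads to another
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        shown = urlparse(text.strip()).hostname
        actual = urlparse(href).hostname
        if shown and actual and registered_domain(shown) != registered_domain(actual):
            warnings.append(f"Link text shows {shown} but points to {actual}")
    return warnings

if __name__ == "__main__":
    for warning in phishing_indicators(SAMPLE_EMAIL):
        print("WARNING:", warning)
```

The same checks are a useful talking point in remedial training: a user who sees why a message was flagged learns what to look for in the next one.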
Changing Employee Behaviour
Employees need to be aware of, and vigilant against, the potential risks of opening email attachments or clicking on links from unfamiliar sources. This can only be achieved by providing an effective security training and testing program that actually changes behaviour.
Unfortunately, security training is often delivered as an annual event or held at an employee’s orientation. If the training is given online and not tracked or tested, employees can rapidly click through the content, ignoring most of the information. If given in person, the training may be PowerPoint slides in a small font narrated by an uninteresting speaker for an hour…
The solution is a continuous program of professionally developed, workplace training (delivered at the desktop), bespoke phishing tests, and immediate remedial training for those who ‘click’.
This approach will also provide reports detailing the effectiveness of the program (i.e. the reduction in the number of users who ‘click’).
Remember it only takes one end user to take the bait.
Read more about Security Awareness Training and Testing (SATT)
See our SATT managed service: https://www.infosec-cloud.com/security-awareness/