[BreachExchange] Reducing the risk of targeted phishing attacks

Inga Goddijn inga at riskbasedsecurity.com
Tue Nov 20 19:22:02 EST 2018


https://www.itproportal.com/features/reducing-the-risk-of-targeted-phishing-attacks/

It’s no secret that email inboxes are under siege. According to the 2018
Verizon Data Breach Report, phishing attacks are at the heart of 93 per
cent of data breaches. In fact, the FBI’s 2017 Internet Crime Report
indicates that business email compromise (BEC) and phishing drive 48 per
cent of ALL internet crime-driven loss — more than all other
business-related internet crime combined. And with $12B lost globally, it’s
proving extremely effective.

While these facts indicate defending against phishing attacks needs to be a
priority for all organisations, many businesses often underestimate their
risk level. In fact, in a recent survey by EdgeWave, we asked IT pros how
confident they were in their existing email gateways to protect them
against advanced, targeted email attacks. The result? 80 per cent said they
were confident or very confident in gateways blocking these threats.

Unfortunately, that mindset is creating more risk for all businesses. Email
gateways are decades-old technology designed to stop high volume spam and
phishing campaigns, not targeted attacks like BEC. As long as businesses
keep telling themselves their security is “good enough”, they’ll be open to
socially engineered attacks.

Is security awareness training the answer?

Phishing preys on a combination of human psychology and technological
vulnerabilities. Cybercriminals realise it’s easier to fool a distracted
worker in an email environment than to hack a server or bull rush a domain
URL. Today’s workforce is used to working at warp speed, and not paying
much attention to email addresses or the “from” fields. They are also used
to being asked for Personally Identifiable Information (PII) and may not
think twice about responding to a personal request. Over 1.5 million
“spoof” web sites are now created every month to fool unsuspecting users.

Over the past several years, many organisations have turned to Security
Awareness Education to help users become more aware of these cyber threat
tactics and become an active part of their defence posture. This training
includes lessons on what to look for, and simulated phishing attacks to
assess “readiness” of users. However, after training, many firms are now
realising that the benefits of this training are fleeting. Despite
training, users are still only reporting 17 per cent of phishing attacks
(based on Verizon’s Data Breach Report 2018). What’s more, training is
expensive and never ending. As new users come on board, training begins
anew.

Security Awareness Training is a good step to creating awareness of the
problem, but it is not the silver bullet everyone thought it could be. If
you think about it, you are asking everyday users to become expert at
recognising cyberattacks. IT pros themselves have stated they don’t trust
users to do this. So why give users that responsibility?

So what can you do to stop phishing?

Organisations don’t need large budgets to effectively defend against
phishing attacks. However, they need to change their mindset and recognise
that it’s no longer if you will be attacked, but when.

A good starting point is 1) understanding the threat landscape, 2) knowing
where your sensitive data resides and 3) identifying what could likely cause
your business harm. Most successful phishing campaigns tend to be very targeted
(Spear Phishing and BEC), going after specific job functions in the
organisation that have access to or manage critical data and finances –
C-level, HR, IT, Accounting and Finance. This is where cybercriminals pull
emotional levers like trust and fear to get employees to take the bait.
Focus on securing those areas of the business as an initial priority, yet
don’t stop there. Successful anti-phishing programs need to touch all
employees.

Start by understanding the nature of phishing emails

   - Always be on guard. While obvious issues like grammatical errors and
   spelling mistakes still exist, modern phishing emails look very legitimate.
   Treat anything from the internet as suspicious.
   - Be cautious of individuals or organisations that ask for personal
   information or transferring of funds. Don’t click on any links -- verify
   directly with the company itself to avoid any potential issues.
   - Take a close look at the sender’s email address (not the display name
   – this can be easily spoofed) when checking the legitimacy of an email.
   Would your CEO truly send you an email from their “personal” account asking
   you to transfer money?
   - Don’t be frightened or intimidated by messages that have an alarmist
   or urgent tone. Contact the company or individual directly if you are
   uncertain about the status of their accounts or the request.
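The sender-address checks in the list above can be applied mechanically to the message headers rather than left to a distracted reader. The script below is an added example written for this post, not code from the article or from EdgeWave; the company domain (example.com), the executive roster, the free-mail list, the urgency wording and the three sample messages are all constructed for illustration. It parses raw RFC 5322 messages and reports the warning signs the article describes: an executive's display name on a non-company address, a free webmail or lookalike domain, a Reply-To that points somewhere other than the From domain, and urgent money-movement wording.

```python
"""Flag the sender-header warning signs described in the list above.
Example added for this post; not the article's or EdgeWave's code.
COMPANY_DOMAIN, EXECUTIVES, FREEMAIL, URGENT and the sample messages
are constructed for illustration (assumptions, not real data)."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                 # assumed defender's own domain
EXECUTIVES = {"jane doe", "raj patel"}          # constructed roster of high-value names
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENT = ("urgent", "immediately", "wire transfer", "asap", "before end of day")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return addr.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True if the first label resembles the company label but is not it."""
    label, company = domain.split(".")[0], COMPANY_DOMAIN.split(".")[0]
    return label != company and (company in label or edit_distance(label, company) <= 1)


def inspect_message(raw: str) -> list[str]:
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # Display name of a known executive, but the address is not on our domain.
    if any(exec_name in name.lower() for exec_name in EXECUTIVES) and from_dom != COMPANY_DOMAIN:
        findings.append(f"executive display name '{name}' on outside domain {from_dom}")

    # "Personal" webmail account or a domain crafted to resemble ours.
    if from_dom in FREEMAIL:
        findings.append(f"sender uses free webmail domain {from_dom}")
    elif from_dom != COMPANY_DOMAIN and is_lookalike(from_dom):
        findings.append(f"lookalike domain {from_dom} resembles {COMPANY_DOMAIN}")

    # Replies silently routed to a different domain than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_dom}")

    # Alarmist or urgent money-movement wording in subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits = [kw for kw in URGENT if kw in text]
    if hits:
        findings.append("urgent/money-movement wording: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SPOOF = """From: Jane Doe <jane.doe.ceo@gmail.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@example.com
Subject: Urgent wire transfer

I need you to send a wire transfer immediately. I am in a meeting, reply by email only.
"""

LOOKALIKE = """From: Raj Patel <raj.patel@examp1e.com>
Reply-To: finance-desk@invalid.example.net
To: accounts@example.com
Subject: Invoice

Please process the attached invoice asap.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q4 budget notes

Attached are the notes from yesterday's meeting.
"""

if __name__ == "__main__":
    for label, raw in (("SPOOF", SPOOF), ("LOOKALIKE", LOOKALIKE), ("LEGIT", LEGIT)):
        print(label, inspect_message(raw) or ["no findings"])
```

Each finding is only a signal; a message with several of them is a candidate for the verify-out-of-band step the article recommends, and the thresholds and word lists should be tuned to the organisation's own mail.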

Build a cyber aware corporate culture

   - Make cybersecurity a priority for all employees, not just the IT team,
   and provide a written cybersecurity policy that all employees must read and
   acknowledge
   - If your business works with third parties and systems are integrated
   (e.g. retail POS), make it a policy to ensure their applications are secure
   – ask them about their security policies before deploying.
   - Set formal, explicit security policies to stop BEC or CEO Fraud.  For
   example, all wire transfers or movement of company funds requires verbal
   and written approval.

Deploy relevant technologies and tools

Deploy a multi-layered email security posture including email gateway,
anti-phishing postdelivery detection and incident response technologies.
Adding Postdelivery Detection and Incident Response solutions to your
existing email gateway not only greatly reduces your risk, they also
dramatically reduce dwell time for threats that get into inboxes. The
faster these threats can be deleted across the organisation, the less
costly the attack. Our company, EdgeWave, currently offers a platform with
all these solutions to provide a modern email security platform.

Because phishing criminals continue to innovate, you need to enhance your
security approach as well to stay ahead of these attacks.  Although there
is no silver bullet, a combination of employee education to increase
awareness, formal cybersecurity policies, and specific, anti-phishing
technologies can drastically reduce the risk of successful phishing attacks.