Email phishing: A three billion-dollar IT problem
- Posted on November 23, 2017
- Estimated reading time 3 minutes
Around 91% of cyber-attacks start with phishing: email that tries to harvest credentials, to deliver malware through email and browser vulnerabilities, or simply to trick people into transferring money or handing over information. Globally these threats are growing in both volume and sophistication, and the FBI has stated that even malware-less phishing on its own has become a multibillion-dollar threat.
Some simple examples include:
- A government department being told by their “manager” by email to take the day off
- The “CEO” requesting and being emailed a full client list, which was not discovered for months
Traditional IT security controls such as mail hygiene, patching and antivirus are no longer enough on their own. So what controls should businesses be considering to reduce the risk of a breach and limit their liability? A more holistic approach is needed, covering people, process and technology.
Maximising the effectiveness of your technology solutions
The first line of defence is technology that filters email to reduce the volume of attacks getting through. No technological solution is 100% effective, however, and the basic protections (IP and envelope filters, signature-based malware scanning, anti-spam and anti-malware filters) are generally not enough against these threats. Better solutions offer:
- Real-time protection against malware-less attacks such as whaling or CEO fraud
- Protection against unknown or newly observed domain names
- Protection against display name or friendly name spoofing
- Protection against domain similarity (look-alike domain) attacks
- Attachment sandboxing
- Cloud-based delivery, so the most current protections are available immediately
These are capabilities offered by our partner Mimecast and their cyber security solution as well as others. Exchange Online Protection currently only provides some of these capabilities if the additional Advanced Email Threat Prevention capability is purchased.
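To make the newly observed domain, display name spoofing and domain similarity checks from the list above concrete, here is a small header-checking script. It is an added example for this post, not Mimecast or Exchange Online Protection code. The protected domain example.com, the executive list, the set of previously seen domains, the homoglyph table and the three sample messages are all constructed for illustration; a real gateway would populate them from the directory and from mail history.

```python
"""Header checks for malware-less phishing: display-name spoofing,
look-alike sender domains, newly observed domains and a diverging Reply-To.

Added example for this post, not vendor code. Everything below marked
'constructed' or 'assumption' is sample data for the demonstration.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                      # assumption: the protected domain
# Constructed: display names staff trust, with the one genuine address for each.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
# Constructed: domains this organisation has exchanged mail with before.
SEEN_DOMAINS = {"example.com", "partner.net", "gmail.com"}
# Constructed: character sequences attackers swap in to build look-alikes.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def fold(domain: str) -> str:
    """Collapse common homoglyph sequences so exarnple.com reads as example.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'exmaple' is 1 away from 'example' rather than 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_lookalike(domain: str, org: str = ORG_DOMAIN) -> bool:
    """True when the sender domain imitates the organisation's domain."""
    d = domain.lower()
    if d == org or d.endswith("." + org):
        return False                            # the real domain or one of its subdomains
    if fold(d) == fold(org):
        return True                             # exarnple.com, examp1e.com
    if osa_distance(d, org) <= 1:
        return True                             # exmaple.com, examples.com, example.co
    label = org.split(".", 1)[0]
    return label in d                           # example-payments.com, example.com.evil.net


def check_message(raw: str) -> list:
    """Return findings for one RFC 5322 message (headers suffice); [] means clean."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # Display-name spoofing: a trusted name on an address that is not theirs.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display-name spoof: '{name}' sent from {addr}")
    # An address stuffed into the display name, hoping the client shows only that.
    if "@" in name and key != addr.lower():
        findings.append(f"address in display name: '{name}' but real sender {addr}")

    if domain and is_lookalike(domain):
        findings.append(f"look-alike domain: {domain}")
    if domain and domain not in SEEN_DOMAINS:
        findings.append(f"newly observed domain: {domain}")

    # Reply-To pointing elsewhere is the usual BEC hand-off to the attacker's mailbox.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        findings.append(f"reply-to diverges: {reply}")
    return findings


# Constructed sample messages, headers only.
SAMPLES = {
    "clean": "From: Jane Doe <jane.doe@example.com>\nSubject: all-hands\n\n",
    "ceo_fraud": "From: Jane Doe <jane.doe@gmail.com>\nSubject: urgent transfer\n\n",
    "lookalike": ("From: Jane Doe <jane.doe@exarnple.com>\n"
                  "Reply-To: accounts@attacker-payments.net\nSubject: client list\n\n"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_message(raw) or "clean")
```

The thresholds are deliberately tight (one edit, a fixed homoglyph table) to keep false positives low on a small sample; a production filter would tune them against real traffic and add registration age and reputation lookups for the "newly observed" check.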
Maximising the effectiveness of your human firewall
Security awareness training is another key element in a business's defence strategy. With 55% of workers unable to remember their security training, the security community has quite rightly called its effectiveness into question. More effective approaches focus on contextual awareness and simulated attacks to test knowledge retention and identify staff who need further training. Avanade uses several methods to turn staff into a human firewall, from gamified security awareness training to simulated attacks. We use PhishMe to let staff report phishing attempts; anyone who fails to report a simulated attempt, or clicks on it, is re-enrolled in our security awareness training. We use KPIs to further incentivise staff to complete training and stay vigilant, as this is part of how we protect our clients.
It may be an unpopular point of view, but until technology catches up with our behaviour, I believe that company officers should accept additional security hassle as part of their pay grade, especially when accessing email to reduce the risk of Business Email Compromise (BEC). I take comfort in the thought that those outside of the organisation are also inconvenienced in getting at the company’s most sensitive data.
Process brings it all together
Tying people and technology together requires well-defined security processes. For email threats, that means making sure defences are maintained and raising staff awareness of current threat actors and any targeted attacks that may be under way. For example, if there is a spear phishing attempt against one executive, you can be sure the attackers will try the others. Let them know so they can be more vigilant!
Finally, it is good practice to prepare for the eventuality that a phishing attack will succeed. Have a tested incident response plan in place, and make sure it takes account of the breach notification legislation in your region, to avoid penalties both to the organisation and personally to board members.