It is often said that people are the weakest link in information security. No matter how many technical controls IT staff might put in place, a simple click of a malicious link can bring an organisation to its knees. All it takes is one employee, and one click.
Phishing attacks continue to be one of the greatest online threats to organisations and their data. Phishing is when a cyber-criminal attempts to trick you into giving them information or clicking a link that takes you to a malicious site. These attacks can come in the form of email, text or even a voice call.
Phishing techniques used by cyber criminals include:
* Embedding a link in an email that redirects you to a fake website that requests sensitive information
* Spoofing the sender email address to appear as a reputable source and request sensitive information
* Installing a malicious piece of software via an email attachment or ad which allows the adversary to exploit system loopholes and obtain sensitive information
* Attempting to obtain sensitive information over the phone by impersonating someone you trust (e.g. a member of your IT team)
So what should an organisation do to protect itself and its information? The answer is a combination of technical controls and “people” controls.
Some technical controls
Organisations should have the following technical controls in place:
* Spam filtering
* Web filtering
* Email encryption
* Data encryption
* Anti-phishing email client toolbars
* Virus protection
* Multi-factor authentication
* Timely system and security updates
* An incident response plan
* An IT recovery plan (and business continuity plan)
Some “people” controls
Staff should be considered an important line of defence against cyber threats. The following should be considered:
* Have an effective security education program that trains employees on cyber threats like phishing and other tactics used by criminals.
* Help employees understand what to look for to identify a phishing email. Ensure they know to check the sender address for faked or mismatched details, to inspect links and URLs in the email body before clicking, and to notice poor grammar and spelling errors.
* Help employees understand the risks when opening attachments or clicking on links from unfamiliar sources.
* Conduct phishing tests before and after training to keep a pulse on where training needs to be repeated or reinforced.
* Have policies in place around good data security and routinely review them to keep up with evolving threats.
* Make sure staff know where to report suspected phishing threats and incidents.
* Make sure IT staff know what to do in response to an incident. Regularly rehearse incident response plans.