- Security TWENTY
- Women in Security Awards
Despite having been around for nearly 20 years, phishing remains a problem for individuals and companies alike, writes V Balasubramanian, Marketing Manager, ManageEngine.
As the IT landscape evolves with more of us using social media platforms such as LinkedIn, Twitter and Facebook, so will the nature and sophistication of the phishing threat. Cyber criminals are now making significant advances in how they track, obtain and steal our personal and corporate information. We live in an age where accessing work files has never been simpler. The rise of flexible working, Bring Your Own Device (BYOD) and Mobile Device Management (MDM) are just a few examples of this. Yet, with these growing trends, targeted phishing attacks are only going to become more advanced, threatening corporate, as well as personal data. This is well and truly the age of the phishing attack, and companies of all sizes should swiftly learn to protect themselves and their employees from such threats.
Individuals and enterprises: are we all at risk?
Phishing attacks can often take the most simplest of forms, with attachments in emails looking like they come from a credible and trust-worthy source. Before you know it- you may have downloaded a document riddled with exploits and Trojans. These kind of phishing emails are particularly dangerous and are rarely one off events. Instead, they can spark a long chain of possible repercussions and risks for individuals and companies alike. Three years ago, RSA, the security division of EMC was faced with the most damaging security data breach in its history. The breach, which was caused through a simple spear-phishing email sent to a small group of employees whose details were harvested from social media sites, resulted in a loss of $66 million to the organisation. Not only was this a huge financial blow to the company, but also significantly damaged its reputation.
The RSA is not alone here. During the summer of 2013, American retail chain, Target Corp. fell victim to a similar breach, which is believed to have originated through a phishing attack on one of its contractors. The attackers planted malware into Target’s payment system and siphoned off credit card data belonging to 40 million customers.
It’s clear that organisations of all sizes are vulnerable to these, often simple, attacks. It may be a contractor or an employee that provides the cyber criminal with a way in to the company. Once the personal credentials of an employee have been stolen from social media such as Facebook or Twitter, it is then only a matter of time before hackers can find out who they work for, and how to target these companies. Individuals can thus often unknowingly become the’ threat from within’, putting huge amounts of corporate information at risk.
Stay vigilant and review logs
So what can enterprises do to protect their data, and their employees from phishing attacks? Firstly, it must be a matter of education. Enterprises should sensitise end users and warn them to remain vigilant and cautious to any unusual emails. Users should only deal with websites that they know and trust and must never open attachments on suspicious mails. They should also never respond to offers that arrive in a spam email, instant message or SMS. If it looks too good to be true it probably is.
Security administrators and IT departments should regularly review firewall logs and server access logs, which will help to identify zero-day attacks through abnormal network traffic, failed logins, server behaviour, multiple access attempts and other suspect activity. Furthermore, IT departments should ensure that all applications and operating systems are up to date, and fully patched.
IT departments should implement and maintain the technical controls necessary to reduce the number of phishing emails coming through the network. Many of these controls can be very successful at blocking large volumes of fraudulent emails and it’s these kind of defensive controls that should be at the heart of a company’s IT strategy. However, these robust controls can only take us so far. It is ultimately trusting in employees and making sure they are aware of what form phishing emails look like, that will protect company data. Continually assessing end user and security administrator routines are crucial to fortifying the security of organisations we work for and the people we work with. Employers and employees need to continually action cyber best practice to protect each other from the phishing threat.
Phishing scams are only going to mature and we need to be increasingly vigilant on how to safeguard against them. Individuals need to understand that the impact of a successful, personal phishing attack (such as stolen bank details), may also prove costly to their employer in the long run. Organisations need to continually assess their cyber defence posture and most importantly, educate their employees to stay alert and cautious. With huge amounts of corporate data at risk, arming against the ever evolving phishing threat has never been so imperative.