Don’t Take the Bait

by Mark Rowe

Spear phishing attacks are becoming increasingly common and more sophisticated. Because attacks can be cleverly tailored, traditional IT network defences alone are often not enough to detect and prevent them.

You can reduce the vulnerability of your organisation by working with employees to dispel the perception that, ‘if something gets through the firewall, it is probably genuine’. Your employees have an important role to play in protecting your organisation as a second line of defence, after technical measures. So says the official CPNI (Centre for the Protection of National Infrastructure).

Hence its ‘Don’t Take the Bait!’ campaign, based on the principle that if you can increase awareness of the scam techniques that are often deployed, then employees will be less likely to fall for them. The campaign encourages the idea that employees have a role to play in keeping the organisation secure by not falling for, or being tricked by, spear phishing.

The CPNI advises that you ‘think before you click’, in other words take the time to pause rather than click out of habit; that you understand how phishing emails try to influence readers; and that there are ways in an organisation for computer users who receive a phishing email to report it as suspicious, whether they have clicked on it or not.

This ties in with other advice from CPNI. As phishing is all about harvesting details, you ought to be careful about how much you give away in your regular emails – could details be misused by phishers to make their emails look more believable? In other words, beware of your ‘digital footprint’. Visit www.cpni.gov.uk/my-digital-footprint. While you should work on technical and network defences, you should also have what CPNI term a ‘security culture’, whereby an engaged workforce is receptive to security advice and is more likely to act on it. And for ‘embedding security behaviours’, CPNI recommends its ‘5Es framework’ for planning and maximising the impact of your in-house behaviour change campaigns.

For a six-page guide to the subject, visit https://www.cpni.gov.uk/system/files/documents/18/fe/org%20guide.pdf. For posters to raise staff awareness and signpost an in-house campaign, and other materials, visit https://www.cpni.gov.uk.

© 2024 Professional Security Magazine. All rights reserved.