Control the phish

by Mark Rowe

Richard Walters, CTO, Censornet, pictured, discusses how to stay in control of your inbox.

The UK Government’s Cyber Security Breaches Survey 2022 revealed that the most common threat vector for cyber attacks is still phishing (83 per cent). What is particularly alarming, however, is the increasing creativity of phishing attacks. One example is the ongoing, large-scale Microsoft phishing campaign, in which criminals have found a sly way to exploit flawed Multi-Factor Authentication (MFA). This has emphasised the need for integrated platforms that protect organisations even if one feature is circumvented by hackers.

However, despite the prevalence of phishing attacks, our research shows that just half (51pc) of the UK midmarket is able to prevent dangerous attachments from reaching users’ inboxes, and only a third (35pc) has the ability to quarantine suspicious or malicious emails. So what can be done to prevent phishing?

Deploy a human firewall

Humans confound algorithms; they have a distinctive unpredictability and therefore represent one of the weakest links in security. In fact, 82pc of breaches in Verizon’s 2022 Data Breach Investigations Report involved the human element. To counter increasingly sophisticated and highly targeted phishing attacks, security teams must view people as the most challenging part of the attack surface and treat the threat accordingly.

Giving people personal ownership of their own risk and fostering a culture of security awareness is the first step in defending against the human element. Organisations should look for opportunities to grow employees’ cyber defence skills so they can identify and avoid cyber attacks. Regularly running realistic phishing simulations can educate employees on the latest threats and help leaders identify problem areas or high-risk behaviours that need to be addressed.

A wary approach

Employee training is also key to countering savvy cyber-criminals who are proactively hunting for intelligence on social media channels that can be used to infiltrate corporate networks. Criminals can use everything from previous work experience to the names of suppliers or senior executives to craft tailored phishing attacks designed to trick employees. And the opportunities that social media provides for phishing attacks are increasing in line with its rising popularity. For example, LinkedIn grew by 11pc last year, adding 82 million new users, and in the first quarter of 2022 it accounted for 52pc of all phishing scams globally.

As part of an effective education strategy, organisations must ensure their employees are aware of the information that cyber criminals can exploit to design tailored phishing attacks.

Know the red flags

As a natural result of a security-conscious environment, an automatic scepticism towards email should develop. Spell out the red flags to look out for, and ensure employees double-check plain-text emails that appear to come from senior management, as well as ‘reply to’ addresses that do not match the sender.

Though carrying out requests from senior management is hard-wired into employees, organisations must educate employees to treat sudden requests for authorisation of unplanned transactions as high risk. It is also worth considering manual approval for payments above a certain threshold.

Close any gaps in your defence

Phishing is both a human and technology problem. Nurturing a culture of security that permeates all levels of the organisation is key to ensuring cyber defence is at the forefront of all employees’ minds. But so are systems that can spot unusual or anomalous behaviour as the industry shifts towards a more context-focused security paradigm.

Tools such as real-time link scanning automatically identify and highlight suspicious links in emails before any unsuspecting team members have the chance to reach a malicious destination. Truly smart security systems can use context – and crucially identity – to understand what ‘normal’ looks like, in order to autonomously flag and combat suspicious behaviour. For example, everything from size, content, attachments, headers, sender and recipients can be autonomously evaluated to determine whether an email is delivered, quarantined, re-routed or rejected.
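The red flags described under ‘Know the red flags’ (a mismatched ‘reply to’ address, a plain-text message appearing to come from senior management, an urgent request for a payment) and the header-based deliver/quarantine decision described above can be checked mechanically. The following is an added illustration, not code from the article or from Censornet; the sample message, the internal domain, the executive names and the two-flags-means-quarantine policy are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample (not from the article): a plain-text message whose display
# name impersonates an executive while Reply-To points at an external mailbox.
SAMPLE_EMAIL = """\
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe.ceo@mail-example.net
To: finance@example.com
Subject: Urgent wire transfer needed today
Content-Type: text/plain; charset=utf-8

Please process the attached supplier payment before 5pm. I am in meetings all day.
"""

INTERNAL_DOMAIN = "example.com"   # assumption: the organisation's own mail domain
EXEC_NAMES = {"jane doe"}         # assumption: display names of senior management
URGENT_WORDS = ("urgent", "immediately", "wire transfer", "payment", "authorise")


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_red_flags(raw):
    """Return the red flags found in one RFC 5322 message (empty list = none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    exec_name = any(n in from_name.lower() for n in EXEC_NAMES)
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        flags.append("reply-to domain differs from sender domain")
    if exec_name and domain_of(from_addr) != INTERNAL_DOMAIN:
        flags.append("executive display name on an external address")
    if exec_name and msg.get_content_type() == "text/plain":
        flags.append("plain-text mail appearing to come from senior management")
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if any(w in text for w in URGENT_WORDS):
        flags.append("urgent request for a payment or authorisation")
    return flags


def triage_action(flags):
    """Assumed policy: two or more flags quarantine, one delivers with a warning."""
    if len(flags) >= 2:
        return "quarantine"
    return "deliver-with-warning" if flags else "deliver"
```

Run against the sample, the message collects three flags and is quarantined; a message with no flags is delivered unchanged.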

The best defence against phishing is achieved through a layered defence strategy. The combination of iterative employee education and context-based, identity-aware security offers the best technical protection and defence.


© 2024 Professional Security Magazine. All rights reserved.