How to Keep Criminals Out of Your Business
Successful phishing defense requires a layered approach
Phishing is a form of fraud in which an attacker masquerades as a reputable person or company in email or other electronic communication channels. A common phishing tactic is to send an email with a forged return address, so that the message appears to have originated from a legitimate source, making it more likely that the recipient will open it.
Phishing attacks are popular with cybercriminals because it is easier to trick someone into clicking a malicious link in a seemingly legitimate email than it is to break through a computer’s defenses.
- An employee receives an email from her company’s CEO, asking her to buy electronic gift cards for a customer recognition event. The request is time sensitive so she quickly purchases these online and sends the gift card numbers to the CEO. Weeks later she discovers the CEO never made the request.
- An employee receives an email with a link to a secure document. They enter their credentials to view the document, but the document fails to load. They move on to other work and forget about the glitch. In reality, they have delivered their username and password to hackers, who can now use it to access their email and other online accounts, including systems and data used by your company.
Training alone can’t protect you from phishing. Phishing prevention requires a layered approach that combines technical controls and user education. Each layer in this strategy acts as a safety net in case the layer on top of it fails. These layers are:
- Implementing technical controls to protect end-users. Reduce the likelihood of malicious emails ending up in your users’ inboxes with email security solutions as your first line of defense. These technologies include email content filtering, email authentication (SPF, DKIM and DMARC), and threat intelligence.
- Educating your workforce to recognize phishing attempts. Educating your users is your last line of defense for things that fall through technical controls. To keep your employees sharp at detecting phishing attempts, ensure that you implement ongoing training, have mechanisms for reporting phishing, and test and measure performance. Be careful not to shame users who fall victim to these attacks. Shaming makes users less likely to report phishing attempts and less likely to complete their training.
- Planning for technical and human failure. Despite your best technical and educational efforts, your users will be successfully phished. If all else fails, you need to be ready to respond to incidents to limit the impact of a successful phishing attack. Technologies such as browser isolation and multifactor authentication can help limit the impact. Having an incident response plan ready ahead of time helps the quality and speed of your recovery.
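To make the technical-control and reporting layers concrete, here is an added example (not code from the original post or its author) of a small triage helper a security team might run over an email that a user has reported. It assumes the receiving mail gateway has stamped an Authentication-Results header (RFC 8601) with SPF, DKIM and DMARC verdicts, and it flags the two signals described above: a forged return address (the From domain differing from the envelope sender in Return-Path) and a failed authentication check. The sample message, the domains and the header values are all constructed for illustration.

```python
"""Triage helper for a reported phishing email (added example; not the original post's code).

Assumes the message already passed through a receiving mail gateway that stamped an
Authentication-Results header (RFC 8601). Flags a forged return address (From domain
differs from the Return-Path domain) and any SPF/DKIM/DMARC result that is not "pass".
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Constructed sample: a "CEO gift card" lure whose From header claims the company
# domain while the envelope sender and the gateway's authentication results do not agree.
SAMPLE_EMAIL = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe (CEO)" <jane.doe@example.com>
To: employee@example.com
Subject: Urgent - need gift cards today
Content-Type: text/plain; charset="utf-8"

Please buy 10 gift cards and send me the codes asap. I'm in a meeting.
"""


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address header value ("" if absent)."""
    _, addr = parseaddr(str(address or ""))
    return addr.rpartition("@")[2].lower()


def auth_results(header: str) -> dict:
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results header value."""
    results = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", str(header or ""), re.I):
        results[method.lower()] = result.lower()
    return results


def triage(raw: bytes) -> dict:
    """Parse a raw message and return the extracted fields plus a list of warnings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    auth = auth_results(msg.get("Authentication-Results", ""))

    warnings = []
    # Forged return address: the visible sender domain and the bounce address disagree.
    if return_path_domain and return_path_domain != from_domain:
        warnings.append(
            f"From domain {from_domain} differs from Return-Path domain {return_path_domain}"
        )
    # Email authentication: anything other than an explicit pass is worth a look.
    for method in ("spf", "dkim", "dmarc"):
        result = auth.get(method, "missing")
        if result != "pass":
            warnings.append(f"{method} result is {result}")

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "auth": auth,
        "warnings": warnings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EMAIL)
    for line in report["warnings"]:
        print("WARNING:", line)
```

A mail gateway that enforces DMARC would normally quarantine or reject a message like the sample before it reaches an inbox; the helper is useful for the cases that slip through, and for giving the person handling a user's phishing report a quick, consistent first read of the headers.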
Parts of this post were written by VP, Research Director Joseph Blankenship, and originally appeared here.
Do you feel confident that your team won’t click on a phishing attempt?