Sep 12, 2018
Phishing is a big problem for organisations, for two simple reasons: it's easy to do, and it works. It's relatively easy for hackers to send hundreds of thousands of emails, to employees at hundreds of organisations. It's low risk and low cost, and without proper security in place, it can take as little as a single click from an unwitting employee to give hackers access to highly sensitive and highly valuable data. So, to help your organisation defend itself against the risks of serious attacks and data breaches, I'm outlining 5 ways you can take action against phishing.
1) Roll Out a Security Awareness Programme
Phishing is so problematic because it targets the end-user: people who typically have little to no security knowledge. Whilst there's no silver bullet for the problem, educating your employees about the risks and hallmarks of phishing attacks can significantly reduce the likelihood of a serious data breach occurring. Phishing attacks typically use a handful of tactics to get employees to part with login credentials, most commonly leveraging emails, web browsers and social media sites. Security awareness training will help your employees to effectively scrutinise suspicious communication arriving through each of these channels, and make it easier to identify the signs of a potential phishing attack - whether it's a suspicious email attachment, an unsolicited friend request, or an unexpected browser redirect.
2) Use Layered Security
Your organisation's sensitive data should be protected by several layers of security, so that in the event of a successful phishing attack, malicious third parties are unable to gain access to the entirety of your secure systems. Secure log-in information and password security should function only as the first layer of defence, supported by email security, data encryption, anti-virus software, user monitoring, privileged access protocols and other forms of layered security.
3) Keep Anti-Virus, Anti-Malware and Anti-Spyware Up-to-Date
Whilst anti-virus, anti-malware and anti-spyware software won't eradicate all phishing attempts, they will help to significantly reduce the volume of suspicious emails and attachments making it into the hands of the end-user. Crucially though, security software shouldn't be approached with a set-it-and-forget-it mentality. Most applications require some form of manual oversight, and function best with regular maintenance of their settings: adjusting thresholds and sensitivity in response to the types of phishing attacks your organisation actually experiences. The same concepts apply to all of an organisation's applications and operating systems. All forms of software and infrastructure need to be regularly maintained, updated and patched so that they are protected against the latest vulnerabilities and threats.
4) Get Smart with Password Security
Almost all organisations use some form of password security, but few implement passwords in a secure way. As well as outlining and enforcing the best practices of password security, it's important for organisations to use some kind of password expiration date on all login credentials. In doing so, the damage of successful phishing attacks is limited - making stolen passwords obsolete, and preventing malicious third parties from gaining permanent access to your secure systems. This type of security works even when phishing attacks go undetected, and when combined with two-factor authentication, can dramatically help reduce the damage caused by phishing.
5) Test Your Security
In the same way that penetration tests are used to test application security, it's important to periodically assess your organisation's phishing defences. Whilst eLearning and periodic testing play a crucial role in this, some organisations choose to go a step further, and use simulated phishing emails to assess their employees' security knowledge. In doing so, it becomes possible to continually assess the security knowledge of your employees, and identify areas which require additional training in order to further improve your organisation's security.