As seen on Toolbox...
Forget about locking the doors of your office. You have a much bigger security concern from phishing attacks that land in your inbox.
Last year, 76 percent of businesses surveyed by Wombat Security suffered a security breach as part of a phishing attack. That’s because the average employee gets 16 malicious emails per month. And that number is going up, increasing by 65 percent last year.
What’s worse, 30 percent of phishing messages get opened by employees, according to Verizon data, and 12 percent of employees actually click on the malicious link or attachment that initiates a security breach. This costs the average mid-sized business roughly $1.6 million per successful phishing attack.
“Credential and data stealers are silent killers,” says Jack Danahy, co-founder and CTO for AI-based endpoint security platform, Barkly. “Unlike ransomware that trumpets its presence by disabling systems and flashing ransom demands, more sophisticated attacks can live for weeks or months, exfiltrating private information and credentials from systems where the unaware users continue to do their jobs.”
Phishing is a huge problem, and one that businesses cannot easily surmount with technology because it targets employees and relies on human nature. But there are tactics and best practices you can use to minimize the risk of a security breach from malicious email.
We talked with a dozen security professionals for this story, and here are five of their best tricks for defending against phishing attacks.
1. Monitor External Traffic
Phishing only benefits cyber criminals if the data they steal comes back to them. That means there are clues in your outbound traffic that can signal a security breach.
“Data or credentials aren’t stolen until they leave the building, and if you are watching for unusual volumes or destination of traffic, particularly encrypted traffic, you may be able to stop it before it goes too far,” says Danahy.
Monitor all network traffic, looking both for unusual activity and connections to IP addresses with bad reputations. Bad addresses change rapidly, but security services can provide updated lists of sketchy IP addresses globally.
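The two outbound signals this section describes, unusual volume per host and connections to bad-reputation addresses, as an added detection example (this is not code from the article or from any vendor quoted in it; the flow records, baseline figures and reputation list are constructed):

```python
# Added example: flag outbound flows on the two signals named above, per-host
# volume far above baseline and any connection to a bad-reputation address.
# Every value below is constructed for illustration.
from collections import defaultdict

# Constructed reputation list; in practice this comes from a threat-intel feed
# that is refreshed often, since bad addresses change rapidly.
BAD_REPUTATION = {"203.0.113.45", "198.51.100.7"}

# Constructed outbound flow records: (source host, destination IP, dst port, bytes sent)
FLOWS = [
    ("ws-finance-01", "192.0.2.10", 443, 12_000),
    ("ws-finance-01", "192.0.2.10", 443, 9_500),
    ("ws-finance-01", "198.51.100.7", 443, 220_000_000),  # large encrypted upload
    ("ws-hr-04", "192.0.2.10", 443, 15_000),
    ("ws-hr-04", "203.0.113.45", 8443, 4_000),
    ("ws-dev-09", "192.0.2.44", 22, 30_000),
]

# Constructed per-host baseline of typical daily outbound bytes.
BASELINE_BYTES = {"ws-finance-01": 5_000_000, "ws-hr-04": 2_000_000, "ws-dev-09": 8_000_000}


def find_suspicious(flows, baseline, bad_ips, volume_factor=10):
    """Return {host: [reasons]} for hosts whose outbound traffic looks suspicious.

    A host is flagged when it talks to a bad-reputation address or when its
    total outbound bytes exceed volume_factor times its baseline.
    """
    alerts = defaultdict(list)
    totals = defaultdict(int)
    for host, dst, port, nbytes in flows:
        totals[host] += nbytes
        if dst in bad_ips:
            alerts[host].append(f"connection to bad-reputation address {dst}:{port}")
    for host, total in totals.items():
        expected = baseline.get(host)
        if expected is not None and total > volume_factor * expected:
            alerts[host].append(f"outbound volume {total} bytes exceeds {volume_factor}x baseline")
    return dict(alerts)


if __name__ == "__main__":
    for host, reasons in find_suspicious(FLOWS, BASELINE_BYTES, BAD_REPUTATION).items():
        print(host, "->", "; ".join(reasons))
```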
2. Make Reporting Security Concerns Easy
Only 17 percent of phishing campaigns get reported by employees, according to Verizon research. Work on increasing this number by setting up an easy and clear system that employees can use for notifying IT and getting the word out.
“Make it really easy for employees to escalate potential phishing emails for review, and reward diligence,” advises Joe Sullivan, chief security officer for cloud security firm, Cloudflare, and former head of security for Uber and Facebook.
“Integrate your users as part of your protection, don’t treat them as vulnerabilities,” adds Danahy at Barkly. “Users who feel that they are sensors and guardians take that role seriously, and if you train them to help you identify campaigns in process they will pay more attention than if you simply tell them activities to avoid.”
3. Verify Sender Identities
Spear phishing, where malicious email masquerades as legitimate communication from a trusted contact, is one of the bigger phishing threats. But you can cut down on spear phishing by installing technologies that verify sender identity and raise a red flag if something looks amiss.
“Implementing email authentication mechanisms such as DMARC/DKIM/SPF can significantly reduce a malicious actor’s ability to impersonate people in your organization,” notes Leonardo Varela, director of engineering for Metasploit and offensive security at vulnerability management firm Rapid7.
In particular, make sure that the identity of email from senior executives and your finance department is verified and clearly marked as legitimate, as these are common vectors for spear phishing.
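How a weak SPF or DMARC record differs from an enforcing one, as an added example that is not code from the article or from Rapid7: it parses the published TXT records and reports the settings that leave impersonation possible (the records below are constructed samples for example.com and example.net, not any real domain's).

```python
# Added example: rate the strength of a domain's SPF and DMARC TXT records.
# The records are constructed samples; look up a real domain's with a DNS TXT query.

WEAK_SPF = "v=spf1 include:_spf.example.net ?all"      # neutral: spoofed mail is not failed
STRONG_SPF = "v=spf1 include:_spf.example.net -all"    # fail: unlisted senders are rejected

WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict, e.g. {'v': 'DMARC1', 'p': 'reject'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_findings(record):
    """Return a list of weaknesses in an SPF record (empty list means no finding)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    last = terms[-1].lower()          # the final 'all' mechanism decides unlisted senders
    if last in ("+all", "all"):
        return ["'+all' lets any host send as the domain"]
    if last == "?all":
        return ["'?all' is neutral, so spoofed mail is not failed"]
    if last == "~all":
        return ["'~all' only softfails; prefer '-all' once DMARC is enforcing"]
    if last != "-all":
        return ["record does not end with an 'all' mechanism"]
    return []


def dmarc_findings(record):
    """Return a list of weaknesses in a DMARC record (empty list means enforcing)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    if "rua" not in tags:
        findings.append("no rua address, so you receive no aggregate reports")
    return findings
```

Running `spf_findings(WEAK_SPF)` and `dmarc_findings(WEAK_DMARC)` shows the gaps; both strong records return an empty list.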
4. Ban User-Generated Passwords
Easy passwords are part of the phishing problem. Once a phishing attack has succeeded in infiltrating a business, malicious software that has been installed can sniff out weak passwords and exploit the employee habit of using the same password for multiple systems.
When defending against phishing attacks, Sullivan at Cloudflare recommends that businesses should tackle the password problem head-on and keep employees away from password creation altogether.
“Give out subscriptions to a password manager to your employees, and require all company passwords to be generated by the app,” suggests Sullivan. “Have a 100 percent ban on passwords created by humans.”
5. Automate Containment
Most of the damage from phishing attacks comes after a successful breach, so a rapid containment and remediation response is crucial to defending against phishing. This containment and remediation should not be a manual process, however. Remember, human error is how the phishing attack succeeded in the first place.
“Automating the whole process for containment is perhaps the most important investment that a security team can make to evolve their phishing security posture and defend against current and future phishing attempts,” stresses Varela at Rapid7.
Make sure you not only have a plan for containing successful phishing attacks, but also software and systems in place for automatically taking care of things like removing phishing email from all employee accounts once a threat has been discovered.
Since phishing relies on human error, completely defending against it with technical solutions is sadly not possible. The human element is inherently insecure, so phishing security likely will be a going concern until the robots completely take over business.
That doesn’t mean your company must succumb to phishing attacks, however. It just means that the battle is ongoing and constantly evolving. Technology and good prevention can help.