Post By: Michele R. O’Brien, Corporate Information Security Officer at Easterseals-Goodwill
Phishing attacks continue to be one of the most effective online threats to organizations and the data they possess. As these attacks become more sophisticated, IT departments or outsourced IT consultants will need to step up their game against the criminals and the Artificial Intelligence (AI) threats of tomorrow.
Phishing is when a scammer or cyber-criminal attempts to trick you into giving them information. These attacks can come in the form of email, text or even a voice call.
Phishing techniques used by cyber criminals:
- Embedding a link in an email that redirects you to a fake website that requests sensitive information
- Spoofing the sender email address to appear as a reputable source and request sensitive information
- Installing a malicious piece of software via an email attachment or ad which will allow the intruder to exploit system loopholes and obtain sensitive information
- Attempting to obtain company information over the phone by impersonating a known company vendor or IT department – this can be a voice call or text
So how do we protect ourselves against these attacks?
The Human Factor
Your organization’s staff should always be considered the first line of defense against cyber threats. Unfortunately, they can also be the biggest risk factor when it comes to phishing. It takes just one employee to take the bait, and that is enough for attackers to steal sensitive data. What if this data turns out to be Personal Health Information (PHI)?
- Ensure your organization has an effective security education program that trains employees on cyber threats like phishing and other tactics used by criminals.
- Employees need to understand what to look for to identify a phishing email. Ensure they know how to look for bad or faked information in the sender address, links or URLs in the email body, bad grammar and spelling errors. Also ensure they take note when the sender uses tactics that cause a sense of urgency.
- Employees should also understand the risks when opening attachments or clicking on links from unfamiliar sources. These can lead to malware or virus infection and can also trick the user into sharing personal data, like passwords or bank account information, that can then be used to access or change other systems and make a small problem a very large one quickly.
- Conduct phishing tests in your email environment before and after training takes place to keep a pulse on where training needs to be repeated or reinforced.
Policies around good data security should also be in place and routinely checked to keep up with evolving threats. Policies surrounding good password requirements and comprehensive data backup procedures are especially important in case a phishing attempt is successful.
An important practice your organization should implement is to deploy systems or processes where users can quickly and easily report a phishing attack to IT. From there, IT staff should be able to filter other similar incoming attacks by adding the known bad IP or domain information to a blacklist that will protect both internal employees and those that are remote or on mobile devices.
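The indicator checks listed above (sender address, mismatched links, urgency wording) and the blocklist step, worked as a small triage script. This is an added example, not code from the original post or from Easterseals-Goodwill; the sample message, domains, urgency word list and blocklist are all constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; all addresses and domains are placeholders.
SAMPLE_EMAIL = """From: IT Support <helpdesk@examp1e-it-support.test>
To: staff@example.test
Subject: URGENT: password expires today
Content-Type: text/html

<p>Your password expires in 24 hours. Act immediately and verify here:
<a href="http://login-example.test/verify">https://portal.example.test/login</a></p>
"""

# Wording that pressures the reader to act without thinking.
URGENCY_WORDS = ("urgent", "immediately", "expires", "act now", "suspended")
# Constructed blocklist, standing in for the one IT maintains from reported phish.
BLOCKLIST = {"examp1e-it-support.test", "login-example.test"}


def link_mismatches(html):
    """Return (shown_domain, real_domain) pairs where the visible link text
    names one domain but the href actually points at another."""
    found = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = urlparse(text.strip()).netloc
        real = urlparse(href).netloc
        if shown and shown != real:
            found.append((shown, real))
    return found


def triage(raw, blocklist=BLOCKLIST):
    """Score one raw RFC 822 message against the indicators and return the findings."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    text = (msg.get("Subject", "") + " " + body).lower()
    findings = []
    if sender_domain in blocklist:
        findings.append(f"sender domain on blocklist: {sender_domain}")
    for shown, real in link_mismatches(body):
        findings.append(f"link text shows {shown} but points to {real}")
        if real in blocklist:
            findings.append(f"link target on blocklist: {real}")
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency wording: " + ", ".join(hits))
    return findings
```

Running `triage(SAMPLE_EMAIL)` produces four findings; a plain lunch invitation with no links and a sender domain not on the blocklist produces none.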
Check the technical side too:
Your IT department or IT consultants should ensure that the following technical protections are enabled or completed where possible:
- Spam filtering
- Web filtering
- Email encryption
- Data encryption
- Anti-phishing email client toolbars
- Virus protection
- Multi-factor authentication
- Timely system updates
Finally, work with your organization’s stakeholders. Communicate the security, financial and reputational risks of breaches caused by phishing and gain buy-in for deploying a robust educational campaign around phishing in your organization.