Of the many tactics hackers have employed to bypass perimeter defenses, none are as devastating as social engineering schemes. Phishing ploys in particular manipulate millions of people into downloading malicious attachments, clicking on links to malware or inadvertently compromising their own login credentials to business systems.
The situation is dire, according to a study recently conducted by PhishMe: 91 percent of all cyberattacks start as phishing emails. Verizon’s Data Breach Investigations Report corroborates this report, also noting that the majority of data breaches in 2016 were direct consequences of email phishing.
A few notable examples include:
- SWIFT: The global financial messaging system was broken into by hackers using stolen login credentials, resulting in the loss of $81 million.
- John Podesta: Hillary Clinton’s campaign chairman surrendered access to his Gmail account after receiving an illegitimate email telling him to reset his password.
- Los Angeles County, California: As many as 108 LA County employees fell for email phishing scams, resulting in the theft of 750,000 people’s personal information.
- Most cases of ransomware: 2016 was the year of digital extortion, thanks in large part to phishing emails as a tool for ransomware dissemination.
The question going forward is this: What are some actionable steps employers can take in the war against phishing?
Teach Employees Best Practices
Human beings are typically the weakest link in the cybersecurity chain, which is why it’s so important to teach employees how to identify phishing scams. To be fair, some of these schemes are more elaborate than others. Nevertheless, a few very basic best practices include:
- Don’t open links that are sent without any message or context, especially from unidentified senders.
- Forward any emails requesting password resets to the IT department before taking any action.
- Don’t download any attachments that are sent without a message in the body, especially from unidentified senders.
- Disable automatic macro launching.
- Do not reply to emails from news sites, vendors, etc. that request personally identifiable information.
All of the above will be extremely useful in the event that a phishing email sneaks past spam filters and web gateways, which brings us to the other critical component of beating phishing.
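The checklist above can also be expressed as mail-triage rules, which is useful both for training material and for a first-pass filter in front of the help desk. The script below is an added example, not code from the original post or from any Faronics product: it parses a message with Python's standard `email` library and flags the same warning signs the list describes (unrecognised sender domain, a link or attachment with no accompanying message, a macro-enabled attachment, a password-reset request, a request for personal information). The allow-list of known sender domains, the keyword lists and the sample messages are all constructed for the example.

```python
"""Rule-of-thumb phishing triage built from the employee best practices above.

Example code, not part of the original post. KNOWN_SENDER_DOMAINS, the
keyword lists and the sample messages are constructed for illustration.
"""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage

# Assumption: the organisation maintains a list of domains it recognises.
KNOWN_SENDER_DOMAINS = {"example-corp.com", "payroll-vendor.example"}

PASSWORD_RESET_TERMS = ("reset your password", "password reset", "verify your password")
PII_TERMS = ("social security", "date of birth", "account number", "credit card")
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm")  # Office formats that can carry macros

URL_RE = re.compile(r"https?://\S+")


def sender_domain(msg):
    """Return the domain of the From: address, lower-cased ('' if absent)."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_message):
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Rule: be suspicious of senders the organisation does not recognise.
    if sender_domain(msg) not in KNOWN_SENDER_DOMAINS:
        findings.append("sender domain not recognised")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    urls = URL_RE.findall(body)
    context = URL_RE.sub("", body).strip()  # message text once links are removed
    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]

    # Rule: links sent without any message or context.
    if urls and len(context) < 20:
        findings.append("link with no message context")
    # Rule: attachments sent without a message in the body.
    if attachments and not context:
        findings.append("attachment with no message body")
    # Rule: macro-enabled documents deserve a second look before opening.
    for name in attachments:
        if name.lower().endswith(MACRO_EXTENSIONS):
            findings.append(f"macro-enabled attachment: {name}")

    lower = body.lower()
    # Rule: password-reset requests go to IT before anyone acts on them.
    if any(term in lower for term in PASSWORD_RESET_TERMS):
        findings.append("password reset request: forward to IT before acting")
    # Rule: never reply with personally identifiable information.
    if any(term in lower for term in PII_TERMS):
        findings.append("request for personal information")
    return findings


def build_message(sender, subject, body, attachment_name=None):
    """Construct a sample message (optionally with a dummy attachment) as text."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "employee@example-corp.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment_name:
        # Constructed placeholder bytes; only the filename matters for the rules.
        msg.add_attachment(b"\x00placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_string()


# Constructed sample messages (not real phishing mail).
SAMPLES = {
    "password_reset": build_message(
        "IT Helpdesk <helpdesk@example-corp-login.com>", "Action required",
        "Please reset your password here: http://example-corp-login.com/reset"),
    "bare_link": build_message(
        "unknown@mail.example", "fyi", "http://short.example/abc"),
    "macro_attachment": build_message(
        "vendor@payroll-vendor.example", "Invoice", " ", attachment_name="Invoice_Q3.docm"),
    "pii_request": build_message(
        "vendor@payroll-vendor.example", "Confirm details",
        "Please reply with your date of birth and account number to confirm."),
    "legitimate": build_message(
        "hr@example-corp.com", "Holiday calendar",
        "Hi team, the holiday calendar is attached. Let me know if you have questions.",
        attachment_name="calendar.pdf"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {triage(raw) or ['no findings']}")
```

The rules are deliberately crude; the point is that every item on the checklist maps to something a machine can flag, so that a message tripping any rule is routed to IT rather than left to an individual's judgement.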
Implement Smart Cybersecurity Controls
Sometimes employee gullibility is the biggest threat to an organization, so training alone is not enough.
In short, application control software is essential. Organizations need to deploy anti-executable software that blocks any unknown executable until network administrators have vetted it. Legitimate applications can be whitelisted, and known threats or unauthorized executables can be blacklisted.
Active protection is also critical to guarding against phishing scams. If a malicious executable somehow sneaks past application control, perhaps in the form of a macro, and an employee makes the mistake of enabling that macro, real-time threat detection from an anti-virus solution that runs quietly in the background can be a lifesaver.
Last but not least, if every layer of cybersecurity somehow fails, it’s important to have a final backup plan to quickly eliminate malware introduced on the system, be it ransomware or something a little more clandestine, such as a backdoor trojan or keylogger.
Contact Faronics today to learn more.