How to prevent phishing
From employee rewards for savvy actions to showing how breaches are relevant to every-day duties, here are the tips to help prevent phishing attacks
12 July 2017 |
Most of us have clicked on an email that seemed legitimate, but turned out be somewhat less than that.
The motivations can be anything from monetary to political or even espionage, and the preventions need to be as broad. From the best technology practices to employee education and social media smarts, here are the tips that protect your employees from those spear-phishing attempts
- Inbound email sandboxing
Deploy a solution that checks the safety of an emailed link when a user clicks on it. This protects against a new phishing tactic that have been observed from cybercriminals. Bad guys send a brand new URL in an email to their targets to get through the organisation’s email security. The other tactic is when they inject malicious code into the website right after delivery of the email URL. This URL will get past any standard spam solution.
- Real-time analysis and inspection of your web traffic
First, stop malicious URLs from even getting to your users’ corporate inboxes at your gateway. Even if you have inbound email sandboxing for your corporate email, some users might click on a malicious link through a personal email account, like Gmail. In that case, your corporate email spear-phishing protection is unable to see the traffic. Bottom line: your web security gateway needs to be intelligent, analyse content in real time, and be 98% effective at stopping malware.
- Employee behaviour
The human element is incredibly important. Adopting an employee testing programme and do this training on-going basis. The result is not really employee education or security awareness—it is behaviour modification.
Employee behaviour is a key part of the protection, and there are a number of steps that can help to educate and bring them onboard to strengthen protection.
- Pen-test your organisation
Employees are critical to your security success, spear-phishing defence and ability to prevent a data breach. Below are five ways you can turn them into security advocates.
One of the best ways people create new behaviours is by making a mistake and being corrected. It is time to put your black hat on. Select a group of folks from each major department and send them targeted spear-phishing emails using an outside email address. Use only information you can locate on their social media sites (Facebook, Twitter, LinkedIn, etc.). For example, you see they like a local sports team. Send them information about a local happy hour that supports the team. When they click on the link, inform them that they have been phished and communicate best practices in a positive way.
- Ask marketing for help
Start a partnership with marketing to help you communicate to your employees. Your marketing team specialises in communicating to different audiences to get them to take action. It is time to use their skills. Create a communication plan that both teams can execute against and track what methods are the most effective.
- Change how your message is communicated
Some people learn visually, others learn audibly and for many, it is a combination of both. Change how your security message is delivered to employees. Start with a monthly email, webinar and Intranet post. Switch it up with in-person trainings and videos. Using these different mediums will help your message resonate with more employees. Remember, you will need to communicate a message multiple times for it to stick.
- Make security relevant to them
Just asking employees to watch out for suspicious-looking emails does not drive home the urgency of spear-phishing. Rip it from the headlines. When a large company makes headlines for a data breach, because an employee opened an infected email, immediately communicate how something like that could happen to your employee base. It is well-timed, newsworthy and will be on your executives’ radar.
- Reward good behaviour
IT security is known for doom and gloom, but what if you change that perception? Start rewarding your employees for a “Catch of the Day.” Start an internal contest that asks employees to forward suspicious emails they receive (both from their personal and work accounts). Pick your “Catch of the Week” every Friday, reward the employee with a store gift card, and publicise the spear-phishing attempt for other employees to see.
Social media peril
Social networks are gold mines of personal information for cybercriminals, especially for targeted spear-phishing emails. Below are three things IT security professionals should never discuss online.
- Any birthdays/addresses/other item
As these items can be used as network passwords, the information is sensitive in more ways than one.
- Holiday or home photos
It is like an advertisement for when you will be out of town, while doing reconnaissance for the criminals.
- Phone numbers
Cybercriminals are getting more creative. More and more criminals are calling targeted employees and asking for information. For example, some criminals call and pretend they are from their help desk and need to reset passwords. When in doubt, go with your gut. If something seems off or you don’t know the person, ask for their contact information and look into it. Ultimately, it is better to be safe than polite.
Phishing is not going anywhere. As long as people use social networks and email continues to be a key workplace communication channel, spear-phishing will be a weapon of choice for cybercrime.
IDG News Service