How to protect your organisation from phishing attacks
Cyber Security Awareness Month
Now in its 18th year, Cyber Security Awareness Month continues to raise awareness about the importance of cybersecurity across the world. The theme for Cyber Security Awareness Month 2021 is “Do Your Part. #BeCyberSmart.”
The theme empowers individuals and organisations to own their role in protecting their part of cyberspace. If everyone does their part – implementing stronger security practices, raising community awareness, educating vulnerable audiences or training employees – our interconnected world will be safer and more resilient for everyone.
Fight the phish
Phishing attacks and scams have thrived since the COVID pandemic began in 2020 and today, phishing attacks account for more than 80 percent of reported security incidents. Week 2 of Cyber Security Awareness Month is about the importance of educating your employees so that they can identify and report suspected phishing emails.
Phishing is a type of social engineering attack in which users are contacted by email, telephone or text message by someone posing as a legitimate institution, in order to lure individuals into providing sensitive data. Attacks can install malware (such as ransomware), sabotage systems, or steal intellectual property and money.
What is phishing?
Phishing emails can hit an organisation of any size and type. It could be a mass campaign or a targeted attack against your organisation, where the aim could be something much more specific, like the theft of sensitive data. In a targeted campaign, the attacker may use information about your employees or company to make their messages even more persuasive and realistic. This is usually referred to as spear phishing.
In this blog post we outline three ways you can protect your organisation from phishing attacks:
1. Filter or block incoming emails
Improve your resilience against phishing attacks by blocking emails before they reach your employees
2. Educate employees
Provide your employees with training so they are able to identify and report suspected phishing emails
3. Have an incident response plan
Minimise the damage and return to business as usual quickly and efficiently with an incident response plan
1. Filter or block incoming emails
Filtering or blocking an email before it reaches your employees will obviously reduce the probability of a phishing incident and it also reduces the amount of time your employees need to spend checking and reporting emails. Your filtering/blocking service might be a cloud-based email provider’s built-in service, or a bespoke service for your own email server.
If you use a cloud-based email provider you should check that the filtering/blocking service is adequate for your needs, and that it is switched on by default for all your users. If you host your own email server make sure that a proven filtering/blocking service is in place. This can be implemented locally and/or purchased as a cloud-based service. Again, ensure that it is switched on by default for all your users.
Filtering services usually send email to spam/junk folders, whereas blocking services stop the email from being delivered at all. The rules that decide whether an email is blocked or filtered need to be tuned for your organisation so that you strike the right balance. Filtering all suspicious emails to spam/junk folders might leave users with a lot of emails to manage, which could make them more likely to click a phishing email; on the other hand, if you block all suspicious emails, some genuine emails may never get through. You will need to ensure you have the right rules in place for your organisation and that they are regularly reviewed.
Email can be filtered or blocked using a variety of techniques including: IP addresses, domain names, email address white/black list, public spam and open relay black lists, attachment types, and malware detection.
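The filter/block trade-off described above is easiest to see in a concrete rule engine. The following is an added example and not code from the post or any CyberCX product: it evaluates the signal types the post lists (sender IP, sender domain, white/black lists, attachment types and an upstream malware verdict) and shows how a single policy setting decides whether merely suspicious mail is filtered to the junk folder or blocked outright. All domains, IP addresses and list entries are constructed for the demo.

```python
"""Policy-driven email triage: deliver, quarantine (filter to junk) or block.

Added illustration, not the post's own code or a product. All policy values
and messages below are constructed for the demo.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Set, Tuple


class Action(Enum):
    DELIVER = "deliver"        # normal inbox delivery
    QUARANTINE = "quarantine"  # "filtering": routed to the spam/junk folder
    BLOCK = "block"            # "blocking": never reaches the user


@dataclass
class Message:
    sender: str
    sender_ip: str
    subject: str
    attachments: List[str] = field(default_factory=list)
    malware_detected: bool = False  # verdict from an upstream AV/sandbox scan


@dataclass
class Policy:
    allowed_domains: Set[str]        # own domains and trusted partners (white list)
    blocked_domains: Set[str]        # local black list
    blocked_ips: Set[str]            # e.g. entries taken from a public spam/open-relay list
    blocked_extensions: Set[str]     # attachment types that are never delivered
    suspicious_extensions: Set[str]  # attachment types that deserve a second look
    # The tuning knob from the post: what happens to merely *suspicious* mail.
    suspicious_action: Action = Action.QUARANTINE


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def attachment_extensions(names: List[str]) -> Set[str]:
    return {n.rsplit(".", 1)[-1].lower() for n in names if "." in n}


def classify(msg: Message, policy: Policy) -> Tuple[Action, str]:
    """Evaluate rules from highest to lowest confidence; the first match wins."""
    domain = sender_domain(msg.sender)
    exts = attachment_extensions(msg.attachments)

    # Hard blocks: these deliberately override any white-list entry.
    if msg.malware_detected:
        return Action.BLOCK, "malware detected in attachment"
    if msg.sender_ip in policy.blocked_ips:
        return Action.BLOCK, f"sender IP {msg.sender_ip} is on a block list"
    if domain in policy.blocked_domains:
        return Action.BLOCK, f"sender domain {domain} is black-listed"
    blocked = exts & policy.blocked_extensions
    if blocked:
        return Action.BLOCK, f"blocked attachment type(s): {sorted(blocked)}"

    # Known-good senders are delivered once the hard blocks have passed.
    if domain in policy.allowed_domains:
        return Action.DELIVER, f"sender domain {domain} is white-listed"

    # Suspicious signals: the policy decides between junk folder and block.
    for good in policy.allowed_domains:
        if edit_distance(domain, good) <= 1:
            return policy.suspicious_action, f"sender domain {domain} resembles {good}"
    suspicious = exts & policy.suspicious_extensions
    if suspicious:
        return policy.suspicious_action, f"suspicious attachment type(s): {sorted(suspicious)}"

    return Action.DELIVER, "no rule matched"


# Constructed sample policy and messages (documentation/test ranges only).
SAMPLE_POLICY = Policy(
    allowed_domains={"example.com"},
    blocked_domains={"spam.example"},
    blocked_ips={"198.51.100.7"},
    blocked_extensions={"exe", "js", "scr"},
    suspicious_extensions={"zip", "html"},
)

SAMPLE_MESSAGES = [
    Message("alice@example.com", "203.0.113.5", "Q3 report", ["report.pdf"]),
    Message("billing@examp1e.com", "203.0.113.9", "Overdue invoice"),
    Message("hr@partner.test", "203.0.113.20", "Policy update", ["policy.zip"]),
    Message("it@partner.test", "203.0.113.21", "Patch", ["update.exe"]),
    Message("news@spam.example", "203.0.113.30", "You won"),
    Message("bob@example.com", "198.51.100.7", "Hello", ["cv.pdf"], malware_detected=True),
]


def triage(messages: List[Message], policy: Policy) -> List[Tuple[str, str, str]]:
    """Return (subject, action, reason) for every message under the policy."""
    return [(m.subject, a.value, why) for m in messages for a, why in [classify(m, policy)]]


if __name__ == "__main__":
    for subject, action, why in triage(SAMPLE_MESSAGES, SAMPLE_POLICY):
        print(f"{action:<10} {subject:<16} {why}")
```

Switching `suspicious_action` to `Action.BLOCK` turns the look-alike domain and the `.zip` attachment from junk-folder deliveries into hard blocks, which is exactly the choice the post says needs balancing and reviewing: fewer phish in front of users, but more genuine mail that never arrives. Note that the white list is consulted only after the hard blocks, so a malware verdict or a blocked attachment type is never overridden by a trusted sender domain.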
2. Educate employees to identify and report suspected phishing emails
Recognising fraudulent emails and phishing scams is not easy so it’s important that you educate your employees on why phishing is harmful and empower them to detect and report phishing attempts.
Depending on your organisation’s culture and size this can be delivered via a written document, videos or in person training, or a combination of the above.
Simulated phishing campaigns reinforce employee training and help you understand your risk and improve workforce resiliency. Your organisation can then monitor the results to see which attack types were most successful and whether any departments were more susceptible, so you can strengthen your phishing awareness training and add further training where it is needed.
Customer-facing departments may receive high volumes of unsolicited emails, so may be at greater risk. In addition, employees authorised to access sensitive information, manage financial assets, or administer IT systems will be of greater interest to an attacker and therefore may be the target of a sophisticated spear phishing campaign. Ensure these more exposed employees are aware of the risks and offer them additional support.
Creating the ability for users to report phishing attempts (including ones that are clicked on) gives you vital information about what types of phishing attacks are being used. You can also learn what type of emails are getting mistaken for phishing, and what impact this might be having on your organisation.
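Monitoring simulation results by department and attack type, and counting the clicks that were nevertheless reported, is a small amount of analysis once the campaign export is in hand. The script below is an added example, not code from the post or from any phishing-simulation product; the CSV export and its column names are constructed for the demo, and real platforms use their own formats.

```python
"""Summarise a simulated-phishing campaign export by department and lure type.

Added illustration, not the post's or any vendor's code. The CSV below is
constructed; real platforms export similar data under their own column names.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed export: one row per employee who received a simulated phish.
SAMPLE_CSV = """\
employee,department,lure,clicked,reported
e001,Finance,invoice,yes,no
e002,Finance,invoice,yes,no
e003,Finance,invoice,yes,yes
e004,Finance,invoice,no,yes
e005,IT,password-reset,no,yes
e006,IT,password-reset,no,yes
e007,IT,password-reset,no,yes
e008,Support,delivery-notice,yes,no
e009,Support,delivery-notice,yes,yes
e010,Support,delivery-notice,no,no
"""


def parse_results(text: str) -> List[dict]:
    """Read the export into typed rows; 'yes'/'no' flags become booleans."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "employee": row["employee"],
            "department": row["department"],
            "lure": row["lure"],
            "clicked": row["clicked"].strip().lower() == "yes",
            "reported": row["reported"].strip().lower() == "yes",
        })
    return rows


def rate_by(rows: List[dict], key: str) -> Dict[str, Dict[str, float]]:
    """Aggregate counts and rates per value of `key` ('department' or 'lure')."""
    groups = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0,
                                  "clicked_and_reported": 0})
    for r in rows:
        g = groups[r[key]]
        g["sent"] += 1
        g["clicked"] += r["clicked"]
        g["reported"] += r["reported"]
        # A click that the user then reported still gives the SOC early warning.
        g["clicked_and_reported"] += r["clicked"] and r["reported"]
    for g in groups.values():
        g["click_rate"] = g["clicked"] / g["sent"]
        g["report_rate"] = g["reported"] / g["sent"]
    return dict(groups)


def needs_extra_training(summary: Dict[str, Dict[str, float]],
                         threshold: float = 0.25) -> List[str]:
    """Groups whose click rate exceeds the threshold, worst first."""
    over = [(name, s["click_rate"]) for name, s in summary.items()
            if s["click_rate"] > threshold]
    return [name for name, _ in sorted(over, key=lambda x: (-x[1], x[0]))]


def most_successful_lure(rows: List[dict]) -> str:
    """The attack type with the highest click rate across the campaign."""
    by_lure = rate_by(rows, "lure")
    return max(by_lure, key=lambda k: by_lure[k]["click_rate"])


if __name__ == "__main__":
    results = parse_results(SAMPLE_CSV)
    by_dept = rate_by(results, "department")
    for name, s in sorted(by_dept.items()):
        print(f"{name:<10} sent={s['sent']} click_rate={s['click_rate']:.2f} "
              f"report_rate={s['report_rate']:.2f} clicked_then_reported={s['clicked_and_reported']}")
    print("most successful lure:", most_successful_lure(results))
    print("extra training for:", needs_extra_training(by_dept, threshold=0.5))
```

The threshold passed to `needs_extra_training` is a policy choice rather than a fixed number; the point of the report rate and the clicked-then-reported count is that a department with a high click rate but a high report rate is in a very different position from one that clicks and stays silent.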
3. Have an incident response plan
It’s not possible to stop all attacks and all organisations will experience security incidents at some point. So it’s important to make sure your organisation can respond to them quickly and effectively.
A good incident response plan will reduce the impact when an incident does happen. Being able to detect and quickly respond to incidents will help to prevent further damage, reducing the financial and operational impact. Knowing how to respond and manage external communications around the incident will help to reduce the reputational impact. After an incident has happened it is important to then update your response plan with any new learnings to ensure that you are more prepared in the future.
Prepare response plans
- What information needs to be protected and where is it stored?
- Who owns the data and has responsibility for managing it?
- Do you have sufficient IT resources to respond to an attack or do you need to consider third-party support?
- Do you have executive buy-in from the top of the organisation?
- Have all stakeholders been assigned roles and responsibilities? This is likely to include your IT security team, but will also include legal, HR and Public Relations, as well as suppliers and vendors.
- Is your incident response plan linked to disaster recovery, business continuity and crisis management plans, and supported with the relevant capabilities?
- What is the chain of command that includes both IT and organisation leaders?
- What are your criteria for escalation to senior management, and what needs to happen for you to scale up your response?
- What is the incident response workflow among different stakeholders and departments?
- Do you have 24/7 contact information for all incident response team members, their backups, and managers, as well as alternative channels of communication if regular channels are compromised or unavailable?
- Do you have an up-to-date list of preferred suppliers for forensics, hardware replacement, and related services that might be needed before, during or after an incident?
- Do your employees know how to report suspicious emails and activities?
- Do you have a comprehensive and integrated communications plan to inform both internal and external audiences on incidents in a fast and effective way?
Practise your response plans
Practising response plans ensures your employees know how to respond during an incident, are clear on roles and responsibilities and can also highlight any problem areas in your planned response. Develop and regularly conduct tabletop exercises to evaluate and test your incident response plan and ensure there are no gaps.
Update your response plans
You should always update your response plans after every incident, or if there is a change in your team structure. Use the incident to improve the security of your organisation. If you can understand how the incident happened, then you can potentially put new measures in place to prevent something similar happening again.
How can CyberCX help?
CyberCX provides organisation-wide education and training support, backed by years of experience in learning and development. Find out about our simple, effective and measurable phishing training with our own Phriendly Phishing product, to build your workforce’s resilience against the most effective contemporary hacking technique, phishing.
Phriendly Phishing aims to create long-lasting learning and enhance the performance of both employees and organisations. Unlike other solutions, Phriendly Phishing provides learning that is continuously practised, tested and measured, all within a zero-touch automation learning path.