Phishing in the dark

Phishing is no new phenomenon, but it is being used more and more as a formidable weapon against its victims. What can be done to negate its impact?
A new phishing assault unleashed on the NHS has been described as a "timely reminder" to all organisations, in both the public and private sector, that they need to cover both the technology and human aspects of cybersecurity to develop an adequate level of protection. What should such a strategy look like? How does it differ from what most organisations are doing right now? And what are the likely consequences if they fail to take those steps?

"In the new hybrid working world, organisations have been left seriously exposed to cyberattacks," points out Richard Watson, EY Global & Asia-Pacific cybersecurity leader. "In fact, 77% of security leaders have witnessed an increase in the number of disruptive attacks over the last year [according to the latest EY Global Information Security Survey]. In addition, phishing tactics used by cyber criminals have become increasingly sophisticated and difficult to detect, compounding the problem even further.

"Leaders need to put in place a comprehensive cybersecurity strategy that incorporates both technology and human elements, especially since phishing attacks take advantage of human vulnerabilities and weaknesses," adds Watson, who suggests the following approach:

Know the signs of a phishing attack - "Despite years of sitting through computer-based training modules, too many employees are still not aware of the signs of a phishing attack, often falling victim to them. Leaders should make cybersecurity training mandatory for all employees, so they can identify a phishing attack immediately, and that training should be experience-based (for example, simulated phishing exercises), as this is considered to be a very effective way to really get the message home," he states.

Foster greater communication and collaboration between the CISO and C-Suite - "Cybersecurity is too often a technical conversation causing many executives and boards to shy away from it. To help manage this, CISOs should use business language with the C-suite, articulating the risks, not reams of technical operational data, to ensure they're properly educated about the realities of cyber-incidents and how to mitigate them. This will also help with the conversation about funding - which many CISOs consider to be the hardest part of their job."

Security by design approach - "All teams should follow this approach when creating systems, products and services within their businesses and, to do it properly, cyber experts should be involved in the planning process of any new initiative from the very start. This is a term that has become known as 'left shifting security in the plan'. This means that cyber protection is built into everything from the outset and is maintained through consistent monitoring, testing and implementation of safeguarding procedures. Worryingly, today just 19% of cybersecurity professionals feel like they are consulted in the planning stages of new business initiatives - so it's clear there is significant room for improvement."


Richard Watson, EY: phishing tactics used by cyber-criminals have become increasingly sophisticated and difficult to detect.

If leaders fail to take these steps, says Watson, the consequences for their organisations could be catastrophic and lead to significant financial and reputational damage, especially for those who hold sensitive customer data or operate critical infrastructure.

STAYING IN CONTROL
Phishing is a threat that cannot be avoided, but it can be controlled, argues Lee Schor, chief revenue officer of VIPRE, outlining the technology tools and training organisations need to reduce the threat of such attacks and ultimately assemble a phishing prevention toolkit. "Technology solutions can support businesses by acting as a layer of security protection to help identify, stop and block potential phishing threats from entering the network.

Email is the leading attack vector used by cybercriminals to deliver phishing, ransomware and malware attacks. The first step in preventing phishing via email is to ensure that businesses have the right protection in place at the time of receiving and handling emails, such as email attachment sandboxing; anti-phishing protection; data loss prevention (DLP) tools; and outbound email protection."

Innovative technologies such as machine learning can be used to scan emails for possible phishing scams by comparing links to known phishing data, he adds. "Additionally, DLP tools help to stop sensitive information from leaving the organisation at the time an employee sends an email by offering a crucial double-check."

Digital tools can help to identify and stop potential phishing emails - but these technologies are not the complete solution. "No phishing prevention plan is effective without users understanding the threat landscape," says Schor. "Therefore, it is crucial that businesses implement a security and phishing awareness training programme that educates users on the different types of phishing and potential threats. It is vital that this training includes phishing simulations and penetration testing, so that employees can face real-life scenarios. This type of education will help identify areas of weakness where organisations need to provide support to employees through additional training, for example, and will help businesses to continuously assess the success of a phishing awareness programme."

Investing in a phishing toolbox is essential to fully protect your organisation against ever-changing attacks and zero-day threats delivered via SMS, phone and email, he concludes. "By implementing the right technology, combined with user education and security awareness training to give all-around protection, businesses can carefully manage and avoid phishing threats. As the growth of the cyber security threat landscape shows no signs of slowing down, organisations can be reassured that they have the necessary protective layers in place to combat the modern threat landscape by using the right tools and training."

TWO-FOLD APPROACH
Tackling the threat of phishing requires a two-fold approach, says Jamie Akhtar, CEO & co-founder of CyberSmart. "On the one hand, organisations must deploy technologies that can help filter through incoming communications for any suspicious language, links and attachments; quarantining these until they have been inspected by the security team. In conjunction, measures must be implemented to educate employees on the threats that exist and how they can best manage them. The latter is trickier to do, and requires a good understanding of cyber psychology and human behaviour to be effective."

Most employees prioritise direct work tasks and deliverables, employing slow and deliberate (or 'system 2') thinking to do so, he points out. "Cybersecurity concerns, however, usually come secondary to these tasks and may not receive the same amount of attention. Instead, the majority of individuals will use system 1, or automatic thinking, when assessing threats. We use cognitive shortcuts, like identifying familiar logos, images and names, when making a judgement on the safety of clicking a link or downloading an attachment. There is also an element of learned helplessness when it comes to cybersecurity, because it is often made out to be a complex and intimidating matter. Therefore, it is critical that organisations foster good cybersecurity habits as early as possible and embed them into the company culture."

There are a couple of ways to make this work in practice, suggests Akhtar. "The first is to leverage security tools and other awareness training technologies that are user friendly to improve overall security posture. For instance, introducing regular, bite-sized training videos that address specific knowledge gaps in the organisation. The second important step is to build an empowering and encouraging culture where it is okay to ask questions, make mistakes and learn from them. If your employees are scared or uncomfortable reporting an issue to your security team, that is when you should be worried."

In the past, employees have been vilified for being the 'weakest link' and fear was used to instil best practices, he adds. "Yet research has shown that relying on fear to enact change is not sustainable, so we need to take steps to bolster employee confidence in handling threats. We should also place greater emphasis on the benefits of being cyber secure and compliant, such as keeping their data safe, as opposed to the dangers that exist."

INSIDER THREATS
"Phishing is not a new phenomenon," comments Joseph Carson, chief security scientist and advisory CISO at Delinea, "so strategies need not drastically change, but organisations need to adopt basic best practice, educate users and reinforce through repetition. Whether made by a public or private organisation, security processes should ultimately be the same and user access should be a top priority, given insider threats are the predominant cause of phishing and other breaches."

Carson points to the proliferation of NHS email, SMS and web-based phishing attacks over the past year, adding that these campaigns have so far lured thousands of victims into leaking sensitive information, such as log-in credentials and payment details. "In fact, these phishing campaigns have been so sophisticated and widespread that business leaders can only reasonably assume that a colleague or employee has already fallen victim to one - especially if they have been working remotely for the first time in their career."

Cybersecurity and awareness training for all employees should be a top priority, adds Carson. "The earlier you identify attacks, the quicker you can implement detection and response controls to mitigate any impact. However, training alone is not enough and we shouldn't expect employees to all become cybersecurity professionals. While they should be made aware of common phishing techniques and how to identify and report such attacks, it is imperative for companies to adopt a zero-trust approach enforced by least privilege access.

"This way, a user will only get access to specific applications and data once their identity has been verified and only for the time needed to complete the task, thus ensuring that leaked log-in credentials do not necessarily translate to a breach of data. Every organisation will likely have at least one employee who will click on something bad, so let's adopt a zero-trust approach to reduce the impact of when that happens."

TUNNEL VISION
According to recent research from OpenText, there was a 1,122% increase in phishing attacks in the first quarter of 2022, compared to Q1 in 2021. To ensure cyber resilience, it states, organisations must deploy strong, multi-layered security and data protection policies to prevent, respond to and quickly recover from threats. With this in mind, OpenText Security Solutions has unveiled new patent-pending technology that, it says, "stops rogue DNS requests and identifies and blocks vulnerabilities exposed through DNS, including tunnelling and data exfiltration attacks".
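The DNS tunnelling and data exfiltration that OpenText's announcement refers to can also be approached from the defender's side with a simple heuristic over resolver logs: encoded data shows up as unusually long or high-entropy labels in front of a single registered domain, repeated many times by one client. This is an added example, not OpenText's technology or code from the article; the query log and the names under the reserved .test TLD are constructed, and the thresholds are assumptions to tune against your own baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of resolver query logs as (client_ip, queried_name) pairs.
# The names are made up under the reserved .test TLD and are not real indicators.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.5", "cdn.static-assets.test"),
    ("10.0.0.7", "nbswy3dpeb3w64tmmqqhg2lnob3gk5lueb2gq3dqmu.tunnel-demo.test"),
    ("10.0.0.7", "mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.tunnel-demo.test"),
    ("10.0.0.7", "ge2dgnbvgy3tqojqifbegrcfiyzeks2kjfcuur2wkjjvix2ym.tunnel-demo.test"),
    ("10.0.0.7", "www.example.com"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty string or one repeated character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registered_domain(name: str) -> str:
    """Approximation: the last two labels. Production code should use the Public Suffix List."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def is_suspicious_name(name: str, max_label_len: int = 30, min_entropy: float = 3.8) -> bool:
    """Heuristic (assumed thresholds): a very long or high-entropy host part looks like encoded data."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return False  # bare registered domain, nothing encoded in front of it
    host_part = ".".join(labels[:-2])
    return len(labels[0]) > max_label_len or shannon_entropy(host_part) > min_entropy

def find_tunnelling_candidates(queries, min_hits: int = 3):
    """Return {(client, registered_domain): count} for pairs with >= min_hits suspicious queries.

    Requiring several hits per client/domain pair filters out the odd long CDN or
    tracking hostname and keeps the sustained pattern a tunnel produces.
    """
    hits = defaultdict(int)
    for client, name in queries:
        if is_suspicious_name(name):
            hits[(client, registered_domain(name))] += 1
    return {k: v for k, v in hits.items() if v >= min_hits}

if __name__ == "__main__":
    for (client, domain), n in find_tunnelling_candidates(SAMPLE_QUERIES).items():
        print(f"{client} -> {domain}: {n} suspicious queries")
```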

Real-time threat intelligence is an essential component of a business's cyber resilience strategy, advises OpenText, citing the following findings in a 2022 BrightCloud Threat Intelligence report:

  • 1,122% increase in phishing in the first quarter of 2022, compared to 2021 Q1 phishing numbers, bucking the trend of hackers taking a holiday in Q1
  • For the first time, Instagram broke into the top five most impersonated brands for phishing, demonstrating increased targeting of younger users
  • 36.1% reduction in malware encounters for customers using both endpoint and DNS protection versus only endpoint protection, reinforcing the added efficacy benefit of securing DNS and using layered security.

"With security risks escalating worldwide and a persistent state of evolving threats, compromises are inevitable, so security remains job number one," says Mark J. Barrenechea, OpenText CEO and CTO. "Through our breadth of OpenText Security Cloud, we make it easier for businesses to increase their cyber resilience posture and protect themselves against threats. And if a vulnerability unfortunately leads to a breach, our solutions enable quick detection, response and recovery to minimise disruption."