Phishing – The “Uncharted” Territory
In today’s digital world, the risk presented by phishing keeps growing as the quantity and confidentiality of data stored electronically increase. Phishing remains a pronounced problem for both companies and individuals. Despite being one of the oldest internet scams, how susceptible an organization’s employees are to phishing attacks is, to a great extent, still unknown.
Phishing is the attempt to pose as a reputable company, entity or person in electronic communications over the Internet in order to obtain sensitive information such as passwords, user names and other confidential data, predominantly for malicious purposes. Most organizations now have policies, security controls and procedures in place to respond and react quickly to a phishing attack; however, these measures are often ineffective against a genuine attack, especially one that goes unnoticed.
Recent reports have shown that the number of phishing sites detected in 2016 was an all-time high. Having briefly covered the term ‘Phishing’ and its impact on individuals and organizations, let’s now look at the risks posed by phishing attacks, how susceptible our companies are, the impact an attack can have, and how to measure and alleviate these risks. These key points and insights will give you a better understanding of phishing attacks and of how to mitigate the risks.
Is Your Company’s Security Stance Good Enough to Identify and Ward Off Phishing Attacks?
Although most organizations now have stringent security policies and controls for software, infrastructure and network threats, these rarely provide a clear picture of how susceptible their employees are to external phishing attacks.
The following key points will help your company understand and evaluate its security measures with respect to the risks posed by phishing attacks:
- Perform a controlled phishing attack regularly to assess and understand the impact on your employees and the company
- Educate your employees, through security awareness programs, about external threats including possible phishing attacks and how to react to them
- Understand your company’s susceptibility to phishing attacks relative to other organizations in the same market
- Identify which specific departments within your company are most susceptible to a phishing attack
- Estimate the number of employees who would take an action such as clicking a link in an email that would disclose sensitive information or download malicious software
- Determine whether a phishing attack in your company would go unnoticed or whether there would be an internal response
Understanding the Impact of Risks Posed by Phishing to Your Company
A well-executed phishing attack can pose great security danger to an organization, including the following:
- Tricking employees into clicking malicious links to download software that the attackers can use to access the company’s network, bypassing security controls
- Accessing company resources, domain and password credentials, and confidential information such as financial data, sales information, budgets, corporate sales projections, employee data and more
- Accessing files and sharing options to extract other corporate assets
- Accessing and exploiting client-side software, which can later be used to access the company’s network without the use of download links or other malicious software
A phishing attack not only poses a data security risk but also tarnishes the company’s reputation, leading to loss of sales and revenue in the long term.
Is My Company Susceptible to Phishing Attacks? How to Measure and Alleviate the Risks Posed by Phishing Attacks
- Perform controlled phishing attacks on a regular basis to measure employee susceptibility to phishing attacks
- Include a good sample of departments and employees to get more representative results from the controlled attacks
- Review and record how many employees:
  - Clicked on the malicious links in the simulated phishing emails
  - Downloaded the malicious software or otherwise responded to the attack
  - Entered confidential corporate information into the phishing sites
- Educate and train employees based on the recorded results to minimize risks to the company:
  - Let users know that they need to be cautious of anyone asking for personal information, and ask them to verify such requests with the relevant people in the company
  - Check the legitimacy of an email and its content
  - Check for any unusual information in the message, such as software and system details, which can be indicators of a phishing attack
- Was the security team able to review and identify all key areas that needed improvement after the controlled attack? This assessment improves the efficiency and management of the internal response to phishing attacks and makes the identification of, and response to, future threats more effective.
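The metrics described above (how many employees clicked, how many submitted information, which departments are most susceptible, and whether anyone reported the email) are simple to compute once each controlled campaign records one outcome per recipient. The following is an added example, not code from the original article: it summarises constructed assessment results per campaign and per department, and tracks the click rate across campaigns so the decrease in susceptibility over time can be shown rather than assumed. The campaign identifiers, department names and recipient ids are all constructed sample values.

```python
"""Summarise controlled phishing assessment results per campaign and department."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishEvent:
    campaign: str    # assessment identifier (constructed, e.g. "2016-Q1")
    department: str  # department of the recipient
    recipient: str   # pseudonymous id; results should not be stored against real names
    clicked: bool    # followed the link in the simulated email
    submitted: bool  # entered information on the landing page
    reported: bool   # forwarded the email to the security team


# Constructed sample results for two campaigns against the same eight recipients.
EVENTS = [
    PhishEvent("2016-Q1", "Finance", "f01", True, True, False),
    PhishEvent("2016-Q1", "Finance", "f02", True, False, False),
    PhishEvent("2016-Q1", "Finance", "f03", False, False, True),
    PhishEvent("2016-Q1", "Finance", "f04", False, False, False),
    PhishEvent("2016-Q1", "Sales", "s01", True, True, False),
    PhishEvent("2016-Q1", "Sales", "s02", False, False, False),
    PhishEvent("2016-Q1", "Sales", "s03", False, False, True),
    PhishEvent("2016-Q1", "Sales", "s04", False, False, True),
    PhishEvent("2016-Q2", "Finance", "f01", True, False, False),
    PhishEvent("2016-Q2", "Finance", "f02", False, False, True),
    PhishEvent("2016-Q2", "Finance", "f03", False, False, True),
    PhishEvent("2016-Q2", "Finance", "f04", False, False, False),
    PhishEvent("2016-Q2", "Sales", "s01", False, False, True),
    PhishEvent("2016-Q2", "Sales", "s02", False, False, True),
    PhishEvent("2016-Q2", "Sales", "s03", False, False, True),
    PhishEvent("2016-Q2", "Sales", "s04", False, False, False),
]


def summarise(events, by):
    """Return sent count and click/submit/report rates per group.

    `by` is a key function selecting the grouping (campaign, department, ...).
    """
    counts = defaultdict(lambda: {"sent": 0, "clicked": 0, "submitted": 0, "reported": 0})
    for e in events:
        c = counts[by(e)]
        c["sent"] += 1
        c["clicked"] += e.clicked
        c["submitted"] += e.submitted
        c["reported"] += e.reported
    return {
        group: {
            "sent": c["sent"],
            "click_rate": round(c["clicked"] / c["sent"], 3),
            "submit_rate": round(c["submitted"] / c["sent"], 3),
            "report_rate": round(c["reported"] / c["sent"], 3),
        }
        for group, c in counts.items()
    }


def most_susceptible_department(events, campaign):
    """Department with the highest click rate in one campaign (ties broken by name)."""
    stats = summarise([e for e in events if e.campaign == campaign],
                      by=lambda e: e.department)
    return max(sorted(stats), key=lambda d: stats[d]["click_rate"])


def susceptibility_trend(events):
    """Click rate per campaign, ordered by campaign id, to show change over time."""
    stats = summarise(events, by=lambda e: e.campaign)
    return [(campaign, stats[campaign]["click_rate"]) for campaign in sorted(stats)]


def went_unnoticed(events, campaign):
    """True when nobody reported the email, i.e. a real attack would have gone unnoticed."""
    return not any(e.reported for e in events if e.campaign == campaign)


if __name__ == "__main__":
    for campaign, rate in susceptibility_trend(EVENTS):
        print(f"{campaign}: click rate {rate:.1%}, "
              f"most susceptible: {most_susceptible_department(EVENTS, campaign)}, "
              f"unnoticed: {went_unnoticed(EVENTS, campaign)}")
    for dept, s in sorted(summarise(EVENTS, by=lambda e: e.department).items()):
        print(f"{dept}: {s}")
```

Recording one row per recipient rather than only campaign totals is what makes the per-department breakdown and the report rate possible; the report rate is the figure that answers the article’s question of whether an attack would be noticed at all.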
Based on recent reports, overall susceptibility falls with each controlled phishing assessment, leading to a substantial decrease over time; this improves the company’s internal response to external threats and makes it less vulnerable to phishing attacks. Reviewing, understanding and applying these key points and measures can considerably reduce the susceptibility of companies and individuals to phishing attacks.