
Security Think Tank: Phishing awareness a key element of a security positive culture

What are the most effective types of security controls and user training approaches for dealing with phishing?

Although many people are aware of phishing attacks, there are still a large number of successful compromises.

Phishing attacks counterfeit communications from a legitimate or trustworthy source to mislead recipients into revealing sensitive information. Email containing links that lead to malware is the main means of conducting phishing attacks, but attackers are also increasingly using social media for phishing to exploit vulnerable individuals.

As well as considering inbound phishing attacks directed at their company, organisations must also think about external parties and phishing attempts from attackers masquerading as the organisation.

For external parties, most organisations are limited to providing awareness advice. Good examples include The Imposter advert produced by Barclays and published advice from HM Revenue and Customs saying it will never contact people via email or text message about a tax rebate.

From an inbound attack perspective, potential technical security controls include email scanning, verifying the source IP address of senders’ emails to limit spoofing, and preventing the opening of attachments from unknown or untrusted sources. Some organisations choose to block any email with an attachment; others use whitelists for links.
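As an added illustration of the sender-IP verification control mentioned above (example code, not part of the original article): a minimal evaluator that checks the IP that delivered a message against an SPF-style record of authorised senders, so a receiving gateway can fail spoofed mail before it reaches a user. The domains, records and addresses are constructed, and only the ip4/ip6 and "all" mechanisms are evaluated so that it runs offline.

```python
import ipaddress
# Constructed sample SPF records for hypothetical domains (not from the page).
# example.com authorises one /24 and one host and rejects the rest (-all);
# example.org only softfails unknown senders (~all).
SAMPLE_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "example.org": "v=spf1 ip4:203.0.113.0/24 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_sender_ip(spf_record: str, sender_ip: str) -> str:
    """Evaluate an SPF-style record against the IP that delivered the mail.
    Only ip4/ip6 and the terminal "all" are handled so this runs offline
    (include/a/mx need DNS). Returns pass, fail, softfail or neutral."""
    ip = ipaddress.ip_address(sender_ip)
    terms = spf_record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            # an IPv6 sender never matches an ip4 mechanism (and vice versa)
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" present


def classify_messages(records: dict, messages: list) -> list:
    """Check constructed (sender domain, connecting IP) pairs; a domain with
    no published record yields "none", as a real receiver would see."""
    out = []
    for domain, ip in messages:
        record = records.get(domain)
        out.append((domain, ip, check_sender_ip(record, ip) if record else "none"))
    return out


if __name__ == "__main__":
    sample = [("example.com", "203.0.113.45"), ("example.com", "192.0.2.10"),
              ("example.org", "192.0.2.10"), ("example.net", "198.51.100.7")]
    for domain, ip, verdict in classify_messages(SAMPLE_RECORDS, sample):
        print(f"{domain:12} {ip:15} {verdict}")
```

A production gateway would resolve the record via DNS and combine the result with DKIM and DMARC policy rather than acting on SPF alone.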

But technical controls alone are not enough; security awareness is an essential component. Many organisations conduct regular phishing simulations to “test” employees and measure behavioural change. One organisation recently sent a fake phishing email to 1,000 employees; 50% of the recipients opened the email and clicked on the link within an hour.

Other methods of cultivating expected security behaviours include gamification (for example, building up points during awareness “quizzes”) perhaps combined with the development of easily remembered mantras, for example: “Stop and think before clicking on a link” or “If you suspect it, report it”. Select the awareness training that works best for your organisation.

Do remember that how employees deal with phishing attacks is only a small part of expected security behaviours. Developing an overall security positive culture is the main goal.

Maxine Holt is principal analyst at the Information Security Forum (ISF).
