
Security Think Tank: Phishing: protect, educate and limit damage

What are the most effective types of security controls and end user training approaches to dealing with phishing?

Phishing is a perennial problem. Traditionally, larger organisations have been the focus of attackers with the primary aim of gaining access to networks. 

However, ransomware, with its mainly financial motive, changed the game: suddenly it became just as worthwhile to target SMEs as large corporates. In many respects SMEs are also easier to breach, because they often lack the budget to invest in technical countermeasures and the resources to educate employees.

The key to minimising the likelihood of a successful attack is to recognise that phishing requires a person to perform an action. The following activities should therefore be adopted:

1. Reduce opportunities for users to encounter a phishing attempt

The first layer of protection is technical. If a phishing message never reaches the user, there is no decision for them to make that could result in a compromise. There is a strong ecosystem of anti-phishing and anti-malware technology, and it is important that it is enabled for both email (filtering at the mail gateway or mail service) and browsers (blocking of known malicious URLs and downloads).
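To make the first layer concrete, the following is an added example (not code from the article or from any product it alludes to) of the kind of link heuristics an email filter applies before a message reaches a user: it pulls every link out of an HTML body and flags plain-http links, IP-literal hosts, credentials embedded in the URL, punycode hosts, a visible domain that differs from the one actually linked, and a trusted brand name appearing in a host the organisation does not own. The sample message, the TRUSTED_DOMAINS set, the indicator names and the "last two labels" registered-domain rule are all constructed assumptions for illustration.

```python
"""Link heuristics of the kind an email anti-phishing filter applies before a
message reaches the user. Added example, not code from the article; the
sample message, TRUSTED_DOMAINS and the indicator names are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed: the domains the (hypothetical) organisation owns.
TRUSTED_DOMAINS = {"example-bank.com"}

# Something that looks like a hostname inside a link's visible text.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude registered-domain guess (last two labels). A real filter would
    consult the Public Suffix List; this simplification is an assumption."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return the indicators one link trips (empty list = nothing suspicious)."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""

    if parts.scheme == "http":
        findings.append("insecure-scheme")
    if parts.username is not None:
        findings.append("userinfo-in-url")       # https://bank.example@evil.example/
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        findings.append("punycode-host")         # candidate homograph domain

    # The domain the user *sees* differs from the domain they would *visit*.
    shown = DOMAIN_RE.search(text)
    if shown and host and registrable(shown.group(1)) != registrable(host):
        findings.append("display-href-mismatch")

    # A trusted brand name appears in a host the organisation does not own.
    if host and registrable(host) not in TRUSTED_DOMAINS:
        if any(t.split(".")[0] in host for t in TRUSTED_DOMAINS):
            findings.append("brand-in-untrusted-host")
    return findings


def scan_message(html):
    """Map each link that trips at least one indicator to its indicators."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = {}
    for href, text in collector.links:
        findings = check_link(href, text)
        if findings:
            flagged[href] = findings
    return flagged


# Constructed sample message, not a real phishing mail.
SAMPLE_EMAIL = """
<p>Dear customer, your account has been locked.</p>
<p>Please <a href="http://198.51.100.7/login">verify here</a> or visit
<a href="https://example-bank.com.secure-login.example/">https://example-bank.com/login</a>.
For help see <a href="https://example-bank.com/help">support</a>.</p>
"""

if __name__ == "__main__":
    for href, why in scan_message(SAMPLE_EMAIL).items():
        print(f"{href}: {', '.join(why)}")
```

Run as a script it flags the first two links and leaves the genuine support link alone. The design point is that each indicator is cheap and individually weak; a production filter combines many such signals with reputation data and sender authentication results, which is why the article's advice is to enable the vendor ecosystem rather than build this in-house.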

2. Improve users’ decision-making

Technology is not infallible and some phishing attempts will still get through. As noted, a phishing attack needs human interaction to work, whether that is clicking a link or opening an attachment that runs malware (knowingly or not), or entering credentials on an attacker-controlled web page that harvests them.

The most effective measure in which organisations can invest is improving user awareness through education and testing. Education is most effective when it is relevant to the audience it is aimed at and delivered in a way that is easy for them to consume.

Many organisations are choosing to reinforce ongoing awareness campaigns with periodic phishing exercises on their staff and any third parties that have access to the network. We have seen a strong correlation between the quality of awareness campaigns and the results of phishing simulations, in particular when failures are followed up with additional education.

3. Limit damage

At some point, the previously mentioned controls will fail and a user will download something they should not or give away their network credentials.

Endpoints must run effective, up-to-date anti-malware software, and organisations should have defined incident response procedures for dealing with a network breach. Many of the costs associated with a breach come from lost productivity, both during the breach itself and during subsequent remediation, and this should be factored into recovery planning.

Multi-factor authentication (MFA) provides good protection against the loss of credentials, because a phished password alone is no longer enough to log in, and it is increasingly used to control access to resources and services both within an organisation's network and in external cloud services. One caveat: one-time codes sent by SMS or generated by an app can still be captured and relayed by a phishing site in real time, so where the risk warrants it, prefer phishing-resistant methods such as hardware security keys.

In response to the cyber threat faced by SMEs, the UK government developed the Cyber Essentials scheme, which enables businesses to assess themselves against a set of security controls and measures that, although not solely aimed at preventing phishing, could reduce the impact of a breach.

Richard Hunt is managing director of Turnkey Consulting.
