Security Think Tank: Three-pronged approach to phishing prevention

What are the most effective types of security controls and end user training approaches to dealing with phishing?

Phishing is one of the most successful and commonly used attack vectors we face, and this is because it involves people.

I’ve said it before and I’ve read it many times over, but people are always going to be the Achilles heel in security. Attacks that exploit the unpredictable nature of people are therefore strong candidates for success.

The most successful phishing attempts are the ones that provoke an emotive, knee-jerk response from people who click without thinking first. When given more than a moment to think about what they are doing, many people make a more informed choice about what to open. So the more urgent the stated consequence of not clicking on a link and supplying personal details, the more likely people are to do it.

Given this, one of the best forms of defence against phishing should be raising awareness among the people it seeks to exploit. We know from many sources, such as the recent Black Hat conference in Las Vegas and numerous surveys by reputable researchers such as the Ponemon Institute, that a high number of staff (and managers) do not know what phishing even is. Given that phishing is the prevalent attack method, this is rather poor.

The problem is, and has been for a long time, that a tiny amount of budget is allocated to good quality, role-specific training, education and awareness activities. If employees have email access, including to their own personal email, they must be given thorough training on how to spot phishing attempts and report suspicious emails to an appropriate source. This would help disseminate accurate, up-to-date information on the latest scams. If everyone is aware, at all levels of the organisation, and used to talking about phishing, the chances of someone being caught off guard decrease.

The second line of defence should be software. There is plenty of security software designed to help prevent phishing incursions, and much of it is an excellent backup to your well-trained and regularly tested staff.

Software can be designed to react well, but it has to be primed with examples of successful phishing attacks to be effective. This is why the nuanced reaction and response of a real person will often catch a new phishing attempt that raises none of the flags a piece of software might be using.

Email monitoring software is great, but look at how many phishing emails drift into your account on a daily basis anyway. It’s best not to rely on it 100% as your only defence.

Lastly, we have to talk about spear phishing. This is a deadlier form of phishing that is causing nightmares for information security managers all round.

Specific training needs to be given to people handling sensitive or valuable information. Too often, senior managers will excuse themselves from training on the grounds they are too busy, yet they may be responsible for highly sensitive information and, as such, may be specifically targeted for a bespoke spear phishing attack. It may mean mandatory, specialised training for senior management, but if it steps between a criminal and someone preparing to hand over valuable information, then surely it’s more than worth the time.

Mike Gillespie is director of cyber research and security at The Security Institute.