Phishing has evolved into the most effective social engineering attack hackers use to infiltrate organizations. Phishing aims to con employees into unknowingly downloading malware or revealing their access credentials. The best defence is our individual vigilance.
Phishing.org defines phishing as “a cybercrime in which a target or targets are contacted by email, telephone or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.”
The annual Cyber Security Awareness Month is intended to remind everyone that our individual and collective behaviours are what contain the risk of cyber security incidents. The Canadian government website GetCyberSafe offers several resources to help raise awareness at your company.
Below are the measures most organizations can implement, at a modest cost, to raise individual vigilance significantly and thereby reduce the risk of successful phishing attacks.
Security awareness training
|Protect yourself from financial phishing
|The Internet’s dark side has made cybersecurity essential
|How to prevent ransomware attacks on your computer
Security awareness training is the simplest counter-measure that reduces phishing attacks. In many organizations, every person is required to attend basic security awareness training. Typically the training outline includes:
- Appropriate internet usage for organization and personal purposes.
- Definition of phishing and other types of attacks.
- Overview of motivations of hackers.
- Adverse consequences of successful phishing attacks and other malicious intrusions.
- Adherence to password policy and how to secure personal access credentials.
- How to spot suspicious incoming emails.
- Limitations of the electronic surveillance defences of the organization.
- Review of the confidential information management policy, including:
- Proper handling of confidential information.
- Admonition to not click on links or attachments in emails from unknown sources.
- Reminder to never give out organization information without appropriate authorization.
- Encouragement to report suspicious emails to the cyber security team.
- Reporting phishing and other security incidents.
- How the cyber security team investigates phishing and other incidents.
- Physical security and access to buildings.
Sometimes hackers join organizations as employees or contractors just to gather insider information. Background screening is an essential policy to pre-emptively counter future phishing attacks based on information gathered. Screening should not be limited to employees but should include vendor staff and contract workers because almost everyone has some form of access to the organization’s network and facilities.
Not screening or haphazard screening invites hackers to gather insider information for future attacks.
Every organization should operate an access control system to ensure that only explicitly authorized people can access systems and facilities. Everyone needs to learn to challenge people they don’t recognize firmly.
Frequent physical security oversights include:
- Not rigorously deleting individuals from access control systems after they leave the organization.
- Providing too much access to individuals for the roles that they hold.
Mock social engineering drills
Occasionally, the cyber security team should send a phishing message to employees as a drill to gauge the effectiveness of security awareness training in the organization.
Events that preclude value from drills include:
- Not holding drills.
- Holding too many drills and annoying large numbers of employees.
- Sanctioning employees for understandable missteps rather than using such drill-related incidents to reinforce training.
Information classification policy
The organization should develop, and employees should be expected to read and sign an information classification and management policy. Classification assigns a level of value and sensitivity to categories of organization data. Each information classification includes different rules for viewing, editing and sharing the data.
The cyber security team should constantly monitor the information about the organization floating around on the web. The discovery of confidential information should trigger an investigation. These processes should protect confidential information and make passive information gathering more difficult for attackers.
Factors that undermine the policy and these processes include:
- Foggy or complex and lengthy definitions for every information category.
- Failure to investigate potential incidents.
- Failure to censure employees for infractions.
For more information, please read Security Awareness Month Tips: Make employees feel they’re on the team.
For tips on cyber security, visit the Get Cyber Safe website.
Yogi Schulz has over 40 years of information technology experience in various industries. Yogi works extensively in the petroleum industry. He manages projects that arise from changes in business requirements, the need to leverage technology opportunities, and mergers. His specialties include IT strategy, web strategy and project management.
For interview requests, click here.
The opinions expressed by our columnists and contributors are theirs alone and do not inherently or expressly reflect the views of our publication.
© Troy Media
Troy Media is an editorial content provider to media outlets and its own hosted community news outlets across Canada.