It’s almost inevitable that at some point, a phishing attack against your business will succeed. What can you do now to mitigate the effect of this occurring? To get an answer to this question, I recently approached an expert on this area that is of increasing concern both to businesses and consumers. Rob Chapman is director, information security at Cybera, a PDI company. Rob is a cybersecurity professional and technology generalist with technology experience in academia, enterprise business, Big Data systems, and audiovisual systems. I learned about him from an article in the Disaster Recovery Journal where he asked a colleague to speak to his IT department at a lunch and learn event. The colleague agreed and did a presentation called “How I Will Phish You,” in which he demonstrated that it was only a matter of time before almost any company could get phished.
MITCH: Rob, how bad is the phishing problem nowadays? And by the way, I have control of your webcam and saw what you were doing last night. So, you better send me 1 billion bitcoin immediately or the whole world will know what kind of person you really are. To prove I’m telling the truth, click here for some sample screen captures taken from your webcam…
ROB: Ha! I see you’ve come across one of the more recent variations of phishing. Extortion-themed attacks have been on the rise and are increasingly competing with traditional phishing attacks. Our SOC team says about 90 percent of the attacks we see come through phishing attempts. It’s a bad problem given the ease and financial outcome usually being sought.
MITCH: Is it hard to resist a determined attempt by a threat actor to phish one’s business? What kinds of approaches do they take that typically succeed?
ROB: General phishing that’s not targeted can be blocked without a lot of effort, but targeted phishing will almost always be 100 percent effective eventually. As you would imagine, the approaches vary, but the best ones use easily accessible online information from job boards, social media sites, and similar forums to target a victim’s interests and work habits. We refer to this kind of information as open-source intelligence (OSINT). Much like your example above, attackers can be much more effective when using information that implies they know you personally and that you’re compromised in some way. Another effective format is the phishing attempt that doesn’t look like a phishing attempt. Usually, these are emails simply trying to get you to sign in to fake versions of a real site to harvest your credentials. These can be especially sneaky.
MITCH: Who are all these bad people trying to phish our businesses?
ROB: They are cybercriminals looking for financial gain, corporate espionage data, or access to government systems for nation-state actors. The “who” varies largely based on what they are after. My grandparents are targeted differently than my CEO, but at the end of the day, financial gain tends to be the most important outcome.
MITCH: With the widespread use of social media nowadays, it seems that most people have become desensitized to sharing their personal information online. How can companies deal with this problem when it comes to their employees?
ROB: Social habits change, and we can’t really turn back the clock on how people use social media and other online tools. Trying to control what employees put online is a tough game to play. There are some nonnegotiable items you have to insist on, but beyond that, it’s tough to govern what your employees do on their own time and out of the office. It’s also a legal landscape that’s fraught with danger. Instead, companies have to get smart about having well-thought-out and executed security programs. Security programs that include a named security lead and appropriate resources help companies have a plan of action to handle these situations. Security can’t be an afterthought or a bolt-on. It has to be integrated into the business’s design from the beginning.
MITCH: I suppose it’s almost a given that every company will get successfully phished at least once. What steps can one take to mitigate the potential damage to one’s business should this occur?
ROB: Limit the blast radius of what can happen if someone is compromised. You give people the least privileged access they need to do their job. No single user should hold the keys to the company’s corporate or financial systems. You should have good administrative controls that prevent one person from sending money or other sensitive information out of the company without secondary checks.
Use multifactor authentication, so if someone’s credentials are stolen, they can’t immediately log in to the compromised account.
Measure employee training. You can’t improve what you don’t track and measure. You can train people to be better at spotting and defending against phishing.
Develop well-thought-out and exercised playbooks on how to handle these events when they happen. We have to assume that it will eventually happen, so having a plan on what to do after it happens leads to significantly less damage.
MITCH: What actions to prevent phishing tend to be most effective? Least effective?
ROB: Multifactor authentication is the most effective control you can implement. If you don’t use it today, you are behind the times and ignoring the easiest return on security investment.
The least effective is a checklist attitude about technology magic bullets. Having a spam filter, traditional antivirus, or similar security tool doesn’t magically stop these attacks. Phishing is a problem that requires multiple defense tools, and treating it like a checkbox item is the surest way to let your guard down and get compromised.
MITCH: Anything else you’d like to say on the subject of phishing attacks?
ROB: This can feel very daunting and overwhelming, especially if you are a smaller business with limited resources and people. That doesn’t mean you have to throw in the towel and give up. There are a lot of great managed security service providers that will gladly be that expertise for you. At PDI, we’ve invested heavily into doing that for our customers in the verticals we service. Companies want to invest in the things they are good at, and we want to be the partner for the areas that we’re good in. Giving customers that visibility, set of controls, and response capability is what allows us to serve our customers the best.
MITCH: Rob, thanks for taking the time to engage with me and our TechGenix readers about phishing attacks and how to prevent them.
ROB: You’re very welcome.