Phishing is one of a number of exploits that attempt to get an individual to participate in something that is damaging either to themselves or to the wider organisation they are part of. Employee training continues to be a vital part of the defence strategy and the need for vigilance is vital and ongoing. Todd Kleppe, the VP of Global Operations at A10 Networks outlines how to minimise the danger from phishing below.
Phishing is achieved by luring the individual into opening an attachment, clicking on a link, or similar. A study conducted at Columbia University showed the efficacy of email as a form of attack. Researchers sent out 2,000 phishing emails, of which 176 were opened. Those 176 people were then warned that they'd fallen for a phishing attack. The researchers later sent another round of phishing emails to those same people, and 10 of them once again clicked. After another warning and a third batch of phishing emails, three people fell for it again. It wasn't until the fourth round that no one opened the emails.
As that study shows, it's often people who are the weak links as phishing is a form of attack where human decision-making is critical.
Certainly training and awareness can help minimise the number of such incidents, and the effectiveness of training can be tested by running a simulated phishing exercise against one's own organisation. Usually someone will click, but the numbers can be minimised.
The first line of defence remains looking at the traffic. With email, for example, most organisations drop anywhere between 65 per cent and nearly 75 per cent of incoming email. Some of the email is merely suspicious or annoying, and you may see messages come through marked with labels such as [SPAM], [Marketing Mail] or the like. The intent is to avoid blocking something that might be legitimate, while giving the user a flag and the opportunity to delete the message or to create a rule that diverts emails so marked.
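The tag-rather-than-drop approach described above, as an added example that is not code from the article or from A10 Networks: a small rule-based triage step that hard-drops only known-bad senders and otherwise prefixes the subject with [SPAM] or [Marketing Mail] so the user (or a mailbox rule) can act on the flag. The internal domain, the blocklist, the X-Spam-Score header name, the score threshold and the sample messages are all constructed assumptions for the demonstration.

```python
"""Rule-based email triage: flag suspicious mail with a subject label instead of silently dropping it.

Added example, not from the article. The domain names, blocklist, header names,
threshold and sample messages are constructed assumptions.
"""
import email
from email.message import Message
from email.utils import parseaddr
from typing import List, Optional, Tuple

INTERNAL_DOMAIN = "example.com"                   # assumed: the organisation's own domain
SPAM_SCORE_THRESHOLD = 5.0                        # assumed: upstream score at which mail is tagged [SPAM]
BLOCKED_SENDER_DOMAINS = {"bad-sender.invalid"}   # constructed blocklist: the only hard-drop case

LABELS = {"spam": "[SPAM]", "marketing": "[Marketing Mail]"}


def sender_parts(msg: Message) -> Tuple[str, str]:
    """Return (display_name, address) from the From header, lower-cased."""
    name, addr = parseaddr(msg.get("From", ""))
    return name.strip().lower(), addr.strip().lower()


def classify(msg: Message) -> str:
    """Return one of 'drop', 'spam', 'marketing' or 'deliver'."""
    name, addr = sender_parts(msg)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # Hard drop only for a sender domain already on the blocklist.
    if domain in BLOCKED_SENDER_DOMAINS:
        return "drop"

    # Display name mentions the internal domain but the address is external:
    # display-name spoofing. Tagged, not dropped, so the user sees the flag.
    if INTERNAL_DOMAIN in name and domain != INTERNAL_DOMAIN:
        return "spam"

    # Verdict from an upstream scanner (assumed header name X-Spam-Score).
    try:
        if float(msg.get("X-Spam-Score", "0")) >= SPAM_SCORE_THRESHOLD:
            return "spam"
    except ValueError:
        pass  # malformed score header: ignore it rather than fail open or closed

    # Bulk senders advertise List-Unsubscribe (RFC 2369); treat as marketing.
    if msg.get("List-Unsubscribe"):
        return "marketing"

    return "deliver"


def tag_subject(msg: Message) -> Optional[str]:
    """Return the subject the user will see, or None if the message is dropped."""
    verdict = classify(msg)
    if verdict == "drop":
        return None
    subject = msg.get("Subject", "")
    label = LABELS.get(verdict)
    if label and not subject.startswith(label):
        subject = f"{label} {subject}"
    return subject


# Constructed sample messages covering each rule.
RAW_SAMPLES = [
    "From: Newsletter <news@shop.example.net>\n"
    "List-Unsubscribe: <mailto:unsub@shop.example.net>\n"
    "Subject: Weekly deals\n\nHello\n",
    "From: IT Helpdesk example.com <helpdesk@mail-reset.example.net>\n"
    "Subject: Password expires today\n\nPlease act now\n",
    "From: Alice <alice@example.com>\nSubject: Lunch?\n\nNoon?\n",
    "From: x <x@bad-sender.invalid>\nSubject: Invoice\n\n(body)\n",
    "From: Someone <s@elsewhere.example.org>\nX-Spam-Score: 7.2\n"
    "Subject: You won\n\n(body)\n",
]


def triage_all(raws: List[str] = RAW_SAMPLES) -> List[Tuple[str, Optional[str]]]:
    """Run every sample through the rules; returns (verdict, subject shown) pairs."""
    results = []
    for raw in raws:
        msg = email.message_from_string(raw)
        results.append((classify(msg), tag_subject(msg)))
    return results


if __name__ == "__main__":
    for verdict, subject in triage_all():
        print(f"{verdict:10} {subject}")
```

The ordering of the rules matters: the blocklist is checked first because it is the only outcome that removes the message, and the spoofing check comes before the bulk-mail check so that a phishing message carrying a List-Unsubscribe header still gets the stronger [SPAM] label.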
Most companies employ a security framework such as NIST or ISO 27001. Such frameworks include risk assessments, policies and controls to mitigate risks, and audits to demonstrate implementation. One of the key controls is always security and security awareness training.
Unfortunately, email will continue to be a top vector when it comes to breaching systems. We have relied far too heavily on email for far too long and need to move away from it and begin to seriously look at other communication modalities. In the meantime, measures need to be put in place to keep an organisation and its staff protected. Phishing in particular relies upon human mistakes, so to minimise the danger from phishing it is in the interest of CISOs to ensure that all staff are trained, that they take responsibility collectively and individually for keeping the network and its associated data safe and secure, and that effective traffic monitoring is implemented.
The bad guys are incentivised to attack consistently, often with unsophisticated methods, so organisations need to build resilience to be effective at defending against the attacks.