Opinion

With phishing attacks soaring, how can we minimise the risk?

5 min read

22 August 2017

A look at minimising the risk of phishing attacks as the numbers continue to grow, affecting businesses and individuals alike.

Phishing is amongst a category of sneaky exploits that sets out to coerce an individual to take part in something that either is damaging to themselves or the organisation they belong to. How does it work?

The unsuspecting victim is usually lured into clicking on a link or opening an attachment. The element that is exploited here is a human one, and can be regarded as attacks of social engineering.

What is particularly worrying is that this form of attack has proven to be very successful. Researchers at Columbia University conducted a study to show how efficient email attacks are. 2,000 emails were sent out by researchers and 176 of those were opened.

Immediately, the 176 people were warned that they had fallen for a phishing attack. Another set of emails were sent out the same people and ten people continued to fall for the attack. On the third batch of emails, three people were victim to the attack. It wasn’t until the fourth round that nobody opened the emails. 

So, the lesson to be learnt from this study is that often, it’s people who are the weak links. But what can we do to make them a stronger part of the chain?

As phishing is a form of attack where human decision-making is crucial, employee training is an essential and ongoing component in the defence strategy. 

We can look at security as a pyramid where the horizontal axis is the number of incidents and the vertical axis is the level of sophistication involved. The top of the pyramid features the smallest number of incidents, but a level of sophistication that is very, very difficult to defeat.

The bottom of the pyramid has the highest numbers and the least sophistication. This is often the realm of phishing or related exploits that depend on someone clicking without paying attention or exercising bad judgement. 

This is where training comes into play. By running an exploit on yourself and staff, we can minimise the number of these incidents as awareness grows. Certainly, someone will often still click, but the numbers can be minimised – which is the key goal. 

Email will continue to be the first victim when it comes to breaching systems, because we have been so reliant on email for so long.

In an ideal world, we need to start looking at other communication modalities to help protect against these types of attacks. There are better, arguably more secure solutions out there for communications, examples being an internal intranet via Jive or social business applications such as Yammer or Slack.

But in the meantime, the first line of defence remains looking at the traffic. Organisations usually filter 65-75 per cent of incoming mail, which appears as suspicious or even simply annoying.

The intent is to avoid blocking something that might be legitimate, but to give the user a flag and the opportunity to delete or to create a rule to divert the emails so marked.

Many companies employ a security framework such as NIST or ISO27001. Such frameworks include risk assessments, policies and controls to mitigate risks, and audits to demonstrate implementation.  One of the key controls is always security and security awareness training.

Phishing in particular relies upon human mistakes and so to minimise the danger from phishing, it is in the interest of CISOs to ensure all staff are trained, take responsibility collectively and individually for keeping the network and its associated data safe and secure and that effective traffic monitoring is implemented.

Since email will continue to be around for a while, we need to focus on putting measure in place to keep staff and organisations safe.

Unfortunately, due to the effectiveness of unsophisticated attacks, it doesn’t take much to incite criminals to carry out a phishing attack. So, instead, organisations need to build resilience to become effective at blocking attacks. 

Todd Kleppe is VP of global operations at A10 Networks

[rb_inline_related]