Nettitude consultant, Cory Stone, looks into phishing scams and how they can affect your business.
Phishing is the practice of using deceit to trick users into voluntarily accessing malicious files or websites, often via email. This can be an automated process via spam emails, but businesses of all sizes are also at risk of ‘spear phishing’, where emails are hand-crafted to be convincing to chosen targets. Phishing in either form has been a popular attack strategy for threat actors ever since the popularization of commerce on the internet. Phishing is now the most frequently encountered category of threat to businesses, being seen by 72% of organizations according to the SANS Institute 2017 Threat Landscape Survey, which also identified phishing as the threat with the largest overall impact. In spite of almost everyone now being aware of phishing as a concept, approximately 30% of employees will click on a phishing email, and half of those will go on to access the malicious content (according to a compilation of sanctioned security tests, published in the 2016 Verizon DBIR). Given that it only takes one such click to cause a breach, this issue should be at the forefront of any responsible business’s mind when developing its defense strategy.
Is training the solution?
Since the attack relies on users’ actions, employees are often thought of as the weak point when a breach occurs due to phishing. The good news is that this is not actually the case, and the solution is more manageable than attempting to make employees immune to deception. Employee training is strongly advised to mitigate the risk of employees being convinced to circumvent security measures by an attacker, but ultimately users should be considered the last line of defense against phishing attacks. Technology and processes should ensure that phishing emails are filtered out before reaching employees, and that the damage is minimized on the occasions when an email does reach them. An example of how mitigation could be achieved would be through the implementation of technologies such as web gateways, mail filtering and outbound firewall rules. Engineering an effective system for defense against phishing is challenging, but should be a top priority given the size of the threat.
In the industry, phishing is considered a social engineering attack vector. Remote social engineering penetration testing assesses an organization's susceptibility to phishing attacks, and determines where changes should be made to improve security. Interestingly, social engineering engagements account for less than 15% of tests performed by security assurance providers. This number is bewildering given the huge volume of breaches that involve phishing strategies, as mentioned above. The logical conclusion is that most companies are either not aware that phishing is amongst the biggest threats to their security, or are not aware that the risk can be mitigated considerably by social engineering testing. When all is said and done, given the threat landscape, having remote social engineering testing performed and implementing the recommended changes should be the number one priority for businesses that care about their security.
How Nettitude can help
Nettitude can provide your business with a bespoke social engineering service which not only examines the security awareness of employees but also analyses the effectiveness of a number of key technical controls which can mitigate a phishing-based attack. Additionally, we offer security awareness training for your employees to help them protect your organization.
Want to know more? Our team are on hand to help; contact us today for a consultation.