The email looks legitimate – it has the logo of a bank, an attachment from an organization that your company does business with, maybe it even comes from a behemoth like Apple.
Welcome to the wonderful world of phishing scams where hackers have perfected a variety of techniques to lure users into their pond of stolen data and malicious malware.
In the course of a busy day where hundreds of emails are being opened in an organization that has a multitude of employees using workstations, it wouldn't be that difficult for a cybercriminal to easily infiltrate your organization's IT network.
Here's one scenario: an email arrives; it looks credible enough. The employee opens the attachment or, perhaps clicks on a bogus link. This could create a vortex – a hole in the system – which can not only cause a network to be compromised, but worse yet, lead to the distribution of personal information from a company's client list, compromise trust, and could eventually crumble the foundation of an organization.
While this may sound dramatic, it is the state of affairs, and one that costs companies not only billions of dollars to fix, but also a multitude of labor-hours that includes everything from remediation of a breach, to patching, to cleaning up a company's seriously tarnished image.
Why should executives be paying attention to this?
It could be that you're a prime target and phishing attacks are on the rise. It's also to make you consider that your organization must prepare for the click to occur, because it will, at some point.
Executives should be asking the following question to providers and staff: How do our systems protect us when an employee clicks on a phishing email?
Systems today try to remove infected and suspicious emails before they get to a person's email. However, this does not always work. Other technologies exist that will actively look at traffic which may be unusual or suspicious leaving your network. Watching this and having a quick quarantine of infected machines is essential to best protect your assets.
Big businesses are obvious targets, but cybercriminals are notoriously creating phishing attacks against small businesses – those with 250 or fewer employees. Why? Because small businesses are proving to be the most vulnerable. While large corporations have buckled up due to the big publicity of phishing attacks on companies such as Target, many small businesses are doing business as usual.
Because of the very nature of small to mid-size businesses, hackers can use specific methods to find potential flaws. Even weaknesses appearing minor can have detrimental effects because some of the smallest exposures can lead to the biggest exploits.
C-level executives need to find ways to support the organization by directing the implementation of multiple layers of information security to detect, alert and quarantine threats.
Part of a good defense is taking time to brief and train employees on cyber-safety measures, working with experts who understand the specifics of how social engineers stalk their prey and adding an extra layer between being a victim and beating the cybercriminal at their own game.
Even the best information technology departments that have setup, what they believe, to be the most secure firewalls have found that they are still having difficulty staying one step ahead of crafty hacker's schemes. Most firewalls in use today, even if fresh out of the package, are inadequate protection.
The old adage, “the best form of defense is a good offense,” is wholly applicable here. One of the most successful methods for turning the tables on the bad guys is Twinstate Technologies' Preemptive Attack Strategies™ (PAS). PAS is "Good People Doing Bad Things™", where our experts think like hackers. Sounds crafty, yes, but it's the way to really drill down and identify the small and big holes, pin-point potential areas of weakness or discover areas that are already exposed due to misconfigurations in software or hardware. Overall, it's the best way to figure out what specific susceptibilities are present. The truth of the matter is that what might not be a vulnerability for one business could be a gaping hole, open for attack, for another.
A relatively new practice, "ethical hacking" simulates malicious cyberintent. Twinstate Technologies is one of the few EC-Council-Certified Ethical Hacking groups in the markets where we operate. What ethical hacking does is locate and identify vulnerabilities within technology systems; once the defects are identified, a cybersecurity expert can assist in offering tools and fixes to secure and reinforce the systems at the most valuable time – before they are exploited.
While thinking like the bad guys helps identify the weaknesses, the good guys can go on the defense even before hackers can get close. Twinstate Technologies' Multi-Threat Protection™ (MTP) is a highly advanced system security defense, which begins first in the cloud, then at the point-of-entry, and finally at the end-point. This ties everything together to create a cohesive stream of security. There are also other levels of service that survey the network landscape, i.e. internal and external technology environments, to gauge potential threats and then employ safeguards to fight against them. Think of MTP as "Good People Keeping Watch™."
While all of these systems can certainly help stave off phishing attacks, and should be at the top of any c-level executive's "must do" list, these shouldn't be a replacement for the first line of defense — the employee. They should be an enhancement.
What employees should know:
- Brief employees on what qualifies as a "suspicious" email or attachment, such as emails from an unknown address. Instruct them to use extra caution if an email is asking for credentials, such as passwords or other information that is proprietary to a company. Some expert phishing attacks have even been able to target specifics of a company, sending emails from vendors and attachments that look like credible invoices.
- Have steps in place as to what the company expects the employees to do when they receive something that doesn't look quite right, or if they click on something that is suspicious.
- Inform employees who they should contact.
C-level executives have a responsibility to their organizations to keep them safe from hackers. There are ways to help cut the line on phishing; just take some proactive steps forward to be well on your way.
Devi Momot, CEO, received the GSLC – GIAC Security Leadership Certification from SANS (SysAdmin, Audit, Networking and Security) Institute, a certificate for security management that demonstrates the learning of key security essentials that are necessary to administer any security component within an IT environment.
Our Information Security Advisory Team (ISAT) is dedicated to providing comprehensive best practices on cybersecurity protection for organizations. To learn more about our Information Security Services (ISS) and how our ISAT team can support you, contact us.