Industry experts have issued guidance on how businesses can best defend themselves against phishing attacks.
A cybersecurity specialist and penetration tester has cautioned businesses against relying on human instinct to defend against phishing attacks.
Speaking at a security event in Manchester, Technical Director of cybersecurity firm Secarma, Holly Williams, said: “Your users shouldn’t be your business’ first or last line of defence. There should be several lines of defence between me sending an email to the user and it being delivered. A user shouldn’t be able to completely derail business operations just by opening an email.”
Williams advised that rather than relying on employee action, businesses should increase visibility on their internal network to better deal with subsequent attacks.

“If you know the roles employees are supposed to be performing and improve your awareness of commands being executed, you can then detect when users appear to be behaving unusually and start implementing behavioural analytics to combat phishing attacks.”
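One way to turn that advice into a concrete check, as an added example that is not part of the article or of Secarma’s tooling: a per-role baseline of the processes each role normally launches, compared against process-start telemetry, so that a user stepping outside their role stands out. The roles, users, baselines and log lines below are constructed.

```python
from collections import defaultdict

# Constructed example: roles, baselines, users and log lines are assumed.
# Per-role baseline of processes the role is expected to launch.
ROLE_BASELINE = {
    "finance": {"outlook.exe", "excel.exe", "chrome.exe", "acrobat.exe"},
    "helpdesk": {"outlook.exe", "chrome.exe", "cmd.exe", "powershell.exe", "net.exe"},
}
# User-to-role mapping (in practice sourced from the directory or HR system).
USER_ROLE = {"alice": "finance", "bob": "helpdesk"}

# Constructed process-start telemetry: timestamp, user, process name.
SAMPLE_LOG = """\
2019-06-03T09:01:12 alice outlook.exe
2019-06-03T09:02:40 alice excel.exe
2019-06-03T09:05:03 alice cmd.exe
2019-06-03T09:05:04 alice powershell.exe
2019-06-03T09:05:09 alice net.exe
2019-06-03T09:10:00 bob powershell.exe
2019-06-03T09:11:00 bob net.exe
2019-06-03T09:12:30 carol cmd.exe
"""

def parse_log(text):
    """Parse whitespace-separated lines into (timestamp, user, process) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, user, proc = parts
        events.append((ts, user.lower(), proc.lower()))
    return events

def find_anomalies(events, threshold=2):
    """Return {user: [off-baseline processes]} for users worth a closer look.
    No known role means no baseline, so one event flags that user; a user with
    a role is flagged after `threshold` launches outside the role baseline."""
    off_baseline = defaultdict(list)
    for _ts, user, proc in events:
        role = USER_ROLE.get(user)
        if role is None or proc not in ROLE_BASELINE[role]:
            off_baseline[user].append(proc)
    flagged = {}
    for user, procs in off_baseline.items():
        limit = threshold if user in USER_ROLE else 1
        if len(procs) >= limit:
            flagged[user] = procs
    return flagged
```

Here alice (finance) is flagged for three launches outside her role baseline while bob (helpdesk) running the same tools is not, which is the role-aware distinction Williams describes.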
Commenting that phishing attacks play a part in 90% of all data breaches, she continued: “Phishing is a go-to for attackers, but there’s confusion over where it sits in the attack chain. The end result of a phishing attack is very often not just something simple like gathering credentials; it’s one part in a larger story to gain access to systems.”
With 97% of people unable to identify a sophisticated phishing email, Williams further emphasised that employee training is essential for recognising the signs of a malicious email, but that businesses which leave their phishing defence down to human reliability will be far more vulnerable to attacks.
A panel of fellow security experts highlighted the increasing sophistication and volume of phishing attacks, and consequently the growing risk to UK businesses. Last year, 14 billion phishing emails were sent – two for every person on the planet.
Stephen Crow, Head of Defensive Securities and Compliance at hosting firm UKFast, explained: “We’ve seen the complexity of phishing attacks increase dramatically in the first half of this year. Fake chains are being created between board and senior directors asking staff to perform tasks and act fast.”
“Often employees are scared to question the request if it has come from higher up,” he added. “There are lists of email addresses you can purchase online or even obtain for free. It’s a numbers game for hackers: the more you send out, the more likely you are to catch somebody.”
The advice to businesses concerned about the increasing number and convincing nature of fake emails is to limit the assignment of admin privileges, particularly for SMEs where one person could be responsible for multiple tasks or roles. This lowers the number of employees with access to sensitive data, who are more of a target for threat actors.
Issue 18 | www.intelligentciso.com