Intelligent CISO Issue 32 | Page 42

EXPERT OPINION
False login pages
Another common attack involves criminals sending links to organisation-branded pages where employees are asked to log in as part of new working-from-home processes. The usernames and passwords entered are then stolen and subsequently used to attempt to access company information and applications.
False alerts
Fake pandemic alerts are also sent out with the aim of getting employees to click on them so that malicious software is installed on their computers. From there, criminals can use that software to remotely access networks, or launch ransomware that encrypts the data on the network and only restores access once a fee has been paid (which is never guaranteed).
Criminals will often target certain individuals in these attacks and, with enough planning, can tailor the contents of the email to almost guarantee that the person will click on it and provide information. Individuals performing critical jobs, including senior managers, finance, HR and vendor management, are often the main targets due to the amount of sensitive information they have or their access to critical processes such as payroll. Members of the IT team are often additional targets due to the wide range of administrative access they have to the organisation's network.
Prevention through training
An educated employee is the first line of defence against phishing attacks, so training is a key method to tackle the issue. It is critical to ensure that training covers both how to identify and how to report attempts. If attempts are reported, it can be identified whether other individuals within the organisation are being targeted in a similar way, and action can be taken to respond and safeguard others. Using real examples where possible, such as false news bulletins or tailored, branded communications, helps to increase the effectiveness of these exercises.
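The value of reporting described above comes from correlation: once several employees report a suspicious message, the security team can group the reports by shared indicators (the sending domain and the hosts that the links point to) and see who else received the same lure, including anyone who clicked before reporting. The following is an added example, not code from the article; the report fields, the mailbox names and the `.example` domains are constructed sample data, and the normalisation rules (lower-casing, stripping a leading `www.`) are a simple assumption rather than any particular product's logic.

```python
"""Correlating employee phishing reports to spot a campaign (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse
import re

# Crude URL matcher; good enough for the plain-text bodies used here.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class PhishReport:
    reporter: str      # mailbox that reported the message
    department: str    # used to judge which roles are being targeted
    sender: str        # From: address as seen by the reporter
    subject: str
    body: str
    clicked: bool = False  # did the reporter click before reporting?


def indicators(report: PhishReport) -> set[str]:
    """Extract normalised indicators: the sender domain and every link host."""
    iocs = set()
    sender_domain = report.sender.rsplit("@", 1)[-1].lower()
    iocs.add("sender:" + sender_domain)
    for url in URL_RE.findall(report.body):
        host = urlparse(url).hostname
        if host:
            host = host.lower()
            if host.startswith("www."):   # assumption: treat www.x and x alike
                host = host[4:]
            iocs.add("host:" + host)
    return iocs


def correlate(reports, min_recipients=2):
    """Group reports that share an indicator and return the campaigns seen by
    at least `min_recipients` distinct people, broadest first."""
    by_ioc = defaultdict(list)
    for r in reports:
        for ioc in indicators(r):
            by_ioc[ioc].append(r)
    campaigns = {}
    for ioc, hits in by_ioc.items():
        recipients = sorted({h.reporter for h in hits})
        if len(recipients) >= min_recipients:
            campaigns[ioc] = {
                "recipients": recipients,
                "departments": sorted({h.department for h in hits}),
                # people who clicked need a password reset and a closer look
                "clicked": sorted(h.reporter for h in hits if h.clicked),
            }
    return dict(sorted(campaigns.items(),
                       key=lambda kv: -len(kv[1]["recipients"])))


# Constructed sample reports (not real messages). Two different sending
# addresses push the same "remote working login" page; the rest are one-offs.
SAMPLE_REPORTS = [
    PhishReport("alice@corp.example", "finance", "it-support@corp-remote.example",
                "Action required: new remote working process",
                "Please sign in at https://corp-remote.example/login today."),
    PhishReport("bob@corp.example", "hr", "helpdesk@corp-it-desk.example",
                "Reminder: enrol for remote working",
                "Log in here: https://www.corp-remote.example/sso.", clicked=True),
    PhishReport("carol@corp.example", "it", "alerts@pandemic-alerts.example",
                "Urgent pandemic update",
                "Install the update: http://pandemic-alerts.example/update.exe"),
    PhishReport("dave@corp.example", "finance", "newsletter@vendor.example",
                "Monthly invoice",
                "Your invoice is at https://vendor.example/invoice/1042"),
]

CAMPAIGNS = correlate(SAMPLE_REPORTS)

if __name__ == "__main__":
    for ioc, info in CAMPAIGNS.items():
        print(ioc, info)
```

On the sample data only the link host `corp-remote.example` ties two reports together (the sender domains differ), which is why indicators are extracted from the links as well as the From: address: the response can then be scoped to every mailbox that received that host, not just those who reported it.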
Training the entire organisation might not be feasible, in which case it is important to focus on individuals who are at high risk. These people can be identified through threat intelligence activities or by job role. Users with access to sensitive data (HR, finance) and individuals with privileged system access (application support teams, network administrators) are common targets. Internal phishing campaigns can help to pinpoint individuals who are repeatedly caught out, so they can be given more intensive training.
Mitigation tools and techniques
Should employees fall for the always-evolving phishing attacks, then the organisation needs to be able to detect when someone has been compromised.
42 www.intelligentciso.com