In addition to having the right tools in place, a company must understand the role its employees play in information security. Employees hold credentials and knowledge that an intruder needs in order to breach the company’s security. One of the ways in which an intruder obtains this protected information is through phishing.
The purpose of phishing is to collect sensitive information with the intention of using it to gain access to otherwise protected data, networks, etc. An attacker’s success is contingent upon establishing trust with the victim. We live in a digital age, and gathering information has become much easier; we are well beyond the dumpster diving days.
There are various phishing techniques used by attackers that can negatively affect an organization and its employees. Common phishing techniques include:
- Embedding a link in an email that redirects an employee to an unsecure website that requests sensitive information.
- Installing a Trojan via a malicious email attachment or advertisement, allowing the intruder to exploit weaknesses and obtain sensitive information.
- Spoofing the sender address in an email to appear as a reputable source and request sensitive information.
- Attempting to obtain company information over the phone by impersonating a known company vendor or IT department.
In order to protect itself against phishing attacks, a company can take the following steps:
- Educate employees and conduct training sessions with mock phishing scenarios.
- Deploy a spam filter that detects viruses, blank senders, etc.
- Keep all systems current with the latest security patches and updates.
- Install an antivirus solution, schedule signature updates, and monitor the antivirus status on all equipment.
- Develop a security policy that includes, but is not limited to, password expiration and complexity.
- Deploy a web filter to block malicious websites.
- Encrypt all sensitive company information.
- Convert HTML email into Text Only email messages or disable HTML email messages.
- Require encryption for employees who telecommute.
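As an added example (not code from the original article), here are three of the checks a spam filter can run to surface the patterns listed above: a blank sender, a From address whose domain does not match the Return-Path, and an HTML link whose visible text names a different domain than its href. The sample message and all domain names in it are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: spoofed display sender, unrelated Return-Path, deceptive link.
SAMPLE_EMAIL = """From: "IT Helpdesk" <helpdesk@example-corp.com>
Return-Path: <bounce@mail-relay.invalid>
Subject: Password expires today
Content-Type: text/html

<p>Sign in at <a href="http://login.example-phish.invalid/reset">https://portal.example-corp.com</a></p>
"""

def registered_domain(host):
    """Crude eTLD+1 (last two labels); an assumption that is fine for a demo."""
    parts = (host or "").lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else (host or "").lower()

class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
    def handle_data(self, data):
        if self._href is not None and data.strip():
            self.links.append((self._href, data.strip()))
    def handle_endtag(self, tag):
        if tag == "a":
            self._href = None

def phishing_indicators(raw):
    """Return the indicator names found in one single-part RFC 5322 message."""
    msg, hits = message_from_string(raw), []
    from_addr = parseaddr(msg.get("From", ""))[1]
    if not from_addr:
        hits.append("blank-sender")
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if from_addr and return_path and registered_domain(
            from_addr.rsplit("@", 1)[-1]) != registered_domain(return_path.rsplit("@", 1)[-1]):
        hits.append("return-path-mismatch")
    if msg.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(msg.get_payload())
        for href, text in collector.links:
            # Only compare when the visible text itself looks like a URL or host name.
            if "://" in text or ("." in text and " " not in text):
                shown = urlparse(text if "://" in text else "http://" + text).hostname
                if shown and registered_domain(shown) != registered_domain(urlparse(href).hostname):
                    hits.append("link-text-mismatch")
    return hits
```

A real filter would add SPF/DKIM/DMARC results to these header checks; this block shows only the structural comparisons.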
Companies can implement multiple measures to protect themselves against phishing attacks that threaten the confidentiality, integrity, and availability of their data. They must stay current with phishing strategies and confirm that their security policies and solutions can eliminate threats as they evolve. It is equally important to make sure that employees understand the types of attacks they may face, the risks associated with these attacks, and how to address them. Informed employees and properly secured systems are key to protecting your company from phishing attacks.