Phishing attacks are one of the most common security challenges that both individuals and companies face in keeping their information secure. Whether it’s getting access to passwords, credit cards, or other sensitive information, hackers are using email, social media, phone calls, and any form of communication they can to steal valuable data. Businesses, of course, are a particularly worthwhile target.
To help businesses better understand how they can work to avoid falling victim to phishing attacks, we asked a number of security experts to share their view of the most common ways that companies are subjected to phishing attacks and how businesses can prevent them. Below you’ll find responses to the question we posed:
There are multiple steps a company can take to protect against phishing. They must keep a pulse on the current phishing strategies and confirm their security policies and solutions can eliminate threats as they evolve. It is equally as important to make sure that their employees understand the types of attacks they may face, the risks, and how to address them. Informed employees and properly secured systems are key when protecting your company from phishing attacks.
A big component of protecting against phishing is employee training that actually works. Most security training delivered in the enterprise today is either a yearly event or held at employee orientation. If the training is given online the employees rapidly click through the content, ignoring most of the information. This is usually done at lunch while surfing other content. If actually given in person, the training is usually a deck of PowerPoint slides in small font narrated by an uninterested speaker for an hour. The enterprise really needs an effective Training, Education and Awareness (TEA) program for security.
There are several different technological approaches to combating phishing attacks. Certain products send test phishing emails to corporate staff which then provide metrics to security leadership about the efficacy of their anti-phishing training programs. The quality of these can vary but Wombat is a popular product in this space.
Another technological approach is to use a heuristics product to determine if an email is fraudulent. The success rate of these solutions is mixed. They filter out many of the obvious scams, but leave the more cleverly designed emails intact. IronPort is a leader in this niche. Outside of attempting to control social engineering exploits, businesses can also manage risk by investing in cyber security liability insurance. The ROI for this type of policy would have to be weighed against the business model, the data stored and the potential damages they could incur in the event of a data breach.