There’s nothing new about scams designed to infiltrate work emails. But with more staff working in isolation, away from our IT and IS teams, it’s never been more important for employees to know how to protect against phishing emails.
Sitting at a desk in a quiet corner of the house, your employees and colleagues are at risk of more than just an interruption from an irate toddler. As the Covid-19 pandemic has seen unprecedented numbers working remotely or from home, the volume of phishing emails has also reached unparalleled levels. Increasing by 600 per cent in the first quarter of 2020, they continue to put business system security at risk as we move through the third quarter.
Although naïve Internet browsing can open up opportunities for hackers, it is not enough to simply warn staff about clicking suspicious links, acting on poorly worded emails or opening unfamiliar browsers. To protect against the potential damage caused by phishing emails, a more advanced level of understanding is required. That is because phishing attacks are becoming increasingly sophisticated, often appearing to come from reputable sources, such as your own HR department or another trusted party.
Although there are still rudimentary scams that try to persuade people to part with money for non-existent services or products, the greatest risk for businesses actually comes from phishing emails designed to persuade individuals to share password or access information so the hacker can gain access to network systems and, ultimately, the most valuable commodity of all: data.
The first line of defence is ensuring that everyone has a basic level of personal awareness. This includes (but is not limited to):
If in doubt, any links should be checked with the sender or avoided altogether by accessing the website directly. One common tip is to hover the mouse pointer over a link before it’s clicked in email clients like Outlook, to reveal the full URL before selecting. Reading these URLs carefully can help to identify subtle modifications designed to catch people out – e.g. sampledomain.com could be changed to sampledomaln.com.
In many cases this slight change can be enough to make a malicious domain look legitimate. Another similar tactic is to use a subdomain instead of a domain – e.g. sampledomain.site.com. Careful proofreading doesn’t take long but it can be extremely effective in avoiding a phishing scam.
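The two checks just described can also be automated at the mail gateway or in a link-scanning tool. The following Python is an added example (not code from the original article or from SRM): it flags domains that differ from a trusted domain only by visually confusable characters, and trusted names used as a subdomain of somebody else's domain. The allowlist, the confusable pairs and the sample links are constructed assumptions, and the "last two labels" rule stands in for a real Public Suffix List lookup.

```python
from urllib.parse import urlsplit

# Constructed allowlist of the organisation's real domains (assumption for this example).
KNOWN_DOMAINS = {"sampledomain.com"}

# Character sequences that look alike at a glance, folded to one form (constructed, not exhaustive).
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o"))


def skeleton(name: str) -> str:
    """Fold confusable characters so that look-alike names compare equal."""
    s = name.lower()
    for src, dst in CONFUSABLE_PAIRS:
        s = s.replace(src, dst)
    return s


def registrable_domain(host: str) -> str:
    """Simplification: treat the last two labels as the registrable domain.
    A production check would consult the Public Suffix List instead."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> tuple:
    """Return (verdict, detail) for a link found in an email."""
    host = urlsplit(url).hostname
    if not host:
        return ("invalid", "no host in URL")
    reg = registrable_domain(host)
    if reg in KNOWN_DOMAINS:
        return ("known", reg)
    # Subdomain trick: a trusted name appearing left of someone else's registrable domain.
    brand_labels = {d.split(".")[0] for d in KNOWN_DOMAINS}
    for label in host.lower().split(".")[:-2]:
        if label in brand_labels:
            return ("subdomain-impersonation", f"{label} is only a subdomain of {reg}")
    # Look-alike: identical to a trusted domain once confusable characters are folded.
    for known in KNOWN_DOMAINS:
        if reg != known and skeleton(reg) == skeleton(known):
            return ("lookalike", f"{reg} resembles {known}")
    return ("unknown", reg)


if __name__ == "__main__":
    # Constructed sample links covering each case.
    for link in ("https://www.sampledomain.com/login", "https://sampledomaln.com/login",
                 "https://sampledomain.site.com/", "https://example.org/"):
        print(link, "->", classify_link(link))
```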
These basic steps will go some way to helping individuals to protect their own devices but when it comes to corporate network security an altogether more rigorous security posture is required.
Firstly, antivirus software should be kept up to date. Then, check all other software that is being used and install every update and patch issued by the manufacturers on a rolling schedule or as soon as they become available. A number of notable breaches have been attributed to the failure to install patches which had been issued.
Secondly, consider installing solutions that block access before rogue emails even reach the inbox of employees. Spam filters are available that can detect viruses, blank senders or suspicious sources and stop them getting through. Browser add-ons can also be enabled to prevent users from clicking through to potentially malicious sites.
Passwords are the keys to the kingdom, providing access to systems. So, they should always be treated as the valuable commodities they are. A security policy should include password expiration and complexity. In addition, two-factor authentication can also be used to add a layer of security and to prevent hackers who may have compromised a user’s credentials from gaining any further access.
To remove the need for individual passwords, a single sign-on (SSO) with strong authentication can be employed. These systems can be configured in such a way that employees never have to enter passwords manually. Because their password strings are unknown to them, they could not even enter them if they wanted to. Where an SSO is used across an organisation, any request for a password or log in credentials can almost certainly be assumed to be a phishing attack.
As with all information security plans, testing is vitally important to establish how effective a strategy is. This means that employees should be regularly tested with fake phishing emails and similar types of social engineering attack. The aim is not to specifically catch out individuals, but to enhance awareness and to develop and improve training through phishing simulation. These tests need to be carefully engineered to establish any gaps or weaknesses while promoting a culture of openness and co-operation. After all, as the first targets of any attack, your employees need to know how to protect against phishing emails: they will be the first to spot any abnormal activity and should feel free to report it without fear of blame or reprisals.
This is where the adage “Expect the best, prepare for the worst” comes in. While every precaution can and should be taken, given the relentless nature of hackers, there is always a chance that one of their attacks will succeed. It is therefore essential that steps are taken to limit the extent of access gained by any one breach.
Access to each area of the network should be limited only to those who need it. If sensitive data is encrypted and internal firewalls and secure areas are built into systems, they will provide additional barriers, preventing hackers from moving freely through a system once they have gained entry.
A well-structured security protocol will also have strong policies around the uses for inbound and outbound gateways through the firewall. These are essential to monitor what is coming into a network but also to monitor what is going out. That is because a breach can be detected by monitoring and curtailing traffic going out of the network, using Data Loss Protection and outbound email scanning tools.
Arguably the most important element of the matrix, employee training needs to be effective if it is to deliver any genuine benefit. Annual training, in today’s ever-changing environment, is unlikely to be sufficient. Nor is online training which simply requires employees to click through pages of content. The most effective form of training is delivered by experienced professionals with knowledge of the most recent exploits and delivered in a way that actively engages the user.
The team here at SRM have expertise in delivering cost-effective information security solutions for businesses of all sectors and sizes. We have many years’ experience in building defences, testing systems and delivering effective and engaging training programmes. We can help to show clients how to protect against phishing emails and other social engineering activities.
To find out more about how we can assist you in training, phishing simulation and regular vulnerability scanning, drop us a message today by clicking here.