Five key steps to defend your organisation from harmful phishing attacks

By Chris Watkins, Head of Security, Ultima

Some of the worst cybercrimes have taken place because of a tiny flaw. Cybercriminals rely on this flaw in an organisation’s security defences – commonly the employees themselves – to launch their attack. You only need to look at the number and scale of phishing attacks taking place every year. In 2021, 83% of organisations reported experiencing phishing attacks. In 2022, an additional six billion attacks are expected to occur.

Many phishing defences start and end with employee training to help them spot a phishing email. Empowering employees is certainly a key strategy. But employee education is only a part of the solution. This article will explain how organisations can widen their defences using technical measures as well as reporting processes and plan for attacks to minimise their impact.

Phishing at its worse

A phishing attack is where a malicious hacker launches an email-based attack with the objective of obtaining user credentials so that they can gain a foothold within a corporate network and use that foothold to exploit data or demand a ransom. Cybercriminals use deception tactics to encourage users to click on a link which launches malware or makes the user give away details such as usernames, email addresses or better still, passwords.

Phishing emails are so common because it’s a numbers game; if a phishing campaign circulates to enough users (often in the millions), it increases the chance of success. Such data breaches not only cause loss of company data but lead to loss of revenue from a decline in customer trust and market value.

Here are five steps to take to bolster the defence of your corporate network that should be combined with effective employee training.

1. Review how you’re preventing phishing emails reaching you in the first place
   

Whether manual or through your cloud-based email provider, ensure that the filtering or blocking service is sufficient for your needs and that it is applied to all users’ accounts.

A filtering service will send them to a junk folder, whereas a blocking service will prevent the email getting through to the user completely. This is based on the senders IP address, domain name, attachment type or because it’s detected malware.

1. Think like a hacker

Often, thinking like a hacker is the best ways to spot one and this involves gaining an understanding of the nature of the threat that phishing poses to your organisation. What would a hacker want from an employee? Which departments are managing processes that are most sensitive (such as product development or finance) and could these processes be mimicked by a hacker?

1. Make specific processes more resilient

This involves good cyber hygiene practice. If dealing with many external email requests, try using multi-factor authentication, such as an SMS message or phone call to verify the sender.

Rather than sending and receiving email attachments, use a different login method or share files through an access-controlled account in the cloud such as Dropbox or Microsoft Teams.

1. Adopt a zero-tolerance security culture It’s important to be realistic – not everyone can spot a phishing email 100% of the time. Phishing emails have become much more sophisticated in recent years. Zero trust is the mindset of ‘protect everyone, verify everything’. Every user and device accessing a network is a potential threat. A zero-trust policy requires employees to act with a healthy dose of scepticism to everything that lands in their inbox. Such a culture brings the employee into the broader security network, establishing trust between the organisation and employee while increasing resilience.
2. Encourage transparency and ensure ease of reporting Often, it’s the phishing culture within an organisation that needs to be improved. Far from pointing the finger and assigning blame to an employee, it’s important to foster a culture of awareness, support, and action. If an employee feels that they are going to be reprimanded for not spotting a phishing email or making a mistake, they may not report it promptly, or at all. Implement a process that is easy to follow when an employee believes that a phishing email has made it past the company’s technical defences. Once it’s been reported, make sure that employees know that it will be actioned so that they feel encouraged to repeat the exercise again. Create an environment where employees aren’t afraid to ask out loud for extra support in spotting phishing attacks. 

Being involved in an organisation’s awareness and reporting culture should all form part of an employee’s wider security hygiene which also includes password management, use of removable media and remote working practices among other things. As an organisation, this should be actively encouraged to ensure that security is maintained.

In summary

A combination of education, simulation, transparency and effective security reporting, along with leading-edge security tools are necessary to create a zero-trust organisation. From a technology perspective, this could involve multi-factor authentication, a VPN, encryption for files and updated hardware. Together, they can create a more secure corporate environment for all.

The reality is that there are always going to be threats that creep into a company’s layers of security. But if an organisation has the necessary security technology, employee education and a strong culture of zero-trust, then identifying and reporting threats becomes innate in everyone.