Raconteur

Digital Transformation 2020

Issue link: https://raconteur.uberflip.com/i/1261028


Cybersecurity

Five ways to stop phishing in its tracks

With rapid remote-working rollouts being implemented across industries, enterprises have never been so susceptible to cyberattacks, with phishing among the most common threats. Here are five ways organisations can keep themselves safe in the coronavirus era

Kate O'Flaherty

Train remote workers to spot phishing attempts

Employees are a firm's first line of defence from phishing attacks. They need to understand why phishing is a threat, why they specifically might be targeted, what a phishing attempt looks like and what to do if they see or click on a suspicious link, says Amanda Finch, chief executive of the Chartered Institute of Information Security.

This requires training. "The more comprehensive the better," says Finch. For instance, instead of simply emailing advice, organisations should share examples of phishing emails that show employees what to look for and stage mock attacks to demonstrate how easy it is to be fooled.

Cybersecurity training is essential, agrees Professor Kevin Curran, Institute of Electrical and Electronics Engineers senior member and professor of cybersecurity at Ulster University. "There has recently been a new movement where security teams send phishing emails containing fake malware to their employees, which when activated simply leads users to a site highlighting their mistake and educating them on the dangers," he says.

Keep up to date with changing risks

The coronavirus crisis has resulted in many office employees working from home and with this has come a surge in phishing attacks. As remote working became the norm in April, Google's Gmail blocked 18 million COVID-19-related malware and phishing emails every day.

With phishing attacks on the rise, it's important businesses are up to date with the threats they face. Recent phishing attempts are often COVID-19 themed, with threat actors impersonating government organisations such as the World Health Organization to solicit fraudulent donations or distribute malware.

One type of phishing, called spear phishing, sees attackers target users via an email from a trusted sender to lure them in. This type of phishing attack often targets remote workers, with hackers impersonating an organisation's admin or human resources team to encourage users to click on a malicious link or transfer money.

"To help prevent these kinds of attacks, organisations need to set up email authentication policies as a de facto security measure for their domain," says Andy Kennedy, engineer at Google Cloud.

Use two-factor authentication and strong passwords

Cybercriminals often make phishing attempts to steal users' credentials and access sensitive company data. It's therefore a good idea to implement two-factor authentication as an extra layer of protection, says Carl Wearn, head of e-crime at Mimecast. "This should be considered by every security leader."

A solid extra layer of protection is provided by security keys, such as the Yubico YubiKey, which are proven to prevent phishing, says Andrew Shikiar, executive director of the FIDO (Fast IDentity Online) Alliance. He cites the example of software giant Google, whose 85,000 employees use security keys to access online services. "Not one has been successfully phished," he says.

In addition, good password hygiene is integral to help stop phishing attacks. "Ensure employees don't mix personal and work credentials, and use a good password manager to generate sufficiently complex passwords," says Harman Singh, managing consultant at Defendza.

At the same time, users should be discouraged from using the same password across multiple services. If one password is revealed in a data breach, this will allow an attacker to gain access to multiple accounts.

Assess and improve technology controls

While training employees is crucial, technology can help to stop remote workers falling victim to phishing attacks. This is especially important when one mistake could lead to the compromise of entire business systems and expose sensitive information. "If technological controls are weak, an employee clicking on a legitimate-looking email could lead to a compromise of the underlying system," says Defendza's Singh.

Therefore, as well as examining admin rights, securing systems and implementing network segmentation, Singh recommends enhancing email security with technical controls. "These can work together in a layered structure to ensure senders' legitimacy and make sure email isn't spoofed," he says.

In addition, keep anti-virus and anti-malware software up to date, says Ulster University's Curran. "Some phishing emails can be detected by anti-virus tools," he says. "However, it is important teams inform management or the IT department when they receive a suspicious email. This allows IT teams to identify how an email managed to get through their system and consider updating their software."

Create the right culture

It's true that employees are a firm's first line of defence, but at the same time it's important not to blame users if a phishing attack does get through. "Provide users with an easy way of reporting these attacks," says Kevin Breen, director of cyberthreat research at Immersive Labs.

Javvad Malik, security awareness advocate at KnowBe4, agrees. "It is vital employees are given easy and convenient ways to report issues," he says. This could be as simple as a button to allow employees to easily and quickly report a suspected phishing email.

But if remote workers are tricked into opening a malicious email, firms should be careful not to create a culture where they do not report it for fear of reprisal. "If employees can spot and report phishing attempts, it can actually help you when you might have missed something otherwise," says Breen. "It's not all about the technical. While people can be a weakness, they can also be your strongest asset."

Image: Nelen/Shutterstock
