Don't only rely on training to stay safe from phishing threats - here's how to protect yourself
How robust is your phishing tackle?
More than 90 per cent of data breaches are attributed to successful phishing campaigns. That's a haul that should make any CEO sit up and take notice. Since you probably can't shut your organisation off from the outside world without compromising its ability to function, you need to find a way to defend it from phishing expeditions.
Your single best defence is a well-trained staff, but you need to do more than educate employees in how to spot the treacherous hooks: you need to test them. Play the phishers at their own game, and if you catch out your staff, train them better. Learn to block-tackle the phishers, or at least to recognise when you're under attack.
Phishing is a frighteningly effective way to open a back door to an organisation, whether by scatter-gunning employees, directing an attack more narrowly (spear-phishing) or targeting a big fish like the CEO (whaling). Whatever you call it, it's dangerous.
Biggest cyber threat of all
It is hard to overestimate the risk from phishing, and therefore the importance of securing your communications. Email security demands the C-suite's full attention, as affirmed by some of the most credible voices in the world of cyber defence.
Yasmin Green, head of research and development at Jigsaw - the think tank set up by Google's parent company, Alphabet, to sniff out trouble in the digital world in a bid to keep people safe - says that phishing is the most common way individuals are hacked.
Former US Secretary of Homeland Security, Jeh Johnson, told a symposium in New York: "The most devastating attacks by the most sophisticated attackers almost always begin with the simple act of spear-phishing."
Johnson shared his agency's best practice for countering the threat: send emails to employees with suspicious links for enticing giveaways, and then deliver a cybersecurity lesson to those who click the link when they turn up to collect their ‘free sports tickets’.
Phishing tactics - and fallacies
Email was never designed with security in mind, and while bolt-ons to email protocols have helped to reduce spam and phishing attempts, they can't lock it down.
Even people who don't use email can fall victim to a phishing scam by visiting a website that is not what it seems. Hijacking a DNS server or redirecting someone with a man-in-the-middle (MITM) attack can point a user to a fake website.
Hackers can use foreign alphabets to create counterfeit websites with addresses that look almost identical to the real thing. They can also fool smartphone users into believing links are trustworthy by padding out the first - and only visible - part of a malicious URL with a stream of innocuous hyphens.
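The two URL tricks just described can be caught mechanically before a link ever reaches a mailbox. The following is an added example of such a check, not code from the article: the brand list, the confusable table and the hyphen-run threshold are assumptions a real gateway would replace with fuller data.

```python
"""Flag the two lookalike-URL tricks described above: hostnames built from
confusable letters of another alphabet, and hyphen runs that push the real
domain off a phone's visible address bar.  Added example of a mail-gateway
URL check, not from the article; brand list, table and run length are assumed."""
import re
import unicodedata
from urllib.parse import urlsplit

# Constructed, deliberately tiny table of Cyrillic letters that render like
# Latin ones; Unicode's confusables.txt is the authoritative source.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0445": "x",
                             "\u0443": "y", "\u0456": "i"})
PROTECTED = {"apple.com", "paypal.com", "facebook.com"}   # assumed brand list
HYPHEN_RUN = re.compile(r"-{8,}")                          # assumed threshold


def hostname_of(url: str) -> str:
    """Hostname as a user would see it: punycode (xn--) labels are decoded."""
    host = urlsplit(url).hostname or ""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:          # already non-ASCII, or malformed punycode
        return host


def analyse(url: str) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    host = hostname_of(url)
    findings = []
    # 1. Letters drawn from more than one script, e.g. Latin mixed with Cyrillic.
    scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}
    if len(scripts) > 1:
        findings.append("mixed scripts in hostname: " + ", ".join(sorted(scripts)))
    # 2. With confusables mapped back to Latin, does it collide with a brand?
    skeleton = host.translate(CONFUSABLES)
    if skeleton != host and any(skeleton == b or skeleton.endswith("." + b)
                                for b in PROTECTED):
        findings.append("confusable with " + skeleton)
    # 3. Hyphen padding: the text before the run is all a phone screen shows.
    m = HYPHEN_RUN.search(host)
    if m:
        findings.append("hyphen-padded hostname, visible prefix '" + host[:m.start()] + "'")
    return findings


if __name__ == "__main__":
    for u in ("https://www.apple.com/", "https://\u0430pple.com/login",
              "http://m.facebook.com------------------login.example/"):
        print(u, "->", analyse(u) or "clean")
```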
There are some common misconceptions around phishing, but here are the facts:
- Phishing is NOT always easy to detect. We have come a long way from the Nigerian-prince-style scams. Scammers can manipulate sender addresses and URLs and create convincing counterfeit emails which even the spoofed organisation may find hard to distinguish from the authentic versions.
- Technical controls CAN'T block all phishing attempts. It is almost impossible to stop phishing emails without blocking email altogether.
- Criminals CAN create a reassuring ‘lock’ for a fake website. Ignore advice that says it's safe to use a website if a green security padlock appears in the address bar, since criminals can easily obtain a TLS certificate for a bogus site.
Protect and defend
While phishing might be responsible for reeling in the richest haul of data breaches overall, you can help to reduce its likelihood of success in your organisation.
Take it from Jeh Johnson: subjecting your employees to managed phishing attacks improves your defences. Paying for a service to routinely ‘attack’ members of staff empowers people to identify hooks and exposes weak links in the defence chain.
Specific training for senior staff may be required in light of the trend for spear phishing and whaling, as attackers move away from mass-mailing towards targeting executives and privileged users.
You can take some useful technical measures too:
- Mail protection systems scan emails in real time for malicious or suspicious content, and URLs can be checked and rewritten;
- Email validation security architecture - SPF, DKIM, and DMARC - can help to limit your exposure to phishing by checking that incoming email comes from where it says it does;
- Adding a reporting function to your mail client allows staff to easily report phishing emails, enabling your security team to block Web addresses or senders;
- For high-threat or high-security environments, website whitelisting can be a very effective, yet authoritarian, way of ensuring outbound links cannot lead anywhere malicious.
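The SPF/DKIM/DMARC item above hides a detail that matters in practice: a message only passes DMARC when SPF or DKIM passes for a domain that aligns with the From: address the recipient sees, so an attacker's own well-configured mail domain does not help them. The following worked evaluation is an added example, not the article's or any library's code; the DMARC record and the message scenarios are constructed, and the organisational-domain helper is a simplification noted in its comment.

```python
"""Work through the check the SPF/DKIM/DMARC item above describes: DMARC
passes only if SPF or DKIM passes AND the domain that passed aligns with the
domain in the visible From: header.  Added example, not from the article;
the DMARC record and the message scenarios are constructed."""
import re


def parse_dmarc(record: str) -> dict:
    """Pull the tags we need from a published DMARC TXT record, with RFC 7489 defaults."""
    tags = {k: v.strip() for k, v in re.findall(r"(\w+)\s*=\s*([^;]*)", record)}
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return {"p": tags.get("p", "none"), "adkim": tags.get("adkim", "r"),
            "aspf": tags.get("aspf", "r")}


def org_domain(domain: str) -> str:
    """Organisational domain; the last two labels stand in for a public-suffix
    list lookup (assumption: fine for .com/.net, wrong for .co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode ('s') needs an exact match; relaxed ('r') the same organisation."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, record) -> tuple:
    """Return (dmarc_result, action).  spf_domain is the MAIL FROM domain SPF was
    checked against; dkim_domain is the d= of a signature that verified."""
    p = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, p["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, p["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[p["p"]]


# Constructed record for the spoofed brand, as published at _dmarc.example.com.
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Genuine mail from a sending subdomain: relaxed SPF alignment holds.
    print(dmarc_disposition("example.com", "pass", "mail.example.com", "none", "", RECORD))
    # Phish: attacker's own domain passes SPF and DKIM but does not align with From:.
    print(dmarc_disposition("example.com", "pass", "mailer.evil.example", "pass", "evil.example", RECORD))
```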
Phishing comes in many forms and the more methods you have for external communication, the greater your risk. A corporate strategy that favours collaborative working over email transactions could make you a more difficult target for a would-be attacker.
Your starters for ten
- Do you put employees through anti-phishing training specifically, or do you simply brief people about information security?
- Do you maintain intelligent records of phishing attempts, client clicks, and breaches from phishing in order to understand your exposure?
- Do you have any technical controls in place to scan inbound mail for malicious links and attachments?
If the answer to any of those three key questions is ‘No’, you have important work to do.
Graeme is an IT security professional with over eight years' experience in IT delivery, information assurance and cybersecurity in a high-profile and fluid MoD environment. He now works as a senior consultant at Mason Advisory.