By Bhavesh Goswami, CEO & Founder, CloudThat
In the two years between 2013 and 2015, Google and Facebook were tricked out of USD 100 million by a phishing campaign. That same year, a breach exposed over 78.8 million health care records at Anthem, leading to a lawsuit of around USD 115 million. The source, again, was a spear phishing attack. In the years since then, phishing attacks have continued to soar, becoming one of the most prevalent and dangerous cyber threats organizations around the world currently face.
According to recent IRONSCALES research, 81% of organizations have experienced a spike in phishing attacks since March 2020. The number of business email compromise (BEC) attempts also rose 15% between Q2 and Q3, and one in five malicious data breaches at companies was caused by stolen credentials (according to IBM).
Despite this very real threat, only a few organizations provide phishing awareness training to their employees. This lack of awareness is one of the largest factors fuelling phishing attacks. Remote or hybrid ways of working, virtual communication platforms, and unfamiliar cloud technologies have further increased this risk.
Unfortunately, there is no single silver-bullet solution to stop these attacks. What organizations need is a multi-layered approach – including technical as well as human-centric solutions – to defend themselves. This approach can be broken down into the following seven measures:
1. Secure Email Gateways (SEGs)
SEGs monitor employees’ inbound and outbound emails and scan them for malicious content. If they detect any phishing or malware threats, they block or quarantine the email so that it doesn’t reach the intended recipient.
2. Cloud Email Security
These security solutions sit on the email network and monitor all internal communications, as well as inbound and outbound emails, for malicious content. Cloud Email Security employs AI/ML to analyze employees’ communication patterns and can thus detect personalized phishing attempts.
3. Multi-factor authentication (MFA)
MFA is a simple technical control that requires additional authentication factors – such as a one-time password delivered via SMS, a physical token, or a biometric ID – rather than just a username and password. If a phisher obtains the username and password, the remaining factors still act as a guard.
4. Endpoint Monitoring and Protection
Increased use of cloud services and personal devices has introduced many new endpoints into workplaces. As not all of them are fully protected, it is safe to say some of them will be breached by endpoint attacks. This makes exhaustive monitoring and rapid remediation of these endpoints essential.
5. Security Awareness Training
Security Awareness Training platforms and phishing awareness training deliver a complete program of training materials and simulated phishing campaigns. This helps transform employees into a robust line of defense against such attacks, rather than leaving them as potential targets.
6. Anti-phishing workshops
These workshops are another tool that can be particularly effective with high-risk teams. Organizations can make them fun by including live polling for quizzes, a game-show-style theme, or challenges with rewards.
7. Mock phishing campaign
Simulating phishing attacks helps businesses evaluate the effectiveness of both their defense strategy and their training programs. If employees are good at recognizing suspicious threats, they should still be tested regularly. If not, it’s time to step up their awareness training.
The fear of phishing attacks is neither unfounded nor unwarranted. According to Zscaler, the number of blocked suspicious threats targeting employees soared by a staggering 30,000% between January and March 2020 alone. Since then, the threat landscape has only evolved. The cyber-attack awareness and security strategies of organizations need to evolve at the same pace.