By Jeff Penner, Senior Manager at ActiveCo Technology Management.
Is your business ready to combat spear phishing attacks?
It’s a question that gives many seasoned CTOs bad jitters.
The truth is that you can shore up your technical systems with the latest IDS systems, firewalls, and all manners of monitoring, but with each new report of unprecedented data and security breach coming in now, the threat of security vulnerabilities always seems to loom only a stone’s throw away. The problem does not lie only with the detection and flagging capabilities of your safety systems. It is likely that your IT systems are doing a sophisticated job of that already. But that doesn’t guarantee your safety from phishing attacks.
IT Outsourcing firm has considerable experience in both planning and executing pre-emptive safety tactics to protect businesses from spear phishing. In this article, we will lay out exactly why and how your business needs to be covered beyond standard IT double checks.
Not a computer problem, but a very human one
The scope of building systemic responses against phishing attacks is always limited as it’s mostly limited to a purely technical response. This is simply not enough. There can be no systemic defense against phishing as the threats/ vulnerabilities can literally come from anywhere in the system.
Phishing attacks almost always catch businesses unawares simply because, beyond a small coterie of technical experts, the rest of the people involved simply cannot grasp the scope of how a few apparently insignificant human errors/ breach of protocols can have such a devastating impact on the business.
No matter how many horrifying security breaches pop up in the news every day, the average office-goer (which may include even high-ranking executives and managers) is trained to think of security vulnerabilities as ‘someone else’s (most likely IT’s) problem’.
In my view, this mindset problem causes more vulnerability in the system than any technical loophole you may encounter.
Recognize that clever social engineering can always beat the best-designed firewalls
As far as security systems are concerned, a business can only be as strong as the human links holding it together. This means enabling everyone from the busboy and interns to the executives running on attention bias by default to learn how close and personal security problems can get. Their imaginations need to extend more than the obvious Nigerian prince scams to understand just how sophisticated targeted phishing attacks can get just by using the information in the public domain to be able to dupe everyone from high-ranking political officers, bureaucrats, company leaders, and entire boards and trustees of organizations.
Whether your system is targeted with phishing, spearfishing, or vishing attacks, your staff needs to be made aware enough about each to detect anomalies a mile way. They also need to be empowered enough to be able to be proactive when an emergency arises and resourceful enough to follow protocols without fearing a backlash when they report an incident or admit an error. A toxic or emotionally charged office atmosphere can be as or even more harmful to your business’ security than a long-running undetected systemic vulnerability.
Most businesses will benefit tremendously from setting up transparent incident management and security breach reporting systems that train key personnel in how to respond and protocols to follow in case of a breach.
Drive the vulnerabilities home and make the problems ‘real’
One of the problems in preparing for security breaches is that few people outside the IT department have a notion of what to expect in the case of a breach.
Many businesses are starting to realize just how important employee awareness and proactivity is in traversing fraught scenarios in the case of a threat/ attack. But traditional modes of top-down employee communications, such as pamphlets, fliers and organization-wide communiqués mostly prove ineffective in driving the desired levels of security awareness and engagement.
We advise most clients to walk the opposite route. Instead of routine server downtime notifications and multiple security checkpoint clearances that naturally tend to get associated with a ‘punishment’ neural association with security protocols, we encourage clients to do fairly informal, small group meetings or roadshows that discuss potential vulnerabilities in a manner that makes the problems appear closer and more ‘real’. Discuss latest breaches by all means, but also brainstorm or maybe even create roleplaying games around how to detect deceptions if someone sends emails to group members while posing to be a key team member, a vendor/ supplier, or even top leaders in the organization.
Divide and stay safe
When it comes to systemic checks to ensure security, your best line of defense can come from the separation of responsibilities, flatter hierarchies, and procedures that require at least dual or multiple authorizations to initiate transactions. Whatever security structure you may come up with, please remember that its usability is always limited to a few weeks or months. Every system is vulnerable to insider threats and it’s in your company’s best interest to review and refresh the protocols every few days/ weeks/ months depending on the sensitivity of data. Systemic reviews and risk analysis should be mandatory both periodically and after key exits/ inductions to ensure every team member remains up to date with the latest processes. For sensitive data and key financial transactions – extra controls should be implemented.
Conduct penetration tests at regular intervals
Regular fire drills and hazard awareness are a pain for everyone involved – including drill conductors. They involve downtime, slow productivity for minutes/ hours, and do cost a pretty penny in annual budgets. But in real usage scenario, they do save lives – the value of which can scarcely be calculated.
With heightened data risks, we hope security penetration tests should become a regular feature in most workplaces. Simply put, these tests deploy security experts in the role of hackers who tap into the length and breadth of a business looking for potential security issues and vulnerabilities. Many businesses do not have the requisite resources and expertise to conduct these tests in-house. IT support Vancouver can help you be prepared for and execute security penetration tests efficiently to cover the scope of all major and minor vulnerabilities at your workplace.
Recognize that spear-phishing attacks cannot be isolated
Unlike conventional security products such as antivirus or anti-malware software that most people are familiar with shoring up your system against phishing attacks cannot be an endpoint approach. Spear phishing works on the basis of having enough internal knowledge of your business, technical systems, and key human resources in advance to be able to extort confidence in fraudulent activities despite being on alert.
Building up a defense against spear-phishing tactics requires developing systemic resilience against a multitude of attack vectors. This involves keeping a tab on potential sources of attack, their short and long-term goals, understanding how they choose and build rapport with their intended victims, and recognizing parts of your system most likely to be under threat. Your system needs to be in shape to be able to fight off spear-phishing attempts before, during, and after an attempted breach. You also need to consult with experts with direct knowledge of dealing with rapidly evolving threats from unknown sources in businesses of like size and magnitude as your organization. IT security Vancouver can be a good place to start your research into strengthening your business’ defenses against targeted spear-phishing attacks.
About the Author
Jeff Penner is a senior manager at ActiveCo Technology Management, an IT Outsourcing Vancouver company. Jeff has been in the managed services industry since 2015, understanding what business owners are looking for from technology, and helping them find it. The most important element for a business owner taking on a new technology partner is peace of mind and thus Jeff directs his efforts on finding practical information that any leader can apply to their business. Jeff lives in Vancouver, BC, sharing his love for learning and “the great indoors” with his 2 daughters. Stay connected on Twitter.