
How to stop phishing attacks – NCC Group

09 May 2019

Article by NCC Group APAC head Julian Davies 

In February, the Office of the Australian Information Commissioner (OAIC) revealed that it received notifications of 262 data breaches during the three months ending December, many of them the result of phishing attacks.

“Most data breaches resulting from a malicious or criminal attack involved cyber incidents stemming from compromised credentials (usernames and passwords), such as phishing and brute-force attacks,” OAIC said in a statement at the time.

The quarterly report, released as part of Australia’s mandatory data breach reporting scheme, works to highlight the seemingly unabated rise of malicious attacks and their resulting breaches in the local region.

OAIC said in February that the top cause of data breaches reported under the mandatory reporting scheme in the December quarter was malicious or criminal attack, accounting for 168 notifications, followed by human error, which accounted for 85 notifications, and system error, which led to nine notifications.

The Australian Information Commissioner and Privacy Commissioner Angelene Falk stressed at the time that organisations and individuals needed to secure personal information by safeguarding credentials.

“Employees need to be made aware of the common tricks used by cyber criminals to steal usernames and passwords,” she said.

Given that phishing is among the most commonly employed methods of cybercriminals to obtain the credentials that could ultimately undermine a company’s security infrastructure, it makes sense that this should be one of the first areas organisations look at when working to protect themselves against potential data breaches.

Phishing has for years been one of the top methods used by malicious actors to obtain credentials.

Far from becoming obsolete in the face of new cybersecurity software and systems, phishing is just as effective now as it always has been, albeit in slightly different forms from campaign to campaign.

After all, there are almost limitless ways in which to trick or persuade someone to click on a link in an email or download a file that looks legitimate.

This is why the best defences against phishing are typically low-tech and tend to rely more on common sense than they do on highly advanced software solutions.

It should be noted that there are actually plenty of technology-based solutions that help to minimise the chances of a phishing attack getting the better of an individual or a company. Certainly, the humble email filter is a good start.

However, once a phishing campaign drops into the inbox of its intended target, there’s really only one thing standing between its success or failure: education.

Whether or not a phishing campaign hits home usually comes down to just one person, and the knowledge that the person has around typical phishing methods and how to avoid becoming a victim of them.

With this in mind, two of the most effective ways to minimise phishing risk are education, such as security awareness training, and ongoing phishing simulation programs.

Education by itself is good, but when it is backed up by a schedule of simulated phishing attacks, knowledge of such attacks and how to avoid them begins to embed itself in the minds of individuals.

The best phishing simulation campaigns are those that introduce a wide range of phishing styles and approaches, drawn from some of the most recent examples taken from attacks in the wild.

Additionally, simulation programs should be built around a relatively random schedule, so people don’t get into the habit of expecting something at set times.

Most of all, it’s vital that the results of simulated attack campaigns are shared with recipients and supported by established processes and practices to spot suspicious emails and avoid becoming victims of phishing attacks in the future.
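The three practical points above (a varied set of lure styles, a send schedule people cannot predict, and results fed back to recipients) can be sketched as a small planner. The following is an added example written for this article, not NCC Group code or any product's API; the lure themes, the employee names and the outcome records are constructed placeholders, and the scheduling rule (random send days with a guaranteed minimum gap) is one reasonable design, not a stated requirement of the article.

```python
import random
from datetime import date, timedelta
from typing import Dict, List

# Constructed placeholder themes standing in for lure styles drawn from
# recent real-world campaigns (the article recommends a wide range).
THEMES = ["invoice-overdue", "password-expiry", "shared-document", "delivery-notice"]


def plan_schedule(start: date, end: date, campaigns: int,
                  min_gap_days: int, seed: int) -> List[Dict]:
    """Spread `campaigns` send dates across [start, end] with random spacing,
    so recipients do not learn to expect a simulation at fixed times, while
    keeping at least `min_gap_days` between consecutive sends.
    Returns a date-ordered list of {"day": date, "theme": str}."""
    rng = random.Random(seed)          # seeded only so the example is reproducible
    span = (end - start).days
    reserved = (campaigns - 1) * min_gap_days
    if span - reserved + 1 < campaigns:
        raise ValueError("window too short for the requested number of campaigns")
    # Sample distinct offsets from the window with the minimum gaps removed,
    # then re-insert one gap per interval: consecutive sends are then at least
    # min_gap_days + 1 apart and the last send never passes `end`.
    base = sorted(rng.sample(range(span - reserved + 1), campaigns))
    offsets = [b + i * min_gap_days for i, b in enumerate(base)]
    # Use each theme at most once while enough themes exist, else reuse.
    if campaigns <= len(THEMES):
        themes = rng.sample(THEMES, campaigns)
    else:
        themes = [rng.choice(THEMES) for _ in range(campaigns)]
    return [{"day": start + timedelta(days=o), "theme": t}
            for o, t in zip(offsets, themes)]


# Constructed outcome records for two campaigns; "reported" is the behaviour
# the article says should be celebrated, so it is tracked alongside clicks.
SAMPLE_RESULTS = [
    {"campaign": "invoice-overdue", "user": "u1", "clicked": True,  "reported": False},
    {"campaign": "invoice-overdue", "user": "u2", "clicked": False, "reported": True},
    {"campaign": "invoice-overdue", "user": "u3", "clicked": False, "reported": False},
    {"campaign": "invoice-overdue", "user": "u4", "clicked": True,  "reported": True},
    {"campaign": "password-expiry", "user": "u1", "clicked": False, "reported": True},
    {"campaign": "password-expiry", "user": "u2", "clicked": False, "reported": True},
    {"campaign": "password-expiry", "user": "u3", "clicked": False, "reported": False},
    {"campaign": "password-expiry", "user": "u4", "clicked": True,  "reported": False},
]


def summarise(results: List[Dict]) -> Dict[str, Dict[str, float]]:
    """Per-campaign click and report rates, suitable for sharing back with
    recipients. Each result is {"campaign", "user", "clicked", "reported"}."""
    totals: Dict[str, Dict[str, int]] = {}
    for r in results:
        c = totals.setdefault(r["campaign"], {"sent": 0, "clicked": 0, "reported": 0})
        c["sent"] += 1
        c["clicked"] += int(r["clicked"])
        c["reported"] += int(r["reported"])
    return {name: {"click_rate": round(c["clicked"] / c["sent"], 3),
                   "report_rate": round(c["reported"] / c["sent"], 3)}
            for name, c in totals.items()}


if __name__ == "__main__":
    for item in plan_schedule(date(2019, 7, 1), date(2019, 9, 30), 4, 10, seed=42):
        print(item["day"].isoformat(), item["theme"])
    for name, rates in summarise(SAMPLE_RESULTS).items():
        print(name, rates)
```

The report rate is the number worth putting in front of teams: it measures the behaviour the program is trying to build, whereas a click rate on its own only measures mistakes.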

It’s important to remember that this process is not so much about hunting down an individual’s mistakes as about empowering entire teams to be at the top of their game by adopting and maintaining best practices for identifying phishing attempts. It’s about celebrating the cumulative wins when individuals take the most appropriate action on seeing a phishing campaign in action and report it to the relevant person or team within the organisation.

This process, combined with periodical training and education refreshers, helps organisations make their most valuable asset – their people – one of the most important and effective agents of protection against phishing attacks.
