Article by NCC Group APAC head Julian Davies
In February, the Office of the Australian Information Commissioner (OAIC) revealed that it received notifications of 262 data breaches during the three months ending December, many of them the result of phishing attacks.
“Most data breaches resulting from a malicious or criminal attack involved cyber incidents stemming from compromised credentials (usernames and passwords), such as phishing and brute-force attacks,” OAIC said in a statement at the time.
The quarterly report, released as part of Australia’s mandatory data breach reporting scheme, works to highlight the seemingly unabated rise of malicious attacks and their resulting breaches in the local region.
OAIC said in February that the top cause of data breaches reported under the mandatory reporting scheme in the December quarter was malicious or criminal attack, equating to 168 notifications, followed by human error, which counted for 85 notifications and system error, which led to nine notifications.
The Australian Information Commissioner and Privacy Commissioner Angelene Falk stressed at the time that organisations and individuals needed to secure personal information by safeguarding credentials.
“Employees need to be made aware of the common tricks used by cyber criminals to steal usernames and passwords,” she said.
Given that phishing is among the most commonly employed methods of cybercriminals to obtain the credentials that could ultimately undermine a company’s security infrastructure, it makes sense that this should be one of the first areas organisations look at when working to protect themselves against potential data breaches.
Phishing has for years been one of the top methods used by malicious actors to obtain credentials.
Far from becoming obsolete in the face of new cybersecurity software and systems, phishing is just as effective now as it always has been, albeit in slightly different forms from campaign to campaign.
After all, there are almost limitless ways in which to trick or persuade someone to click on a link in an email or download a file that looks legitimate.
This is why the best defences against phishing are typically low-tech and tend to rely more on common sense than they do on highly advanced software solutions.
It should be noted that there are actually plenty of technology-based solutions that help to minimise the chances of a phishing attack getting the better of an individual or a company. Certainly, the humble email filter is a good start.
However, once a phishing campaign drops into the inbox of its intended target, there’s really only one thing standing between its success or failure: education.
Whether or not a phishing campaign hits home usually comes down to just one person, and the knowledge that the person has around typical phishing methods and how to avoid becoming a victim of them.
With this in mind, two of the most effective ways to minimise phishing risks is education, such as security awareness training, and ongoing phishing simulation programs.
Education by itself is good, but when it is backed up by a schedule of simulated phishing attacks, knowledge of such attacks and how to avoid them begin to embed themselves in the minds individuals.
The best phishing simulation campaigns are those that introduce a wide range of phishing styles and approaches, drawn from some of the most recent examples taken from attacks in the wild.
Additionally, simulation programs should be built around a relatively random schedule, so people don’t get into the habit of expecting something at set times.
Most of all, it’s vital that the results of simulated attack campaigns are shared with recipients and supported by established processes and practices to spot suspicious emails and avoid becoming victims of phishing attacks in the future.
It’s important to remember that this process is less about hunting down an individual’s mistakes as it is about empowering entire teams to be at the top of their game by adopting and maintaining best practices when it comes to identifying phishing attempts; it’s about celebrating the cumulative wins when individuals take the most appropriate action if they do see a phishing campaign in action and report it to the relevant person or team within the organisation.
This process, combined with periodical training and education refreshers, helps organisations make their most valuable asset – their people – one of the most important and effective agents of protection against phishing attacks.