8 February, 2016
The biggest security threat to companies right now is phishing. Phishing was traditionally a problem for the banking and finance industries, but now it’s a growing threat in other sectors like retail, media, and government.
Phishing schemes are designed to infiltrate organizations and steal information for political or financial gain. They’ve been around for a while. Their longevity is due in part to the fact that fabricated emails are becoming more sophisticated all the time, and more convincing to the victims they’re targeting. Spear phishing is particularly effective because consumers think the email is coming from someone they know and trust.
In their latest Phishing Activity Trends Report, the APWG reports it is now receiving twice as many reports as it did in 2014. Phishing is a double whammy for corporations because it can target staff and customers. The consequences include everything from identity theft to financial loss, data breach, and brand damage.
What can organizations do to protect themselves against phishing attacks?
You can do a lot.
1. Two-factor authentication. For starters, implement single sign-on as well as two-factor authentication. Two-factor authentication is a technology that requires two forms of “identity” to log in: something you have (cell phone, token, etc.) and something you know (username/password). CSC offers two-factor authentication, which we also use to keep our internal systems secure. Two-factor authentication gives you the biggest return on investment; it’s easy and cost-effective, and it makes sure only authorized individuals can access specific digital properties.
2. Locking down critical domains. Your domain portfolio is a target for hacktivists, especially if your brand is popular or controversial. For your company’s critical domains, consider registrar and registry lock options that prevent unauthorized transfers of domains to phishers. At CSC, we recommend implementing both through our MultiLock protection. This means that for changes to be made to the domain name, three independent parties must provide authorization, significantly reducing the likelihood of a domain name being hijacked.
3. Consider phishing detection and response services. There are also commercial phishing detection and takedown services that keep a constant lookout for potential attacks. When an attack does occur, every minute counts. You’ll want a rapid takedown service to mitigate potential damage as much as possible.
4. Protect the email channel. Since the primary channel used for phishing attacks is email, it also makes sense to protect this avenue with an email fraud protection solution. This is an additional layer of protection that can stop spoofed, fraudulent emails from reaching the inbox and ensure that only email from legitimate senders reaches your clients.
5. Educate, educate, educate. Educating your staff and customers about phishing is the single most important thing you can do, because these attacks work by exploiting a lack of awareness. A single click on a malicious link can compromise an entire organization. Ponemon Institute®, a leading cybersecurity research firm, has reported that a significant number of data breaches are caused by corporate employees or contractors, whether intentionally or through careless actions. At CSC, our employees are trained and tested on security for our customers’ safety as well as our own.
Fortunately, processes and technologies are keeping pace with these ever-evolving threats. Cybercrime isn’t going away, but a combination of good technology and phishing awareness provides a good defense against a relentless enemy. Understanding how to protect your assets from any attack will go a long way toward keeping your company safe.