Insights Magazine Volume IX - Page 5

(continued from previous page)

... gain credentials and other sensitive information, and typically also install malware to hunt for further sensitive data or, if you are really unlucky, ransomware. Third-party contractors can also mismanage critical organization or customer data, whether intentionally or through ineffective IT security and controls. In fact, according to the Ponemon study, third-party involvement in causing a data breach increases the per capita cost of the breach.

Strategies to Mitigate the Risk

To help combat this threat, aside from system hardening and email filtering, organizations should start a security awareness program that trains everyone with an email address to identify suspect emails and report them. Also include a scenario in your incident response plan for how to identify, report and quarantine a malware attack. Having an incident response team and providing employee training are both factors that decrease the per capita cost of a data breach, according to the Ponemon study.

"Every industry is vulnerable to a cyberattack, but certain industries face higher data breach costs."

Anthony Munns, FBCS, CITP, CIRM, CISA
Partner, IT Audit and Security Services
Brown Smith Wallace
314.983.1297
amunns@bswllc.com

As seen in the St. Louis Business Journal online edition

Ready Your Company for the Next Wave of Phishing
Bill Gogel, QSA, CISA, CBRM, ACDA

According to the 2016 Verizon Data Breach Investigations Report, reported email phishing incidents have increased 50 percent year over year. Email phishing is the most prevalent form of social engineering, the act of manipulating people into disclosing sensitive data. Attackers increasingly find people an easier target than modern security appliances. Worse yet, attackers do not stop at gaining credentials or other sensitive information; they typically also install malware to hunt for further sensitive data.

When security experts conduct requested test phishing campaigns at organizations, they typically see a 75 percent click rate. After users have gone through training, the security experts run a second campaign to measure how effective the initial training was. At that point the click rate drops dramatically, to 5-10 percent.

Steps to Take to Prevent Phishing

Focus on the following three areas to set a strong foundation for preventing phishing in your organization:

1. Start with a mature security awareness program. C-level executives typically have their email addresses published on their organization's website, which makes them an easy target for spear phishing. Anyone with an email account should go through training on how to identify suspect emails, how to report them, and how IT can help communicate current threats.

2. Email filtering is a must-have for any company. The market is flooded with good products, so a cost-benefit analysis will most likely work in your favor. If your organization uses Office 365, email filtering is included; it just needs some configuration by your IT department.

3. Have a tested incident response plan. Assume an email gets past your filters, a user gets phished, and you have to limit the impact. Include a scenario in your incident response plan for how to identify, report and quarantine a malware attack. Malware works quickly and, according to the Verizon report, takes only days to do its job.