EDITOR’S QUESTION
RICHARD ARCHDEACON, ADVISORY CISO, DUO SECURITY, NOW PART OF CISCO
The starting point for the vast majority of cyberattacks is a click on a phishing email; the fact that it’s still the most common entry route for cybercriminals – and worryingly successful – reveals a widespread lack of solid security fundamentals.

Services such as social media sites or, in some cases, the organisation’s own website can be a wealth of information to attackers. Using this information, criminals can determine who you are with a high degree of accuracy, what role you have in the company, who you work with and more. This information is then used to craft very personalised spear phishing campaigns.

While high-profile breaches have compelled more organisations to strengthen their information security strategies, many still don’t have the expertise or guidance to implement basic mitigations. However, there are some simple procedures and policies organisations can put in place to prevent phishing attacks:
• Provide your users with the ability to recognise phishing emails. This should cover what a phishing email looks like: is it written in poor language, and does it come from a legitimate email address? To encourage users, make it clear that these skills apply just as much at home as they do in the office; it is a transferable skill with a personal benefit.
• Continuous education through phishing tests. Sending test phishing emails to users will keep up their identification skills. This should be emphasised as educational and not a pass/fail test, so it is a positive experience for them. In addition, very clear instructions should be provided on what to do if a phishing email is detected and, most importantly, what to do if one is inadvertently triggered.
• Implement and require two-factor authentication (2FA). Even if a user’s password is compromised through a phishing attack, their accounts will still be protected by a second factor of authentication. Attackers cannot log in without possession of the user’s physical device.
• Encourage users to update devices on a timely basis. Devices running older versions of software without security features enabled are more likely to be affected by publicly known vulnerabilities triggered by malicious email attachments masquerading as legitimate files or documents.
• Get visibility into the health of the devices accessing the network. Many employees use their personal smartphones and laptops to log into corporate resources from different networks at different times. Gaining insight into the health of these endpoints means that organisations can prevent insecure and poorly patched devices from accessing company information.
• Get visibility into the personal vs. corporate-owned devices on your network. Personal devices in the workplace may have multiple work and personal accounts, as the line between the two continues to blur. BYOD can introduce risks, but these can be mitigated by identifying whether a device is personal or corporate, and strengthening access security policies to require more stringent checks for personal devices using work applications.
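The last three points amount to an access policy that is evaluated on every login: identity first (password plus second factor), then device health, then stricter rules for personal devices. The following is an added illustration of such a policy engine, written for this page; it is not Duo or Cisco code. The posture attributes, minimum OS versions and the list of corporate-only applications are constructed assumptions, chosen only to make the ordering of the checks concrete.

```python
from dataclasses import dataclass


@dataclass
class Device:
    """Posture facts about the endpoint requesting access (constructed schema)."""
    os_name: str                 # e.g. "ios", "windows"
    os_version: tuple            # e.g. (17, 1); tuples compare component-wise
    corporate_owned: bool        # False means personal / BYOD
    disk_encrypted: bool
    screen_lock_enabled: bool


@dataclass
class AccessRequest:
    user: str
    password_ok: bool            # first factor verified
    second_factor_ok: bool       # 2FA completed on the user's own device
    device: Device
    application: str


# Constructed policy values: the minimum OS version each platform must run.
MIN_OS_VERSION = {
    "ios": (16, 0),
    "android": (13, 0),
    "macos": (13, 0),
    "windows": (10, 0),
}

# Constructed: applications that only corporate-owned devices may reach.
CORPORATE_ONLY_APPS = {"finance", "hr-portal"}


def device_health_issues(device: Device) -> list:
    """Return the posture problems found; an empty list means the device is healthy."""
    issues = []
    minimum = MIN_OS_VERSION.get(device.os_name)
    if minimum is None:
        issues.append("unsupported or unknown operating system")
    elif device.os_version < minimum:
        issues.append("operating system below minimum version")
    if not device.disk_encrypted:
        issues.append("disk encryption disabled")
    if not device.screen_lock_enabled:
        issues.append("screen lock disabled")
    return issues


def evaluate_access(req: AccessRequest) -> tuple:
    """Decide ("allow" | "deny", reasons) for one login attempt.

    Identity is checked before device trust, so a phished password on its own
    never gets as far as the device checks, let alone the application.
    """
    if not req.password_ok:
        return ("deny", ["password incorrect"])
    if not req.second_factor_ok:
        # A stolen password is worthless without the user's second factor.
        return ("deny", ["second factor not completed"])

    issues = device_health_issues(req.device)
    if issues:
        # Poorly patched or unprotected endpoints are kept off company data.
        return ("deny", issues)

    if not req.device.corporate_owned and req.application in CORPORATE_ONLY_APPS:
        # Stricter rule for personal devices: healthy is not enough for these apps.
        return ("deny", ["personal devices may not access " + req.application])

    return ("allow", [])


def demo() -> dict:
    """Run a few constructed login attempts and return their decisions."""
    healthy_corporate = Device("ios", (17, 1), True, True, True)
    healthy_personal = Device("android", (14, 0), False, True, True)
    outdated_corporate = Device("ios", (15, 7), True, True, True)
    return {
        "phished password, no 2fa": evaluate_access(
            AccessRequest("alice", True, False, healthy_corporate, "mail")),
        "corporate device, finance": evaluate_access(
            AccessRequest("alice", True, True, healthy_corporate, "finance")),
        "personal device, finance": evaluate_access(
            AccessRequest("bob", True, True, healthy_personal, "finance")),
        "personal device, mail": evaluate_access(
            AccessRequest("bob", True, True, healthy_personal, "mail")),
        "outdated corporate device": evaluate_access(
            AccessRequest("carol", True, True, outdated_corporate, "mail")),
    }


if __name__ == "__main__":
    for scenario, (decision, reasons) in demo().items():
        print(f"{scenario}: {decision} {reasons}")
```

The order of the checks is the design point: the second-factor check sits before any device logic, so the phished-credential case is closed first, and the BYOD restriction is applied only to a device that has already proved healthy, which keeps the reasons returned to the user specific to the rule that actually failed.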
By establishing trust in users and their devices before granting them access, you can protect your organisation against the impact of phishing attacks.