A recent GreatHorn report finds that, in the past year alone, security professionals saw a 25% increase in phishing emails that evaded security defences and reached users’ inboxes. The same study found that impersonation accounted for 45% of phishing attempts, which the researchers attribute to attackers having insight into the target organisation’s structure and leadership.
That insight has to be gathered first. It is not uncommon for attackers to ‘plant’ malware on an organisation’s network and use Artificial Intelligence (AI) to extract information about the company’s employees and activities from what it collects.
This information is then used to launch phishing attacks via emails that appear to come from legitimate sources, refer to actual meetings, projects or other activities within the organisation, and are targeted at the employees who are genuinely party to those activities. These attacks are so convincing that often only the tone and language of the email give it away as a phishing attempt.
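Tone and language are the human cue, but a mail gateway or SOC analyst also has mechanical cues in the headers. As an added example (this is not code from the article or from T-Systems), the following Python script runs the checks that catch the impersonation pattern described above: an executive’s display name on a foreign address, a lookalike sender domain, a Reply-To pointing elsewhere, and the organisation’s own domain claimed without a DMARC pass. The organisation domain, executive list and sample messages are constructed for illustration.

```python
"""Header-level checks for impersonation phishing.

Added example: not code from the article or T-Systems. The organisation
domain, executive list and sample messages below are constructed.
"""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                      # assumed: our own mail domain
EXECUTIVES = {                                  # constructed: names worth impersonating
    "jane doe": "jane.doe@example.com",
    "sam smith": "sam.smith@example.com",
}


def normalise(name):
    """Fold case, strip accents and collapse whitespace so 'Jané  DOE' matches."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(plain.lower().split())


def lookalike_domain(domain):
    """True if domain is a cheap typosquat/homoglyph of ORG_DOMAIN.

    Only a handful of confusables are folded here; this demonstrates the
    idea and is not a complete homoglyph table.
    """
    confusables = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
    folded = domain.lower().translate(confusables).replace("rn", "m").replace("vv", "w")
    return folded == ORG_DOMAIN and domain.lower() != ORG_DOMAIN


def check_headers(raw_message):
    """Return a list of findings for one RFC 5322 message; [] means clean."""
    msg = message_from_string(raw_message)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    # 1. A leadership name used as display name on an address we do not own.
    expected = EXECUTIVES.get(normalise(display))
    if expected and addr.lower() != expected:
        findings.append(f"display-name impersonation: '{display}' sent from {addr}")
    # 2. Sender domain that folds to ours under common confusables.
    if lookalike_domain(domain):
        findings.append(f"lookalike sender domain: {domain}")
    # 3. Replies silently redirected to a different domain.
    if reply_addr and reply_domain != domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    # 4. Our own domain in From, but the receiving gateway recorded no DMARC pass.
    auth = msg.get("Authentication-Results", "").lower()
    if domain == ORG_DOMAIN and "dmarc=pass" not in auth:
        findings.append("claims our domain but no DMARC pass recorded")
    return findings


# Constructed sample headers (bodies omitted); the Authentication-Results
# line is what a receiving gateway would normally add.
SAMPLES = {
    "legitimate": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n"
        "Subject: Q3 budget review\n\n"
    ),
    "display_name": (
        "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
        "Subject: Re: Project Falcon sign-off\n\n"
    ),
    "lookalike": (
        "From: IT Helpdesk <helpdesk@exarnple.com>\n"
        "Reply-To: helpdesk@exarnple.com\n"
        "Subject: Password expiry\n\n"
    ),
    "spoofed": (
        "From: Sam Smith <sam.smith@example.com>\n"
        "Reply-To: sam.smith.office@outlook.com\n"
        "Authentication-Results: mx.example.com; spf=fail dmarc=fail\n"
        "Subject: Urgent payment\n\n"
    ),
}


def scan_samples():
    """Run check_headers over every constructed sample."""
    return {name: check_headers(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings or 'clean'}")
```

None of these checks replaces user awareness: the display-name check only works for names on the list, the confusables table is deliberately small, and a message sent from a genuinely compromised mailbox passes all four. They are a cheap first filter in front of the human one.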
With the rapid evolution of technology and the increasing frequency, complexity and sophistication of phishing attacks, there is no guarantee that every attack can be prevented, but organisations must still act to mitigate the risk.
In many cases, the techniques and methods behind a new phishing scam have not been seen before, so the organisation’s security experts have nothing to match them against and find them difficult to identify and stop.
Therefore, in many cases, employees are becoming an organisation’s last line of defence against phishing attacks, and it is up to the company to ensure that they are up to the task. Conversely, employees who have not been taught what to look for can easily become the organisation’s weakest link.
Some 95% of all security breaches are attributed to human error, and the majority of attacks succeed because an employee is fooled by a phishing attempt. This underscores the importance of internal education, simulations and awareness among employees if an organisation is to have any chance of fending off phishing attacks.
Any employee can become a target, so enterprises must ensure that all their workers keep their knowledge of defensive procedures and responses current in case of an attack. It may be hard to say in advance which employees are the most likely targets, but senior management is often the prime one. To be safe, any employee with access to the company’s network should be able to recognise an attack and know what to do when one occurs.
In terms of education, programmes should address the challenge in two parts. The first is training and awareness theory, delivered in the classroom and online. The second, and more difficult, is simulation: a group of security experts attempts to trick employees into clicking on links that could, in a real attack, be dangerous. Run against real-life scenarios, this is a safe way to measure how adept each employee is at spotting an attack.
However, organisations must realise that education is not a one-time fix but should take place on a regular basis. The frequency of training should be adjusted to each employee’s risk profile, or he or she risks falling behind the latest trends.
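As an added example, not code from the article or from T-Systems, the following Python script shows the mechanics behind the simulation and follow-up cycle described above: a per-recipient tokenised link so that clicks can be attributed and cannot be forged, verification of the clicks the landing page records, and a next-training date derived from each employee’s risk profile and result. The campaign secret, landing URL, employee list, intervals and click log are all constructed; a real campaign would mail the links and collect clicks over HTTPS.

```python
"""Tokenised links and follow-up scheduling for a phishing simulation.

Added example: not code from the article or T-Systems. The campaign
secret, employee list, risk-profile intervals and click log are all
constructed; a real campaign would mail the links and collect clicks
over HTTPS on the landing page.
"""
import hashlib
import hmac
from datetime import date, timedelta

CAMPAIGN_KEY = b"constructed-per-campaign-secret"   # assumed: rotated per campaign
LANDING_URL = "https://training.example.com/c"        # assumed landing page
EMPLOYEES = {"e101": "finance", "e102": "engineering", "e103": "executive"}  # constructed
# Assumed baseline retraining intervals in days by risk profile; the more
# targeted the role, the shorter the gap between refreshers.
INTERVAL_DAYS = {"executive": 30, "finance": 60, "engineering": 90}


def token_for(employee_id):
    """Per-recipient HMAC token: a link cannot be forged, or transferred to
    another employee's record, without the campaign key."""
    mac = hmac.new(CAMPAIGN_KEY, employee_id.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def tracking_link(employee_id):
    """The URL embedded in that employee's simulated phishing email."""
    return f"{LANDING_URL}?u={employee_id}&t={token_for(employee_id)}"


def verify_click(employee_id, token):
    """Constant-time comparison so a recorded click cannot be faked by guessing."""
    return hmac.compare_digest(token_for(employee_id), token)


def analyse(click_log, sent_on):
    """click_log: (employee_id, token) pairs recorded by the landing page.

    Returns {employee_id: {"clicked": bool, "next_training": date}}; anyone
    who clicked has their interval halved, everyone else keeps the baseline.
    """
    clicked = {
        eid for eid, tok in click_log
        if eid in EMPLOYEES and verify_click(eid, tok)
    }
    report = {}
    for eid, profile in EMPLOYEES.items():
        days = INTERVAL_DAYS[profile]
        if eid in clicked:
            days //= 2
        report[eid] = {
            "clicked": eid in clicked,
            "next_training": sent_on + timedelta(days=days),
        }
    return report


# Constructed click log: e101 arrives with a mangled token (ignored),
# e103 follows a genuine link.
CONSTRUCTED_LOG = [
    ("e101", "0000deadbeef0000"),
    ("e103", token_for("e103")),
]


def run_campaign(sent_on=date(2024, 1, 1)):
    """Analyse the constructed log for a campaign sent on sent_on."""
    return analyse(CONSTRUCTED_LOG, sent_on)


if __name__ == "__main__":
    for eid in EMPLOYEES:
        print(eid, tracking_link(eid))
    for eid, row in run_campaign().items():
        print(eid, row)
```

The HMAC token matters for the integrity of the results: without it, anyone who sees one link can alter the `u` parameter and put a click on a colleague’s record, and the per-employee click rates that drive the retraining schedule become meaningless.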
Lastly, do not assume that any off-the-shelf solution will be adequate to address your security concerns and keep you safe from phishing attacks. Rather, turn to a specialist partner who can interpret the data and design a solution specific to your needs.
By Lukas van der Merwe, Specialist Sales Executive: Security at T-Systems South Africa