As a CIO, you know there are huge implications of not taking steps to prevent phishing attacks: according to the 2019 Verizon Data Breach Investigations Report, nearly a third of all breaches in the past year involved phishing, and that number jumps to 78% for cyber-espionage attacks.
As a Cyber Security and Digital Forensics student at Kwame Nkrumah University of Science and Technology with a passion for the prevention of phishing, I have found two publications highlighting the importance of training employees to recognize phishing websites.
The first one is an article titled “What is phishing? How this cyber attack works and how to prevent it” (https://www.csoonline.com/article/2117843/what-is-phishing-how-this-cyber-attack-works-and-how-to-prevent-it.html) in CSO Magazine, written by cyber security expert Josh Fruhlinger (@jfruh). It describes phishing attacks and provides steps to prevent them. According to Fruhlinger, phishing is a venerable and sophisticated form of cyber-attack in which attackers masquerade as a trusted entity of some kind to try to gather personal information using deceptive e-mails and websites. The goal is to trick the email recipient into believing that the message is something they want or need (a request from their bank, for instance, or a note from someone in their company) and to click a link or download an attachment. Generally, a phishing campaign tries to get the victim to hand over sensitive information such as a username and password that the attacker can use to breach a system or account, and/or to download malware, in the form of an email attachment, that can infect their own system.
The second publication is a research paper titled “How Experts Detect Phishing Scam Emails” (https://doi.org/10.1145/3415231), published in the ACM Digital Library by Rick Wash, an Associate Professor of Media and Information at Michigan State University, East Lansing, MI, USA (https://www.linkedin.com/in/rick-wash-2a22a81/).
In addition to giving similar insights into phishing attacks as the first article, Wash stated that, while technical protections against phishing reduce the number of phishing emails received, they are not perfect, and phishing remains one of the largest sources of security risk in technology and communication systems. According to him, phishing is a difficult problem to protect against, and current technical solutions do not completely solve the problem.
Based on these two publications, and as a cyber security student, I have listed three recommended actions for organizations that want to avoid cyber attacks:
- Use Technical Controls – This will prevent many phishing emails from getting into employees’ inboxes in the first place.
- Train your Staff – Human detection of phishing emails complements technical detection as it is likely to have very different gaps and vulnerabilities, and using the two methods in tandem should result in greater security than either would alone.
- Regulate B.Y.O.D. – Prevent staff from connecting their personal devices to the corporate network or regulate those who do so with appropriate policies.
Taking action, starting today, to block and prevent phishing attacks will significantly reduce the occurrence of cyber-attacks on your organization.
My name is Mavis Aframea-Asamoah and I am currently a Cyber Security and Digital Forensics student at KNUST, Ghana. You are welcome to reach out to me on Twitter @Aaffrah.