Spear phishing is a growing problem, with half of all IT professionals reporting that their organization has been targeted by such a specialized attack. In more than a third of these cases, login credentials were compromised and corporate IT systems accessed. Could your business recover from such an attack? Read on to discover six key ways to protect your firm from the growing dangers of spear phishing.
1) Learn the Basics of Spear Phishing
Most IT professionals are familiar with the term “phishing,” which describes the practice of sending emails mimicking correspondence from reputable companies in order to gain personal information like passwords and credit card details from recipients.
Spear phishing is an evolution of this phenomenon — online attackers target prey like fishermen with a sophisticated ploy that works like a proverbial spear. Rather than sending out a mass number of e-mails and seeing what comes back, spear phishers have a specific target in mind. And that specific target could be no less than your company and the sensitive data its servers hold.
2) Create Policies to Protect Sensitive Data
The first step to keeping your company’s sensitive data safe is deciding what information is sensitive. This might include your employee’s login details and customer credit card numbers. It could also encompass any number of internal reports and accounting details.Even inane and seemingly innocuous bits of data could be open game, because this information could be leveraged in unforeseen ways in the wrong hands.
Once this data is identified, you should build policies to keep it as secure as possible. For example, you might protect company log-ins by ensuring employees don’t share their details with others and making it mandatory to change passwords every month. You might also ensure that only key staff members can access customer credit card details.
3) Encrypt Sensitive Data
Encrypting sensitive data ensures that it’s useless to a spear phisherman if they do get past your company’s defenses. Encryption software will turn your private company emails and corporate information into a garbled mess, which can only be read using an encryption key. Despite its effectiveness, around 26 percent of organizations don’t have encryption measures protecting databases of sensitive company information. That means more than a quarter of businesses are especially vulnerable to spear phishing attacks.
Using encryption software can also improve your reputation among consumers. When they see the secure padlock in their browsers, they’ll feel more comfortable sharing sensitive data with your website.
4) Educate Employees on Spear Phishing
Spear phishermen can send their emails or social network messages to any company employee, so it’s important to educate your entire workforce about the threat.
Encourage them to treat emails and social network messages with suspicion, even if they contain personal information. Teach workers that spear phishers use social networking pages and company websites to obtain such details, so they should always have their guard up. That’s especially true for correspondence which refers to current news event or asks for immediate action, as these are common spear phishing tricks.
Recipients should consider the tone of any correspondence they receive and whether it’s what they’d expect from the sender. Spear phishers might be able to find out the name and email address of a colleague, but they won’t be able to mimic his writing style. For example, an employee should hear alarm bells if a normally chatty co-worker sends a one-line email stating, “Click this link.”
Employees should learn never to download an attachment unless they’re positive it’s come from the source they expect, and to type URLs into their browser rather than simply clicking on emailed links. Teach workers to hover over links to verify their authenticity in emails and web browsers.
A British study found just 30.5 percent of small to medium business owners would hesitate before clicking on an email link directing them to the nation’s Her Majesty’s Revenue and Customs department. This figure is particularly troubling, as most spear phishing emails purport to come from financial institutions. Employees should also know to never visit websites mentioned in online correspondence unless they trust them.
5) Use On-Premises Security Products to Keep Systems Safe
A range of on-premises security products, including anti-virus software, firewalls, and secure web gateways, are designed to keep the bad guys out. If an employee accidentally downloads malware or a virus with an attachment, anti-virus software can detect the problem before it does damage. Firewalls and secure Web gateways work together to ensure workers don’t access parts of the web that will place your company’s security at risk.
However, it’s important to note that while these solutions are useful, they will not block all spear phishing attacks. For example, users might still download a malicious application from a link situated inside the company firewall or embedded in a fraudulent program update. A new virus can also infiltrate if anti-virus software is not updated to recognize it.
New programs, known as Advanced Persistent Threat (APT) software, aim to detect rather than prevent spear-phishing attacks. These cloud-based programs monitor communication, which takes place using a company’s IP address or web interface domain. When it discovers that unauthorized communication is taking place within a botnet traffic, the system alerts the organization of the malware threat.
Unlike traditional security solutions, APT software does not rely on signatures. This means it can detect a spear phishing attack using brand new malware and viruses that may not be recognized by more conventional security programs. As detection is based on evidence, companies also aren’t bothered by false positives.
6) Be Vigilant in Detecting Threats
Security programs can play an important part in preventing an attack, but nothing is foolproof.
Business owners should be vigilant in monitoring their networks for any unusual activity. Studies show that two-thirds of network breaches aren’t discovered for many months. In fact, the average hacker spends eight months accessing a victim’s computer network before being detected. That’s plenty of time for an experienced spear phisherman to access all kinds of information that could cripple a company.
Another weak spot that calls for vigilance involves telecommuting employees — particularly ones who access sensitive data via an unsecure public WiFi in places like the local coffee house. This can potentially leave company information open to lurkers and hackers, who can then use that data (for instance) as part of a more complex spear-phishing attack. A sound company policy in this respect would be to require employees to use a VPN Service whenever they’re using a public network, or to disallow access from these networks altogether.
It’s worth noting that 63 percent of company data breaches are disclosed by third-party sources, including media outlets. This rattles consumer confidence to such a degree that many companies never recover. Your business should certainly focus on prevention to prevent spear phishing attacks, but it’s also important to concentrate on early detection to minimize the impact of any security breach.
Spear phishing is a growing threat across the Web, but these important measures can ensure your company doesn’t become the next victim. Has your company ever been a victim of spear-phishing attacks? Tell us about your experiences in the comments below.