Partner Article

Phishing in the C-Suite: 3 Ways to Avoid Getting Harpooned

In June of last year, the corporate controller for Scoular Co., a U.S. grain trading and handling firm, received an email from the company’s CEO asking him to wire $780,000 to a bank in China. So he did.

Then another email came from the CEO, asking for more money, and the controller did it again.

And then another email came. Within a week’s time, Scoular had wired over $17 million.

Unfortunately, the emails weren’t from the CEO at all. This was a sophisticated spear phishing attack.

But the money was gone.

Will your employees spot fake emails in time?

If you don’t think this could happen to you, think again.

A recent study conducted by Intel Security found that 94% of people could not tell a real email from a phishing email 100% of the time. What’s worse: among the executives who took the survey, that number rose to 96%.

Email phishing has proven to be the preferred technique for breaching an organization’s security, and the volume is staggering. Over 150,000 new phishing URLs were found in the fourth quarter of 2014 alone!

It only takes one employee to fall for a phishing email to impact your entire organization. That’s why it’s so important to be aware of the dangers of phishing scams. Below are three things you can do to counteract these threats.

1. Employee education: Your best defense against security attacks

Forewarned is forearmed, as they say. Building awareness of email scams and the motivations behind them is one of the most important things you can do to reduce your company’s vulnerability to an attack. But you can’t just train once—you need to continually educate your employees.

One of the best ways to educate employees, including executives, is to lead them through active learning exercises that simulate real-world security attacks. A great example of this is Facebook’s annual Hacktober initiative, which stages simulations of real-world security attacks like sending phishing emails and dropping thumb drives.

Develop a list of best practices to further help employees identify and avoid phishing scams, and keep them up-to-date on the latest techniques and threats so that they continue to recognize and avoid such scams.

2. Deploy comprehensive protection to safeguard your attack surface

Attackers know that if they want to phish your company, they have to get their emails through your outer perimeter – or your “attack surface” – and into your users’ inboxes. Regularly reviewing email distribution lists and preventing outsiders from sending emails to internal groups with common addresses is a simple way of closing gaps that can be exploited by phishers.

Technology also offers multiple layers of protection to help you fend off not just spam and viruses but also sophisticated phishing attacks. While it doesn’t completely replace user education, it can block some attacks and reduce the impact of an attack should users fall victim. Deploying anti-malware filters from industry leaders can help prevent malicious emails from making their way into users’ inboxes. Using this technology in conjunction with real-time URL scanning gives you an added layer of defense should a malicious email evade your malware filters and end up in a user’s inbox.
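As an added illustration of the controls in this section, not code from the article or from Intermedia, here is a small Python inbound-policy check: it flags outsiders mailing internal distribution groups, flags an executive’s display name on a mailbox that isn’t theirs (the pattern behind the CEO-fraud case above), and extracts body URLs for hand-off to a real-time URL scanner. The internal domain, group addresses, executive directory and sample message are all assumed placeholders.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Assumed organisation settings (placeholders, not from the article).
INTERNAL_DOMAIN = "example.com"
INTERNAL_GROUPS = {"all-staff@example.com", "finance@example.com"}
# Assumed executive directory: lower-cased display name -> genuine mailbox.
EXECUTIVES = {"pat ceo": "pat.ceo@example.com"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def check_message(raw: str) -> dict:
    """Apply the inbound policy to one RFC 5322 message (single-part text)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    external = not addr.endswith("@" + INTERNAL_DOMAIN)  # subdomains count as external here
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    recipients = {a.lower() for _, a in pairs}
    findings = []
    # Rule 1: outsiders may not mail internal distribution groups.
    hit_groups = recipients & INTERNAL_GROUPS
    if external and hit_groups:
        findings.append("external-sender-to-group:" + ",".join(sorted(hit_groups)))
    # Rule 2: an executive's display name on a mailbox that is not theirs.
    genuine = EXECUTIVES.get(name.strip().lower())
    if genuine and addr != genuine:
        findings.append("executive-impersonation:" + addr)
    # Every URL in the body goes to the real-time URL scanner (not implemented here).
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    return {"findings": findings, "urls": URL_RE.findall(body)}


# Constructed sample message (not real mail): a look-alike domain, the CEO's
# display name, sent straight to the finance group with a payment link.
FRAUD = """\
From: Pat CEO <pat.ceo@mail-example.net>
To: finance@example.com
Subject: Urgent wire
Content-Type: text/plain

Please process today via https://invoice-portal.example.net/pay
"""

if __name__ == "__main__":
    print(check_message(FRAUD))
```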

3. Prepare for the worst case scenario

Even with the best technology and most prudent safeguards in place, the rapid evolution of phishing techniques makes it nearly impossible to protect your company from these threats 100 percent of the time.

You need to protect yourself by hardening your infrastructure. This way, if, or more likely when, you’re targeted, you can lessen the impact of the attack. Look beyond how your sensitive data is stored and accessed, and implement tools that can protect your intellectual property (IP) while still enabling your employees to do their jobs effectively.

Here’s an example. If an attacker gets your email password, they will have access to all your messages. That means that if you stored any passwords in an email or an attachment, the phisher will have access to those too. To avoid this scenario, you should deploy a single sign-on (SSO) tool, which will remember all your passwords for you so you don’t have to store them in your email. In addition, leading SSO tools offer an extra layer of protection, 2-factor authentication, which requires a user not only to know a password but also to have a physical object (like his or her mobile phone) to confirm identity.

Another example: if everyone in your organization is using personal file sync and share solutions to store corporate data, then your IT team can’t protect that data. Consider deploying an enterprise-grade secure file sync and share solution. Your IT manager can then control access to all corporate data from a central location, and can change passwords or wipe mobile devices to prevent the data from being stolen.

Finally, use an outbound email monitoring application to scan emails that leave your company for malicious URLs and attachments. That way, if anyone has broken into your email system, they will be prevented from sending malicious links to other employees. In addition, this scanning tool can also prevent sensitive information like customer contacts or corporate IP from leaving your company.

By Jonathan Levine, Chief Technology Officer at business and IT service provider Intermedia

This was posted in Bdaily's Members' News section by Jonathan Levine.
