Secarma Technical Director Holly Williams

Member Article

“Employees shouldn’t be able to derail operations,” phishing expert warns

A cybersecurity specialist and penetration tester has cautioned businesses against relying on human instinct to defend against phishing attacks.

Phishing is an attempt to obtain sensitive information or persuade a victim to perform an act by pretending to be a trustworthy source. Phishing attacks are most commonly delivered via email.

Speaking at a security event in Manchester, Technical Director of cybersecurity firm Secarma, Holly Williams, urged, “Your users shouldn’t be your business’ first or last line of defence. There should be several lines of defence between me sending an email to the user and it being delivered. A user shouldn’t be able to completely derail business operations just by opening an email.”

Williams advised that rather than relying on employee action, businesses should improve the monitoring of their network in order to better deal with subsequent attacks.

“If you know the roles employees are supposed to be performing and improve your awareness of commands being executed across your systems, you can then detect when users appear to be behaving unusually and start implementing behavioural analytics to combat phishing attacks.”
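One way to turn the monitoring idea in the quote above into working detection logic, as an added example that is not part of the original article or Secarma's own tooling: each role is given a baseline of the commands it is expected to run, process-execution log lines are parsed, and any execution outside the user's role baseline is flagged for review. The role baseline, user names and log lines are all constructed for the illustration.

```python
"""Role-aware command monitoring: flag executions that fall outside the
baseline of what a user's role normally runs. Constructed example; the
baseline, users and log lines are made up for illustration."""
from collections import defaultdict
import re

# Constructed baseline: commands each role is expected to execute day to day.
ROLE_BASELINE = {
    "finance": {"excel.exe", "outlook.exe", "sap.exe"},
    "developer": {"git", "python", "docker", "ssh"},
}

# Constructed process-execution log lines (simplified EDR/auditd style).
SAMPLE_LOG = """\
2024-05-01T09:01:02 user=alice role=finance cmd=outlook.exe
2024-05-01T09:03:15 user=alice role=finance cmd=excel.exe
2024-05-01T09:04:40 user=alice role=finance cmd=powershell.exe
2024-05-01T09:04:41 user=alice role=finance cmd=whoami
2024-05-01T09:05:02 user=bob role=developer cmd=git
2024-05-01T09:05:10 user=bob role=developer cmd=ssh
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) cmd=(?P<cmd>\S+)$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_anomalies(events, baseline=ROLE_BASELINE):
    """Return events whose command is not in the baseline for the user's role.

    A role missing from the baseline has an empty allow-set, so everything it
    runs is surfaced rather than silently accepted."""
    return [e for e in events if e["cmd"] not in baseline.get(e["role"], set())]


def anomalies_per_user(events, baseline=ROLE_BASELINE):
    """Count flagged executions per user; a cluster on one account in a short
    window is the pattern worth escalating after a suspected phishing click."""
    counts = defaultdict(int)
    for e in find_anomalies(events, baseline):
        counts[e["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for e in find_anomalies(evts):
        print(f"{e['ts']} {e['user']} ({e['role']}) ran unexpected command: {e['cmd']}")
    print(anomalies_per_user(evts))
```

Running the block on the constructed log flags the two executions by the finance user that sit outside the finance baseline and none of the developer's activity; in practice the baseline would be learned from a history of legitimate executions per role rather than typed by hand, and the flagged events would feed an alert rather than a print statement.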

Commenting that phishing accounts for 90% of all data breaches, Williams continued: “Phishing is a go-to for attackers, but there’s confusion over where it sits in the attack chain. The end result of a phishing attack is very often not just something simple like gathering credentials; it’s one part in a larger story to gain access to systems.”

With 97% of people unable to identify a sophisticated phishing email, Williams further emphasised that employee training is essential for recognising the signs of a malicious email. She added, however, that businesses which leave their phishing defence down to human reliability will be far more vulnerable to attacks.

Worst-case scenarios after a phishing attack include significant financial loss, reputational damage and compromised data. In June, Lancaster University suffered a high-profile phishing attack in which student data was stolen and used by criminals to send fraudulent invoices to undergraduate applicants.

A panel of fellow security experts highlighted the increasing sophistication and volume of phishing attacks, and consequently the growing risk to UK businesses.

Last year, 14 billion phishing emails were sent – two for every person on the planet.

Stephen Crow, Head of Defensive Securities and Compliance at hosting firm UKFast, explained, “We’ve seen the complexity of phishing attacks increase dramatically in the first half of this year. Fake chains are being created between board and senior directors asking staff to perform tasks and act fast.”

“Often employees are scared to question the request if it has come from higher up,” he added.

“There are lists of email addresses you can purchase online or even obtain for free. It’s a numbers game for hackers: the more you send out, the more likely you are to catch somebody,” Crow explained.

The advice to businesses concerned by the increasing number and convincing nature of fake emails is to limit the assignment of admin privileges, particularly in SMEs where one person may be responsible for multiple tasks or roles. This lowers the number of employees with access to sensitive data, who are the more likely targets for threat actors.

This was posted in Bdaily's Members' News section by Tim Parker.
