3 Must-Do Tactics You Can Deploy Now to Defend Against Phishing Attacks

By: Kevin Hayes

Phishing remains the biggest cyber threat out there. It still yields the most fruit for attackers who trick people into opening links in emails and visiting questionable websites.

But the tools to fight back are growing more sophisticated. Here are three things you can do right away, at minimal cost, to defend your organization.


1. Enable two-factor or multi-factor authentication.

2FA and MFA have come a long way, with plenty of options nowadays. The ubiquity of smartphones makes it pretty hard to explain, in the face of a breach, why a team didn’t have some kind of second-factor mechanism in place.

For Office 365-using organizations, Microsoft Authenticator is a free tool at the ready. For organizations that use Google products, there is Google Authenticator.

As for third-party apps — good for protecting beyond email — Duo Security is what Merit uses.

There are also creative authentication methods that go the extra mile, such as USB security keys with NFC chips, or keys like the YubiKey that require the user to touch a fingerprint sensor.


2. Use special software that checks links and content within emails.

Software designed to scan emails for malicious content is available for your platform. Microsoft’s Windows Defender (formerly Advanced Threat Protection) is one; Proofpoint is another. Such systems spot malware attachments and links to questionable websites. They will even rewrite suspicious links so that an accidental click does not lead to trouble.

These systems can also pop up alerts asking if the user really intended to click a link, or to tell the user that this link leads outside the organization’s network (handy when the phishing attack tries to masquerade as a safe, internal source).
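The two checks just described, flagging links that lead outside the organization and catching a link whose visible text masquerades as an internal address, as an added illustration that is not the page's own code or any vendor's product logic. It runs over a constructed sample message; the internal domain `example.org` and the click-time checking endpoint `linkcheck.example.org` are assumptions.

```python
import re
from html import unescape
from urllib.parse import quote, urlparse

# Assumed internal domains and checking endpoint (hypothetical; not from the page).
INTERNAL_DOMAINS = {"example.org"}
CHECK_ENDPOINT = "https://linkcheck.example.org/verify?url="

# Captures: opening tag up to the href value, the href, rest of tag, link text, closing tag.
ANCHOR_RE = re.compile(r'(<a\b[^>]*\bhref=")([^"]+)("[^>]*>)(.*?)(</a>)', re.I | re.S)
SHOWN_HOST_RE = re.compile(r'https?://([^/\s<]+)', re.I)


def is_internal(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def classify_link(href, text):
    """Return a list of warnings for one anchor; empty means internal and honest."""
    url = urlparse(href)
    host = url.hostname or ""
    warnings = []
    if url.scheme.lower() not in ("http", "https"):
        warnings.append("non-web scheme")
    if not is_internal(host):
        warnings.append("leads outside the organization")
    # Visible text shows one host while the real target is another: the masquerade case.
    shown = SHOWN_HOST_RE.search(unescape(text))
    if shown and shown.group(1).lower() != host:
        warnings.append("text shows %s but goes to %s" % (shown.group(1), host))
    return warnings


def rewrite_links(html):
    """Route every flagged link through the check endpoint; return (new_html, findings)."""
    findings = []

    def repl(m):
        open_tag, href, rest, text, close = m.groups()
        warnings = classify_link(href, text)
        findings.append((href, warnings))
        if warnings:
            href = CHECK_ENDPOINT + quote(href, safe="")  # click is checked before it is followed
        return open_tag + href + rest + text + close

    return ANCHOR_RE.sub(repl, html), findings


# Constructed sample message: one internal link, one external link dressed up as internal.
SAMPLE_EMAIL = (
    '<p>Your password expires today.</p>'
    '<a href="https://intranet.example.org/reset">Reset now</a> '
    '<a href="https://login.examp1e-org.com/reset">https://intranet.example.org/reset</a>'
)
```

Calling `rewrite_links(SAMPLE_EMAIL)` leaves the intranet link untouched and sends the look-alike link through the checking endpoint, with a warning naming the host mismatch.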

More than 95% of attacks today begin with phishing. If there’s one place to spend money, it’s here, said Merit Chief Information Security Officer Kevin Hayes. “They offer the best bang for the buck.”

Such systems are typically licensed on a per-employee basis, with the cost amounting to a few dollars per employee.


3. Test your defenses.

Merit performs monthly phishing tests against its employees to see if they are following guidance. Simulated phishing operations use filters to target individuals. “We can go in and see which exact one got any individual person,” Hayes said.

A gigantic database and a dynamic filter make this possible. It might seem a bit harsh to do this to your own people, but remember that attackers will have no such qualms and do use tailored “social engineering” tactics to target specific people.

Merit uses KnowBe4, which offers an integrated suite of protections, for these simulated phishing expeditions, as well as for analyzing messages and general security awareness. KnowBe4 comes with a large library of short but engaging videos from which Merit’s IT staff curates selections. Merit staff members are then required to log into KnowBe4 and watch five to 10 minutes of video content every month.

A similar service, Gophish, is open source and free. “A savvy IT department can get it up and running in a matter of minutes,” Hayes said.


Want More Insight?

Each Merit Member organization gets two FREE hours of CISO consulting with our Information Security team to discuss additional cybersecurity strategies that can save you both time and effort. Contact our team to schedule an appointment.
