People are irreplaceable as a line of defence in the fight against phishing

George Ralph of RFA outlines the importance of people in the fight against phishing attacks

First published on HFM Connect

Phishing attacks are on the increase and are becoming ever more complex and harder to spot. These observations are nothing new. The best defence for your business is to build a strategy based on process, people and technology. Protecting against phishing attacks is part of your overall cybersecurity programme and it is becoming more important to have a comprehensive policy in place. Regulators and investors, often as part of their ESG questionnaire, want to see a robust policy that covers cyber defences to prevent attacks and also procedures are in place in the event defences are breached.

Phishing campaigns take two main forms: a mass campaign where the attackers aim is to secure passwords or make small sums of easy money, or a targeted campaign against your specific business where an attacker can be more realistic, using details that you assume only ‘safe’ emails would have contained in them. Spear phishing, as this is known, uses your digital footprint (like website or social media accounts) to build a researched picture of your business, collating information from multiple sources to build an overall picture. It is more complex than a mass campaign but in turn offers more reward to the attacker. Engaging your staff to work with your business to help prevent or isolate attacks is a primary key to your overall cybersecurity success.

A key driver to engaging staff in understanding, looking for and reporting phishing attacks is to create the right environment to report a real or possible attack. Not only does this help you understand how at risk you are, it also helps you understand where there is perceived risk. Perceived risk can have an effect on workflow and output which, when monitored digitally, helps a business to consider potential improvements using digitisation strategies. Build an effective process for users to report any suspected phishing attempts and include a process for feedback when a report has been made. An environment where a team member can ask without fear of being thought ignorant is key alongside a no blame culture should someone make a mistake and click on a phishing email. This process is even more important in the current hybrid working environment when communicating a potential attack isn’t as easy as asking the IT team to come and take a quick look at a screen.

As part of your policies and procedures, invest some time in understanding which processes you have which could be mimicked by an external bad actor. Where digitising a process could work, set up a proof of concept and trial a digital solution. This helps your internal teams as it prevents them being able to respond to a phishing email asking for information, but also helps your third party vendors, investors and data providers as they too could be subject to a phishing attack. Where digitisation isn’t possible, use two factor authentication for email requests; back up the request with an SMS, phone call or by using a secure collaboration tool like Teams.

Training, and how that training is delivered, also has an impact on the success of your cybersecurity process and procedures. Your users cannot compensate for weaknesses in your processes or technology. It isn’t realistic to expect, when each member of your team is dealing with hundreds of emails every day, often under pressure, for the team to be vigilant at all times. Different roles in your business will have different risks associated with them, so it is worth setting up different security measures accordingly. Where appropriate, deliver containerised desktops remotely for users to view sensitive information, or provide documents that cannot be downloaded via secure collaboration tools, separate data from the email chain. Where you or your technology partner are training, make it accessible, understandable for all and aim for a series of short sessions rather than one long one. In our scattered working environment, perhaps even make the training a part of a team catch up, ensuring it is inclusive for every member of your team, no matter what their role within your business.