Prevent Data Breaches with Stronger Email Security

Posted by Geraldine Hunt on Thu, Jun 30th, 2016

Even with the nonstop news coverage of data breaches, malware attacks, and the affect of ransomware on network and email security, it seems that UK IT security pros don’t realize that these problems are overwhelmingly caused by malicious emails!  The mimecast survey of 600 global IT security pros from the US, the UK, South Africa, and Australia. Almost two-thirds of them regard email as a serious threat to their business and the same percentage feel unprepared for such attacks. In comparison, figures solely of respondents from the UK were 10%  and 27% respectively.

Here are what UK IT Pros believe are the top three results of an email breach:

• data loss/sensitive data leak (54 percent)
• brand reputation damage (20 percent)
• and compliance failure (12 percent).

Oh, the damage phishing can cause

According to the respected SANS Institute, successful phishing attacks could result in serious implications such as:

• Loss of competitive advantage and significant financial consequences due to theft of sensitive information such as intellectual property, trade secrets, and research data.
• Disruption of business operations. A company may not be able to access its systems or data, stopping the business dead in its tracks.
• Reputational damage if the company’s network is used as a platform to launch attacks on customers and suppliers.
• Significant financial costs relating to the investigation, incident response, and recovery.

In other words, phishing can cost the company a lot of money. And employees who fall for the scam can lose their job. Two examples suffice.

CEO fired after company lose £31 million to a whaling attack

The CEO of FACC Operations GmbH, an Austrian aircraft parts manufacturer, was fired after the company lost €40.9 million (£31 million) to a whaling attack. A whaling attack is also known as a C-level fraud and BEC (business email scam). It involves targeting high level executives with forged emails asking for payments to be made to third parties. Although FACC managed to recover €10 million, the net loss wiped out its profits for the year.

Since January, at least 68 companies have announced that they fell victim to a spear phishing attack responsible for stealing the W-2 U.S. tax records of all their workers. One or more employees receive an email appearing to be from the CEO with subject lines such as: “Request for all employees’ W2.” If the employee falls for the scam, the attacker attempts to file tax returns for all workers before the workers do. Then the attacker steals the victims’ tax refunds. There are costs to the company, too. It must pay to provide identity theft protection to all employees, and the employee responding to the scam may be fired. Stocks can be affected, as happened at Seagate Technology; on the day the news of the W-2 attack hit the media, the company’s stock price decreased 3.5 percent.

How do you stop a phishing attack?

Hopefully, you are convinced that protecting against phishing is a critical part of your company’s security strategy. Phishing will continue as long as it is profitable for the attackers. The key is to change user behavior when confronted with a phishing email. The obvious advice is not to click on strange links in email. But phishing emails are becoming increasingly convincing. According to Verizon’s breach report, 30 percent of people fall for phishing emails.

Users who have been burned by phishing are less likely to fall for them again. Ideally, though, it would be better to train employees to recognize phishing emails before a breach occurs. A report from Experian and the Ponemon Institute surveyed 601 IT executives and other corporate decision-makers whose companies provide data protection and privacy courses to their employees. A discouraging 60 percent of respondents say that their employees are either not knowledgeable or have no knowledge at all in cybersecurity. Only 49 percent say that their company training includes lessons on phishing and social engineering. Most disconcerting is that merely 54 percent of the companies have security training at their place of work that is mandatory, and of those companies, more than a quarter excuse executives and contractors from attending. Furthermore, only 30 percent of companies require employees to take or retake the course following a data breach.

It is obvious that these shortcomings in data security training must be remedied. But instead of waiting for a new course to be developed, there is a stop-gap method; ready-made websites offering phishing training. Just google “phishing training” for a list.

What I.T. can do

Although employee behavior is the key to tackling the phishing problem, IT can help:

• Use the Principle of Least Privilege in assigning credentials. This will make it more difficult for attackers to wriggle their way into other areas of the network.
• Implement two-factor authentication.
• Use email filtering (anti spam) and web filtering solutions that have proven records in blocking malware.
• Encrypt your data.
• Implement technology solutions that really work against phishing.

It’s important to put technologies in place to detect and block phishing scam from reaching your users. Phishing scams will evolve as will the technology to battle them.  The best line of security defense always will be educated users.

Some guides and articles to help you learn how to identify phishing scams & safeguard your data :

Top 5 Tips for boosting your spam arsenal

Spam Filtering Essentails Checklist

Learn how to think like a hacker to prevent attacks