In our prior post, we discussed what phishing attacks are, how they work, and the impact they can have on you and your organization. In this installment, we’ll focus on how to prevent, detect, and recover from phishing attacks.
Industry reports have attributed as many as 90% of data breaches to an initial phishing email, so attackers have every incentive to keep launching them. In just the last month, phishing attacks resulted in more than a dozen city and other government agencies being paralyzed by ransomware, so it is critical that we address the most common vector attackers use.
Training, Training, Training
Much like real estate agents have the mantra, “location, location, location” for the three most important factors in a successful real estate sale, your mantra when it comes to preventing phishing should be “training, training, training.”
Being aware of how phishing email scams are executed is the first step in preventing them. Everyone needs to be able to recognize the most common clues in a phishing email, such as typos, a generic greeting like “Dear Customer,” an artificial sense of urgency, and links whose displayed text does not match where they actually point. Everyone also needs to understand that opening attachments and clicking on links are the most common cause of ransomware compromises and a leading cause of data breaches.
Organizations that don’t take training seriously often pay the price. If your training program is part of an annual event (or worse, only given once to new hires), this is “security theater” – going through the motions so someone can check a box and say, “Yup, everyone is trained!”
The belief that new hires come in, start a new job, get their orientation, details on their health insurance options, and information on the 401k plan, fill out their tax forms, etc., AND internalize an hour or less of cybersecurity training is unrealistic.
Similarly, having employees sit through a compliance training day where they cover sexual harassment, interviewing and management compliance guidelines, health and safety, diversity, and cybersecurity awareness is also a “check the box” approach to cybersecurity.
Of course, every employee will sign the form acknowledging that they have read and understood everything. And by the next day, they will have forgotten everything you’ve taught them.
How To Incrementally Change Behavior
A better approach is to provide small bits of training several times during the course of the year. Each time there should be a limited or even a single training objective, such as how to recognize suspicious links.
The goal is to incrementally change behavior over time. If I teach you a single thing that you can apply immediately, there is a better chance that you’ll remember it. A month later, I can teach you something else. Lather, rinse, and repeat. If I try to teach you 15 things in the course of an hour once per year, you are likely to remember almost nothing.
While training is critical, it is not our only defense. There should be multiple layers beyond improving user behavior. Spam filters are a powerful weapon against broad phishing attacks. They can block email from known bad sources so that most phishing never reaches a user who might be tempted to do the wrong thing.
In addition, email signing certificates (S/MIME) let senders digitally sign the messages they send you, giving you the ability to validate that signature. Be clear about what a valid signature does and does not tell you: it proves the message was signed by the holder of a certificate that chains to an authority you trust and that the content was not altered in transit. Your mail client still has to check that the certificate's identity matches the From address, and the absence of a signature is only a useful warning if recipients have been trained to expect signed mail from those senders.
Browser extensions, add-ons, and configuration tools can stop users from reaching the multitude of malicious websites that infect visitors' computers, for example by offering a “security scan” that actually just installs malware.
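The clues users are trained to look for in a link (displayed text that points somewhere else, a brand name buried in an unrelated domain, a bare IP address) can also be applied automatically as one of the filtering layers described above. The following is an added example written for this post, not iDiscovery Solutions' own tooling: it pulls the links out of a constructed HTML message body and returns the reasons each one looks suspicious. The trusted-domain list and the sample message are assumptions made for the demonstration.

```python
"""Heuristic checks for suspicious links in an HTML email body.

Added example for this post (not iDiscovery Solutions' code). The trusted
domain list and SAMPLE_EMAIL below are constructed for illustration.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical domains this organization expects legitimate mail to link to.
TRUSTED_DOMAINS = {"example.com", "payroll.example.com"}

# Does the anchor's visible text itself look like a URL or hostname?
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/.*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation, adequate for this demo."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the reasons this link looks suspicious (empty list if none)."""
    reasons = []
    parsed = urlparse(href)
    host = parsed.hostname or ""  # urlparse lowercases the hostname
    if parsed.scheme not in ("http", "https"):
        return [f"non-web scheme '{parsed.scheme}'"]
    if parsed.scheme == "http":
        reasons.append("plain http link")
    if is_ip_literal(host):
        reasons.append("host is a bare IP address")
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode (possible homograph) host")
    if "@" in parsed.netloc:
        reasons.append("userinfo before host (e.g. trusted.com@evil.com)")
    # Visible text that looks like a URL but points at a different domain.
    if URL_LIKE.match(text):
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"text shows {shown} but href goes to {host}")
    # A trusted brand name inside a host that is not actually that domain.
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[-2]
        if brand in host and registrable_domain(host) not in TRUSTED_DOMAINS:
            reasons.append(f"'{brand}' appears in untrusted host {host}")
            break
    return reasons


def scan_email(html):
    """Map each suspicious href in the message to its list of reasons."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = {}
    for href, text in parser.links:
        reasons = check_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


# Constructed phishing-style message: two bad links and one legitimate one.
SAMPLE_EMAIL = """
<p>Dear Customer, your account will be suspended. Please
<a href="https://example.com.account-verify.net/login">click here</a> to confirm,
or visit <a href="http://198.51.100.7/reset">https://payroll.example.com/reset</a>.
Our help page is at <a href="https://payroll.example.com/help">payroll.example.com/help</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", "; ".join(reasons))
```

Run on the sample, the two deceptive links are flagged and the genuine help link passes. The registrable-domain logic is deliberately crude (it does not know about suffixes like .co.uk); a production filter would use a public-suffix list, but the checks themselves are the same ones you want users to make by eye.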
Another crucial thing to focus on is applying patches and updates in a timely manner. We can all remember the global WannaCry ransomware attack in May 2017. It disabled more than 200,000 systems in 150 countries, with damage estimates running from the low tens of millions up to potentially billions of dollars. And this was two months AFTER Microsoft had released the patch (MS17-010, March 2017) that closed the SMB vulnerability the worm used to spread.
A good process for evaluating, testing, and then deploying patches and updates is a very basic step, but it is key to having a secure environment.
Why Good Backups Are Critical
Finally, I would be remiss if I didn’t bring up backups. While good backups will not prevent any sort of compromise or data breach, they are a critical tool in your arsenal to minimize the damage. In the event of a compromise, good backups will allow your organization to quickly recover and get back to business.
Your backup and restore process should be regularly updated to reflect your current environment and, most importantly, tested. Keep at least one copy offline or otherwise out of reach of the accounts that could be compromised, since ransomware that can reach your backups will encrypt them along with everything else. If the first time you “test” your restore process is after a compromise, I can almost guarantee that you will discover a small detail, missed in designing the process, that is not obvious until you realize your environment and data cannot be recovered.
iDiscovery Solutions is a strategic consulting, technology, and expert services firm – providing customized eDiscovery solutions from digital forensics to expert testimony for law firms and corporations across the United States and Europe.