A cybersecurity specialist and penetration tester has cautioned businesses against relying on human instinct to defend against phishing attacks.
Speaking at a security event in Manchester, Holly Williams, Technical Director of cybersecurity firm Secarma, said: “Your users shouldn’t be your business’ first or last line of defence. There should be several lines of defence between me sending an email to the user and it being delivered. A user shouldn’t be able to completely derail business operations just by opening an email.”
Williams advised that rather than relying on employee action, businesses should increase visibility on their internal network to better deal with subsequent attacks.
“If you know the roles employees are supposed to be performing and improve your awareness of commands being executed, you can then detect when users appear to be behaving unusually and start implementing behavioural analytics to combat phishing attacks.”
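The detection approach Williams describes, role expectations combined with visibility into which commands are actually executed, can be sketched in a few lines. The following is an added illustration, not code from the talk, from Secarma or from any product mentioned on this page; the role-to-command mapping, the four-field log format and the log lines themselves are all constructed assumptions for the example.

```python
"""Role-aware detection of unusual command execution (added example).

Log lines are a constructed 'timestamp user role command' format; the
role expectations below are assumptions for illustration only.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumption: the commands each business role is expected to run.
ROLE_EXPECTED = {
    "finance": {"excel", "outlook", "sap_client"},
    "developer": {"git", "python", "docker", "ssh"},
}

# Constructed learning-window events used to build a per-user baseline.
BASELINE_LOG = """\
2024-03-01T09:00:00 alice finance outlook
2024-03-01T09:05:00 alice finance excel
2024-03-01T09:30:00 bob developer git
2024-03-01T10:00:00 bob developer docker
2024-03-01T10:10:00 bob developer ssh
"""

# Constructed events from the day under review.
NEW_LOG = """\
2024-03-02T09:02:00 alice finance outlook
2024-03-02T09:03:00 alice finance powershell
2024-03-02T09:03:30 alice finance curl
2024-03-02T11:00:00 bob developer python
2024-03-02T11:05:00 bob developer ssh
"""


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    role: str
    command: str


def parse(log: str) -> list[Event]:
    """Turn the constructed log text into Event records, skipping blank lines."""
    events = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, command = line.split(maxsplit=3)
        events.append(Event(ts, user, role, command))
    return events


def build_baseline(events: list[Event]) -> dict[str, set[str]]:
    """Per-user set of commands observed during the learning window."""
    seen: dict[str, set[str]] = defaultdict(set)
    for e in events:
        seen[e.user].add(e.command)
    return seen


def detect(events: list[Event], baseline: dict[str, set[str]]):
    """Return (event, reason) pairs for commands that fall outside the role's
    expected set or that the user has never been seen running before."""
    findings = []
    for e in events:
        reasons = []
        if e.command not in ROLE_EXPECTED.get(e.role, set()):
            reasons.append(f"not expected for role {e.role}")
        if e.command not in baseline.get(e.user, set()):
            reasons.append(f"first time seen from {e.user}")
        if reasons:
            findings.append((e, "; ".join(reasons)))
    return findings


def run():
    """Build the baseline from the learning window and review the new day."""
    baseline = build_baseline(parse(BASELINE_LOG))
    return detect(parse(NEW_LOG), baseline)


if __name__ == "__main__":
    for event, reason in run():
        print(f"{event.ts} {event.user}: {event.command} -> {reason}")
```

Two checks are layered here: the role allowlist flags tooling a finance user should never need regardless of history, while the per-user baseline flags novelty even within an allowed role (bob's first use of `python` is reported but ranks lower, since only one reason fires). In a real deployment the baseline is learned over a longer window and findings are scored rather than treated as binary alerts, otherwise the "first time seen" rule is noisy for staff whose work legitimately varies.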
Commenting that phishing attacks play a part in 90% of all data breaches, she continued: “Phishing is a go-to for attackers, but there’s confusion over where it sits in the attack chain. The end result of a phishing attack is very often not just something simple like gathering credentials; it’s one part in a larger story to gain access to systems.”
With 97% of people unable to identify a sophisticated phishing email, Williams further emphasised that employee training is essential for recognising the signs of a malicious email, but that businesses which leave their phishing defence down to human reliability will be far more vulnerable to attacks.
A panel of fellow security experts highlighted the increasing sophistication and volume of phishing attacks, and consequently the growing risk to UK businesses. Last year, 14 billion phishing emails were sent – two for every person on the planet.
Stephen Crow, Head of Defensive Securities and Compliance at hosting firm UKFast, explained, “We’ve seen the complexity of phishing attacks increase dramatically in the first half of this year. Fake chains are being created between board and senior directors asking staff to perform tasks and act fast.”
“Often employees are scared to question the request if it has come from higher up,” he added.
“There are lists of email addresses you can purchase online or even obtain for free. It’s a numbers game for hackers: the more you send out, the more likely you are to catch somebody.”
Businesses concerned by the increasing number and convincing nature of fake emails are advised to limit the assignment of admin privileges, particularly in SMEs where one person may be responsible for multiple tasks or roles. This lowers the number of employees with access to sensitive data, who are the more attractive targets for threat actors.