The available attack surface in almost all organizations is much more expanded than it was just a few years ago. The myriad of cloud services that people utilize, the mobile and personal devices that are accessing corporate data, and the countless applications in play mean that threat actors can tap into an organization’s network at any number of access points. In short, today’s traditional cybersecurity and network security protocols are simply inadequate against the sophisticated phishing attacks we’re currently seeing.
SlashNext commissioned an Osterman Research white paper that explored today’s threat landscape and new methods organizations can use to address phishing, business email compromise (BEC), account takeovers, and other related security threats. In this blog post, we’ll dive into the first five recommendations from that white paper. Be sure to come back for the final five!
- Focus first on the board
Decisions in most larger organizations come from the top down. Without the board and senior executives fully understanding the security risks and the potential financial implications of an attack, it will be harder to fund necessary security protocols.
2. Understand the risks
Unfortunately, many do not. There are always a few decision makers who truly believe they fully understand the risks that they and their organization face. The Osterman white paper noted that a survey by Symantec found seven percent of respondents believe account takeovers are a key risk. The reality is that account takeover activity is implicated in 42 percent of security risks. In a survey Osterman conducted for the white paper, they found that 33 percent of organizations have been impacted by account takeover threats during the past year.
3. Take a risk-based approach to security
Take a strong look at people who are the greatest risk for BEC and phishing attacks and then apply adaptive controls for that group. One example might be the folks in marketing whose job it is to research and explore social media. For this group, an organization could isolate their browsing experience to prevent their devices from being compromised.
4. Analyze what’s currently in use
There are, more than likely, many applications, cloud solutions, mobile apps, personal devices (BYOD), accessing corporate applications and data that is flying under the security team radar. This “Shadow IT” can pose serious risks, since security teams are unaware of what should and should not be allowed access. Thorough and ongoing audits should be performed on a regular basis so that security teams can determine every device and application being used across the enterprise.
5. Train users properly
We’ve blogged repeatedly about the fact that humans are the weak link in the network security chain. Now, a growing number of organizations are understanding the importance of providing comprehensive security awareness training for their employees. Today, technology-based solutions alone are not enough. In fact, Osterman found in past research that the ROI for security awareness training can be substantial, especially for larger organizations.
Don’t forget to come back and read the second part of this discussion in a future blog. In it we will reveal Osterman’s remaining five recommendations. But if you can’t wait, you can download the Osterman white paper here to see the complete list.
In the meantime, be sure to check out our Real-Time Phishing Threat Intelligence and Targeted Phishing Defense solutions that can see beyond the legitimate website to identify what might lie in wait. Start a free 15-day trial of Real-Time Phishing Threat Intelligence or contact us for a demo of our Targeted Phishing Defense to see how you can protect your organization.