Virtualization Technology News and Information
Article
RSS
Phished Out - How to prepare your organization for Phishing Attacks

By David Baggett, Founder and CEO of INKY

Out of the many types of cybersecurity attacks and hacking techniques, phishing continues to lead as the most commonly used attack vector on organizations across the industry. As active participants in the fight against phishing, we spend a lot of time answering questions and educating organizations on how to prepare for, combat, and altogether avoid successful phishing attacks. 

I've collated some of the common themes that we are asked about into three key questions and answers that I hope will help you prepare your organization for Phishing attacks.

What are the most common phishing attack vectors that organizations need to be mindful of? 

This question comes up a lot as organizations struggle to find their footing. The most common attack types we see today are focused on executive impersonation and spear phishing. In other words, deliberately targeting an individual within an organization who has buying power or the ability to make a financial decision. 

The challenge you have organizationally is that the once anonymous hallways of corporations can now be pieced together with a few press releases and some LinkedIn trolling. In 30 minutes, I can figure out your CEO, your rough market cap, your C-Suite, your finance department, and even your vendors. The recent pilfering of $150m dollars from Facebook and Google being an excellent example of this. The reality that you face as a corporation is that every email user is a possible conduit for phishing driven chaos.

Why is today's security awareness training not meeting the need of detecting phishing attacks? 

If you think back to your first day on the job, maybe it was 6 months ago, or a year, or 2 or 3, and consider your orientation training, try to remember every detail of what was shared?

Often security awareness training is a once and done activity that happens during the hiring process; unfortunately, employees are typically more concerned about getting their email working on their Phone than they are about understanding the intricacies of their new companies' security processes. 

The other extreme is phishing simulation software, while it can be an interesting tool for a CISO to gauge the awareness of his/her email user community, it doesn't really help in identifying the zero day/unknown phishing attack and human error is almost impossible to avoid or train for.  New email scams pop up almost weekly, are very sophisticated and undetectable to the human eye.  My preferred approach to phishing training is to have an in-line process that identifies the authenticity (or lack of) for every email that comes in, this approach conditions users so that they become accustomed to is what a good email and a bad email looks like.

What resources should organizations ensure they have to be safer and more secure? 

To ensure email security in your organization, I recommend that the email security gateway be placed in front of your mail server. That said, be warned, email security gateways come in all shapes and sizes, and as you decide which one to buy, I would suggest considering the following areas as you make your purchasing decision. 

Find an SEG capable of preventing zero-day attacks. In other words, does it have AI algorithms that are not simply processing yesterday's news but are actively applying intelligence to understand the difference between a new threat and an old one.

Also, it's important to consider an SEG that has some kind of computer vision capability. Many of the phishing attacks that I see today are crafted using the livery, graphics, and icons of popular brands. 

The last thing to consider when selecting any SEG is that it should be employing machine learning. As it is fed new information, it should be learning and growing its database in perpetuity. Many SEG's rely on manual feeds and outdated Bayesian algorithms that are better suited for spam detection and filtering not as true anti-phishing software. 

Conclusion

Being aware that phishing is a problem is a great first step, making the right decision on how to prepare your organization is the second. Hopefully, the topic I've covered today are of use to you, we have some great resources on our website at INKY.com, we'd love to have you visit!

##

About the Author

David Baggett 

David Baggett is Founder and CEO of INKY.  INKY's flagship product, INKY Phish Fence, uses computer vision and machine learning techniques to identify and block phishing emails. Phishing is arguably the biggest problem in cybersecurity today, driving over $1.5B/year of theft and extensive PII and credential theft. Prior to INKY, Dave was co-founder and COO of travel search provider ITA Software, where he oversaw software development, operations, and customer relations, expanding the company to over 500 employees. Google acquired ITA for $700M in April 2011. Dave has a B.S./B.A. in Computer Science and Linguistics from the University of Maryland, College Park and a S.M. in Computer Science from MIT. Dave also volunteers as a member of the US Department of Energy Secretary Advisory Board on AI.

Published Thursday, October 31, 2019 12:17 PM by David Marshall
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
top25
Calendar
<October 2019>
SuMoTuWeThFrSa
293012345
6789101112
13141516171819
20212223242526
272829303112
3456789