Saturday, August 25, 2018

Phishing is not a Technology Problem

In reading the title of this post, IT folks all around the world are shouting at the top of their lungs: "Amen!"

While perhaps not a profound statement for the IT community, it is nonetheless true that phishing is not an IT risk but a business risk.  Phishing is social engineering: the use of trickery and deception, with technology as the delivery platform, to coerce your employees into e-mailing mass HR or customer data, giving up their password, or sending money to a criminal posing as a company executive, government official, or vendor.  Therefore it is the social engineering aspect that needs to be addressed, but it rarely is.  That is why phishing is very effective, very profitable, and growing rapidly in both volume and complexity.

The security software and appliance providers keep upping the ante with the latest technology tools (now AI) to detect or block phishing e-mails, but at the end of the day this is just a holding action, not a sustainable solution, because it is not 100% effective.  The root cause is still sitting one foot in front of the keyboard: it is your employees and contracted staff that make phishing attacks possible.  And this is where the least amount of budget and time is spent on reducing your organization's risk of being phished.

Security experts have been debating for years how effective security awareness training, mock phishing exercises, the security posters hung in the break room, and security tips posted on your organization's intranet site really are.  And to be honest, perhaps the jury is still out on any scientific data for that, but what is the alternative?  Do nothing?  We've seen first-hand with recent data breaches how well that works.

Perhaps the secret formula is a balanced approach of tools, training, and procedures to combat this business risk.  At the end of the day, your organization has a shot at thwarting the phishers if you have tools that scan e-mails for suspicious activity; you train your employees on what phishing e-mails look like and give them an avenue to report them (so they are included in the security process); you hold mock phishing exercises with a teachable moment built in to educate; and you have well-communicated procedures: no e-mailing mass data without approvals, no sending wires without phone verification, and a reminder that the CEO (who probably doesn't remember your name) is never going to ask you to "kindly" pick up some iTunes gift cards at the store.

Be Secure!!!

@TJMProfessional
