How agencies can step up the fight against phishing
- By Bruce Brody, Kelsey Nelson
- Jul 17, 2020
The current pandemic has magnified vulnerabilities in everything from health care to our economy -- and cybersecurity is no exception. The traditional approach to security has been rendered obsolete. For years, security meant protecting the walls around agency systems, as employees accessed data from their office workspace. Those walls were already falling away, with business information increasingly accessed from phones or home computers -- even coffee shops. Now, with many more government employees working from home, the traditional perimeter has been completely obliterated.
In turn, the attack surface has quickly expanded -- and governments and health care organizations are particularly at risk from phishing emails and ransomware. Hackers may initially gain access through long-unpatched web vulnerabilities, then lie in wait until resources are most stretched, leaving public-sector and health care organizations with no choice but to pay up. To protect themselves, agencies must have visibility into which users are being targeted by phishing attacks -- and tailor their policies accordingly. To gain that insight, they should start by asking three straightforward questions.
1. Who is getting attacked the most and what do they have access to?
Risk overall has increased. But whether it’s related to telework or ransomware, the reality is that the risk is not evenly distributed. The first step to preventing phishing attacks is to understand who in the organization is being targeted by drilling down to the individual level. Which users face the most attacks and what data and systems will be compromised if an attack is successful?
Ideally, agencies will be able to gather attack data into a dashboard, so this information is digestible and actionable. Often, organizations learn that the most targeted users are not who they would expect. Sometimes executives do face the highest attack volume. Other times, people who work closely with them, in more administrative functions, are seen as easier targets with just as much access.
2. What are they getting attacked with?
Knowing the sophistication and type of attack is also necessary to correctly assess a threat’s severity. Right now, there has been an uptick in business email compromise and email account compromise attacks that use phishing to harvest users’ credentials. Credential phishing presents a huge risk, because most phishing links are hosted on compromised but legitimate websites with good reputations. Attackers wait until an email is already in a user’s inbox before changing the content of the linked page, so a reputation check at delivery time passes.
It’s crucial that organizations train their employees on the types of threats targeting them and teach them to be cautious when clicking on links or opening files from unknown senders. As users get better at recognizing threats, it’s also important to have them forward suspicious emails to administrators, so the system calculating people’s risk has even more data about who is being targeted and how.
3. What can we do about it?
This visibility is just a nice-to-have if it’s not acted on, though. Organizations must also set differentiated policies. If a user clicks on a malicious URL and lands on a phishing webpage, multi-factor authentication should already be in place to mitigate the risk of compromised credentials. Similarly, if users are regularly targeted by phishing attacks, organizations should set shorter session times, requiring those users to re-verify their credentials before they get access again.
These remedies must be applied in a way that’s not totally disruptive to employees. Combining threat assessments with data from other risk signals offers even more granular control. Are users signing in from their typical device and location? Are they accessing resources or opening documents as they normally do? If everything looks right, fewer security checks are needed. These insights are critical to setting smart policies that let users stay productive while enhancing an organization’s overall security posture.
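As an added example (not code from the article, nor from Proofpoint or Okta), the Python below ties the three questions together: it ranks per-user phishing telemetry by attack volume weighted by access, then derives a step-up MFA decision and session lifetime from that history plus the device and location signals just described. The event format, access tiers, threshold and session lengths are all constructed assumptions.

```python
"""Risk-based access policy derived from phishing telemetry (added example)."""
from collections import Counter

# Constructed sample telemetry: one record per phishing message that was
# blocked at the gateway or reported by the user: (user, attack type, clicked).
PHISH_EVENTS = [
    ("cfo", "credential", False),
    ("cfo", "credential", False),
    ("exec-assistant", "credential", True),
    ("exec-assistant", "bec", False),
    ("exec-assistant", "credential", False),
    ("exec-assistant", "credential", False),
    ("analyst", "malware", False),
]

# Constructed: sensitivity of what each identity can reach (higher = more).
ACCESS_TIER = {"cfo": 3, "exec-assistant": 3, "analyst": 1}

# Assumed threshold for "regularly targeted" within the telemetry window.
TARGET_THRESHOLD = 3


def target_ranking(events):
    """Question 1: rank users by attack volume weighted by access tier.
    Returns [(user, hits, weighted_score), ...], most exposed first; this is
    the per-user view a dashboard would plot."""
    hits = Counter(user for user, _, _ in events)
    rows = [(u, n, n * ACCESS_TIER.get(u, 1)) for u, n in hits.items()]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def session_policy(user, events, known_device, usual_location):
    """Question 3: decide (require_mfa, session_hours) for one sign-in from
    the user's targeting history plus the device/location context signals.
    Normal context and low targeting keep friction low; anything else tightens."""
    mine = [e for e in events if e[0] == user]
    regularly_targeted = len(mine) >= TARGET_THRESHOLD
    clicked = any(c for _, _, c in mine)
    context_ok = known_device and usual_location

    require_mfa = clicked or regularly_targeted or not context_ok
    session_hours = 8                      # assumed default working-day session
    if regularly_targeted:
        session_hours = 2                  # frequent targets re-verify more often
    if clicked or not context_ok:
        session_hours = 1                  # highest compromised-credential risk
    return require_mfa, session_hours
```

With the sample data, the executive assistant outranks the CFO despite a lower title, and a sign-in from an unfamiliar device tightens the policy even for a rarely targeted analyst.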
The bottom line
The current pandemic has given us many reasons for concern. By proactively asking the right questions about hackers, though, cybersecurity need not be one of them. Gaining detailed visibility into who hackers are targeting and what tools they’re using is the first step on the road to security. Acting on that information is the end goal and is non-negotiable in the current landscape.
The bottom line is that the attack surface has expanded, and government and health care workers are particularly vulnerable to phishing. This should serve as the impetus, if it hasn’t already, for implementing granular security controls that protect the most-targeted users without slowing down the rest of the workforce.
Bruce Brody is federal CISO at Proofpoint.
Kelsey Nelson is senior product marketing manager with Okta.