Reduce the Risk of Phishing Attacks on Your Company

Posted by Stephen Ferrell

Cybersecurity professionals have perhaps the most challenging job in information technology. Much of their work is done quietly, out of sight and out of mind, until a security breach occurs; then the cybersecurity professional is front and center. Email security is one of the biggest challenges facing organizations today.

The Challenge

The challenge for cybersecurity professionals is to categorize and assess risks accurately. Firewalls, vulnerability scanners, and security information and event management (SIEM) are woven together to create a risk-based security barrier. While technological safeguards can be highly effective at reducing security risk, the hardest element for the cybersecurity professional to manage is often the human one.

Every employee with an email address in your organization is a risk to your business. How those employees react to a phishing attempt can be critical to the success, or the destruction, of your business.

Historical Solutions

Reducing the risk of phishing attacks on your company has historically followed three paths: awareness training, simulation, and email filtering. Together these three tools can undoubtedly reduce risk, but is the risk to your business as low as reasonably practicable (ALARP)?

The ALARP principle will be familiar to cybersecurity professionals who use failure mode and effects analysis (FMEA) or other risk models to assess their cybersecurity landscape. ISACA (the Information Systems Audit and Control Association) introduced a dedicated certification, CRISC (Certified in Risk and Information Systems Control), to encourage and grow competency in information security risk management.

The Reality

How, though, can we account for the potential risk posed by each email user in our organizations? The truth is that we can't. Legislating and preparing for the possible actions of countless associates, with different technical skills, diverse knowledge and experience, and limited or no aptitude for sniffing out fraudulent emails, presents the cybersecurity professional with the most difficult of challenges.

Awareness training is often the cybersecurity team's first point of contact with the email user community. It typically takes the form of a training video or slide show that presents the trainee with several scenarios and records how they react to a potential phishing attempt. Awareness training may well be a useful tool for reducing phishing risk, but it relies entirely on the memory, understanding, and technical aptitude of the trainees. Further, it is usually delivered at a single point in time, perhaps once a year but more often only once, when an employee is hired. Legacy employees and those with long tenure may not have seen any training for years, if ever.

Simulated phishing attacks have also become a popular way of trying to reduce phishing risk. Simulation involves installing a third-party application that lets the cybersecurity professional craft a fake phishing attack and measure its impact on the organization. The actual effectiveness of this type of tool is hard to measure. It is very hard to devise simulated scenarios that accurately reflect a likely attack, and the results of one simulation are hard to compare with another: demographics, technical aptitude, and general email competency vary, so there is no guarantee of a consistent response from one simulation to the next. A further, often unintended, consequence of phishing simulation is that the email user community can become so focused on risk that they lose confidence in their ability to tell fact from fiction, and IT's inboxes quickly fill with 'is this real?' requests.

Spam and malware filters are perhaps the most ubiquitous of all the common phishing risk mitigators. Spam filters use statistical analysis of message content to assess and filter out junk email and wide-net phishing campaigns; they look for the awkward tell-tale signs of junk mail. Properly configured, they are highly useful at keeping the trash out of your mailbox. Malware filters work similarly, using various algorithms to assess attached files and isolate and remove those that may carry a virus or ransomware. While spam and malware filters are undoubtedly useful for reducing the risk of phishing attacks, they are often ineffective against the nuanced, handcrafted phishing attacks of today, whose wording is deliberately made to read like ordinary business mail. Last year, the losses attributable to the collective failure of filters, training, and simulation ran into the billions.
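The gap described above, as an added illustration that is not INKY's code and not part of the original post: a minimal statistical spam filter of the kind the paragraph describes (multinomial naive Bayes over word tokens, trained on a small constructed corpus) assigns a near-certain spam score to a bulk "verify your account" message, but passes a handcrafted CEO-impersonation request whose wording looks like routine internal mail. A simple sender-identity check is what catches the second message. The training corpus, the two test messages, `INTERNAL_DOMAIN` and `EXECUTIVE_NAMES` are all assumed values constructed for the example.

```python
"""Added illustration (not INKY's code, not from the original post): a minimal
statistical spam filter beside a simple sender-identity check, showing why a
bulk phish is caught by content statistics while a handcrafted CEO-impersonation
request, worded like ordinary internal mail, is not."""
import math
import re
from collections import Counter
from email.utils import parseaddr

# Constructed training corpus (not real mail): bulk spam vs. legitimate internal mail.
SPAM_TRAINING = [
    "CONGRATULATIONS you have WON a free prize click here to claim now",
    "urgent verify your account password now or it will be suspended click link",
    "cheap meds online buy now limited offer free shipping click here",
    "your mailbox is full click here to upgrade storage now free",
]
HAM_TRAINING = [
    "hi team please review the attached report before our meeting tomorrow",
    "can you send me the updated budget figures for the quarterly review",
    "thanks for the update let us sync on the project plan next week",
    "the vendor invoice is attached please approve when you get a chance",
]

TOKEN = re.compile(r"[a-z]+")


def tokenize(text):
    return TOKEN.findall(text.lower())


class NaiveBayesFilter:
    """Multinomial naive Bayes with add-one (Laplace) smoothing over word tokens."""

    def __init__(self, spam, ham):
        self.spam_counts = Counter(t for m in spam for t in tokenize(m))
        self.ham_counts = Counter(t for m in ham for t in tokenize(m))
        self.vocab_size = len(set(self.spam_counts) | set(self.ham_counts))
        self.spam_total = sum(self.spam_counts.values())
        self.ham_total = sum(self.ham_counts.values())
        self.prior_spam = len(spam) / (len(spam) + len(ham))

    def spam_probability(self, text):
        """P(spam | text), accumulated in log space to avoid underflow."""
        log_spam = math.log(self.prior_spam)
        log_ham = math.log(1.0 - self.prior_spam)
        for tok in tokenize(text):
            log_spam += math.log((self.spam_counts[tok] + 1) / (self.spam_total + self.vocab_size))
            log_ham += math.log((self.ham_counts[tok] + 1) / (self.ham_total + self.vocab_size))
        diff = log_ham - log_spam          # log-odds of ham vs. spam
        if diff > 700:                     # exp() would overflow; the answer is ~0 anyway
            return 0.0
        if diff < -700:
            return 1.0
        return 1.0 / (1.0 + math.exp(diff))


# Assumed organisation details for the identity check (hypothetical values).
INTERNAL_DOMAIN = "corp.example"
EXECUTIVE_NAMES = {"jane doe"}


def impersonation_flags(from_header):
    """Flag an executive's display name paired with a mailbox outside the company."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    if name.strip().lower() in EXECUTIVE_NAMES and domain != INTERNAL_DOMAIN:
        flags.append("executive display name sent from external domain %s" % domain)
    return flags


# Constructed test messages (not real mail).
BULK_PHISH = {
    "from": "Security Team <alerts@mail-verify-center.example>",
    "body": "URGENT your account password will be suspended click here to verify now free",
}
SPEAR_PHISH = {
    "from": "Jane Doe <jane.doe.ceo@webmail.example>",   # CEO's name, external mailbox
    "body": "hi can you send me the updated vendor invoice figures before the meeting i am traveling thanks",
}


def assess(message, model):
    """Combine the content score with the identity check into one verdict."""
    score = model.spam_probability(message["body"])
    flags = impersonation_flags(message["from"])
    return {"spam_probability": score, "flags": flags, "suspicious": score > 0.5 or bool(flags)}


if __name__ == "__main__":
    model = NaiveBayesFilter(SPAM_TRAINING, HAM_TRAINING)
    for label, msg in (("bulk phish", BULK_PHISH), ("spear phish", SPEAR_PHISH)):
        print(label, assess(msg, model))
```

Run stand-alone, the bulk message scores well above 0.99 while the spear-phishing message scores well below 0.01 on content alone; only the identity check, which looks at who the mail claims to be from rather than what it says, marks the second message as suspicious. Real filters use far richer features, but the shape of the blind spot is the same.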

The Solution

The INKY Phish Fence platform takes an entirely new approach to awareness training. Instead of delivering it at an annual seminar, we give protected email users in-line awareness training in every email they receive; that is email phishing protection. When an INKY-protected email arrives, it carries a non-intrusive, color-coded banner with a direct and concise analysis of that message. In effect, every email becomes a teachable moment. INKY Phish Fence conditions users to understand the difference between legitimate emails, potential phishing attacks, and those that are undoubtedly nefarious.

INKY's Phish Fence solution doesn't require simulation because each email is assessed in real time. IT can choose to deliver red-banner emails to users as an education and awareness tool, or to divert them into a quarantine pool for later risk evaluation by IT.

INKY's Phish Fence is designed to filter spam and malware, but that is only its second nature; its first is the ability to identify and filter out the subtleties of brand forgery attempts, the nuances of CEO impersonation, and the underpinnings of spear phishing attacks.

INKY is a next-generation phishing risk reduction platform in which machine learning, artificial intelligence, and computer vision combine to drive your phishing attack risk as low as reasonably practicable.

Take the INKY Phishing fitness test today and let us prove it to you.

INKY – Phight Phish
