gain credentials and other sensitive information and typically also install malware to hunt for other sensitive data, or, if you are really unlucky, install ransomware. Third-party contractors can also mismanage critical organization or customer data, whether intentionally or through ineffective IT security and controls. In fact, third-party involvement in causing a data breach increases the per capita data breach cost.
Strategies to Mitigate the Risk
To help combat this threat, aside from system hardening and email filtering, organizations should start a security awareness program to train anyone with an email address to identify suspect emails and report them.
"Every industry is vulnerable to a cyberattack, but certain industries face higher data breach costs." Anthony Munns
Also include a scenario in your incident response plan for how to identify, report and quarantine a malware attack. Having an incident response team and employee training are factors that decrease the per capita cost of a data breach, according to the Ponemon study.
As seen in the St. Louis Business Journal online edition
Ready Your Company for the Next Wave of Phishing
Bill Gogel, QSA, CISA, CBRM, ACDA
According to the 2016 Verizon Data Breach Investigation Report, reported email phishing incidents have increased 50 percent year-over-year.
Email phishing is the most prevalent form of social engineering — the act of manipulating people into disclosing sensitive data. Humans are becoming an easier target than modern security appliances are to defeat. Worse yet, the attackers are not going to stop at gaining credentials or other sensitive information; they typically also install malware to hunt for other sensitive data.
When security experts conduct requested test phishing campaigns at organizations, they see a 75 percent click rate. After users have gone through training, the security experts conduct a second campaign to see how effective the initial training was. The click rate dramatically drops to 5-10 percent at that point.
FBCS, CITP, CIRM, CISA, Partner, IT Audit and Security Services, Brown Smith Wallace, 314.983.1297
Steps to Take to Prevent Phishing
Focus on the following three areas to set a strong foundation for preventing phishing in your organization:
1. Start with a mature security awareness program. C-level executives typically have their email addresses published on their organization's website, which makes them an easy target for spear phishing. Anyone with an email account should go through training on how to identify suspect emails, how to report them and how IT can help communicate current threats.
2. Email filtering is a must-have for any company. The market is flooded with great products, so analyzing the cost and benefit will most likely work in your favor. If your organization uses Office 365, you get email filtering for free — it just needs a little configuration from your IT department.
3. Have a tested incident response plan. Pretend an email gets past your filters, a user gets phished, and you have to limit the impact. Have a scenario in your incident response plan for how to identify, report and quarantine a malware attack. Malware works quickly and, according to the Verizon report, only takes days to do its job.