The Tactic

Three security tactics for every IT leader to consider this fall

Raise your hand if you know someone who’s fallen for a phishing scam.

The ordeal often requires a few hours, several emails to tech support to regain control of the account, and finally, the reversal of credit card charges.

Now imagine this happening to a colleague’s work email address. As an IT professional, you might have onboarded them into the company’s network, trained them on best practices, and worked with them regularly in the past. Now, their email is a sieve, leaking private company data. Hackers may publish material non-public information, damaging your company’s reputation with customers and the public. The employee may even face disciplinary consequences.

But it didn’t have to be this way.

This story is part of The Tactic, a series that shares productivity methods for companies.

With hybrid work schedules becoming permanent for many companies and sensitive data spread to anyone with a device, security hygiene is more critical than ever for large companies. With this changing work ecosystem in mind, there are tactics worth a revisit by every security and IT leader this fall. As employees come back from their summer holidays and settle into the busiest time of year, refreshed security practices could save a company.

1. Consider opt-in phishing tests or multi-factor authentication.

Determine if you want to conduct opt-in phishing training or tests for your team.

Andreas Grant, a network security engineer and founder of Networks Hardware, advocates for a measure that sounds risky but, he says, creates a culture of security among employees: phishing tests.

Here’s how Grant advises phishing tests be conducted: “Once or twice a month, employees will receive a phishing email as a test. Whoever manages to see through the scam can be rewarded for their effort. This way, we get to keep things fun for both the employees and the security department. Moreover, as these tests are performed monthly, we can make everyone aware of the latest phishing styles. It’s a new style every month to keep everyone on their toes.” (Grant suggests GoPhish as a resource for conducting such tests, but the market is full of options.)

However, multi-factor authentication—like requiring the use of an authenticator app on your device after you enter your password—is sometimes recommended instead of organizing such phishing expeditions.

Phishing tests have their prominent critics—and with good reason: one possible result is a rift between the security team and the rest of the employees.

Sean Cassidy, Head of Security at Asana, writes against the idea in a 2020 essay. In “Phishing Simulations Considered Harmful,” Cassidy asserts that they “are often unrealistic, bypass real phishing controls, and raise more resentment than awareness.” 

Cassidy suggests that leaders “offer opt-in phishing training and let your employees decide what they need.” 

Deceptive phishing scams, as IT leaders know, use legitimate links in email messages, modify brand logos, and present images of text instead of the actual text. (The use of images circumvents rudimentary text scanning methods by email service providers that look for harmful or deceptive content.)
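The point about images of text is worth seeing in code. The following is an added example, not code from the article or from any vendor it mentions: it parses a raw email, measures how much visible text the HTML body actually carries against how many images it embeds, and flags messages that are almost entirely pictures, since a scanner that only reads words has nothing to inspect in such a message. Both sample messages, the `example.com`/`example.net` addresses, and the 20-word threshold are constructed for this illustration.

```python
"""Heuristic triage for 'text rendered as an image' phishing messages.

A text scanner that only looks at words sees nothing in a message whose
whole pitch is a picture. This script parses an RFC 822 message, pulls out
the HTML (or plain) body, and reports visible words versus embedded images.
All sample messages below are constructed for this example.
"""
import email
from email import policy
from html.parser import HTMLParser


class _BodyStats(HTMLParser):
    """Count visible words and <img> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.words = 0
        self.images = 0
        self._hidden = False  # inside <script>/<style>: not visible text

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images += 1
        elif tag in ("script", "style"):
            self._hidden = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._hidden = False

    def handle_data(self, data):
        if not self._hidden:
            self.words += len(data.split())


def body_stats(raw_message: str) -> dict:
    """Return {'words': n, 'images': m} for the message's preferred body part."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:
        # No HTML body: fall back to the plain-text part, which cannot embed images.
        plain = msg.get_body(preferencelist=("plain",))
        text = plain.get_content() if plain is not None else ""
        return {"words": len(text.split()), "images": 0}
    parser = _BodyStats()
    parser.feed(html_part.get_content())
    return {"words": parser.words, "images": parser.images}


def looks_image_only(raw_message: str, min_words: int = 20) -> bool:
    """True when the body embeds images but carries fewer than min_words scannable words.

    This is a triage signal for a closer look, not a verdict on its own.
    """
    stats = body_stats(raw_message)
    return stats["images"] > 0 and stats["words"] < min_words


# Constructed sample: an ordinary notification whose content is real text.
NORMAL_MESSAGE = """\
From: alerts@example.com
To: user@example.com
Subject: Your invoice is ready
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello, your invoice for September is attached. You can review
line items, download a PDF copy, or contact our billing team with questions
about any charge listed on this statement. Thank you for your business.</p>
<img src="https://example.com/logo.png" alt="logo"></body></html>
"""

# Constructed sample: the entire pitch is one large image plus a single filler word.
IMAGE_ONLY_MESSAGE = """\
From: security-notice@example.net
To: user@example.com
Subject: Action required
Content-Type: text/html; charset="utf-8"

<html><body><img src="https://example.net/notice.png" width="600" height="800">
<p>Unsubscribe</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("normal", NORMAL_MESSAGE), ("image-only", IMAGE_ONLY_MESSAGE)):
        print(name, body_stats(raw), "flag:", looks_image_only(raw))
```

In a real mail pipeline this check would sit beside, not replace, URL reputation and sender authentication checks; its job is only to surface the messages that word-based filters cannot see into.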

“Phishing scams are currently the favorite attacking weapon for cybercriminals,” Grant tells Asana. “This is the attack that requires our utmost attention.” 

In whatever form they take, phishing attempts may always be criminals’ favorite campaign, as they rely on age-old subterfuge and a little social engineering to pull off the con. (The FTC’s press releases about phishing scams go back a decade.)

Phishing remains a huge problem: The Verge reports this month that the “0ktapus” targeted phishing campaign has affected more than 130 organizations after the targets received a deceptive text message. 

2. Practice zero-trust policies

The concept of “zero trust” is built into many security products and protocols—but it’s not everywhere. In short, zero trust is a policy that requires authentication—often a password plus a second authentication method—before every critical step in a process. Even if an employee logs into their office’s local wifi network, they still must authenticate themselves before using various company apps. Location doesn’t matter with zero trust.
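To make “location doesn’t matter” concrete, here is an added example (not code from the article or from any product it names) that puts a perimeter-style access decision beside a zero-trust one. The zero-trust function never reads the source network; it checks the primary credential, the device, and how recently the second factor was completed, and insists on a fresh second factor before the actions it treats as critical. The request fields, the set of critical actions, and the 15-minute freshness window are all assumptions chosen for this illustration.

```python
"""Zero-trust access decision contrasted with a perimeter (network-location) model.

Each access request records who is asking, whether their primary credential
was verified, how old their last second-factor check is, whether the device is
managed, where the request comes from, and what action is requested. The
perimeter model trusts the office network; the zero-trust model never consults
it. Thresholds, action names and sample requests are constructed for this example.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed policy values for this example.
MFA_FRESHNESS_SECONDS = 15 * 60  # second factor must be newer than this for critical actions
CRITICAL_ACTIONS = {"export_customers", "change_payroll", "rotate_api_key"}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    authenticated: bool           # password / SSO credential verified
    mfa_age_seconds: int | None   # seconds since last second-factor check; None if never
    device_enrolled: bool         # device is managed and known to the company
    on_office_network: bool       # source address is inside the office LAN
    action: str


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: anything on the office network is trusted outright."""
    if req.on_office_network:
        return True
    return req.authenticated and req.mfa_age_seconds is not None


def zero_trust_decision(req: AccessRequest) -> tuple[bool, str]:
    """Every request is authenticated and device-checked; source network is ignored."""
    if not req.authenticated:
        return False, "primary authentication required"
    if not req.device_enrolled:
        return False, "unknown device"
    if req.mfa_age_seconds is None:
        return False, "second factor required"
    if req.action in CRITICAL_ACTIONS and req.mfa_age_seconds > MFA_FRESHNESS_SECONDS:
        return False, "re-authenticate with second factor before critical action"
    return True, "allowed"


# Constructed scenario: an unmanaged laptop plugged into the office LAN, no login at all.
ROGUE_ON_LAN = AccessRequest("guest", False, None, False, True, "export_customers")
# Constructed scenario: an employee at home on a managed laptop, second factor 2 minutes old.
REMOTE_EMPLOYEE = AccessRequest("alice", True, 120, True, False, "export_customers")
# Constructed scenario: an employee at the office whose second factor is two hours old.
STALE_IN_OFFICE = AccessRequest("bob", True, 7200, True, True, "change_payroll")

if __name__ == "__main__":
    for req in (ROGUE_ON_LAN, REMOTE_EMPLOYEE, STALE_IN_OFFICE):
        print(f"{req.user:6} {req.action:17} perimeter={perimeter_decision(req)!s:5} "
              f"zero_trust={zero_trust_decision(req)}")
```

The office-network cases are the instructive ones: the perimeter model lets both the rogue laptop and the stale session through because of where they sit on the network, while the zero-trust model refuses the first for lack of any authentication and sends the second back for a fresh second factor before the payroll change.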

“Implementing zero-trust security is the answer to keeping hybrid and remote work secure. The network trusts the devices provided, and nothing else,” Eric Florence, a cybersecurity consultant and writer for Security Tech, tells Asana.

3. Develop risk-reduction procedures

While prevention is critical to securing a company’s data, there’s just as much value in knowing what to do when prevention efforts fail. The reality for many companies is that it’s not a matter of if but when they suffer a data breach. When employees know what to do after a data breach, IT leaders can contain the leak and plug it much faster, says one IT expert.

“Many firms, especially large ones, will suffer a security breach at some point; it’s only a question of when,” says Travis Lindemoen, Managing Director of Nexus IT Group, a firm that recruits IT professionals. “With the same diligence that is put into preventing attacks, businesses should also be prepared to mitigate the damage caused by data breaches.” 

This sort of reactive procedure—to put it another way, a contingency plan—shouldn’t be an afterthought, advises Lindemoen. FTC guidance for businesses that have suffered a data breach suggests these actions: work to prevent further breaches by securing the vulnerability, and notify the affected parties and law enforcement. If your breach included health records, in some cases you must inform the FTC and the media.

Have a suggestion for a tactic that’s worked for you? Email nicklucchesi@asana.com.
