“91% of attacks start with a phish, and close to 100% of those use email as the main way to get into your organization.”
These were the words of Mimecast’s director product marketing Dan Sloshberg speaking at IP EXPO Europe in London this week, where he explored the anatomy of successful phishing attacks and how to defend against them.
Anybody is a target so everybody is at risk, he said. Even if you ‘think’ you don’t have any valuable data, “70% of attacks lead to a secondary target, so you might just be the stepping stone.”
Hackers manipulate social media and networking sites such as LinkedIn to really do their homework and research possible victims, and they are becoming a lot smarter with the methods they use to trick people.
According to Sloshberg, while companies are spending more and more on security, in some circumstances money is not being spent in the right places, which leads to companies continuing to fall victim to the same old cyber-attacks.
“If we are going to be putting security layers in place, let’s make sure we’re putting the right type of security in place to have the most effectiveness.”
Protecting against phishing comes down to two key aspects of defense, he continued, with the first being technology.
“Technology is key, but the type of technology needed has changed. A few years ago organizations could rely on things like anti-virus and anti-spam, but that type of security is no longer sufficient to protect against the more sophisticated attacks.”
“Things like URL rewriting, URL scanning, real-time analysis, sandboxing and inspecting the attachment on an email are absolute requirements,” he added.
However, it’s also vital that companies don’t forget about the importance of employee education.
“People are the weakest link in the chain,” Sloshberg argued. “They always have been and always will be. At every opportunity you should be looking at how to make staff more aware of the bad stuff out there.”
If your employees see something suspicious, you don’t want them to just delete it, you want them to report it to the security officer, he added.
To conclude, Sloshberg said that unlike five years ago, protection alone is still not enough; you need a plan of remediation for when the worst happens.
“You’ve got to have a plan so that your organization can continue operating even if it’s breached. Can you remediate and get back to a good state and recover your data to a recent enough version so the business isn’t too adversely affected?”
It’s about more than just detection, it’s about cyber resiliency, he said.