Column

Phishing protection begins with training, antiphishing evangelist

Eric Ogren, Contributor

Law enforcement has demonstrated that it's serious about cracking down on phishers, spammers and other nefarious cybercriminal activity, but now is the time for security organizations to launch an antiphishing program to protect customers and employees from the upcoming wave of attacks that will most certainly mark the holiday season.

    Requires Free Membership to View

SearchSecurity.com:
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

Phishing is a nagging social problem that preys on users' trust of established brands and confidence in the Internet. The classic phishing scam consists of a plausibly written email message containing a link to a phish website that looks like the real thing, but is designed to steal passwords and account numbers when the unsuspecting user authenticates. While law enforcement is part of the solution to breaking up phishing rings, IT needs to continuously focus on social countermeasures to fight the strength of phishing attacks.

Technical approaches help, but cannot prevent users from clicking through or being redirected to a phish site. The use of SSL and certificates can help prove to the user that they are at the desired website, but are not much help in telling the user when they are being phished. Security-aware DNS services can help reduce transparent redirects to phish websites and antispam technology is imperative in blocking the bulk of phishing-oriented email, but the sheer volume of attack messages makes it likely that some attacks will break through to user inboxes. Security technology cannot be everywhere and user education is still the key in reducing the success rates of phishing attacks.

Eric Ogren's recent security columns:
Feds push cybersecurity jobs, PCI DSS changes ahead. The federal government plans to fill cybersecurity jobs, the payment industry is studying PCI virtualization best practices and Microsoft offers free endpoint protection software.

Whitelists, SaaS modify traditional security, tackle flaws
 It is time for IT professionals to transform security into a capability that is as dynamic as the attack landscape, says security expert Eric Ogren of the Ogren Group. 

Secure virtual desktop software enables remote client security: Virtual desktops control endpoints and cut costs for an Atlanta-based financial company. The setup helps IT control core essentials and enforce acceptable use policy. 

Even if you have ongoing user education, it's time to give employees and customers at least three antiphishing messages before the holidays. Gift giving of the holiday season and the prospect of launching the New Year with a too-good-to-be-true deal will drive a spike in phishing attacks. A marketing rule of thumb is to "tell, tell, tell" because the listener needs to hear the message three times to be remembered. Spend a few minutes looking at identified phishes to help create an antiphishing educational campaign that reaches its audience via email, video snippets and social communications such as blogs, Twitter and websites.

It is in everybody's best interest to identify and block phishing attacks as quickly as possible, before a customer, prospect or employee falls prey to an attack. Reach out to security vendors and organizations such as the PhishTank to streamline communications when there is a suspected phish. Establish metrics for the number of phish inquiries received, response times to clear and number of phishing complaints to the customer service desk. Protect your business reputation and relationship with users by confirming phishing attacks as rapidly as possible so security vendors can block access. Designate an antiphishing evangelist and offer that resource to employees and customers. The designated person is responsible for tracking phishing attacks against the company, responding to user inquiries about the legitimacy of corporate communications and coordinating policies and procedures amongst security, IT, marketing, customer support and security vendor teams. It is important to have a go-to resource, especially for companies such as online merchants and financial institutions that are commonly phished.

The business model of phishing attacks works because trusting individuals click on a link and enter confidential information that can then be used for financial gain. The strongest recourse is to teach users to recognize the behavior of phishing attacks, to quickly confirm or clear a suspected phishing attack and to continuously evangelize to keep the community aware of the major trends in phishing attacks with recommended preventive actions. Security teams starting now have a chance to protect employees and customers alike for the holiday season and beyond.


Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to eric@ogrengroup.com.


There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: