If you are a CTO charged with maintaining the security of your organisation’s network, you will already be well aware of phishing attacks. Phishing represents a huge threat to the online security of individuals and organisations alike. In fact research suggests that 95% of all successful cyber-attacks start with phishing.
Given the scale of the threat, combating phishing attacks is one of the priorities of the UK’s National Cyber Security Centre, and they have just published new guidance for organisations on how to protect your organisation against email phishing threats. The guidance is aimed at organisations of all sizes, in all sectors and has been produced in collaboration with CPNI, government, academia and industry.
Here are some of the NCSC’s tips:
Don’t let your email addresses be a resource for attackers
Attackers ‘spoof’ trusted emails, making their emails look like they were sent by reputable organisations (such as yours). Make it harder for email from your domains to be spoofed by employing the anti-spoofing controls: DMARC, SPF and DKIM, and encourage your contacts to do the same.
Reduce the information available to attackers
Attackers use publicly available information about your organisation and users to make their phishing (and particularly spear phishing) messages more convincing. This is often gleaned from your website and social media accounts (information known as a ‘digital footprint’).
Understand the impact of information shared on your organisation’s website and social media pages. What do visitors to your website need to know, and what detail is unnecessary (but could be useful for attackers)?
Filter or block incoming phishing emails
Filtering or blocking a phishing email before it reaches your users not only reduces the probability of a phishing incident; it also reduces the amount of time users need to spend checking and reporting emails.
Check all incoming email for spam, phishing and malware. Suspected phishing emails should be filtered or blocked before they reach your user. Ideally this should be done on the server, but it can also be done on end user devices (i.e. in the mail client). Your filtering/blocking service might be a cloud-based email provider’s built-in service, or a bespoke service for your own email server.
Respond quickly to incidents
All organisations will experience security incidents at some point, so make sure you’re in a position to detect them quickly, and to respond to them in a planned way. Knowing about an incident sooner rather than later allows you to limit the harm it can cause.
Having a security monitoring capability can pick up on incidents your users are not aware of, although this is not suitable for all organisations as it is very resource intensive. As a starting point you can gain visibility of your systems/networks by collecting logs. For those with enough resources, and a strong security need, this can be expanded into reactive monitoring against known threats.
To collect this information, you can use monitoring tools built into your off-the-shelf services), build an in-house team, or outsource to a managed security monitoring service. The amount you collect and store will depend on your budget, the volume of logs, and how much you are able to analyse. Cloud storage can prevent storage capacity being a limiting factor.
The full NCSC guidance is available online. If you want more advice or would like to consider implementing a managed security monitoring serve please give me a call and I would be delighted to help you as we have helped many other clients with the same concerns.
Sonny Sehgal
Head of Cyber Security
