At a recent Black Hat conference in the US, nearly half the delegates who were polled about phishing scams said they were not confident their company’s executives could spot one. So, dear reader, how confident are you that your senior managers could spot a phishing scam?
There are a number of technologies available to help deal with email-borne scams. It’s fair to say none of them are 100% effective and some scam emails will get through. This places a reliance on the email recipient to handle the scam email in the most appropriate way, and that is where training and education for the user come in. So what are the most effective techniques today?
Businesses with their own email server or system can heavily reduce the volume of scam or phishing emails getting through to user inboxes by using an email scanning system, typically placed in front of the email server. This could be a cloud-based service, such as MessageLabs, AVG CloudCare or Symantec Email Security.cloud, or an in-house system, such as MailScanner, Sophos XG Firewall or GFI MailEssentials.
Our experience is that some of the cloud-based services do let through some spam emails that would typically be caught by an on-site engine. For many organisations, a cloud-based service is a good first choice for technical control, as it does not rely on the organisation having to maintain the system. Some cloud-based services can be configured to allow individual user access to review and control any quarantined emails against their own email address – for example, delete, release or block – and thus the pressure on in-house support staff is reduced.
Individuals and businesses that buy their email service from a second or third party – for example, their internet service provider, Microsoft 365, Google and other internet-based hosting companies – should look to ensure the email service is supplied with comprehensive email protection such as spam or phishing protection, or antivirus software.
The value of PC-based email protection is questionable. It may well provide a long stop, but the antivirus product running on the PC should provide protection without needing to be integrated with the email product. Microsoft discussed this back in 2008 in relation to Outlook Express.
On spam detection, PC-based products are useful where there is no front-end protection, such as at ISP level, but they will rely on being fully maintained, up-to-date and typically won’t be as good as a cloud-based service. However, many of the products available for the PC provide a complete suite of facilities, including antivirus, URL checking and spam filtering, and are still a valuable additional technical control.
With the technical controls in place, you need to train and educate users on spotting emails with malicious intent, as well as knowing what to do should something go wrong. Remember that such an exercise is not a one-off. It must be supported and reinforced on an ongoing basis.
The message in any training and education is that failure will typically lead to potentially significant financial loss. In early 2016, our company helped a mid-sized company, with about £3m in turnover, that was hit with ransomware. In this case, an email from an unknown supplier with a PDF invoice was opened. It took two days and approximately 60 resource hours to fully recover the IT and data. The overall cost ran into thousands of pounds.
The message of not opening emails from unknown sources, or unexpected emails or attachments, is key, but those messages must be reinforced by identifying the potential for financial loss or potential PR disaster. These are messages that senior managers and board directors can understand, because they generally won’t understand technical gobbledygook.
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.