7 keys to an effective anti-phishing program
Providers are inundated with carefully crafted hacker emails and must increase the sophistication of their defenses.
Providers must improve defenses to beat phishing attacks
Through 2020, email-related phishing probes will remain the primary method of advanced targeted attacks to get data from healthcare organizations and other entities, according to Gartner. Effective mitigation of inbound phishing attacks compels chief information security officers to take a multipronged approach that spans technical, procedural and educational controls. Gartner surveys the damage that can be done and ways to mitigate the threat.
Increasing volume and sophistication of phishing attacks are resulting in real financial damage to organizations in both downtime (such as ransomware attacks) and direct financial fraud (such as wire transfers). Phishing content does not always include a malicious payload, making phishing emails increasingly difficult to detect. Phishing attacks against employees have expanded beyond email to include social media, instant messaging, SMS and voice communications.
Don’t rely on passwords alone for authentication. Phishing attacks frequently target users with access to sensitive data, and attempt to capture passwords in order to impersonate corporate officers. Passwords should not be considered sufficient for anything other than the lowest-risk applications.
Take a new fresh look at email
Upgrade to the latest version of your secure email gateway (SEG), and request a policy audit from the SEG vendor to ensure that the most effective security controls are enabled and correctly tuned.
Adopt filtering technology
Deploy URL filtering (that uses URL proxying and time-of-click analysis), attachment sandboxing, and content disarm and reconstruction (CDR). Ask incumbent SEG vendors to improve notification to end users of suspect emails that cannot be blocked or quarantined.
Ensure proper desktop and Web gateway security is in place to avoid infections from malicious attachments and URLs.
Enforce higher-trust authentication
At a minimum, this should include all system administrators, users that handle sensitive information and users with remote access to corporate resources.
Conduct focused training
Implement real-time anti-phishing training, and expand the program to cover social engineering via multiple communication channels, not just email.
Check internal controls
Strengthen internal process controls on financial transactions and other procedures that mitigate the risk of misguided employee actions motivated by phishing content.