7 keys to an effective anti-phishing program

Published
  • March 30 2018, 3:00am EDT

Providers must improve defenses to beat phishing attacks

Through 2020, email-related phishing probes will remain the primary method of advanced targeted attacks to get data from healthcare organizations and other entities, according to Gartner. Effective mitigation of inbound phishing attacks compels chief information security officers to take a multipronged approach that spans technical, procedural and educational controls. Gartner surveys the damage that can be done and ways to mitigate the threat.

Increasing volume and sophistication of phishing attacks are resulting in real financial damage to organizations in both downtime (such as ransomware attacks) and direct financial fraud (such as wire transfers). Phishing content does not always include a malicious payload, making phishing emails increasingly difficult to detect. Phishing attacks against employees have expanded beyond email to include social media, instant messaging, SMS and voice communications.

Fighting back

Don’t rely on passwords alone for authentication. Phishing attacks frequently target users with access to sensitive data, and attempt to capture passwords in order to impersonate corporate officers. Passwords should not be considered sufficient for anything other than the lowest-risk applications.

Content Continues Below

Take a new fresh look at email

Upgrade to the latest version of your secure email gateway (SEG), and request a policy audit from the SEG vendor to ensure that the most effective security controls are enabled and correctly tuned.

Adopt filtering technology

Deploy URL filtering (that uses URL proxying and time-of-click analysis), attachment sandboxing, and content disarm and reconstruction (CDR). Ask incumbent SEG vendors to improve notification to end users of suspect emails that cannot be blocked or quarantined.

Gateway security

Ensure proper desktop and Web gateway security is in place to avoid infections from malicious attachments and URLs.

Content Continues Below

Enforce higher-trust authentication

At a minimum, this should include all system administrators, users that handle sensitive information and users with remote access to corporate resources.

Conduct focused training

Implement real-time anti-phishing training, and expand the program to cover social engineering via multiple communication channels, not just email.

Check internal controls

Strengthen internal process controls on financial transactions and other procedures that mitigate the risk of misguided employee actions motivated by phishing content.