grandeduc - Fotolia


Relaxed security lets email phishing sink an organization

Email phishing attacks are often the result of incomplete security. IT pros must follow a strict security protocol to protect organizations from these types of vulnerabilities.

IT creates unnecessary risks if it takes the path of least resistance when it comes to security. There's no other place where the consequences of this can hit harder than email phishing.

Email phishing is when an attacker sends a malicious link or attachment within an email or form of online communication. If a user clicks on the link, a virus can be downloaded and infiltrate the user's private system, stealing login credentials or other valuable information. Attackers target users and vulnerable workstations because they know that their chance of success is extremely high. For the sake of expediency and shifting tasks quickly, users also often take the path of least resistance by clicking before thinking. One bad click can compromise an entire network in organizations of all sizes and levels of security.

Looking at all the areas of security uncertainty, the outcomes associated with email phishing trump other security risks. Still, email phishing is not an insurmountable problem. It's a security challenge that IT must address in proactive and measured ways.

Get a handle on email phishing scams

When IT follows this four-step approach, it can truly reduce the risk of email phishing scams compromising the network.

Communicate the problem: Communication is the first and often most difficult step. Most IT pros are aware that email phishing exists, but many of them have not quantified it in terms of how it affects their particular organization, nor have they properly communicated the risk management tasks they need to accomplish to limit the danger. If IT approaches the threat from a purely technical or security perspective, it will never get the political and financial backing it needs to effectively fight it. There are numerous studies that come out every year from Verizon, Ponemon Institute and other companies that quantify the specific threats and outcomes across various industries. Vendors with products that fight email phishing have good resources IT should consult as well. IT pros should use this information to educate decision-makers in their company so they can make truly informed decisions.

Assess where security currently stands: IT cannot address security risks it doesn't know about. IT knows that email phishing is a problem, but many organizations don't have a protocol in place for dealing with the aftermath once it's unleashed. The only way to establish a protocol is through in-depth email phishing testing. IT pros can perform tests using internal email and web resources. Organizations can purchase email phishing software on a subscription basis from vendors such as Lucy and PhishMe. Admins can also bring in experts to provide a unique approach to the testing.

Regardless of the type of email phishing testing, IT must test the system periodically and consistently. IT should not announce the testing to its users. It should target not just IT and security processes and controls but also the end users themselves. Email phishing tests that block messages at the perimeter or are run through help desk personnel are not enough. IT pros are fooling themselves into thinking that real-world email phishing won't make it to their end users. Anything less than a real simulation is just an exercise in checking the box to say they've done tests and serves no real purpose.

Patch the workstations: Going back to the path of least resistance, attackers know that users are not only gullible but that their workstations are rife with security flaws. From Windows OS patches to Office updates to third-party software, most systems IT tests have at least a dozen or more missing patches. Add the administrator-level privileges that most workstation users have to that, and there is a recipe for easily exploitable flaws that are likely to fly under IT's radar until it's too late.

IT can train people all they want, but if users don't listen, it's doing no good.

Help keep security on the top of users' minds: IT can train people all they want, but if users don't listen, it's doing no good. IT must enforce the proper type of security training in a positive light and on its terms. Remember that security awareness and training is not just an IT issue, it's a human resources issue. And organizations must handle it at a high level. Acknowledge the reality that users are not paying attention to the security policies. The most important thing to remember about users is that they do things for their own reasons, not IT's reasons. IT must use technology, processes and whatever else it takes to ensure that the users and the organization are set up for success.

It's surprising how many organizations are not proactive in system hardening, patch management and email phishing. Given this, it is not shocking how many organizations get hit with email phishing and the consequences. If IT simply targeted those three things alone and mastered them, it could likely eliminate a lot of quantifiable security risks.

Dig Deeper on Enterprise desktop management