
How to Avoid Phishing in an Always Expanding Sea

Phishing scams can devastate a company’s network if it isn’t prepared, and the growth of BYOD and cloud computing only exacerbates this. We asked an expert panel how you can protect your network from these attacks.


Stina Ehrensvard

CEO and Founder, Yubico 

What are common mistakes you see when it comes to digital security in business?

Roughly 80 percent of data breaches are a result of stolen or phished credentials. However, while this is one of the leading security problems for businesses, only about 10 percent of IT security’s time is dedicated to solving this issue by providing strong authentication options. The two other top problems causing a majority of breaches are using old, unpatched software, and lacking discipline when it comes to restricting file access based on user privilege. If more businesses would direct resources to mitigate these three major risks, they would significantly increase security. 

What are best practices for employee education when it comes to phishing?

It is critical to educate users on the importance of two-factor authentication (2FA), and break the stigma of it being difficult or hard to use. Many of the top services you use on a daily basis already have 2FA built into their applications. A majority of these also support FIDO security keys, which are the most effective and easy-to-use defense against phishing, and only require a single touch of the device to securely log in. Also, many leading services that support security keys make it possible for users to register and authenticate as often as they choose. No typing of passwords, no re-typing one-time passcodes, and no need for a user to present their security key every single time they log in. 

If your company falls victim to phishing, what are the critical first actions to take?

First, immediately change login credentials for the account being compromised to stop the hacker from getting access to more accounts and data. Then, add two-factor authentication wherever it is possible. It’s also important to change the credentials for any other accounts where you may have reused usernames or passwords, as this is the easiest information to be stolen in a phishing attack. 

Companies serious about data security should also consider establishing a clear set of policies and processes to properly disclose any security vulnerabilities, set forth security protocols, and create incident response plans. 

Beyond employee education, how can employers minimize risk?

No matter how much training and education you provide to employees, there is always the human element. User error will always play a role in an organization’s security risk profile. The best option is for companies to implement technology solutions that account for this. For example, hardware security keys are built with security and privacy features that protect against phishing and man-in-the-middle attacks even when employees cannot detect they are being targeted. 

How do you recommend business owners secure information on multi-cloud platforms?

Layer strong multi-factor authentication with a single-sign on platform to enable high security with a seamless user experience. With these two solutions together, businesses are able to achieve secure access to many cloud-based platforms with a single, protected login. 

How has multi-factor authentication modernized digital security?

A majority of breaches today are a result of a remote attack. Multi-factor authentication has made this significantly harder to accomplish by requiring multiple security layers to access an account. This includes methods such as a security key, static PIN, password or fingerprint, combined with a way to generate new, encrypted passcodes for every login. FIDO security keys in particular provide the highest level of account security by requiring access to a physical device to be able to access an account. 
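Why a security key holds up even when the user is fooled, as an added example (not code from the article or from Yubico): the model below carries out the two relying-party checks that make a WebAuthn/FIDO2 assertion phishing-resistant. The browser, not the page, writes the origin into clientDataJSON and only allows an RP ID that is a registrable suffix of the page's host, and the authenticator binds the assertion to that RP ID through rpIdHash. The real signature is ECDSA over authenticatorData || SHA-256(clientDataJSON); to stay standard-library only, HMAC-SHA256 with a shared secret stands in for it, which is an assumption, as are the RP ID, origin and phishing hostname used.

```python
"""Why a FIDO security key assertion from a phishing page is rejected.

Added example; not code from the article or from Yubico. HMAC-SHA256 with a
shared secret stands in for the authenticator's ECDSA signature (assumption);
RP_ID, RP_ORIGIN and the phishing hostname are assumed values.
"""
import hashlib
import hmac
import json
import secrets
import urllib.parse

RP_ID = "example.com"                    # assumed relying-party ID
RP_ORIGIN = "https://login.example.com"  # assumed origin the RP accepts


def browser_get_assertion(key, rp_id, page_origin, challenge):
    """What the browser plus security key produce on the page the user is on.

    Two things the page's JavaScript cannot choose: the browser only allows an
    rp_id that is the page's host or a registrable suffix of it, and the browser
    (not the page) writes the origin into clientDataJSON. The authenticator then
    binds the assertion to rp_id through rpIdHash.
    """
    host = urllib.parse.urlsplit(page_origin).hostname
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
    flags = b"\x01"                  # UP bit: the single touch on the key
    counter = (1).to_bytes(4, "big")
    auth_data = rp_id_hash + flags + counter
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(key, to_sign, hashlib.sha256).digest()  # ECDSA stand-in
    return client_data, auth_data, signature


def verify_assertion(key, client_data, auth_data, signature, expected_challenge):
    """RP-side verification. Returns (ok, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch (stale or replayed assertion)"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {RP_ORIGIN!r}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match the RP ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    if not hmac.compare_digest(signature, hmac.new(key, to_sign, hashlib.sha256).digest()):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Legitimate login versus a phishing / man-in-the-middle page that relays
    the RP's real challenge to the victim."""
    key = secrets.token_bytes(32)           # registered credential (stand-in)
    challenge = secrets.token_urlsafe(32)   # fresh per login, issued by the RP
    results = {}
    legit = browser_get_assertion(key, RP_ID, RP_ORIGIN, challenge)
    results["legit"] = verify_assertion(key, *legit, challenge)
    phish_origin = "https://login.example.com.evil.net"   # constructed lookalike
    # 1. The phishing page asks for the real RP ID: the browser refuses.
    try:
        browser_get_assertion(key, RP_ID, phish_origin, challenge)
        results["phish_rpid"] = "assertion produced (should not happen)"
    except ValueError as e:
        results["phish_rpid"] = str(e)
    # 2. The attacker uses their own RP ID and relays the assertion to the RP.
    #    (A real key would hold no credential for evil.net at all; the shared
    #    secret here lets it sign so the RP-side rejection is visible.)
    relayed = browser_get_assertion(key, "evil.net", phish_origin, challenge)
    results["phish_relay"] = verify_assertion(key, *relayed, challenge)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the model makes is that neither defence depends on the user noticing anything: the lookalike host fails the browser's RP ID rule, and an assertion minted on any other origin fails the origin check at the relying party before the signature is even looked at. A one-time password, by contrast, is just a string the user can be talked into typing on the wrong page.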


Hed Kovetz

Co-Founder and CEO, Silverfort

What are common mistakes you see when it comes to digital security in business?

Many businesses still focus their security efforts on the network perimeter, without realizing that those perimeters are no longer effective. Over the last few years, our networks have been going through significant changes due to IT revolutions like cloud, IoT (Internet of Things) and BYOD (bring your own device). People are bringing their laptops and phones in and out of the office every day, and a single infected device can allow malicious actors to take over the whole network from within, where there are far fewer security controls in place. In this new reality, with countless devices and services all connected to each other without clear perimeters, companies need to rethink their cybersecurity strategy. 

What are best practices for employee education when it comes to phishing?

When it comes to phishing, security relies heavily on employee awareness, and therefore training is key. Generating awareness among some employees is easy, but getting to all of them is very difficult. That’s why 90 percent of all data breaches start with a phishing campaign, because it only takes one click by one employee to get the attackers a foothold in the network, from which they can easily spread. Since the effectiveness of different training methods varies between different people, it’s important to mix lectures, reading materials, and some fire-drills — sending a fake phishing email to a group of employees and seeing who opens it and who doesn’t. 

By the way, this also allows organizations to find those exceptional employees that actually identify the phishing attempt and report it to IT — they can be the most effective tool for preventing real phishing, and organizations should motivate them and give them an easy way to report future incidents. Turning phishing detection into a game or a competition for the employees can help motivate them.

If your company falls victim to phishing, what are the critical first actions to take?

Companies should immediately notify all employees about the ongoing threat to ensure no additional employees fall victim. Targeted employees should change their passwords, however, they should also be warned against “change password” scams, in which an attacker will send a fake link to reset the password. To avoid this scam, employees should not click on any email links during such an incident, and instead go directly to the app settings to change their password or contact the help desk. 

In addition, organizations should have playbooks for enforcing certain security controls immediately upon detection of a significant phishing campaign — such as applying more strict access control and multi-factor authentication (MFA) policies on a larger amount of sensitive assets, so even attackers with stolen credentials won’t be able to cause much damage.
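What the “change password” scam described above looks like in practice, and a check a help desk or mail filter can run over such a message, as an added example (not code from the article or from Silverfort): it pulls the links out of an HTML e-mail and flags the tricks that make a fake reset link pass for a real one, namely visible text that names the real site while the href goes elsewhere, hosts that merely embed the trusted domain as a subdomain, userinfo before an `@`, punycode lookalikes and plain http. The trusted domain, the sample message and every hostname in it are constructed for this example.

```python
"""Triage of a "reset your password" e-mail: where do the links really go?

Added example; not code from the article or from Silverfort. TRUSTED_DOMAINS and
SAMPLE_EMAIL (including all hostnames in it) are constructed for the example.
"""
import html.parser
import urllib.parse

TRUSTED_DOMAINS = {"example.com"}   # assumption: the company's real domain(s)

# Constructed sample message: four scam links and one legitimate one.
SAMPLE_EMAIL = """\
<p>Your password has been compromised. Reset it now:</p>
<a href="https://login.example.com.evil.net/reset">https://login.example.com/reset</a><br>
<a href="https://example.com@evil.net/reset">Reset password</a><br>
<a href="https://xn--exmple-cua.com/reset">example.com security</a><br>
<a href="http://login.example.com/reset">example.com</a><br>
<a href="https://login.example.com/account/security">Account settings</a>
"""


class _LinkExtractor(html.parser.HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host. Adequate for .com-style names; a real
    deployment would consult the Public Suffix List (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_trusted(host):
    return registrable_domain(host) in TRUSTED_DOMAINS


def check_link(href, text):
    """Return the reasons a link looks like a reset scam (empty list = clean)."""
    reasons = []
    url = urllib.parse.urlsplit(href)
    host = (url.hostname or "").lower()
    if url.scheme != "https":
        reasons.append(f"not https ({url.scheme or 'no scheme'})")
    if url.username is not None:
        # "https://example.com@evil.net": everything before '@' is userinfo.
        reasons.append(f"userinfo before '@': the real host is {host!r}")
    if any(label.startswith("xn--") for label in host.split(".")) or not host.isascii():
        reasons.append(f"IDN/punycode host {host!r}")
    if not is_trusted(host):
        reasons.append(f"host {host!r} is registered under {registrable_domain(host)!r}, "
                       "not a trusted domain")
        for d in TRUSTED_DOMAINS:
            if d in host:
                reasons.append(f"host embeds trusted domain {d!r} as a subdomain label")
            if d in text.lower():
                reasons.append(f"visible text mentions {d!r} but the link goes to "
                               f"{registrable_domain(host)!r}")
    return reasons


def triage(message_html):
    """Return [(href, visible_text, reasons)] for every link in the message."""
    parser = _LinkExtractor()
    parser.feed(message_html)
    return [(href, text, check_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in triage(SAMPLE_EMAIL):
        print(f"{href}\n  text: {text!r}\n  " + ("; ".join(reasons) or "clean"))
```

Only the last link comes back clean, and note that the first one is the hardest for a person to catch: its visible text is the genuine URL. That is the case for the advice above to ignore the links altogether and open the application's own settings page or call the help desk.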

Beyond employee education, how can employers minimize risk?

To secure access to sensitive assets, employers should enforce MFA across all of them. By requiring users to verify their identity using an additional authentication factor beyond a password, such as with a mobile app, a smart token or biometric measures, you can ensure the user is in fact who he or she claims to be before granting them access. Over the past years, MFA has been proven to be the most effective measure against identity-based attacks, and makes stolen credentials useless for the attacker. 

How do you recommend business owners secure information on multi-cloud platforms?

Whether your sensitive systems are hosted over multi-cloud platforms or in a single, on-premises datacenter, you must secure access and authentication to these systems, and ensure only authorized personnel can access them. Migrating applications from on-premises datacenters to the cloud or to multi-cloud environments creates new security challenges because traditional security controls that were used to protect on-premises infrastructure and applications are typically ineffective once the system is migrated to the cloud. 

This requires business owners to reevaluate their security controls before migrating systems and exposing them to undesired threats. Companies should look for unified security solutions that can protect all assets across hybrid and multi-cloud environments, rather than using siloed tools and policies for each resource and environment.

How has multi-factor authentication modernized digital security?

A new generation of agentless and proxyless MFA solutions now allows companies to seamlessly secure access to any system or resource, including those that couldn’t be protected until today, without requiring any software agents, inline proxies, or code changes on the protected system. 

Unlike traditional MFA solutions that are implemented system by system and are often difficult to deploy, agentless authentication solutions are easy and quick to implement because they don’t require any modifications to individual assets. For the first time, agentless MFA solutions allow companies to secure access to sensitive systems like homegrown and legacy applications (including proprietary financial and healthcare systems), critical IT infrastructure, file systems and databases that contain sensitive information, IoT devices, SCADA servers, and more. This new generation of authentication solutions also leverages artificial intelligence to make intelligent, risk-based policy decisions, and prevent attacks in real-time without impacting legitimate users.


Lise Lapointe

CEO, Terranova Security

What are common mistakes you see when it comes to digital security in business?

Overreliance on technology. People tend to forget that the human risk can leave an organization just as exposed as a technological gap. Up to 90 percent of breaches stem from employees tricked by phishing and other scams. Training, especially executive-backed training, is key.

What are best practices for employee education when it comes to phishing?

Train, phish, evaluate, and repeat. Reinforcement makes the message stick. The risks evolve, your campaigns should too. Try out new types of phishing scams. Target everyone, executives too! Follow up phishing simulations with just-in-time training. Lastly, analyze your results over time and benchmark with a comparable set of peers.

If your company falls victim to phishing, what are the critical first actions to take?

While I hope this never happens to you, you’d want to identify which data and devices may have been exposed. Have the victim change their compromised account credentials. Disconnect affected devices from the network. Analyze the phishing email and prevent it from spreading to other users, and always consult legal.

Beyond employee education, how can employers minimize risk?

Employee education goes hand-in-hand with technical controls to detect and respond to phishing attempts (i.e., a multi-layered email-filtering solution to stop and quarantine suspicious emails). We also recommend securing browsers, deploying multi-factor authentication, and subscribing to a service that monitors the use of your brand.

How do you recommend business owners secure information on multi-cloud platforms?

Partner with reputable vendors and review their security, privacy, and compliance policies and practices. Understand how your data flows within and across multi-cloud platforms. To reduce the risks of account compromise and data leakage, train your managers and employees alike on the safe use of cloud-based storage and collaboration tools.

How has multi-factor authentication modernized digital security?

MFA has provided a much-needed extra layer of security to strengthen password-based authentication systems. It’s reduced the risk of digital identity theft and unauthorized access using compromised credentials, a leading cause of security breaches.


Jason Asbury

President of ThreatAdvice, NXTsoft

What are common mistakes you see when it comes to digital security in business?

Most often, mistakes are tied to the administrative components of the security program, as the very best technology isn’t effective if it isn’t implemented correctly or properly managed. Lack of strong third-party vendor agreements holding vendors accountable for security matters is very common. Finally, the lack of having a remedial security training program in place occurs far too often. 

What are best practices for employee education when it comes to phishing?

It is very important to regularly phish all employees to keep their awareness level high. Phishing employees is most effective when it is followed up with comprehensive training that teaches the employees how to identify and avoid risk. Additionally, it’s very important to test employees after they’ve taken courses in order to gauge comprehension.

If your company falls victim to phishing, what are the critical first actions to take?

It is critical to notify your IT department as soon as a compromise is suspected. It is also critical to shut down network access to suspected devices. User account passwords should be changed and, even though they already should be protected, system backups should be ensured for integrity. Most attacks can be minimized if swift action is taken to limit the spread of infections.

Beyond employee education, how can employers minimize risk?

Risk is best mitigated when multiple layers of protection are applied, as this helps to ensure attacks don’t spread easily throughout an organization. Consider protections like multi-factor authentication; endpoint management software to ensure patches and controls can be applied quickly across the organization; network segmentation to prevent the fast and easy spread of malicious content; and strong security and incident event monitoring software.

How do you recommend business owners secure information on multi-cloud platforms?

Multi-cloud platforms have one common denominator and that is the devices that access them. It is essential to secure and protect computers, tablets, and mobile devices that have access to multiple platforms. Multi-factor authentication controls paired with strong passwords are a must for securing cloud platforms. It is also very important for businesses to thoroughly review and test cloud providers to ensure strong controls are applied.

How has multi-factor authentication modernized digital security?

Multi-factor authentication has been around for a long time and it is easier than ever to implement because now employees can carry their tokens in the form of their phones. Of course there are other applications, such as fingerprint and retina scans. One area of authentication that is often overlooked is access to systems from within an organization’s network, as multi-factor authentication is often not applied internally. Accordingly, we see more attacks that are successfully implemented and propagated from within.

Staff