"Phishing remains one of the most popular forms of hacking," Workday's security product manager Archana Ramamoorthy said recently. Perhaps this shouldn't be a surprise: it is easier to fool a person than a machine.
Ramamoorthy was speaking at Workday Rising Europe, in Barcelona, where she told her audience that "30 per cent of phishing messages and 12 per cent of phishing attachments or links [are] being opened by users."
"But," she added, "there are three common-sense steps to take against phishing attacks and keep users and data safe." These can be summarised as prevention, detection and response.
The best way to protect against phishing is not to be phished in the first place. This can include password managers to generate secure passwords, and multi-factor authentication (MFA) - even biometrics.
"At-the-door authentication actively encourages behaviour that decreases susceptibility to attack during initial authentication," said Ramamoorthy.
That's only the first phase, though. To continue to strengthen their prevention, enterprises must manage their authentication policies:
"Organisations should understand who their users are, what their roles are and how authentication requirements change across roles. It's important for businesses to understand that policy reviews and updates are critical over time - as security threats evolve and users remain a constant target."
The final layer is called 'just-in-time' or 'step-up' authentication, which is required for a short time when a user is accessing highly sensitive information.
When prevention fails, victims must have a plan to detect where and why. Ramamoorthy specifically highlighted unusual login patterns as a giveaway: monitoring IP addresses, usernames and the success or failure of login attempts.
Again, there are multiple phases to detection, and the second is understanding user activity. IT teams, administrators and auditors need to understand how users engage across a system. Context is especially important, and teams must be able to examine specific information around login attempts.
Triggers for suspicious activity, based on pre-set rules, are also key.
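The detection advice above (monitor IP addresses, usernames and login success or failure, then fire rule-based triggers) can be illustrated with a small rule engine over login logs. The following is an added example written for this article, not code from Workday or from the talk; the log format, the field names and the thresholds (five failures inside ten minutes, and a successful login from an IP address the user has never used before) are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from the article).
# Format assumed here: ISO timestamp, username, source IP, outcome.
SAMPLE_LOG = """\
2024-05-01T08:00:00 alice 203.0.113.10 SUCCESS
2024-05-01T08:05:00 bob 198.51.100.7 SUCCESS
2024-05-01T09:00:00 alice 203.0.113.10 SUCCESS
2024-05-01T09:10:01 bob 192.0.2.44 FAILURE
2024-05-01T09:10:05 bob 192.0.2.44 FAILURE
2024-05-01T09:10:09 bob 192.0.2.44 FAILURE
2024-05-01T09:10:14 bob 192.0.2.44 FAILURE
2024-05-01T09:10:20 bob 192.0.2.44 FAILURE
2024-05-01T09:10:31 bob 192.0.2.44 SUCCESS
2024-05-01T09:30:00 alice 198.51.100.99 SUCCESS
"""

# Pre-set rule parameters (assumed values, tune to your environment).
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one log line into (timestamp, user, ip, succeeded)."""
    ts, user, ip, outcome = line.split()
    return datetime.fromisoformat(ts), user, ip, outcome == "SUCCESS"


def detect(log_text):
    """Run the two rules over the log and return a list of alerts.

    Each alert is (rule_name, user, ip, timestamp). Rules:
      failures_then_success: a success from (user, ip) preceded by at least
                             FAIL_THRESHOLD failures within FAIL_WINDOW.
      new_source_ip:         a success from an IP this user has never
                             successfully logged in from before.
    """
    alerts = []
    known_ips = defaultdict(set)         # user -> IPs seen on prior successes
    recent_failures = defaultdict(deque)  # (user, ip) -> failure timestamps

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, ok = parse_line(line)
        window = recent_failures[(user, ip)]

        # Drop failures that have aged out of the window.
        while window and ts - window[0] > FAIL_WINDOW:
            window.popleft()

        if not ok:
            window.append(ts)
            continue

        # Success: check whether it was preceded by a burst of failures.
        if len(window) >= FAIL_THRESHOLD:
            alerts.append(("failures_then_success", user, ip, ts))
        window.clear()

        # First-ever success for a user only establishes the baseline.
        if known_ips[user] and ip not in known_ips[user]:
            alerts.append(("new_source_ip", user, ip, ts))
        known_ips[user].add(ip)

    return alerts


def accounts_to_contain(alerts):
    """Response step: accounts whose sessions should be reviewed and blocked.

    Only the stronger signal (failures followed by success) is used here;
    a new source IP alone is routed to an analyst rather than auto-blocked.
    """
    return sorted({a[1] for a in alerts if a[0] == "failures_then_success"})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for rule, user, ip, ts in found:
        print(f"{ts.isoformat()} {rule:22} user={user} ip={ip}")
    print("contain:", accounts_to_contain(found))
```

Keeping the failure window per (user, IP) pair, rather than per user, means a user who mistypes a password from their usual machine does not mask a burst from elsewhere, and keeping the baseline of known IPs per user is what gives the "context around login attempts" the article asks for.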
Response and analysis
When an incident has been found, it must be dealt with by containing it and blocking the affected user.
Ideally, organisations should have procedures in place to handle these situations; otherwise they risk an incoherent and/or chaotic response.
Equally important to procedures is a business culture that prioritises security:
"It's...important to create a culture of security, whereby employees are continually given education and training around the tell-tale signs and warning areas around cybersecurity," said Ramamoorthy. "This should involve phishing exercises, with test emails sent to employees to gain an understanding of how many are clicking dubious URLs."
While preventing every attack is unlikely, if not impossible, a proactive approach to detection and response will help to limit their impact.
This is a sponsored post by Workday.