Most of us have clicked on an email that seemed legitimate, but wasn't.
Here are our top phishing prevention tips for best technology practices, employee education and social media smarts.
3 ways to stop 95-99 percent of spear-phishing attempts
1. Inbound email sandboxing
Deploy a solution that checks the safety of an emailed link at the moment a user clicks on it, not only when the message is delivered. This protects against a new phishing tactic that I've seen from cybercriminals. Bad guys send a brand-new URL in an email to their targets to get through the organization's email security. The other tactic is to inject malicious code into the linked website right after the email carrying the URL has been delivered. Either way, the URL looks clean at scan time and will get past any standard spam solution.
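To make the click-time idea concrete, here is an added example (not code from the article or any vendor product) of how a mail gateway can rewrite links at delivery time and only decide at click time. The gateway hostname `safelinks.example.invalid`, the secret key, the sample email and the reputation data are all constructed for the example; a real deployment would use its managed key and a live URL reputation feed. The scenario shows exactly the tactic described above: the site is clean when the mail is scanned and is armed afterwards, so a delivery-time verdict allows it while the click-time verdict blocks it.

```python
"""Click-time link protection (constructed example, not the article's code).

At delivery the gateway replaces each link with a signed redirector link.
The signature stops the redirector from being abused as an open redirect.
The safety verdict is taken when the user clicks, so a URL that was clean at
delivery time but started serving malware later is still caught.
"""
import base64
import hashlib
import hmac
import re
from typing import Callable, Optional, Tuple
from urllib.parse import parse_qs, quote, urlparse

REDIRECTOR = "https://safelinks.example.invalid/click"  # assumed gateway hostname
HREF_RE = re.compile(r'href="(https?://[^"]+)"')


def _sign(url: str, secret: bytes) -> str:
    # HMAC over the original URL binds the redirect target to this gateway's key.
    return hmac.new(secret, url.encode(), hashlib.sha256).hexdigest()


def rewrite_links(html_body: str, secret: bytes) -> str:
    """Delivery time: replace every http(s) href with a signed redirector link."""
    def repl(match: re.Match) -> str:
        original = match.group(1)
        token = base64.urlsafe_b64encode(original.encode()).decode()
        return f'href="{REDIRECTOR}?u={quote(token)}&sig={_sign(original, secret)}"'
    return HREF_RE.sub(repl, html_body)


def resolve_click(clicked_url: str, secret: bytes,
                  is_malicious: Callable[[str], bool]) -> Tuple[str, Optional[str]]:
    """Click time: verify the signature, then ask the reputation source *now*.

    Returns ("allow" | "block" | "invalid", original_url_or_None)."""
    params = parse_qs(urlparse(clicked_url).query)
    try:
        token = params["u"][0]
        sig = params["sig"][0]
        original = base64.urlsafe_b64decode(token.encode()).decode()
    except (KeyError, ValueError):
        return ("invalid", None)  # malformed request
    if not hmac.compare_digest(sig, _sign(original, secret)):
        return ("invalid", None)  # tampered or forged redirect request
    if is_malicious(original):
        return ("block", original)
    return ("allow", original)


class Reputation:
    """Constructed stand-in for a URL reputation feed whose verdicts change over time."""
    def __init__(self) -> None:
        self.bad_hosts: set = set()

    def is_malicious(self, url: str) -> bool:
        return urlparse(url).netloc in self.bad_hosts


def scenario() -> dict:
    """Walk through the 'armed after delivery' tactic and return both verdicts."""
    secret = b"example-gateway-key"  # constructed; use a managed secret in practice
    rep = Reputation()
    target = "http://team-happy-hour.example.invalid/rsvp"
    mail = f'<p>Happy hour tonight! <a href="{target}">RSVP</a></p>'  # constructed sample

    # A delivery-time-only scanner sees a host with no bad reputation yet.
    delivery_verdict = "block" if rep.is_malicious(target) else "allow"

    rewritten = rewrite_links(mail, secret)
    clicked = HREF_RE.search(rewritten).group(1)  # what the user's browser requests

    # The site is armed only after the mail has passed the delivery-time scan.
    rep.bad_hosts.add("team-happy-hour.example.invalid")
    click_verdict, original = resolve_click(clicked, secret, rep.is_malicious)

    # Someone altering the signature cannot turn the redirector into an open redirect.
    forged_verdict, _ = resolve_click(clicked.replace("sig=", "sig=0"), secret, rep.is_malicious)

    return {"delivery": delivery_verdict, "click": click_verdict,
            "original": original, "forged": forged_verdict}


if __name__ == "__main__":
    print(scenario())
```

The point of the design is the gap between the two verdicts: the delivery-time scan sees nothing wrong, while the redirector, consulting reputation at click time, blocks the same link once the host has been flagged. The HMAC matters because a redirector that forwards to any URL handed to it is itself a phishing aid.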
2. Real-time analysis and inspection of your web traffic
First, stop malicious URLs from even getting to your users' corporate inboxes at your gateway. Even if you have inbound email sandboxing for your corporate email, some users might click on a malicious link through a personal email account, like Gmail. In that case, your corporate email spear-phishing protection is unable to see the traffic. Bottom line: your web security gateway needs to be intelligent, analyze content in real time, and be 98 percent effective at stopping malware.
3. Employee behavior
The human element is incredibly important. Adopt an employee testing program and run the training on an ongoing basis. The result isn't really employee education or security awareness; it's behavior modification.
5 tips for changing employee behavior
Employees are critical to your security success, spear-phishing defense and ability to prevent a data breach. Below are five ways you can turn them into security advocates.
1. Pen-test your organization
One of the best ways people create new behaviors is by making a mistake and being corrected. It's time to put your black hat on. Select a group of folks from each major department and send them targeted spear-phishing emails using an outside email address. Use only information you can locate on their social media sites (Facebook, Twitter, LinkedIn, etc.). For example, you see they like a local sports team. Send them information about a local happy hour that supports the team. When they click on the link, inform them that they have been phished and communicate best practices in a positive way.
2. Ask marketing for help
Start a partnership with marketing to help you communicate to your employees. Your marketing team specializes in communicating to different audiences to get them to take action. It's time to use their skills. Create a communication plan that both teams can execute against and track what methods are the most effective.