Remote security: 5 common myths about phishing scams
Phishing scams are rising in the time of COVID-19. With expert help from IT leaders and security pros, we debunk 5 misconceptions
Myth 4: IT already has it covered
This is a misconception that IT pros and non-technical folks alike can labor under: We’ve already got security tools and policies in place. We’ll be fine.
Brian Wilson, CISO at SAS, notes that email security – as with other areas of information security – is an “unending” game of cat-and-mouse.
“Many employees believe that IT has email security locked tight, but the evolving nature of fraud schemes and cyberattacks means there is no silver bullet,” Wilson says. “Some email security strategies – such as attachment sandboxing, for example – have evolved, but even stealthy malware can evade those detections.”
Matt Wilson of BTB Security agrees: Don’t let the security measures you’ve already got in place lull you or your users into overconfidence. “Many organizations also believe that security tools will stop every phishing attempt,” he says. “No tool boasts a 100 percent success rate, so messages with malicious intent will make it into your platform. Train your users on this mindset.”
Indeed, a researcher at Cofense recently published a blog post documenting how a COVID-19-related phishing campaign bypassed two popular secure email gateway tools. Such tools are used to prevent users from clicking on malicious links or opening malicious attachments, but the attacker was able to get past that line of defense.
Wilson, the SAS CISO, also points out that phishing’s fundamentally simple nature is part of why it works, even with strong security tools, training, and policies in place.
“At the end of the day, a simple PDF attachment, using no malicious code but linking to a common cloud-based file-sharing site, will trick some unsuspecting users into sharing their corporate credentials,” SAS’s Wilson says. “All it takes is a well-crafted site.” He notes that it has gotten easier and easier for scammers to build those well-crafted sites, too.
Myth 5: There's nothing more we can do about phishing
On the contrary, there’s plenty to do, including a return to the basics, with the realities of our current crisis top of mind.
Consistent, strong communication with your employees remains critical: Gamblin advises you to remind people of the general threats as well as any that may be likely to target your particular business or industry. And there’s no time like the present for an organizational refresher on the basics of good security hygiene.
“Remind employees that they should never click on emails from unknown senders, encourage them to always double-check the sender’s email address, and have them verify any emails that appear to be sent from leadership but contain odd requests,” Gamblin says. He advises using a different communication method – such as a phone call, Slack, or instant message – for such verification.
Lean on your existing security practices, but don’t take them for granted: “While attackers are certainly taking advantage of the pandemic and finding new ways to reach end users, responsible organizations should’ve already implemented a security awareness program to some degree,” says Wilson from BTB Security. “Employers need to reinforce that program with an emphasis on maintaining vigilance and encourage engagement of IT, InfoSec, or whomever the appropriate department may be within the organization. The formula remains fairly straightforward – don’t open suspicious messages, don’t click links from unknown senders, and no one is just going to give you a free gift card or N95 masks unsolicited.”
Re-examine password hygiene: It’s critical to mitigate phishing and related security risks. Wilson from SAS notes that some of your users almost certainly reuse passwords, which can create a domino effect if they fall prey to a scam. He recommends discouraging employees from using a corporate email address as a login credential for their personal services (such as a Netflix account). He also recommends that people use a password manager: “These can help eliminate direct password re-play concerns should an employee’s corporate credentials get phished.”
While a password manager might not prevent someone from, say, being duped into sending money to a fraudster, it can go a long way to prevent credential leaks that give attackers an entryway into your organization’s systems.
“The most simple recommendation is to use a password manager and never manually enter passwords on sensitive websites,” says Pitt from Juniper Networks. There are two reasons why: “If an email has used a keyboard logger – installed malware that tracks keypresses – then the automatic entry of a password manager will prevent it from working correctly, blocking passwords from being captured. A password manager will also store the URL for the correct website – i.e., store irs.gov and not irs.gov.fake – making it so that when you auto-enter the password, it will pop up a security warning and then open a new window (preventing tracking) and redirect automatically to the correct website.”
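The URL-binding behaviour Pitt describes is the part of a password manager that actually defeats a credential-harvesting page, and it is worth seeing the matching rule written down. The following is an added example, not Juniper's or any password manager's code: a vault keyed by the host a credential was saved on, and an autofill decision that releases the credential only over HTTPS and only to that exact host or a subdomain of it. The vault contents and visited URLs are constructed for the demo; irs.gov appears only because the quote uses it. The rule deliberately matches on the saved host rather than the registrable domain (real products consult the Public Suffix List for that), which is the simpler and stricter of the two choices.

```python
"""Origin-bound autofill, the rule that keeps irs.gov's password off irs.gov.fake.

Added example, not the code of any password manager or of the people quoted.
Assumes credentials are saved keyed by the host they were entered on and that
the manager refuses to fill over plain http (a policy choice for this demo).
"""
from urllib.parse import urlsplit

# Constructed vault for the demo: host the credential was saved on -> (user, password)
VAULT = {
    "irs.gov": ("taxpayer", "correct horse battery staple"),
    "mail.example.com": ("alice", "a-long-unique-passphrase"),
}


def host_matches(saved_host: str, visited_host: str) -> bool:
    """True only for the saved host itself or a subdomain of it.

    'irs.gov.fake' is neither, and neither is a homoglyph host: a Cyrillic
    'і' in 'іrs.gov' makes it a different string, so it never matches.
    """
    saved_host = saved_host.lower().rstrip(".")
    visited_host = visited_host.lower().rstrip(".")
    return visited_host == saved_host or visited_host.endswith("." + saved_host)


def autofill(vault: dict, visited_url: str):
    """Return (credential, reason); credential is None when filling is refused."""
    parts = urlsplit(visited_url)
    host = parts.hostname  # parsed host only: 'https://irs.gov@evil.com/' gives 'evil.com'
    if parts.scheme != "https":
        return None, f"refused: scheme {parts.scheme or '(none)'!r}, credentials only go over https"
    if not host:
        return None, "refused: URL has no host"
    for saved_host, credential in vault.items():
        if host_matches(saved_host, host):
            return credential, f"filled: {host} matches saved entry {saved_host}"
    return None, f"refused: {host} matches no saved entry (a phishing page would stop here)"


if __name__ == "__main__":
    # Constructed test URLs covering the tricks a phishing link relies on.
    for url in [
        "https://www.irs.gov/login",            # genuine subdomain of the saved host
        "https://irs.gov.fake/login",           # the case from the quote
        "https://irs.gov@evil.com/login",       # userinfo trick: real host is evil.com
        "https://evil.com/irs.gov/login",       # saved host appears only in the path
        "https://\u0456rs.gov/login",           # Cyrillic i homoglyph
        "http://irs.gov/login",                 # right host, cleartext
        "https://mail.example.com:8443/",       # port does not affect the host match
    ]:
        credential, reason = autofill(VAULT, url)
        print(f"{url:40} {reason}")
```

Two details carry the security value. The host comes from the URL parser, not from eyeballing the string, so the userinfo and path tricks that fool a human reader do not fool the match; and the comparison is exact, so a homoglyph domain is simply a host the vault has never seen. That is why, in Pitt's scenario, the user lands on a convincing page and the manager offers nothing to fill, which is the moment to stop and report the message.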
Final tip: Encourage people to report security mistakes
Wilson from SAS leaves us with some unique advice: Make clear to people that it’s OK to make mistakes, including falling for a phishing scam. Otherwise, they might not report possible issues or breaches because they fear punishment.
“Create an environment of trust. Make sure employees know that it’s okay to be tricked by these scams. It can happen to anyone,” Wilson says. “The key is for them to report suspicious activity or any missteps right away, so the IT team can take action. We’d much rather employees tell us in the moment than we find out later.”