Cybersecurity starts with implementing perimeter network security configurations, including firewall access rules, encrypted wireless networks, antivirus/antimalware, and other traditional IT security best practices. However, it also involves implementing an effective IT security program consisting of security policies and procedures. In addition, following a structured approach to cybersecurity such as the NIST Cybersecurity Framework, which provides leading industry standards, guidelines, and best practices for managing cybersecurity risks, ensures a holistic cybersecurity implementation. As noted above, the biggest cyber threats today no longer come through traditional methods, but rather through social engineering. State-of-the-art defense practices focus on implementing security practices designed to protect against social engineering attacks such as phishing.
Since email is the most common method for social engineering attacks, preventing these threats from reaching users is the first and most important step. Advanced email security platforms, which filter and identify fraudulent emails, are designed to protect against phishing attacks by scanning inbound emails for fraudulent website URLs before a user clicks on the link and opens it in a browser. In addition, attachments are opened in a virtual environment before a user is able to access them. Finally, the email content is scanned for potential impersonation attempts, commonly known as “CEO Fraud”.
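To illustrate the impersonation check described above, here is an added example (not code from OSIbeyond or any email security product) that flags two common CEO Fraud patterns on an inbound message: a sender display name that matches a protected executive while the address does not, and an internal From address paired with an external Reply-To. The executive list, the internal domain, and the sample messages are all constructed for the example.

```python
import email
from email.utils import parseaddr

# Constructed data: executives whose names are worth protecting, keyed to the
# only address each is allowed to send from, plus the organisation's own domain.
PROTECTED_EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}
INTERNAL_DOMAIN = "example.com"


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def impersonation_findings(raw_message: str) -> list[str]:
    """Return the reasons an inbound message looks like display-name impersonation.

    An empty list means no impersonation indicator was found.
    """
    msg = email.message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # Normalise spacing/case so "jane  DOE" still matches the protected name.
    shown_name = " ".join(from_name.split()).lower()
    for exec_name, exec_addr in PROTECTED_EXECUTIVES.items():
        if shown_name == exec_name.lower() and from_addr.lower() != exec_addr:
            findings.append(
                f"display name '{from_name}' matches an executive but the "
                f"sending address is {from_addr}"
            )

    # A message that claims to be internal but routes replies elsewhere is a
    # classic way to hijack the conversation after the first email is trusted.
    if _domain(from_addr) == INTERNAL_DOMAIN and reply_addr and _domain(reply_addr) != INTERNAL_DOMAIN:
        findings.append(f"internal From domain but Reply-To goes to {_domain(reply_addr)}")
    return findings


# Constructed sample messages (the .example TLD is reserved for documentation).
SAMPLE_SPOOFED_NAME = """From: Jane  Doe <ceo.jane.doe@webmail.example>
To: accounts@example.com
Subject: Urgent wire request

Please process the attached invoice today.
"""
SAMPLE_REPLY_TO = """From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jdoe@webmail.example>
To: accounts@example.com
Subject: Quick favour

Can you reply to this address, I am travelling.
"""
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Quarterly numbers

See attached.
"""
```

Running `impersonation_findings` over each sample returns one finding for the two constructed fraud attempts and none for the legitimate message.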
Even the most advanced email security platforms are not 100% successful, and as attackers become more sophisticated, some malicious emails will get through to users. For such situations, implementing ongoing organization-wide Security Awareness Training is a critical part of cybersecurity. Security Awareness Training includes simulated phishing security tests to determine the percentage of end users that are Phish-prone, so that additional user education can be provided to those individuals. These highly effective, frequent, and random Phishing Security Tests provide several remedial options in case a user falls for a simulated phishing attack, including training videos, quizzes, etc. Security Awareness Training specializes in making sure users become familiar with the mechanisms of spam, phishing, spear phishing, malware, and general social engineering tactics, so that they are able to apply this knowledge in their day-to-day job.
While having complex password requirements is a good practice, it is not effective if a user unknowingly relinquishes their password to an attacker. In the event that a user does get compromised by a phishing attack, the last line of defense is Two Factor Authentication. This practice has become widespread amongst financial institutions and other online services. It is easy to use and ensures that an unauthorized person does not gain access to your account even if they know your password. Two Factor Authentication requires two methods to verify your identity. Typically, this consists of a username and password as the first method, and then a second authentication request to confirm your identity, such as a code sent via text message, app notification, or email for approval. Two Factor Authentication adds a second layer of security to keep user accounts secure even if a password is compromised.
Given the significant increase in socially engineered cyber-attacks, email security, user education and password protection should now be a standard cybersecurity configuration in every organization. It is important to underscore that these three methods of prevention are most effective when implemented together to mitigate the risk of a successful cyber-attack.
Written by: Payam Pourkhomami, President & CEO, OSIbeyond