A phishing pandemic – Part II
By Cameron Abbott, Rob Pulham, Michelle Aggromito and Rebecca Gill
In part 1 of this blog, we highlighted the increase in phishing scams in light of the global COVID-19 pandemic. In this part 2, we discuss some practical tips that organisations can implement to mitigate the heightened risks of falling prey to such scams.
So, where to begin? You may have seen a recently published alert on the K&L Gates Hub: Responding to COVID-19 series, which provides high level ideas and tips for organisations when implementing remote working procedures for their employees. In particular, organisations should consider implementing:
- administrative controls, such as information classification schemes that restrict access to confidential information to those with a “need to know”, and regular review of those controls and guidelines to address any security issues;
- physical controls and procedures to prevent unauthorised access to systems, such as reminding employees that organisation information cannot be downloaded onto their personal devices or cloud services; and
- technical controls, such as firewalls, antivirus software, intrusion detection and encryption. Access controls, such as requiring two-factor authentication and routing remote connections through a Virtual Private Network, add a further layer of protection. Several quite severe breaches suffered by our clients could have been avoided just by activating two-factor authentication.
In addition to the controls identified above, organisations should specifically consider deploying internal security tools that capture, log and monitor activity within the organisation’s network, including when data is accessed or sent outside it. These tools include content filters, SIEM solutions, endpoint detection and response (EDR) solutions, and honeytokens (decoy credentials or records that should never be used legitimately, so any access to them is a reliable alarm). Guarding the perimeter is one thing, but monitoring what happens inside it is essential when a single mistake by one employee can expose your systems.
Importantly, the above controls mean little if human error steps in. As such, we strongly recommend that organisations remind their employees of simple checks that they themselves can perform to protect themselves, and their employers, from phishing scams. These include being wary of unsolicited online requests or phone calls for personal information; checking the sender’s actual email address rather than just the display name; hovering the mouse over a link to see where it really leads before clicking, and treating a visible address that differs from the real destination as a warning sign; and watching out for spelling and grammatical mistakes and generic greetings, which are common attributes of phishing emails.
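The checks just listed (sender address versus display name, visible link text versus actual link target, generic greeting) can also be applied mechanically, for instance in a mail-triage script. The following is an added example written for this page, not code from the original post or from K&L Gates; the two e-mail messages and the domain example-corp.com are constructed for illustration, and the "registrable domain" helper is a deliberate simplification (a production tool would use the public suffix list).

```python
"""Apply the phishing checks described above to a constructed sample e-mail."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real phishing message): the display name claims to be
# the IT helpdesk, the sender domain is a lookalike, and the visible link text
# shows the real login page while the href points somewhere else.
PHISHING_EMAIL = """\
From: "IT Helpdesk" <helpdesk@exampel-corp.com>
To: staff@example-corp.com
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Customer,</p>
<p>Your account will be suspended. Please verify your details at
<a href="http://login.example-corp.com.verify-now.example">https://login.example-corp.com</a>
within 24 hours.</p>
</body></html>
"""

# Constructed legitimate message for comparison: correct domain, internal link, named greeting.
CLEAN_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
To: staff@example-corp.com
Subject: Reminder: password expiry
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear Alex,</p>
<p>Your password expires on Friday. Change it via
<a href="https://intranet.example-corp.com/password">the intranet</a>.</p>
</body></html>
"""

GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear sir/madam")


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Simplified 'last two labels' approximation; real tools use the public suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def hostname(text):
    """Hostname of a URL (scheme added if missing); None if nothing parses."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname


def check_email(raw, trusted_domain):
    """Return warning strings for the checks an employee is told to perform by hand."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []

    # 1. Sender: the display name is free text; the address domain is what matters.
    sender = msg["From"]
    addr = sender.addresses[0] if sender and sender.addresses else None
    if addr and registrable_domain(addr.domain) != registrable_domain(trusted_domain):
        warnings.append(f"sender domain {addr.domain!r} is not {trusted_domain!r} "
                        f"(display name {addr.display_name!r})")

    # 2. Links: what the reader sees versus where the href actually leads (the 'hover' check).
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    parser = LinkExtractor()
    parser.feed(text)
    for href, anchor in parser.links:
        href_host = hostname(href)
        anchor_host = hostname(anchor) if re.match(r"^(https?://|www\.)", anchor) else None
        if anchor_host and href_host and registrable_domain(anchor_host) != registrable_domain(href_host):
            warnings.append(f"link text shows {anchor_host!r} but points to {href_host!r}")
        elif href_host and registrable_domain(href_host) != registrable_domain(trusted_domain):
            warnings.append(f"link points to external host {href_host!r}")

    # 3. Generic greeting, a common attribute of bulk phishing.
    plain = re.sub(r"<[^>]+>", " ", text).lower()
    for greeting in GENERIC_GREETINGS:
        if greeting in plain:
            warnings.append(f"generic greeting {greeting!r}")
            break
    return warnings


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, check_email(raw, "example-corp.com"))
```

Run against the constructed phishing message the script reports three findings (lookalike sender domain, link text that does not match the link target, generic greeting); against the clean message it reports none. These are heuristics, not proof: a well-crafted phish can pass all three, which is why the technical controls above remain necessary.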