Phishing scams started in the late 1990s and have evolved continuously since. The current forms of phishing include traditional phishing, spear phishing, CEO fraud, and Business Email Compromise (BEC). One of the worst outcomes of phishing is a ransomware attack, in which the attacker steals or encrypts confidential enterprise data and extorts money to return it to the enterprise. Ransomware has become a million-dollar industry in itself.
Enterprises working in software development in India are not yet adequately equipped to deal with these security threats and therefore fall prey, unsuspectingly, to scams that severely affect the revenue and reputation of their brands.
Why Are Most Cyber Security Capabilities Not Effective?
1. Enterprises are not confident about their security measures
Most enterprises admit that their security awareness and countermeasures are not up to the task, owing to a lack of knowledge about the types of phishing and ransomware attacks. Ransomware such as GoldenEye targets a specific section of employees who are likely to click its phishing links unwittingly: for example, a résumé link sent to German-speaking HR staff that downloads the ransomware when opened. Such ransomware then displays contact details and demands a Bitcoin payment to decrypt the encrypted company files.
2. Enterprises are not ready to spend extravagantly on security
Preventing and countering advanced phishing and ransomware requires security solutions that are expensive. Large organizations can still afford them, since the cost per employee drops considerably at scale, while small organizations remain at constant risk because they mostly opt for free versions of security solutions or subscribe to none at all. Few enterprises realize that the money spent on an effective security management solution saves far larger costs later in lost present and future revenue and damaged reputation.
3. Users are the weak link
Even when an enterprise recognizes the immediate need for a robust security solution, its users (employees) often succumb to the lures of email links used in phishing, CEO fraud/BEC, and ransomware attempts. This is because enterprises do not provide regular security awareness training from subject matter experts. In addition to the training, regular surprise tests are needed to measure the awareness levels of the employees. This is not happening in more than 50% of enterprises at present.
4. Organizations are not exercising due diligence
The increasing trend in enterprises is a hybrid hosting architecture, with regular data stored in the cloud and critically confidential data stored on-premises. If the security solution does not take backup copies of all of this data, there is no option left but to pay the ransomware operators if the data is encrypted or stolen.
No testing after security awareness training
In most enterprises, security awareness training has been reduced to a mere formality that takes place once a year. These trainings are also not followed up by testing, which would tell the enterprise what the present awareness levels of its employees actually are.
No checks on higher level transactions
Top-management data and financial transactions are not subjected to security checks that require two-factor authentication. This leaves them vulnerable to CEO fraud and BEC scams conducted via email.
No BYOD implementation
It has been documented that a majority of enterprises still do not have stringent BYOD policies to control personal apps, such as editors, that employees use to modify company data. Company data should be encrypted and segregated so that it cannot be accessed by any app outside the enterprise application suite, and even then only after role-based authentication.
Cyber criminals and their organizations, on the other hand, are ahead of the development curve, continually upgrading their tooling to attack the latest technologies. Unlike their Indian software development counterparts, they are well funded and generate handsome revenue by holding confidential business data to ransom.
How to tackle these shortcomings?
1. Enterprises should appreciate the security risks that phishing, spear phishing, CEO fraud, and other scams realistically pose to their data.
2. Regular audits (tests) should be conducted to determine the security awareness of employees.
3. Stringent BYOD policies and other mobile workplace solutions should be used to provide sound Mobile Application Management and Mobile Device Management.
4. Systems spread across cloud and on-premises hosting, and developed on various platforms, should be kept updated to their latest versions and backed up at regular intervals.
5. Anti-malware/anti-ransomware solutions should be subscribed to on a SaaS basis to ward off attacks.
6. All data on the device and all data shared over the network should be encrypted. This provides data-centric protection, ensuring that attackers cannot use the data even if they manage to steal it.
7. Tracking and monitoring which links employees click in their emails helps identify potential threats through behavior analytics.