Everyone from the CFO to the entry-level security newb is susceptible to a phishing scam. Yes, even those who have spent their careers in IT and security can fall victim to these persistent and highly sophisticated scams.
When a client receives a phishing email that appears to come from your enterprise, though, the damage extends beyond your network security to the public's perception of and trust in your business, especially if you are a financial services company.
Bill Ho, cybersecurity expert and CEO of Biscom, was recently a victim of a phishing scam. While Ho said he receives scam emails all the time, this one was different. "It came from someone I’d been working with. A financial services company with whom I would be sharing confidential financial data. That made me think about the relationship with that company," Ho said.
While many security practitioners focus on preventing a breach, few are equally mindful of the ways in which a breach can tarnish the organization's reputation. Unfortunately, Ho said, "When I think about them or talk to them, there is this thought in the back of my mind about if I work with them, how careful are they going to be with my data?"
Of great concern for Ho was the reality that this wasn’t just a friend or a colleague. "This was a business relationship at a level that required a lot more confidentiality," he said.
When these potentially disastrous situations do occur, the manner in which a company responds is critical to maintaining its business relationships. "First they need to realize they may never regain that trust; however, like any crisis situation, communication is important," Ho said.
"Phishing," said Ho, "affects more than just your hardware. It can erode trust in clients, vendors, coworkers, partners, and more. Which means a loss in clients, a loss in revenue, and a loss of confidence in said employee from an internal perspective."
To use an analogy, Ho said, "A restaurant that has had its name in the headlines for an E. coli outbreak from contaminated lettuce has likely gone out of its way to sterilize the facility, contact vendors, and manage the public perception of their response to the health concerns." Likely, that restaurant is now the safest place to eat, but are people going back there? When? How long does it take to rebuild that public trust?
Ho said, "If the third party doesn’t feel like you are responding quickly, they lose trust. It's important to be transparent and provide as much information as possible."
He also offered the following points to consider in thinking about detection and incident response:
It’s not so much about prevention as it is detection, so have an intrusion detection strategy. It used to be people wanted to prevent it, but detection results in a much faster response. Detect it early before it causes too much damage. Detection is a shared responsibility across the organization.
Have an “incident response plan” to determine who needs to do what, when, and how. Do this now before an incident so that you know exactly what needs to be done in the aftermath.
When a phishing scam does occur:
Be transparent with your teams, clients, and partners. You don’t want to hide it.
Have a sense of urgency. Be timely about relaying the vulnerability information.
Maintain a high level of responsiveness. If people are telling you something's wrong, it goes a long way to take it seriously and respond.
Once the dust settles, do a forensic analysis to determine: Where was the entry point? How did we get scammed? How did it affect our systems?
Educate and equip your teams with methods to identify phishing scams. Internal training is key and will likely become a new job requirement for most folks.
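As an added example (not from the article, and not Biscom's tooling), the following Python script shows the kind of early detection and after-the-fact forensic check Ho's points describe. It parses a raw email message with the standard library and flags the indicators an analyst looks at first: a failed SPF/DKIM/DMARC verdict in the receiving server's Authentication-Results header, a Reply-To that redirects replies to a different domain, a display name that invokes a trusted partner while the address domain is not that partner's, and link text that shows one host while the href points to another. The partner list, the domains and both messages are constructed for this example.

```python
"""Phishing-indicator triage for raw RFC 5322 messages (added example).

The partner domain, sender domains and sample messages below are
hypothetical and constructed for illustration only.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical: partner names we expect to see in a display name, with the
# only domain that may legitimately send mail under that name.
TRUSTED_PARTNERS = {"acme financial": "acmefinancial.example"}

AUTH_FAIL = re.compile(r"\b(spf|dkim|dmarc)=(fail|softfail|permerror)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT = re.compile(r"https?://[^\s<]+", re.I)


def _domain(addr):
    """Domain part of an email address, lower-cased ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    """Hostname of a URL, lower-cased ('' if it has none)."""
    return (urlparse(url).hostname or "").lower()


def phishing_indicators(raw):
    """Return a list of (indicator, detail) tuples for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. The receiving MTA's own verdict on sender authentication.
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_FAIL.findall(hdr):
            findings.append(("auth_fail", f"{mech.lower()}={result.lower()}"))

    # 2. Replies silently routed to a domain other than the sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(("reply_to_mismatch", f"{from_dom} -> {_domain(reply_addr)}"))

    # 3. Display name claims a partner, but the address domain is not theirs.
    for partner, dom in TRUSTED_PARTNERS.items():
        if partner in name.lower() and from_dom != dom and not from_dom.endswith("." + dom):
            findings.append(("display_name_impersonation", f"{name!r} from {from_dom}"))

    # 4. Visible link text shows one host while the href goes to another.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    for href, text in ANCHOR.findall(html):
        shown = URL_IN_TEXT.search(re.sub(r"<[^>]+>", "", text))
        if shown and _host(shown.group()) != _host(href):
            findings.append(("link_text_mismatch", f"{_host(shown.group())} -> {_host(href)}"))

    return findings


# Constructed sample: lookalike sender domain, redirected replies, failed SPF,
# and a link whose visible text does not match its target.
SUSPICIOUS = """\
From: "Acme Financial Support" <support@acmefinancial-secure.example>
Reply-To: docs@mailbox-collect.example
To: bill@biscom.example
Subject: Updated statements for review
Authentication-Results: mx.example; spf=fail smtp.mailfrom=acmefinancial-secure.example; dkim=none
Content-Type: text/html; charset="utf-8"

<p>Please review the attached statements at
<a href="http://acmefinancial.example.login-verify.example/doc">https://portal.acmefinancial.example/doc</a></p>
"""

# Constructed sample: same partner, genuine domain, passing authentication.
BENIGN = """\
From: "Acme Financial Support" <support@acmefinancial.example>
To: bill@biscom.example
Subject: Updated statements for review
Authentication-Results: mx.example; spf=pass smtp.mailfrom=acmefinancial.example; dkim=pass header.d=acmefinancial.example
Content-Type: text/html; charset="utf-8"

<p>Statements are at <a href="https://portal.acmefinancial.example/doc">https://portal.acmefinancial.example/doc</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, phishing_indicators(raw))
```

Run the file directly and the suspicious message yields four findings while the benign one yields none. None of these checks is proof on its own (legitimate mail sometimes fails SPF after forwarding, and marketing mail routinely sets a foreign Reply-To), which is why the script returns the full list of indicators for a human to weigh rather than a single verdict; the same checks, run against the mail logs after an incident, are also a quick way to answer Ho's "where was the entry point?" question.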
This article is published as part of the IDG Contributor Network.