Phishing: Draining the corporate bottom line

phishing money
Tax Credits (CC BY 2.0)

Quick quiz -- how many of you have not experienced a phishing attack on your organization in the last month? 

I suspect that there are not many hands up. As you likely know, phishing is a pervasive problem for the corporate world, and the problem is growing. One organization I work with has seen a 400% increase in phishing attacks in just the last year. 

I think most people with some knowledge of the information security world understand the gravity of phishing attacks. The results of a recent study indicated that approximately 93% of phishing messages carry ransomware. On top of that, many seek to collect personal information for later use, a practice known as social engineering. 

What many may not realize is the drain phishing attacks place on the information technology team, particularly the information security organization. For organizations with an operational security function, this involves pulling the message out of mailboxes before most users see it, conducting forensic analysis to understand what each message does, reviewing logs to understand what, if any, impact the message had on the organization, blocking links or attachments, and keeping leadership informed. These efforts can leave a major dent in the bottom line. 

If someone acted on a link or attachment, the time spent can rise exponentially. This usually involves a full incident response process, focused on cleaning up any damage, restoring corrupted files, and investigating the possibility of a data breach. Given that HIPAA requires any such attack be considered a breach until proven otherwise, these organizations must approach the investigation process even more completely. 

Phishing is also a drain on overall organizational workload. Many larger organizations now require annual phishing training. Employees must read outside messages with greater care, and must learn to contact IT when they have a suspected message. The hours all employees of an organization spend on activities related to phishing can add up fast. 

To further complicate the impact on the organization as a whole, there is a constant fear of being a victim of a phishing attack that can slow down normal operations. This fear often leads to employees being reluctant to act on a message that is legitimate. I encountered one such situation this week, by employees who received a message confirming their access to a new system they requested. Multiple users thought it might be phishing. This delayed their accessing the system they needed, and required the operational security team to investigate to confirm its legitimacy. 

According to a study by the Ponemon Institute, the average yearly cost to a 10,000 person company for phishing-related activities is a staggering $3.7 million dollars. This includes an average of 4.16 hours per year wasted by each individual employee dealing with phishing. In my experience, that number is low. 

One of my favorite movie quotes was made by the WOPR computer from the movie War Games: “The only winning move is not to play.” Applied to phishing, this underscores the importance of keeping as many phishing attacks out of an organization as possible, and limiting the damage from those that do get through. Here are some suggestions: 

Prevent spam

Using anti-spam software on your email system is a strong defense against phishing attacks. Many phishing attacks are readily recognized and blocked by spam filters.

Training and reporting

Train your employees to spot phishing attacks, and make it easy for them to report suspected incidents. This becomes a valuable part of your early warning system, allowing you to investigate, and where necessary, act on an incident quickly. Services such as PhishMe include a button for Outlook that facilitate easy reporting.

Have a plan

Have a written plan outlining the steps your team will take in responding to phishing attacks. Logging and documentation are a critical part of this, in case an attack later becomes a legal or compliance issue.

Kill the messages

When an attack is confirmed, the highest priority should be to pull the message out of the mailboxes of anyone that received it, before they have a chance to respond.

Analyze and remediate

Once you have removed all possible messages from other users, you need to understand whether any recipients clicked on the link or opened an attachment. Use available logs -- if not available, contact the recipients and ask for details. It helps to have an isolated environment from which you can open the link or an attachment, to determine what, if any, negative consequences occur. Tools such as Wireshark can help you to determine what actions result from responding to the message.

Be cautious, however, to only test a message in a completely isolated environment. Obviously, if you find that a user interacted with a phishing message, you will need to take whatever steps are necessary to clean up any damage.

Block actions

If you determine from the analysis that the message attempts to contact addresses or websites, block access to those destinations from your firewall or web filtering system.

Use threat intelligence

A good way to prevent phishing attacks before they happen is to stay plugged in to threat intelligence feeds. If you can get other organizations to tell you about their phishing attacks before they hit your network, you have a chance to block them before they happen.

The best threat intelligence feeds usually come from an organization focused on your industry. If you cannot find one, check this list of available feeds. Don't forget to return the favor by informing other organizations about the attacks you get.

Maintain metrics

Since phishing prevention and response is time consuming and expensive, you will likely need to justify the costs to your company's management. Keep careful statistics about your phishing attacks, and the time and effort spent responding, and report those numbers to management on a regular basis. 

Bottom line: Preventing and responding to phishing attacks is a costly endeavor, but the consequences of one of your users responding to such an attack will be far worse. Do everything you can to prevent or limit attacks, and respond quickly to any attacks you discover.

Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)