Phishing scams erode trust and compromise brand

May 06, 2016 · 4 mins
Backup and Recovery | Computers and Peripherals | Data Breach

The ever popular attempts to infiltrate a network through phishing scams can negatively impact more than just enterprise security

Everyone from the CFO to the entry-level security newb is susceptible to a phishing scam. Yes, even those who have spent their careers in IT and security can fall victim to these persistent and highly sophisticated scams.

When a client is the recipient of a scam that came from your enterprise, though, the consequence is not only to your network security but also to the public’s perception and trust of your business, especially if you are a financial services company. 

Bill Ho, cybersecurity expert and CEO of Biscom, was recently a victim of a phishing scam. While Ho said he receives scam emails all the time, this one was different. “It came from someone I’d been working with. A financial services company with whom I would be sharing confidential financial data. That made me think about the relationship with that company,” Ho said.

While many security practitioners focus on preventing a breach, few are equally mindful of the ways in which a breach can tarnish the organization’s reputation. Unfortunately, Ho said, “When I think about them or talk to them, there is this thought in the back of my mind about if I work with them, how careful are they going to be with my data?”

Of great concern for Ho was the reality that this wasn’t just a friend or a colleague. “This was a business relationship at a level that required a lot more confidentiality,” he said.

When these potentially disastrous situations do occur, the manner in which a company responds is critical to maintaining its business relationships. “First they need to realize they may never regain that trust; however, like any crisis situation, communication is important,” Ho said.

“Phishing,” said Ho, “affects more than just your hardware. It can erode trust in clients, vendors, coworkers, partners, and more. Which means a loss in clients, a loss in revenue, and a loss of confidence in said employee from an internal perspective.”

To use an analogy, Ho said, “A restaurant that has had its name in the headlines for an E. coli outbreak from contaminated lettuce has likely gone out of its way to sterilize the facility, contact vendors, and manage the public perception of their response to the health concerns.” That restaurant is now likely the safest place to eat, but are people going back there? When? How long does it take to rebuild that public trust?

Ho said, “If the third party doesn’t feel like you are responding quickly, they lose trust. It’s important to be transparent and provide as much information as possible.”

He also offered the following points to consider in thinking about detection and incident response:

  • It’s not so much about prevention as it is detection, so have an intrusion detection strategy. It used to be people wanted to prevent it, but detection results in a much faster response. Detect it early before it causes too much damage. Detection is a shared responsibility across the organization.

  • Have an “incident response plan” to determine who needs to do what, when, and how. Do this now before an incident so that you know exactly what needs to be done in the aftermath.

  • When a phishing scam does occur:

    • Be transparent with your teams, clients, and partners. You don’t want to hide it.

    • Have a sense of urgency. Be timely about relaying the vulnerability information.

    • Heed a high level of responsiveness. If people are telling you something’s wrong, it goes a long way to take it seriously and respond.

    • Once the dust settles, do a forensic analysis to determine where the entry point was, how we got scammed, and how it affected our systems.

  • Educate and equip your teams with methods to identify phishing scams. Internal training is key and will likely become a new job requirement for most folks.

  • Engineer a smarter, safer workplace with cybersecurity consultations.

Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years’ experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master’s in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, the University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.