Phishing: Draining the corporate bottom line

Mar 10, 2017 | 6 mins

Quick quiz — how many of you have not experienced a phishing attack on your organization in the last month? 

I suspect that there are not many hands up. As you likely know, phishing is a pervasive problem for the corporate world, and the problem is growing. One organization I work with has seen a 400% increase in phishing attacks in just the last year. 

I think most people with some knowledge of the information security world understand the gravity of phishing attacks. The results of a recent study indicated that approximately 93% of phishing messages carry ransomware. On top of that, many seek to collect personal information for later use, a practice known as social engineering. 

What many may not realize is the drain phishing attacks place on the information technology team, particularly the information security organization. For organizations with an operational security function, this involves pulling the message out of mailboxes before most users see it, conducting forensic analysis to understand what each message does, reviewing logs to understand what, if any, impact the message had on the organization, blocking links or attachments, and keeping leadership informed. These efforts can leave a major dent in the bottom line. 

If someone acted on a link or attachment, the time spent can rise exponentially. This usually involves a full incident response process, focused on cleaning up any damage, restoring corrupted files, and investigating the possibility of a data breach. Given that HIPAA requires any such attack to be treated as a breach until proven otherwise, covered organizations must conduct an even more thorough investigation.

Phishing is also a drain on overall organizational workload. Many larger organizations now require annual phishing training. Employees must read outside messages with greater care, and must learn to contact IT when they have a suspected message. The hours all employees of an organization spend on activities related to phishing can add up fast. 

To further complicate the impact on the organization as a whole, the constant fear of becoming a victim of a phishing attack can slow down normal operations. This fear often leads to employees being reluctant to act on a message that is legitimate. I encountered one such situation this week, when employees received a message confirming their access to a new system they had requested. Multiple users thought it might be phishing. This delayed their access to the system they needed, and required the operational security team to investigate to confirm its legitimacy.

According to a study by the Ponemon Institute, the average yearly cost to a 10,000-person company for phishing-related activities is a staggering $3.7 million. This includes an average of 4.16 hours per year wasted by each individual employee dealing with phishing. In my experience, that number is low.

One of my favorite movie quotes was made by the WOPR computer from the movie War Games: “The only winning move is not to play.” Applied to phishing, this underscores the importance of keeping as many phishing attacks out of an organization as possible, and limiting the damage from those that do get through. Here are some suggestions: 

Prevent spam

Using anti-spam software on your email system is a strong defense against phishing attacks. Many phishing attacks are readily recognized and blocked by spam filters.

Training and reporting

Train your employees to spot phishing attacks, and make it easy for them to report suspected incidents. This becomes a valuable part of your early warning system, allowing you to investigate and, where necessary, act on an incident quickly. Services such as PhishMe include a button for Outlook that facilitates easy reporting.

Have a plan

Have a written plan outlining the steps your team will take in responding to phishing attacks. Logging and documentation are a critical part of this, in case an attack later becomes a legal or compliance issue.

Kill the messages

When an attack is confirmed, the highest priority should be to pull the message out of the mailboxes of anyone who received it, before they have a chance to respond.

Analyze and remediate

Once you have removed all possible messages from other users, you need to understand whether any recipients clicked on the link or opened an attachment. Use available logs — if not available, contact the recipients and ask for details. It helps to have an isolated environment from which you can open the link or an attachment, to determine what, if any, negative consequences occur. Tools such as Wireshark can help you to determine what actions result from responding to the message.

Be careful, however, to test a message only in a completely isolated environment. Obviously, if you find that a user interacted with a phishing message, you will need to take whatever steps are necessary to clean up any damage.

Block actions

If you determine from the analysis that the message attempts to contact addresses or websites, block access to those destinations from your firewall or web filtering system.
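One way to make the log review in "Analyze and remediate" and the blocking step above repeatable, as an added example that is not part of the original article: it assumes a simple web proxy log format (timestamp, user, method, URL, status) and uses constructed log lines and a placeholder phishing URL, so the indicator hostnames and users are not real.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicator URL extracted from the phishing message under analysis (constructed placeholder).
PHISH_URLS = ["http://login-verify.example-phish.invalid/reset"]

# Constructed proxy log lines: timestamp user method url status
PROXY_LOG = """\
2017-03-08T09:12:01 alice GET http://intranet.example.invalid/home 200
2017-03-08T09:13:44 bob GET http://login-verify.example-phish.invalid/reset 200
2017-03-08T09:13:45 bob POST http://login-verify.example-phish.invalid/reset 302
2017-03-08T10:02:10 carol GET https://login-verify.example-phish.invalid/reset?u=carol 200
2017-03-08T10:05:00 dave GET http://news.example.invalid/ 200
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")

def indicator_hosts(urls):
    """Normalise indicator URLs to lowercase hostnames (the unit we match and block on)."""
    return {urlsplit(u).hostname.lower() for u in urls if urlsplit(u).hostname}

def find_clicks(log_text, urls):
    """Return {user: [(timestamp, method, url), ...]} for every request to an indicator host."""
    hosts = indicator_hosts(urls)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the review
        ts, user, method, url, _status = m.groups()
        host = urlsplit(url).hostname
        if host and host.lower() in hosts:
            hits[user].append((ts, method, url))
    return dict(hits)

def submitted_credentials(hits):
    """Users who POSTed to the phishing site: treat as probable credential exposure."""
    return sorted(u for u, reqs in hits.items() if any(m == "POST" for _, m, _ in reqs))

def block_rules(urls):
    """Hostnames to add to the web filter or firewall denylist."""
    return sorted(indicator_hosts(urls))
```

Users returned by `find_clicks` are the ones to contact and clean up; `submitted_credentials` flags those whose password reset should be forced first.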

Use threat intelligence

A good way to prevent phishing attacks before they happen is to stay plugged in to threat intelligence feeds. If other organizations tell you about the phishing campaigns they are seeing before those campaigns reach your network, you have a chance to block them in advance.

The best threat intelligence feeds usually come from an organization focused on your industry. If you cannot find one, check this list of available feeds. Don’t forget to return the favor by informing other organizations about the attacks you get.

Maintain metrics

Since phishing prevention and response is time consuming and expensive, you will likely need to justify the costs to your company’s management. Keep careful statistics about your phishing attacks, and the time and effort spent responding, and report those numbers to management on a regular basis. 

Bottom line: Preventing and responding to phishing attacks is a costly endeavor, but the consequences of one of your users responding to such an attack will be far worse. Do everything you can to prevent or limit attacks, and respond quickly to any attacks you discover.


Robert C. Covington, the "Go To Guy" for small and medium business security and compliance, is the founder and president of togoCIO. Mr. Covington has a B.S. in Computer Science from the University of Miami, with over 30 years of experience in the technology sector, much of it at the senior management level. His functional experience includes major technology implementations, small and large-scale telecom implementation and support, and operations management, with emphasis on high-volume, mission critical environments. His expertise includes compliance, risk management, disaster recovery, information security and IT governance.

Mr. Covington began his Atlanta career with Digital Communications Associates (DCA), a large hardware/software manufacturer, in 1984. He worked at DCA for over 10 years, rising to the position of Director of MIS Operations. He managed the operation of a large 24x7 production data center, as well as the company’s product development data center and centralized test lab.

Mr. Covington also served as the Director of Information Technology for Innotrac, which was at the time one of the fastest growing companies in Atlanta, specializing in product fulfillment. Mr. Covington managed the IT function during a period when it grew from 5 employees to 55, and oversaw a complete replacement of the company’s systems, and the implementation of a world-class call center operation in less than 60 days.

Later, Mr. Covington was the Vice President of Information Systems for Teletrack, a national credit bureau, where he was responsible for information systems and operations, managing the replacement of the company’s complete software and database platform, and the addition of a redundant data center. Under Mr. Covington, the systems and related operations achieved SAS 70 Type II status, and received a high audit rating from the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency.

Mr. Covington also served as Director of Information Technology at PowerPlan, a software company providing software for asset-intensive industries such as utilities and mining concerns, and integrating with ERP systems including SAP, Oracle Financials, and Lawson. During his tenure, he redesigned PowerPlan's IT infrastructure using a local/cloud hybrid model, implemented IT governance based on ITIL and COBIT, and managed the development of a new corporate headquarters.

Most recently, Mr. Covington, concerned about the growing risks facing small and medium business, and their lack of access to an experienced CIO, formed togoCIO, an organization focused on providing simple and affordable risk management and information security services.

Mr. Covington currently serves on the board of Act Together Ministries, a non-profit organization focused on helping disadvantaged children, and helping to strengthen families. He also leads technical ministries at ChristChurch Presbyterian. In his spare time, he enjoys hiking and biking.

The opinions expressed in this blog are those of Robert C. Covington and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.