Technology has brought new terminology with it, and phishing is probably the word seen most often in articles about online safety. In 2019, the USA was reported as the country most affected by phishing, with nearly 65% of organizations falling victim to an attack.
Despite constant awareness campaigns and regular employee training, reports indicate that nearly one-third of targets still fall for phishing attempts. With more people active online than ever, the pool of potential targets for attackers keeps growing.
The Covid-19 pandemic changed the way the whole world lived. Shutdowns meant people worked remotely from home, jobs were lost, and businesses reported losses while operating with scaled-down workforces. Retail moved further online, and people spent more time transacting on digital platforms. This period also saw cybercriminals on the prowl, looking for easy income and unsuspecting targets through phishing techniques.
Remote working exposed weaknesses in organizations' IT systems, because home setups were secured less tightly than the office network. Hacking groups from various countries targeted a desperate population with pandemic-themed lures such as fake loan offers from banks and fake job offers from HR consultants. The other objective was to harvest personal information so that victims' bank accounts could be targeted and funds siphoned off.
Even though people are aware of the threat from hackers, they keep making basic hygiene mistakes when it comes to protecting their passwords or responding to unknown links in emails and SMS messages.
Why are phishing tests necessary?
Hackers often brute-force their way into accounts where passwords are weak or the employee is careless. They also profile employees on social media to collect details such as email addresses and phone numbers; once they know the corporate background, it becomes easier to break into the system. Another route is credential theft: a malicious link leads to a fake login page, the victim types in their credentials, and the attacker then logs into the real system undetected. Phishing tests are crucial for measuring how exposed an organization is to this kind of attack.
With many employees continuing to work remotely, it is essential to ensure that their individual systems are secured. This means strong passwords and two-factor authentication. IT departments or third-party cybersecurity providers that manage password policies should run regular drills to spot weak passwords, and should watch for employees approving second-factor prompts at odd hours or when suspicious logins arrive from unknown devices.
Another reason to test is a technology change, for example when a worker moves from an office system to a personal device. Software on a personal device may be vulnerable, and employees tend to mix personal and official activities when working from home.
Organizations should also run phishing tests when migrating data from on-premises systems to a cloud platform. Similarly, when developers deploy new applications to the cloud, those applications need a penetration test to check for vulnerabilities.
Conducting Phishing tests
No matter how alert one is, hackers are always one step ahead. They keep changing their strategies, target new victims and even change their locations and group names. This means organizations must prepare ahead of phishing attacks. Apart from educating employees and running training programs, another exercise is to run a phishing test. One can use a free, open-source framework such as Gophish, or paid products such as Infosec IQ and LUCY. These tools measure an organization's exposure to phishing and let the IT security team take remedial action.
Organizations running phishing tests can either alert employees about the exercise or run it unannounced. Each approach has pros and cons. An unannounced test gives an accurate picture of the gaps; the downside is that employees may feel the IT department does not trust them, even though the exercise is for their own protection. The advantage of announcing a drill beforehand is that it is viewed as a learning exercise rather than a failure on their part.
A drawback of running regular phishing tests is that they can give employees a false sense of security. If a drill reports that nobody fell for it, users may become complacent, yet a clean result only shows that the particular lure used did not work, not that the organization is safe from a different one.
Each phishing test result must be analyzed and documented so that corrective steps can be taken. The reports also serve as a reference point for the security team when designing future exercises that simulate different attacker strategies. Organizations that have outsourced cybersecurity management to third-party service providers should receive regular compliance reports covering identity and access management as part of their threat assessment.
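The analysis step above is where most phishing programs stop short: the campaign tool shows who clicked, but the security team needs click, credential-submission and report rates per department, plus a list of who must reset their password. The script below is an added example written for this article, not code from the page or from Gophish; the CSV columns and status values are modeled loosely on a Gophish-style export and are assumptions, so adjust them to whatever your tool actually produces. The sample data is constructed and names nobody real.

```python
import csv
import io
from collections import defaultdict

# Status progression used by Gophish-style exports; a later stage implies the
# earlier ones (someone who submitted data necessarily clicked). Assumed here.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]
CLICK_STAGE = STAGES.index("Clicked Link")

# Constructed sample export: no real people, no real campaign.
SAMPLE_CSV = """Email,Position,Status,Reported
a.lee@example.com,Finance,Submitted Data,No
b.khan@example.com,Finance,Clicked Link,No
c.ortiz@example.com,Finance,Email Opened,Yes
d.park@example.com,Engineering,Email Sent,No
e.sato@example.com,Engineering,Email Opened,No
f.nair@example.com,Engineering,Clicked Link,Yes
g.cole@example.com,HR,Submitted Data,No
h.diaz@example.com,HR,Email Reported,Yes
"""


def parse_results(text):
    """Read the export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def stage_index(status):
    """Position in the funnel; statuses outside it (Error, Email Reported) count as -1."""
    return STAGES.index(status) if status in STAGES else -1


def was_reported(row):
    """Reported column may be Yes/No or true/false depending on the tool (assumed)."""
    return row["Reported"].strip().lower() in ("yes", "true") or row["Status"] == "Email Reported"


def summarize(rows):
    """Per-department and overall click, credential-submission and report rates."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["Position"]].append(row)
    groups["ALL"] = list(rows)
    summary = {}
    for dept, members in groups.items():
        n = len(members)
        clicked = sum(stage_index(r["Status"]) >= CLICK_STAGE for r in members)
        submitted = sum(r["Status"] == "Submitted Data" for r in members)
        reported = sum(was_reported(r) for r in members)
        summary[dept] = {
            "targets": n,
            "click_rate": round(clicked / n, 3),
            "submit_rate": round(submitted / n, 3),
            "report_rate": round(reported / n, 3),
        }
    return summary


def needs_followup(rows):
    """Users who typed credentials into the landing page: reset passwords, retrain."""
    return sorted(r["Email"] for r in rows if r["Status"] == "Submitted Data")


if __name__ == "__main__":
    rows = parse_results(SAMPLE_CSV)
    for dept, stats in summarize(rows).items():
        print(f"{dept:12} {stats}")
    print("follow-up:", needs_followup(rows))
```

The report rate is worth tracking alongside the click rate: a department whose click rate stays flat but whose report rate climbs is still improving, and the people in `needs_followup` are the ones a real attacker would already have logged in as.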
How to set the process for phishing tests?
Organizations need to define the parameters for testing. Phishers use various tactics to target their victims; one is the social engineering trick of pretending to be the boss or a colleague when sending emails. The IT security team should ideally work with department heads to determine which approaches a real phisher would use against their staff.
Secondly, there must be a clear process for reporting phishing attempts to the IT department. Employees should forward suspicious mail to the IT team, which can then block the sender and its links so that other users are not targeted.
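When a reported mail lands with the IT team, the first questions are mechanical: does the display name belong to someone internal while the address does not, did the mail gateway's SPF, DKIM and DMARC checks pass, and where do the links actually go? The triage script below is an added example for this article, not code from the page or any product. The internal domain, the executive roster and both sample messages are constructed; the `Authentication-Results` header is assumed to come from your own inbound gateway, since one supplied by the attacker would be meaningless.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumed internal domain
# Assumed roster of people worth impersonating: display name -> real address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Constructed sample: a "boss" lure with the executive's name on an external address.
SUSPICIOUS_MESSAGE = b"""\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker-example.net; dkim=none; dmarc=fail
From: "Jane Doe" <jane.doe@attacker-example.net>
To: a.lee@example.com
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Are you at your desk? Please review the invoice at http://invoice-example.net/pay and confirm.
"""

# Constructed sample: the genuine executive, authenticated, linking to the intranet.
LEGITIMATE_MESSAGE = b"""\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass
From: "Jane Doe" <jane.doe@example.com>
To: a.lee@example.com
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Please review https://intranet.example.com/invoices/123 when you can.
"""


def is_internal(host):
    host = (host or "").lower()
    return host == ORG_DOMAIN or host.endswith("." + ORG_DOMAIN)


def auth_verdicts(msg):
    """spf/dkim/dmarc results from the gateway's Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)}


def extract_urls(msg):
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    return re.findall(r"https?://[^\s<>\"']+", text)


def triage(raw):
    """Return the sender, the indicators found and a rough verdict for a reported mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2]
    findings = []
    # 1. Display-name impersonation: a known name on the wrong address.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{display}' used from {addr} instead of {expected}")
    # 2. Sender outside the organization.
    if sender_domain and not is_internal(sender_domain):
        findings.append(f"external sender domain {sender_domain}")
    # 3. Email authentication that did not pass.
    verdicts = auth_verdicts(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech}={verdicts.get(mech, 'missing')}")
    # 4. Links that lead off-domain.
    urls = [u for u in extract_urls(msg) if not is_internal(urlparse(u).hostname)]
    if urls:
        findings.append("external link(s): " + ", ".join(urls))
    verdict = ("likely phishing" if len(findings) >= 2
               else "review manually" if findings else "no indicators")
    return {"from": addr, "verdict": verdict, "findings": findings, "urls": urls}


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, triage(raw))
```

The output of `triage` is what goes into the block list and the incident record: the sender address and domain to block at the gateway, and the external URLs to block at the proxy so that colleagues who received the same lure cannot reach the landing page.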
Despite all the security measures and routine drills, phishing will not stop; hackers will continue to look for new opportunities. A certain proportion of the workforce is expected to keep working remotely after the pandemic is over. Phishing simulations are a good defense strategy and need to be continued regardless of operational challenges at the workplace.