During this digital summit panel, Suresh Chawdhary, head of security & privacy for Nokia, stresses the importance of a layered, multi-pronged cyber security approach as the best protection against phishing and whaling. This layered defense moves away from a one-size-fits-all strategy and ensures that everyone across the enterprise is properly equipped to stay protected against threats.
Finance and HR employees are particularly vulnerable because of their payment-processing duties. An email spoofing the head of finance or the CEO can expertly convince an employee to transfer money urgently at the click of a button, and the chance of getting that money back is close to zero. HR, in addition, has a massive amount of sensitive data at its fingertips. Data is the new oil of the cyber crime industry: all it takes is one slip or a single lapse in judgment for a breach to expose personal data so sensitive, such as credit card and social security numbers, that it produces a lawsuit or enough bad press to devastate an organization.
Examining the big picture and the factors that matter most to an organization helps build a plan that fits the company in terms of cost, risk profile, and size. Considerations may include:
A security plan isn't going to be the same across an organization. Still, certain baseline technologies form the foundation of security, namely an antivirus solution and a personal firewall for every employee across the globe. While email encryption is a nice-to-have for all employees, it is a must-have for the people most exposed to whaling attacks, including the C-suite and the leadership team. Other departments to keep in mind for customized controls are finance, HR, legal, procurement, and suppliers. Dealing with these hidden enemies requires a combination of proactive and reactive controls.
The obvious goal of a phishing or whaling attempt is an immediate financial gain. An advanced persistent threat, however, can do much more damage. In that scenario, a bad actor gains access to an organization's network using stolen credentials. Once inside, they can find and extract data while remaining undetected for long periods. Losing money hurts, of course, but the loss of IP such as proprietary algorithms or software can be the nail in the coffin.
Suresh estimates that only about half of all organizations have a solid security baseline, although that figure rises to about 80% for mid-sized and large companies. Unfortunately, too many companies invest significantly in cyber security only reactively. The ROI and business case for a primary, proactive cyber security strategy often isn't obvious until it is too late, that is, until a breach has occurred. It is therefore the CSO's job to build and communicate a strong business case for why a security technology investment is worth it.
Also, while training is a worthy and necessary investment, humans are only human, and phishing and whaling attempts will sometimes succeed. That is why a CSO must also argue for reactive controls built on honeypot technologies.
A honeypot is a security mechanism deployed within a network that spots malicious traffic patterns flowing into and out of the network. A honeypot can be set up to divert traffic to particular devices that slow it down and even forensically investigate the source, the destination, and the TCP or UDP port numbers involved. It also identifies the types of files dropped and the time of the breach.
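To make the forensic side of the previous paragraph concrete, here is a small analyser for the connection records a decoy listener would produce. It is an added example and not code from the panel, Nokia, or any honeypot product; the record format (timestamp, source address:port, destination address:port, protocol, optional dropped filename), the sample lines and the tarpit back-off schedule are all constructed for this illustration. Because nothing legitimate ever talks to a decoy, every source that appears is worth reporting: the code records first and last contact, the ports probed, any file names captured, and how long the decoy should hold the next connection from that source open to slow it down.

```python
"""Honeypot record analyser (added example; format and data are constructed)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample capture: one line per connection attempt that reached a
# decoy listener. Addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-01T09:15:02 198.51.100.7:51234 -> 10.0.0.50:445 tcp
2024-03-01T09:15:03 198.51.100.7:51235 -> 10.0.0.50:3389 tcp
2024-03-01T09:15:09 198.51.100.7:51236 -> 10.0.0.50:22 tcp
2024-03-01T09:16:40 203.0.113.9:40001 -> 10.0.0.50:161 udp
2024-03-01T09:20:15 198.51.100.7:51240 -> 10.0.0.50:445 tcp invoice.xlsm
"""


@dataclass
class HoneypotEvent:
    when: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    filename: str | None = None  # file dropped on the decoy, if any


def parse_event(line: str) -> HoneypotEvent:
    """Parse one record in the constructed '<ts> <src> -> <dst> <proto> [file]' form."""
    parts = line.split()
    if len(parts) not in (5, 6) or parts[2] != "->":
        raise ValueError(f"malformed honeypot record: {line!r}")
    src_ip, src_port = parts[1].rsplit(":", 1)
    dst_ip, dst_port = parts[3].rsplit(":", 1)
    return HoneypotEvent(
        when=datetime.fromisoformat(parts[0]),
        src_ip=src_ip,
        src_port=int(src_port),
        dst_ip=dst_ip,
        dst_port=int(dst_port),
        proto=parts[4].lower(),
        filename=parts[5] if len(parts) == 6 else None,
    )


@dataclass
class SourceSummary:
    first_seen: datetime
    last_seen: datetime
    attempts: int = 0
    ports: set[tuple[str, int]] = field(default_factory=set)  # (proto, dst_port)
    files: list[str] = field(default_factory=list)


def tarpit_delay(attempts: int, base: float = 0.5, cap: float = 30.0) -> float:
    """Seconds to hold the next connection from a source before answering.

    Doubles with every attempt seen so far and is capped, so a scanner is slowed
    down without the decoy tying up resources indefinitely (constructed schedule).
    """
    return min(base * 2 ** max(attempts - 1, 0), cap)


def summarize(log_text: str) -> dict[str, SourceSummary]:
    """Aggregate all records per source address."""
    summaries: dict[str, SourceSummary] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        s = summaries.get(ev.src_ip)
        if s is None:
            s = SourceSummary(first_seen=ev.when, last_seen=ev.when)
            summaries[ev.src_ip] = s
        s.attempts += 1
        s.first_seen = min(s.first_seen, ev.when)
        s.last_seen = max(s.last_seen, ev.when)
        s.ports.add((ev.proto, ev.dst_port))
        if ev.filename:
            s.files.append(ev.filename)
    return summaries


def report(summaries: dict[str, SourceSummary]) -> list[str]:
    """One human-readable line per source, earliest contact first."""
    lines = []
    for src, s in sorted(summaries.items(), key=lambda kv: kv[1].first_seen):
        ports = ", ".join(f"{p}/{n}" for p, n in sorted(s.ports))
        lines.append(
            f"{src}: {s.attempts} attempt(s) {s.first_seen.isoformat()}"
            f"..{s.last_seen.isoformat()}; ports {ports}; files {s.files or '-'}; "
            f"next tarpit delay {tarpit_delay(s.attempts):.1f}s"
        )
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run as a script, it prints one line per source: the first address touched SMB, RDP and SSH decoy ports within a few seconds and later dropped a spreadsheet, which is exactly the source, destination, port, file-type and timing evidence the paragraph above describes; the growing tarpit delay is the "slow the traffic down" part.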
Suresh closes with a reminder for CSOs: they are responsible not only for protecting and safeguarding critical information assets, but also for mitigating these kinds of threats, which may be aimed at specific roles or functions. Beyond security talent, that takes management and business skills.