Protecting your organisation from the effects of undetected phishing emails - Layer Three

Protecting your organisation from the effects of undetected phishing emails - Layer Three

Continuing with our series on cyber security, we’ve already covered Layer One - ‘Making it difficult for attackers to reach your users’ and Layer Two - ‘Helping users identify and report suspected phishing emails’ as part of the National Cyber Security Centre’s guidance helping organisations protect themselves from cyber attacks.

As you’re already aware, the NCSC’s details the 4 layers your organisation should apply to ensure you are as protected as possible:

1. Making it difficult for attackers to reach your users

2. Helping users identify and report suspected phishing emails

3. Protecting your organisation from the effects of undetected phishing emails

4. Responding quickly to incidents

 

This blog is going to look at Layer Three - Protecting your organisation from the effects of undetected phishing emails.

 

What do you do when an undetected phishing email gets through?

Unfortunately we can’t stop every phishing email getting past security checks - some do manage to slip through the net and the following offers guidance in the event of that happening and and how the effect can be minimised.

 

Malware protection

Malicious software or malware as it is more commonly known is a type of computer program that infects computers and devices. In various forms, malware is hidden in phishing emails or websites  and cybercriminals deploy it as a means of exploiting weaknesses and extracting information - usually for financial gain. 

A study last year by specialist business internet service provider (ISP) Beaming, reported that since 2015, cyber crime in the UK has doubled, costing businesses £87 billion (and obviously the figure has gone up since the report was published). It’s not just larger companies who should be worried. Since 2015, the proportion of small companies (with 11-50 employees) reporting themselves victims of attacks has risen from 39-76%. 

 

What can you do to protect against malware?

There are a variety of ways that offer protection and it’s important to ensure that you stop the deployment of malware by maintaining well configured devices/end points - even if the email link is clicked. To find out what is the right protection for your organisation, you need to establish if you’re vulnerable to a specific type of attack because that will dictate the type of defence you opt for. Also consider that some anti-malware software will be needed for some devices and not others. Finally, look at your system from a top level perspective; the way it has been set up will have a bearing on how damaging the malware will be. 

 

Supported software

Using supported software and devices that are constantly being updated with the latest patches is one way of stopping malware getting through.

 

Limit administrator accounts

Only give higher access to those that need it. This preventative measure will minimise the threat of a phishing email getting through and causing damage. Those people given admin status should not be using their account when internet browsing or checking emails.

Useful resource: NCSC - Device Security Guidance

Malicious websites - can I protect my users?

Yes. Many phishing emails contain links that, when clicked will take the user to a website which initiates an attack. If the website is blocked (and most up to date browsers will detect known phishing and malware sites and prevent you navigating there) job done, but do be aware that for mobile it may be a different story.

Whether it’s in house or hosted in the cloud, have a proxy service deployed which will also prevent the clicking through to a suspect website which has been flagged as a potential source of malware or phishing. This is particularly important for organisations within the public sector and the NCSC advises use of the Public Sector DNS service.

 

How to protect your organisation

Ensure you put in place protocols pertaining to authentication and authorisation. Password infiltration is the obvious first step for cybercriminals and they will target those people with access to any sensitive information or assets i.e. those with admin status. Ensure that only those who need that degree of access are assigned and consider a review of the login process. It’s common sense that people with more user privileges will be more attractive to a cybercriminal and the higher up the food chain the target, the greater the degree of damage caused. If people leave or change roles, ensure that their status is updated and do this on a regular basis.

 

Two Factor Authentication (2FA) or Two Step Verification adds that extra level of security whereby another process has to be adopted to allow access to an account rather than a mere password. See our website page: Microsoft multi-factor authentication

 

Password managers are another method of protection since bona fide websites are recognised and those that aren’t will not be autofilled with identifiable information. Another form is single sign on which means that a device recognises the real website and automatically signs into it. Both methods mean that password manual entry becomes a thing of the past and the chances of a user detecting something bogus rises.

Make it harder for cybercriminals to steal a password by using biometrics and smartcards which offer alternative means of login. It’s also crucial that you review and update password policy. Are your people reusing passwords both at home and at work?

 

Consider deploying a good email filter which utilises the power of Artificial Intelligence to analyse correspondence styles and review mailbox data. Behavioural patterns emerge meaning it’s easier to identify an attack.

 

We use ATP/Defender for Office 365 whereby an automatic investigation and response is triggered when a threat to key areas is suspected (note there are alternative options out there such as IRONSCALES, Avanan, Proofpoint etc.). 

 

By way of example and as detailed in the Microsoft 365 Defender interactive guide, “If a malicious file is detected on an endpoint protected by Microsoft Defender Advanced Threat Protection, it will instruct Microsoft Defender for Office 365 to scan and remove the file from all e-mail messages. The file will be blocked on sight by the entire Microsoft 365 security suite.” 

 

This approach prevents a progression of the incident and further assets from being attacked. In addition and even before human investigation is underway, the system uses AI and security playbooks to initiate self-heal protocols and remediation. 

 

If you would like to know more about how we can help your organisation defend itself against email phishing or security in general, please get in touch with our cyber security team. We’re here to safeguard both you and your staff.

 

Other articles in the series:

Layer One - ‘Making it difficult for attackers to reach your users’

Helping users identify and report suspected phishing emails - Layer Two

Email phishing and why your organisation should protect itself

Audit your security with Cyber Essentials

How can we help you?

Microsoft Gold Certified
Microsoft Partner Solutions
Cyber essentials plus
Watchguard one gold
Hp enterprise