Recent breaches of personal data and email addresses managed by email providers such as Silverpop and Epsilon have renewed fears that spear phishing is becoming more common and more successful.
Spear phishing is not a new threat. The opportunities have been greatly amplified by the volumes of personal and corporate information individuals send; the outsourcing of email service to parties whose security competencies have been seriously undermined; and our continued willingness to blithely hand over whatever personal information is asked of us without exercising individual or corporate due care in determining how that information is protected.
Now, while we may forgive individuals for taking “we take measures to protect your data” at face value, we cannot excuse businesses, especially financials and globals, for being security-challenged.
The few resources that discuss spear phishing mitigation or prevention mostly remix basic phishing best-practices. At e-How and on my personal blog you’ll find recommendations such as these:
- Don’t include too much personal information in your blog or social networking profile.
- Use email whitelists.
- Use antivirus and antispyware software and install all patches and updates issued for that software.
- Don’t respond to mysterious messages that ask for personal information.
- Don’t send personal information via email.
But businesses that contend with large numbers of users and large volumes of email need to raise the security bar, whether they outsource email or manage it in-house:
- Implement awareness and training campaigns. Begin by explaining the principles behind the phisher's most powerful weapon: social engineering. Explain what spear phishing is and the threat it poses to individuals and to the organization. Consider hosting online quizzes for your employees, and check whether your awareness campaigns are actually effective.
- Provide guidelines for your employees. Explain to employees what personal information phishers seek and describe the tell-tale signs of a phishing message. You may want to use my "Anatomy of a Phishing Expedition" article as a template or resource.
- Publish a corporate policy. List the business information that employees must take care not to disclose in blogs, social networks, tweets, or email correspondence. The list should include such information as organization charts, telephone directories and mailing lists, customer information, and, of course, all personal identity information your company manages. Consider explaining what social networking privacy controls are and how employees should set them to protect themselves and the organization.
- Implement a phishing response plan. If spear phishing poses a significant risk to your organization, establish a response function in your organization to which employees can report suspicious URLs or attachments. Aggregate phishing emails from these reports as well as from your antispam systems. By examining URLs and attachments in the aggregate, your staff may be able to deduce whether your organization is being specifically targeted. Work in cooperation with anti-phishing organizations (Spamhaus, SURBL, and others), which may be able to identify the nature and origins of the attack from this data.
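As an added illustration of the aggregation step (example code written for this page, not from the article or from any of the organizations it names): the script parses a few constructed phishing reports, records which sender domains and link hosts reached more than one distinct employee, and flags domains that spell the organization's name with digit look-alikes. The organization domain example-corp.com and all three messages are hypothetical.

```python
import re
from collections import defaultdict
from email import message_from_string, policy, utils

ORG_DOMAIN = "example-corp.com"  # hypothetical organization domain
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
HOMOGLYPHS = str.maketrans("1035", "loes")  # digit-for-letter swaps in look-alike names

# Constructed sample reports (hypothetical): two lures share a look-alike sender
# domain and link host across different recipients; the third is ordinary bulk spam.
REPORTED = [
    "From: HR Payroll <payroll@examp1e-corp.com>\nTo: alice@example-corp.com\n"
    "Subject: Updated W-2 form\n\nReview your W-2 at http://examp1e-corp-hr.com/w2 today.\n",
    "From: IT Helpdesk <helpdesk@examp1e-corp.com>\nTo: bob@example-corp.com\n"
    "Subject: Password expiry\n\nReset now: http://examp1e-corp-hr.com/reset\n",
    "From: promo@deals-mail.net\nTo: carol@example-corp.com\n"
    "Subject: 50% off\n\nShop at http://deals-mail.net/sale\n",
]

def is_lookalike(domain):
    """True if the domain contains the organization's name (after undoing digit swaps) but is not the real domain."""
    base = ORG_DOMAIN.split(".")[0]
    return domain != ORG_DOMAIN and base in domain.translate(HOMOGLYPHS)

def aggregate(raw_messages):
    """Map each (kind, indicator) seen in the reports to the set of recipients it reached."""
    reach = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        recipient = utils.parseaddr(msg["To"])[1].lower()
        sender_dom = utils.parseaddr(msg["From"])[1].split("@")[-1].lower()
        reach[("sender", sender_dom)].add(recipient)
        for host in URL_RE.findall(msg.get_content()):
            reach[("link", host.lower())].add(recipient)
    return reach

def assess(raw_messages, min_recipients=2):
    """Return indicators that reached several distinct employees, plus the domains impersonating ORG_DOMAIN."""
    reach = aggregate(raw_messages)
    campaign = {k: sorted(v) for k, v in reach.items() if len(v) >= min_recipients}
    lookalikes = sorted({d for (_, d) in reach if is_lookalike(d)})
    return campaign, lookalikes

if __name__ == "__main__":
    campaign, lookalikes = assess(REPORTED)
    print("campaign indicators:", campaign)
    print("look-alike domains:", lookalikes)
```

Indicators that recur across recipients, especially from look-alike domains, are the ones worth escalating to the anti-phishing organizations mentioned above; a single report of a generic lure usually is not.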
If this seems like a lot of work, consider the alternative. Ask yourself whether Condé Nast might have avoided sending $8 million to a scammer over a period of six weeks if it had done a better job of raising spear-phishing awareness.