Posted on August 14, 2019 by staff

‘Employees alone can’t protect against phishing’ warns expert


A cybersecurity specialist and penetration tester has cautioned businesses against relying on human instinct to defend against ‘phishing’ attacks.

Phishing, an attempt to obtain sensitive information or persuade a victim to perform an action by posing as a trustworthy source, is most commonly carried out via email.

Speaking at a security event in Manchester, technical director of cybersecurity firm Secarma, Holly Williams, said: “Your users shouldn’t be your business’ first or last line of defence.

“There should be several lines of defence between me sending an email to the user and it being delivered. A user shouldn’t be able to completely derail business operations just by opening an email.”

Williams advised that rather than relying on employee action, businesses should improve the monitoring of their network in order to better deal with subsequent attacks.

“If you know the roles employees are supposed to be performing and improve your awareness of commands being executed across your systems, you can then detect when users appear to be behaving unusually and start implementing behavioural analytics to combat phishing attacks.”
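The detection approach Williams describes, a baseline of what each role normally executes plus an eye on how processes are launched, can be sketched in a few lines. The block below is an added illustration, not code from the article, from Secarma or from Williams: the role baselines, the list of office parents and interpreters, the `user=... role=... parent=... image=...` log format and all five sample events are constructed assumptions for the example.

```python
"""Role-aware process-execution baselining (added example, not from the article).

Each log line is a process-creation event: who ran it, what role they hold,
which parent process launched it and which image was started.  An event is
unusual if the image is outside the role's baseline (low confidence) or if an
office application spawned a script interpreter (high confidence), which is the
typical shape of a malicious attachment being opened.
"""
import re
from dataclasses import dataclass

# Hypothetical per-role baselines; in practice these come from observed history.
ROLE_BASELINE = {
    "finance": {"excel.exe", "outlook.exe", "chrome.exe", "acrobat.exe"},
    "developer": {"code.exe", "git.exe", "python.exe", "outlook.exe", "powershell.exe"},
}

# Parents from which an interpreter launch is suspicious regardless of role.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "acrobat.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe"}

# Constructed log format (assumption): one key=value event per line.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"parent=(?P<parent>\S+) image=(?P<image>\S+)$"
)

# Constructed sample events, not real telemetry.
SAMPLE_LOG = """\
2019-08-14T09:01:02 user=alice role=finance parent=explorer.exe image=outlook.exe
2019-08-14T09:02:10 user=alice role=finance parent=outlook.exe image=excel.exe
2019-08-14T09:02:45 user=alice role=finance parent=excel.exe image=powershell.exe
2019-08-14T09:05:00 user=bob role=developer parent=explorer.exe image=powershell.exe
2019-08-14T09:06:30 user=bob role=developer parent=outlook.exe image=winword.exe
"""


@dataclass
class Alert:
    ts: str
    user: str
    severity: str
    reasons: list


def parse_event(line):
    """Parse one constructed log line into a dict; reject lines that do not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def evaluate_event(ev):
    """Return (severity, reasons) for one event; reasons is empty when nothing is unusual."""
    reasons = []
    severity = None
    image = ev["image"].lower()
    parent = ev["parent"].lower()
    # An unknown role has an empty baseline, so everything it runs is flagged low.
    baseline = ROLE_BASELINE.get(ev["role"], set())
    if image not in baseline:
        reasons.append(f"{image} is outside the baseline for role {ev['role']}")
        severity = "low"
    if parent in OFFICE_PARENTS and image in INTERPRETERS:
        reasons.append(f"{parent} spawned interpreter {image}")
        severity = "high"  # overrides the baseline-only verdict
    return severity, reasons


def detect_unusual(log_text):
    """Run every event in log_text through evaluate_event and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        severity, reasons = evaluate_event(ev)
        if reasons:
            alerts.append(Alert(ev["ts"], ev["user"], severity, reasons))
    return alerts


if __name__ == "__main__":
    for a in detect_unusual(SAMPLE_LOG):
        print(a.ts, a.user, a.severity, "; ".join(a.reasons))
```

On the sample data the third event (Excel launching PowerShell under a finance user) is the high-confidence hit, while Bob's Word launch from Outlook is only a baseline miss: a reminder that a baseline-only rule is as noisy as the baselines are coarse, and that the parent-child relationship carries most of the signal.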

Commenting that phishing attacks play a part in 90 per cent of all data breaches, Williams continued: “Phishing is a go-to for attackers, but there’s confusion over where it sits in the attack chain. The end result of a phishing attack is very often not just something simple like gathering credentials; it’s one part in a larger story to gain access to systems.”

With 97 per cent of people unable to identify a sophisticated phishing email, according to Intel Security research, Williams further emphasised that employee training is essential for recognising the signs of a malicious email, but that businesses which leave their phishing defence to human reliability alone will be far more vulnerable to attacks.

Worst-case scenarios after a phishing attack include significant financial loss, reputational damage and compromised data. In June, Lancaster University suffered a high-profile phishing attack in which student data was stolen and used by criminals to send fraudulent invoices to undergraduate applicants.

A panel of fellow security experts highlighted the increasing sophistication and volume of phishing attacks, and consequently the growing risk to UK businesses. Watch UKFast’s webinar series for more information about securing your business.