Three Misconceptions about Credential Phishing Enterprises Should Understand

While cloud security, ransomware, and an expanding Internet of Things (IoT) keep CISOs awake at night, their employees face a constant threat: credential phishing. Security-conscious enterprises are increasingly putting identity and access management at the heart of their security strategy to mitigate this risk.

As attackers move away from surveillance, credential phishing and Business Email Compromise (BEC) attacks are rising. According to Abnormal Security’s “Q3 2021 Email Threat Report,” credential phishing rose from 66 percent of sophisticated attacks in Q4 2020 to over 73 percent in Q2 2021.

Knowledge is power when it comes to phishing. Businesses often underestimate its impact on their operations, assuming that their current defenses will suffice. Here are three common misconceptions about credential phishing that companies should be aware of:

Consumers, Not Businesses, Are The Focus

To begin with, many people still assume that phishing is only a threat to consumers. Yes, most phishing attempts still aim to get into a customer’s bank account. However, financially motivated attackers see significant value in breaking into POS systems or stealing Intellectual Property (IP) and selling it on the black market.

Employees also take advantage of enterprise connectivity, answering personal email and clicking phishing links while connected to the corporate network. Phishing occurs at all hours of the day and night, although the volume of clicks on malicious URLs is substantially larger on weekdays.

Employees often reuse the same passwords for their corporate and personal accounts, which leaves companies exposed when a personal account is phished. Attackers have also learned that a single compromised employee account is a foothold into the company’s network.

Phishing has evolved to target SMS messages, cloud storage sites, and social networking as attackers have become more aware of the modern workplace.

The demarcation between personal and work is a blur in today’s mobile, Bring-Your-Own-Everything workplace, leaving the organization susceptible to the indirect risk of the individual digital behavior of their employees.

Employees Can Be Taught to Avoid Clicking

Employees are becoming more aware that they should not click or open every link they see on the web or in an email, and businesses are betting on that rising awareness. Training can reduce the number of employees who make mistakes. However, it may not cover the most convincing lures, which are the hardest to avoid.

For example, Business Email Compromise (BEC) is highly tailored to the targeted employee, and the attacker’s goal is to dupe that employee into carrying out a valuable financial transaction. With stolen credentials, an attacker can take over the internal email accounts of executives and from there reach sensitive organizational data.

Businesses Just Require Perimeter Security Controls

Traditional detection and blocking solutions used to be sufficient, since companies operated behind a firewall with centralized perimeter control. However, as the industry shifts to cloud-based systems, with more users and more passwords for both corporate and personal use, such a firewall is no longer enough to protect against attacks. Malicious domains change faster than legacy defenses can keep up, leaving domain blockers in a never-ending game of false negatives and false positives.

The way forward

Sophisticated social engineering approaches will have a non-trivial success rate, regardless of how effectively organizations train their employees. Businesses need to increasingly prioritize identity and access management in their security strategy to handle this risk.

As a first step, they should put Single Sign-On (SSO) and Adaptive MFA in front of business-critical applications, whether in the cloud, on-premise, or mobile. This not only improves the employee experience by removing password management across applications, but also strengthens authentication. Organizations can roll these changes out gradually with smart policies that require step-up authentication only in the riskiest situations or for their most privileged users. IT benefits from the ease of administration and fewer tickets that centralized identity management with SSO and MFA provides.
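To make the "step-up only in the riskiest situations or for privileged users" policy concrete, here is an added example of an adaptive step-up decision function. It is illustrative code written for this page, not the product of any identity vendor; the field names on the session context, the risk weights and the thresholds are all hypothetical and would be tuned against an organization's own sign-in telemetry. It scores each login on the signals a stolen-password attack typically trips (unrecognized device, unusual country, recent failed attempts, sensitivity of the application), always demands a strong factor from privileged users, and lets a strong factor already verified in the session satisfy the step-up so low-risk logins stay frictionless.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # session proceeds on the existing credential
    STEP_UP = "step_up"    # demand a second, phishing-resistant factor now
    DENY = "deny"          # too risky even with step-up; route to helpdesk/IR


@dataclass(frozen=True)
class AuthContext:
    """Signals available to the identity provider at decision time.
    Field names are hypothetical; real IdPs expose similar attributes."""
    user: str
    privileged: bool              # admin, finance approver, executive
    known_device: bool            # device previously enrolled for this user
    country: str                  # geolocation of the current request
    home_country: str             # user's usual location
    app_sensitivity: str          # "low", "medium" or "high"
    failed_logins_last_hour: int = 0
    strong_factor_verified: bool = False   # e.g. FIDO2 already proven this session


# Invented weights and thresholds: tune against your own telemetry.
APP_SENSITIVITY_WEIGHT = {"low": 0, "medium": 15, "high": 40}
UNKNOWN_DEVICE_WEIGHT = 30
FOREIGN_COUNTRY_WEIGHT = 25
BRUTE_FORCE_WEIGHT = 20
STEP_UP_THRESHOLD = 40
DENY_THRESHOLD = 80


def risk_score(ctx: AuthContext) -> int:
    """Additive risk score. A phished password is typically replayed from a
    device the user never enrolled, often from another country, which is
    exactly the pattern these signals penalize."""
    score = APP_SENSITIVITY_WEIGHT[ctx.app_sensitivity]
    if not ctx.known_device:
        score += UNKNOWN_DEVICE_WEIGHT
    if ctx.country != ctx.home_country:
        score += FOREIGN_COUNTRY_WEIGHT
    if ctx.failed_logins_last_hour >= 3:
        score += BRUTE_FORCE_WEIGHT
    return score


def decide(ctx: AuthContext) -> Decision:
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return Decision.DENY
    # Privileged users always need a strong factor; everyone else only when
    # the context looks risky. A strong factor already verified in this
    # session satisfies the step-up, so low-risk logins stay frictionless.
    needs_strong_factor = ctx.privileged or score >= STEP_UP_THRESHOLD
    if needs_strong_factor and not ctx.strong_factor_verified:
        return Decision.STEP_UP
    return Decision.ALLOW


# Constructed sample sessions for demonstration (not real telemetry).
SAMPLE_SESSIONS = [
    AuthContext("alice", privileged=False, known_device=True, country="US",
                home_country="US", app_sensitivity="low"),
    AuthContext("alice", privileged=False, known_device=False, country="US",
                home_country="US", app_sensitivity="medium"),
    AuthContext("bob", privileged=True, known_device=True, country="US",
                home_country="US", app_sensitivity="low"),
    AuthContext("bob", privileged=True, known_device=True, country="US",
                home_country="US", app_sensitivity="low",
                strong_factor_verified=True),
    AuthContext("carol", privileged=False, known_device=False, country="RO",
                home_country="US", app_sensitivity="high",
                failed_logins_last_hour=5),
]


def evaluate(sessions=SAMPLE_SESSIONS) -> list:
    """Return (user, score, decision) for each session."""
    return [(s.user, risk_score(s), decide(s)) for s in sessions]


if __name__ == "__main__":
    for user, score, decision in evaluate():
        print(f"{user:6} risk={score:3}  -> {decision.value}")
```

Two design points matter more than the exact numbers. First, the step-up factor should be one a phishing page cannot relay, such as a FIDO2 security key or passkey, otherwise the attacker who captured the password simply captures the one-time code too. Second, keeping the privileged-user rule independent of the score means an admin logging in from a familiar laptop in the office still proves a strong factor, which is the "most privileged users" case the text calls out.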