Phishing—or the practice of sending emails that appear to be legitimate in order to gain access to information as part of a scam—is a serious cyber security problem. According to CSO Online, 56% of IT professionals named phishing as their top cyber security threat. However, phishing attacks aren’t just targeted against businesses or individuals. Public sector agencies are at risk, as unscrupulous individuals target personal information, sensitive government data, or other protected data. Here’s an overview of how public sector agencies can fight phishing.
The Risks of Phishing
Forrester analysts recently reported on one case where phishing attacks targeted the public sector. As they note, “Diplomatic networks carry some of the world’s most sensitive information: communications between world leaders, key technical intellectual property, trade strategies, and military plans. A recent report by anti-phishing vendor Area 1 Security reveals that a three-year-long cyber attack led to the successful breach of the European Union’s diplomatic communications network.” Phishing attacks can have a range of goals, but all it takes is a single error to give criminals the information they need to hack into your network and do significant damage. In other words, if they can deduce an area of weakness, they can exploit it until it pays off.
When a phishing expedition is successful, the costs can be high—and public agencies may not be doing everything they can to prevent issues. As Forrester notes, “Many organizations focus their cyber security strategy on threat detection and buying tools to detect the most advanced threats. Email security, and therefore anti-phishing, then typically becomes a lower priority and is usually delegated to junior staff. As is evidenced by this cyber attack, which was allegedly conducted by one of the most sophisticated threat actors in the world, the simplest attacks can have the most damaging outcomes.”
6 Steps You Can Take to Prevent Phishing Attacks
- Conduct security training: Training your employees on the basics of phishing attacks and what they can do to prevent them may be one of the most effective frontline activities your agency can take. By providing training and context that prevents an employee from clicking on a link in an email from someone they don’t know, for example, or from entering credentials into a website they haven’t verified, you head off the problem before it can take root. Make anti-phishing training a mandatory part of your foundational cyber security training, and revisit the key concepts at least annually.
- Run test scenarios: Your agency can have all the training and technology in place to prevent phishing—and missteps can still happen. Consider running test drills where a member of your IT security team sends a false phishing email. Does your team put their knowledge to work, or do they fall victim? The goal here isn’t to punish anyone, but to identify weak spots that need support. If tests reveal gaps, it may mean that you need tighter data controls or to refresh training.
- Embrace two-factor authentication: Many scams, especially those aimed at the public sector, try to get credentials that provide access to confidential information. When your systems are protected with a second factor, users must also possess an authorized device, such as a mobile phone, that can receive a code. Entering a user name and password isn’t enough to gain access, and login attempts where the second factor is never completed can be a signal that a password has already been stolen.
- Deploy anti-virus and anti-malware programs: Adding a layer of defense to your network in the form of anti-virus and anti-malware programs can help. These programs monitor incoming emails, website visits, and other forms of network activity for potential threats and isolate them before they can run. Regularly test these programs, and scan your network for known vulnerabilities.
- Practice strong password security: Passwords are often what phishing attacks are after. Encourage your employees to develop secure passwords, and to use different passwords for different systems. In addition, regularly require that passwords be changed. Finally, tools like a password manager can eliminate the need to type credentials by hand; because a manager only fills saved credentials on the exact site they were saved for, it will not offer them to a look-alike login page, which lowers the chances of this type of scam succeeding.
- Install email security platforms: Email is the most common delivery channel for phishing attacks. Specialized email security programs can help reduce the risk. Consider a platform with features such as email filtering and quarantining, internal sender verification, and even the ability to use intelligent tools to scan for patterns that suggest phishing may be at play. Microsoft offers a cloud-based email filtering service, Advanced Threat Protection (ATP), for this purpose.
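To illustrate the "internal sender verification" and pattern-scanning features mentioned above, here is an added example written for this article (not any vendor's product): it reads a received message, parses the mail server's Authentication-Results header, and flags three common phishing indicators. The agency domain and the sample messages are constructed placeholders.

```python
import email
from email.utils import parseaddr

INTERNAL_DOMAIN = "agency.example"  # assumed internal domain (placeholder)


def auth_results(msg):
    """Parse the receiving server's Authentication-Results header into {method: result}."""
    header = msg.get("Authentication-Results", "")
    results = {}
    for part in header.split(";")[1:]:  # first element is the authserv-id, not a result
        part = part.strip()
        if "=" in part:
            method, result = part.split("=", 1)
            results[method.strip().lower()] = result.split()[0].lower()
    return results


def phishing_indicators(raw):
    """Return a list of indicator strings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply.rpartition("@")[2].lower()
    auth = auth_results(msg)
    found = []
    # Internal sender verification: a message claiming our domain must pass DMARC.
    if from_domain == INTERNAL_DOMAIN and auth.get("dmarc") != "pass":
        found.append("internal From domain without DMARC pass")
    # Display-name spoofing: the name mentions our domain but the address is external.
    if INTERNAL_DOMAIN in display.lower() and from_domain != INTERNAL_DOMAIN:
        found.append("display name impersonates internal domain")
    # Reply hijacking: replies are steered to a domain other than the From domain.
    if reply_domain and reply_domain != from_domain:
        found.append("Reply-To domain differs from From domain")
    return found


# Constructed sample messages (not real traffic).
SUSPICIOUS = """From: "IT Helpdesk agency.example" <helpdesk@agency-support.example>
Reply-To: reset@mail-login.example
To: staff@agency.example
Subject: Urgent password reset
Authentication-Results: mx.agency.example; spf=pass smtp.mailfrom=agency-support.example; dkim=none; dmarc=none header.from=agency-support.example

Please confirm your credentials.
"""
SPOOFED = """From: <director@agency.example>
To: staff@agency.example
Authentication-Results: mx.agency.example; spf=fail smtp.mailfrom=agency.example; dkim=none; dmarc=fail header.from=agency.example

Wire the payment today.
"""
```

Messages with a non-empty indicator list would be quarantined for review rather than delivered; a sender that legitimately uses a third-party mailing service should be added to the agency's SPF/DKIM records instead of whitelisted in this check.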
Phishing poses serious risks to government agencies. Being prepared, having strong policies in place, investing in training, and prioritizing anti-phishing infrastructure are key steps that every public agency should take. Don’t wait until the information your agency protects is at risk. Take smart steps today to ensure that you’re protecting data at every point of communication.