Spear phishing attacks are especially insidious. An attacker targets an employee in an attempt to trick him into releasing confidential data.
These attackers may use your public directory to identify a likely target and send him an “urgent” request ostensibly from a higher-up. An employee who thinks he’s fulfilling a legitimate request can release confidential data before anyone has a chance to prevent it.
There are several techniques that can help prevent embarrassing, and expensive, data loss.
First, every company should educate their employees so that they understand data security. For example, confidential data should never be sent via email. Users should also be aware that email addresses can easily be faked (called spoofing), so any unusual request for data should be verified in person. Employees are the first line of defense against spear phishing attacks.
However, there is always a chance that an employee will be tricked by one of these attacks, so it’s important that you have other lines of defense in place.
Because spear phishing attacks are usually delivered through email, ensure that your company email provides security measures like encryption, address verification, and two-factor authentication.
Encrypting your data will ensure that unauthorized people can’t access it even if they do manage to acquire a file. All confidential data should be encrypted, and employees should be taught how to use encryption technology.
Email address verification will alert, or prevent delivery, of emails from addresses that differ from what they claim to be. Because spear phishing attacks typically rely on spoofed email addresses, this is a critical step in securing company data.
Finally, two-factor authentication will prevent unauthorized access to company email or resources even when a user’s password has been compromised. Because two-factor authentication requires a second authentication, like a pin that is generated by a separate device or texted to a user’s phone, a hacker will still be unable to access the user’s account.
It’s important to work with a security professional to assess individual company needs and find and fix vulnerabilities. Please contact us to arrange for a consultation.
