I just read in Computer Weekly and Computing about the BBC’s method of dealing with phishing attacks. The articles were based on a keynote presentation by David Jones, Head of Information Security at the BBC at InfoSec.
His experience of how challenging it is to protect users and the network from phishing reflects comments I hear from many organizations.
I was struck by this in particular: “To combat future attacks, Jones said the BBC has created a flag pole. ‘This enables us to say we have a phish attack and we can block the phishing attack domain, then set a search to delete phishing messages from inboxes.’ While such an approach works on desktops and laptops, Jones said it is still necessary to be in touch with mobile users, as mobile devices are generally outside the control of corporate IT.”
This ‘monitor, identify and purge’ approach to phishing protection has been the de facto method for most IT teams. As his comments suggest, it is expensive, complex and time consuming. It is also not a complete solution, because, as we see here, it doesn’t always cover mobile. That gap is growing rapidly with the proliferation of mobile devices on the average network or email system today; for many of us, a mobile might even be our primary email device.
But the good news is that you can protect yourself from this threat before the attack reaches your end users. It doesn’t have to be this hard (or expensive). Please excuse the blatant plug, but this is exactly the kind of problem we set out to fix with our own phishing service announced last week – Targeted Threat Protection. It stops the phishing problem organizations are currently battling in its tracks.
Targeted Threat Protection means that phishing emails which clear the email gateway have their links rewritten, and Mimecast checks the destination webpage every time the user clicks the link. If it’s clean, the user goes straight to the site; if not, it’s blocked. The check happens on every click, not just the first, because many phishing attacks start with a clean webpage and only later swap in malware, hoping to catch a second or later click. Importantly, this protection extends to every device users access their corporate email from – mobile or desktop, corporate or BYOD.
The IT team can be alerted automatically when phishing mail is on the network, giving them an early warning of threats. And they can relax knowing that users are protected even if they ignore their training or instinct and decide to click the link in the email.
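As an added illustration (not Mimecast’s code, and no claim about how Targeted Threat Protection is built internally), here is a Python sketch of the two halves described above: rewriting links at delivery, then re-checking the destination on every click rather than trusting the verdict from delivery time, with a click log the IT team can alert on. The signing key, the protect.example.invalid endpoint and the in-memory reputation table are constructed assumptions standing in for the real service.

```python
import hashlib
import hmac
import re
from urllib.parse import quote, unquote, urlparse

SECRET = b"constructed-demo-key"                      # assumption: per-tenant signing key
PROTECT_HOST = "https://protect.example.invalid/url"  # assumption: click-time check endpoint


def sign(url: str) -> str:
    """HMAC over the original URL so a rewritten link cannot be altered to point elsewhere."""
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()[:16]


def rewrite_links(html: str) -> str:
    """At delivery: replace every http(s) href with a wrapped link carrying the original URL."""
    def wrap(match: re.Match) -> str:
        url = match.group(1)
        return f'href="{PROTECT_HOST}?u={quote(url, safe="")}&s={sign(url)}"'
    return re.sub(r'href="(https?://[^"]+)"', wrap, html)


class ClickTimeChecker:
    """At click time: look the destination up again on every click; nothing is cached."""

    def __init__(self, reputation: dict):
        # Constructed stand-in for a live reputation feed: hostname -> "clean" | "malicious".
        self.reputation = reputation
        self.events = []  # (user, url, verdict) records the IT team can alert on

    def on_click(self, wrapped: str, user: str) -> str:
        params = dict(p.split("=", 1) for p in urlparse(wrapped).query.split("&"))
        url = unquote(params["u"])
        if not hmac.compare_digest(sign(url), params["s"]):
            return "reject:tampered"  # someone edited the wrapped link by hand
        verdict = self.reputation.get(urlparse(url).hostname, "clean")
        self.events.append((user, url, verdict))
        return url if verdict == "clean" else "block"
```

A page that is clean when the mail is delivered but flagged later is blocked on the later click, which is the case a delivery-time-only scan misses.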
And it’s a service on the Mimecast cloud, so no local hardware, installs or updates are required. The IT team enables it centrally from their Mimecast administration console.
I also see that Mr Jones went on to talk about the importance of user training – I couldn’t agree more. You need technical protection matched with end-user training. This is partly why we’re building reporting tools into the administration console, so the IT team can see who’s clicking malicious links, adapt security profiles or initiate training to reduce future threats from risky online behavior.
So the bad news: the phishing threat (and spear phishing in particular) is growing and it’s real. The good news: cloud email security services like those from Mimecast mean you can protect yourself without adding yet more complexity and cost to your infrastructure.
Anyway, plug over.