To address the risks associated with phishing and next-generation malware, Osterman Research recommends a variety of actions that any organization should undertake:
Understand the risk that your organization faces: The critical first step in developing a best practices approach to security is to understand, at least at a high level, the risks that an organization faces. Many decision makers do not sufficiently appreciate these risks because they are too busy, they don’t have enough budget, or they have not focused enough on the growing number of risks they face. Consequently, Osterman Research recommends that security decision makers study the growing variety of security risks in detail and recognize that they represent a serious threat to their organization. While this sounds simplistic, too many decision makers take a reactive approach, waiting until bad things happen before they take action, when they should be much more proactive in order to prevent those events to the greatest extent possible.
As just one example, organizations must monitor the risk levels associated with their data assets, corporate systems and the other tools that users may employ, and revisit those risk levels in response to regulatory requirements, advice from legal counsel, recent data breaches, cybercriminal activity and other factors. For example, a database might contain non-sensitive data that can safely be accessed using only a username and password. However, a change in an organization’s offerings or a new industry regulation may mean that sensitive data will be added to the database, thereby increasing the risk of inappropriate access to that content store.
Understand the breadth of tools that might be used (and maybe shouldn’t be): There are a number of capabilities that employees use that can create significant risks. For example:
- Personal Webmail accounts that users employ when the corporate email system is down or when they need to send files that are too large to be sent by the corporate email system.
- Consumer-focused file sync and share tools that give users access to all of their files from any platform, but that typically do not scan content for malware or other threats.
- File-transfer tools that are designed to send very large files independently of the corporate email system, and so do not get scanned for malware.
- Personally owned smartphones or tablets that can be the target of mobile malware.
- Social media tools that can be used to send corporate content or that can allow malicious content to enter an organization via short URLs or malvertising links.
- Employees’ home computers, which often are shared by family members who download non-secure content, and for which anti-virus defenses are often out-of-date.
- The growing variety of mobile apps, cloud-based applications and other tools that can subject corporate data to infiltration by malware or expose sensitive data to exfiltration by cybercriminals.
Conduct a complete internal audit: Organizations need to conduct a thorough audit to understand where all of their data is located, who has access to this data, the specific legal and regulatory obligations to which this data is subject, the identity of the data stakeholders, and other relevant information. This is essential in order to build a map of sorts that will help decision makers to understand the security risks they face and how to prioritize their resources in closing the security gaps that exist.
The next blog post will offer some additional recommendations. If you’d like to download our recently published white paper that explores these issues, you’re welcome to do so here.