The risks associated with phishing are often underestimated. Many still believe that the consequences are limited to having to change a few passwords, scan their network, or even have a comprehensive security policy.
However, as we will see, phishing can have a very broad impact, and risk management must therefore be adapted accordingly.
Definitions
Let's start by defining risk management and phishing in two sentences:
IT risk management involves knowing, analyzing, and measuring internal and external risks to prevent and mitigate threats that can affect a company's activities.
Phishing is a technique used by cybercriminals to entice you to disclose sensitive personal information through fraud or deception.
By definition, phishing attacks are considered external risks, meaning they are not controllable by your organization.
Risks associated with phishing
The risks associated with phishing are numerous for companies but also for employees who fall victim to the attack:
- Financial impact that can sometimes be very significant
- Reputational impact
- Legal impact
- Social impact (depression for the victim)
- etc.
According to statistics from the company Avanan, 1% of emails are phishing emails, equating to nearly 5 emails per employee per week. Considering that nearly a third of phishing emails bypass the default security system, the threat is very much present.
Regarding the attacks, 2 out of 3 phishing attempts use a malicious link, and more than half contain malware.
Phishing Risk Assessment
The difficulty in managing risks associated with phishing primarily lies in the risk assessment, which is conditioned by a proper understanding of the threat. Once the danger is clearly identified, calculating its criticality allows for the necessary steps to be taken to reduce the risk.
In the case of phishing, the risk is always associated with an intangible asset (without physical substance), and this risk is generally much more challenging to assess than a tangible asset.
Take the example of an employee who has their computer stolen while traveling. It's easy to understand that if the said employee is an intern who has just started at the company, with limited rights and access to the company's network, the financial consequence of the theft is limited to the cost of the computer.
However, if the employee is a member of the executive committee and has no data protection system in place on their computer, the risk is much greater since one can imagine that internal or even confidential documents might be disclosed.
To assess the risks associated with phishing, we will consider the various steps typically used:
- Analysis of consequences
- Frequency or probability analysis
- Assigning a financial value in relation to the consequences and probabilities of risks
As mentioned above, the severity depends on the affected employee but, most importantly, on the information obtained by cybercriminals during the attack.
The consequences analysis is used to estimate the likely effects of identified hazardous events. It can be qualitative or quantitative.
Probability can be calculated based on the company's history of phishing attacks or the results obtained from simulations conducted by the IT department. Be aware, the attack history does not necessarily reflect future events.
Reducing Phishing-Related Risk
To lessen the impact of a phishing attack, your company must take the following steps:
- Develop a protection plan against phishing with a system to measure effectiveness over time: phishing campaigns, smishing, awareness, conferences, etc.
- Expand your employees' knowledge by offering specific and on-demand training
- Identify key personnel (CISO, CIO, etc.) then assign and communicate their responsibilities
- Implement a system for reporting phishing attacks and train employees on its use
- Invest in a system capable of identifying suspicious emails
Remember, it's impossible to be 100% protected against a phishing attack; there will always be risks involved. However, it's entirely possible to minimize the residual risk by adopting the right reflexes and implementing the measures described above.
Among these security measures, raising employee awareness is particularly effective. Invest in your overall cultural awareness to turn your employees into genuine active elements of your defense.
We know very well, in cybersecurity, the human factor is the main vulnerability. Cybersecurity is therefore everyone's business, and the acculturation process must start with a comprehensive and systematic awareness of employees.