No matter how boring or clichéd this might sound, policies and procedures are the pillars successful organizations are built on. They provide guidance in daily decision making, help streamline processes and ensure compliance with regulations. In cybersecurity, InfoSec policies bring critical benefits: they protect the business from internal and external threats, set the stage for a sound security culture and help create the foundation for a truly resilient organization.
Phishing is a really big deal in cybersecurity. By the Feds' own account, 90% of cyber-attacks start with phishing, and because no form of cyber tool can prevent humans from being curious or manipulated, it’s important that organizations make it clear what they expect from employees when it comes to phishing attempts. Cybersecurity is a broad topic, and there are multiple security policies organizations can establish based on their risk tolerance, business requirements or the industry they’re in. For businesses to effectively combat phishing, they should be sure to include the following elements in a comprehensive cybersecurity policy:
1) Acceptable Use Policy
Every organization must have an acceptable use policy (AUP) that every new employee agrees to and signs as part of the onboarding process. Acceptable use policies are more generic in nature and include best practices such as locking screens upon leaving a desk, protecting passwords, not clicking on unexpected file attachments or URLs that appear suspicious, and more. The AUP should specifically include general phishing-related guidelines that link to a more detailed policy document on phishing. The AUP should also include a section that addresses employee monitoring. Especially if you’re running simulated phishing tests, it’s important that workers be notified of testing in advance. Review the results to determine whether employees need more training.
2) Phishing Mitigation Policy
Since phishing and social engineering are responsible for the vast majority of successful attacks, it’s critical to have a dedicated policy around phishing. The policy should include detailed rules and guidelines around phishing and the consequences of being phished. For example, if someone inadvertently gives a hacker unauthorized access to company systems, the attacker could potentially launch a denial-of-service attack, exfiltrate data and cause reputational damage. They could steal proprietary IP, customer data or other sensitive information, resulting in business losses, penalties or even prosecution. Start by including definitions of spear phishing, ransomware, social engineering, CEO fraud, business email compromise, smishing and vishing.
Provide examples and explain how a con can be executed in different ways, such as calling and impersonating a key executive, creating a fake profile on social media, or sending an instant message or SMS with a malicious URL. Teach employees to report any suspected phish. Remind them that they will not get in trouble for reporting potential phishing attempts to the organization, and make it easy for them to do so by adding a phish alert button to their inbox. Let workers know that you provide security awareness training, which vendors will be involved, and how they will be trained, using material such as quizzes, simulated phishing scenarios and table-top exercises.
3) Incident Response Policy
A stitch in time saves nine. A swift counter-response to a phishing threat has the potential to significantly minimize downtime and the damage it can cause to a business. Such an action requires timely coordination between various departments. The larger or the more distributed the organization, the more complicated this process can be. This is where an incident response policy comes in: a documented set of rules, procedures and responsibilities the organization can follow in the event of a phishing attack or data breach.
The policy may cover: processes that help identify the nature and scale of the phishing incident; key contacts and next steps; recommended actions and procedures for containment and remediation; a detailed root cause analysis of why and how people were phished; and guidance on follow-up activity, such as additional training for those who were phished and company-wide education for employees on the latest attack methods.
Remember, the battle against phishing cannot be won using policies and procedures alone. Organizations must use a defense-in-depth approach; that is, a combination of policies and procedures, technical controls and security awareness training to combat phishing. Essentially, the more you invest in employee empowerment and readiness, the further along you will be toward cyber resilience.