Oct 04, 2021

Phishing: zero trust security and catching new threats

Is zero trust security the answer for organisations to overcome the sudden increase in phishing security threats and regain the upper hand? We investigate.

Scammers launch thousands of phishing attacks every day and they’re often successful. The FBI’s Internet Crime Complaint Centre reported that people lost $57 million to phishing schemes in one year in 2020. This is a persistent, costly and escalating issue.

Nearly three-quarters of organisations have fallen victim to a phishing attack in the last year and more than half have suffered from IT talent shortages according to Ivanti, the automation platform that discovers, manages, secures, and services IT assets from cloud to edge. It says its recent phishing survey found the global shift to remote work has exacerbated the onslaught, sophistication and impact of phishing attacks. Ivanti surveyed over 1,000 enterprise IT professionals across the US, UK, France, Germany, Australia and Japan. 

Eighty per cent of respondents said they have witnessed an increase in the volume of phishing attempts and 85 per cent said those attempts are getting more sophisticated. In fact, 73 per cent of respondents said that their IT staff had been targeted by phishing attempts, and 47 per cent of those attempts were successful.

Smishing and vishing scams are the latest variants to gain traction and target mobile users. According to recent research by Aberdeen Research and Strategy company, attackers have a higher success rate on mobile endpoints than on servers – a pattern that is trending dramatically. Meanwhile, the annualised risk of a data breach resulting from mobile phishing attacks has a median value of about $1.7M, and a long-tail value of about $90M.

Spear phishing has also gained popularity in recent years according to cyber security company Kaspersky. Spear phishing is an email or electronic communications scam targeted towards a specific individual, organisation or business. Although often intended to steal data for malicious purposes, cybercriminals may also intend to install malware on a targeted user’s computer.

Fashion retailer Ted Baker says it receives 4,000 cyber security threats every week. Ted Baker's Chief Information Officer says over 200 of these threats are targeted attacks and include spear phishing emails devised to reach high-level executives, and cyber campaigns that seek to steal competitive insights or intellectual property.

Ted Baker has partnered with AI cyber security company Darktrace to identify and interrupt cyber threats before they escalate into full-blown compromises. The partnership includes Darktrace Antigena, Darktrace’s Autonomous Response product, which is able to respond to ransomware within one second of suspicious behaviour emerging.

Leon Shepherd, Ted Baker's Chief Information Officer, says: “Within seconds of out-of-the-ordinary behaviour emerging, Darktrace AI forms an understanding of whether an attack is underway or not, and can interrupt that activity before our security teams are able to.

“With Autonomous Response, I know the AI is always ready to jump in on our behalf at machine speed, giving my team more time to focus on higher-value tasks.”

Powered by Self-Learning AI, Darktrace technology works by developing an understanding of what is normal behaviour for each user and device within an organisation, and neutralises malicious behaviour by enforcing this normal ‘pattern of life’. Crucially, this means that day-to-day business is not disrupted.

Zero trust security 

Ivanti believes zero trust security is the answer for organisations to overcome the sudden increase in security threats and regain the upper hand against bad actors.

Ivanti’s Chief Security Officer Daniel Spicer says: “As organisations across all industries have shifted to distributed work environments, it is no longer the task of security teams to manage access to data and systems from a specific location. Rather, employees are accessing work-related information on their personal devices from locations all over the globe, making it significantly more challenging for IT personnel to track and verify each and every connected device. Because of this shift, bad actors have evolved their phishing attacks and are now focusing their efforts on employees’ personal mobile devices and, as our survey results showed, are finding great success with this approach. Hackers have also been leveraging botnet infections to harvest legitimate email to create more convincing phishing attacks that are highly effective. This is concerning, as phishing attacks often evolve into ransomware attacks.

“Your company’s security lies in the cyber hygiene of employees,” he adds. “That’s why user experience should be a core focus of any security strategy. As remote work establishes itself as the new normal, ensuring that best practices are as simple as possible to complete will make or break your security efforts. And a zero trust approach can provide organisations with the best of both worlds.”

Zero trust security requires organisations to continually verify any and all devices that are connected to their network every single time, with zero exceptions. As part of a zero trust strategy, organisations should leverage machine learning to conduct continuous device posture assessment, role-based user access control, and location awareness before granting access to data. Organisations should also automate routine security updates – thus eliminating the risk of employees delaying necessary security patches and other updates – and invest in mobile threat detection software that can detect and thwart issues in real time.
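The per-request check described above, sketched as an added example that is not part of the original article and is not Ivanti's code. Fixed rules stand in for the machine-learning assessment, and the thresholds, role map, country list and sample requests are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Constructed policy values (assumptions, not taken from the article).
MAX_PATCH_AGE_DAYS = 14
ALLOWED_COUNTRIES = {"GB", "FR", "DE"}
ROLE_RESOURCES = {
    "finance": {"ledger", "payroll"},
    "engineer": {"source-repo"},
}

@dataclass(frozen=True)
class Request:
    user_role: str
    resource: str
    country: str          # location signal reported for this request
    disk_encrypted: bool  # device posture signal
    last_patched: date    # device posture signal

def evaluate(req: Request, today: date) -> tuple[bool, list[str]]:
    """Decide a single request from scratch.

    No earlier decision is cached, so a device that passed last week is
    checked again now. Access is granted only if every check passes.
    """
    reasons = []
    # Role-based access: unknown roles are entitled to nothing.
    if req.resource not in ROLE_RESOURCES.get(req.user_role, set()):
        reasons.append("role not entitled to resource")
    # Device posture: encryption and patch freshness.
    if not req.disk_encrypted:
        reasons.append("device disk not encrypted")
    if (today - req.last_patched).days > MAX_PATCH_AGE_DAYS:
        reasons.append("device patches out of date")
    # Location awareness.
    if req.country not in ALLOWED_COUNTRIES:
        reasons.append("location outside allowed set")
    return (not reasons, reasons)

if __name__ == "__main__":
    laptop = Request("finance", "ledger", "GB", True, date(2021, 10, 1))
    # Same user, same device, same resource: only the date differs.
    for day in (date(2021, 10, 4), date(2021, 10, 20)):
        print(day, evaluate(laptop, day))
```

The second call denies a request the first one allowed, because the device's patch state has gone stale in between; this is the case automated updates are meant to prevent.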

Calvin Gan, Senior Manager with global cyber security company F-Secure’s Tactical Defense Unit, says stopping phishing attacks is an unrealistic ambition, but reducing the success rate of an attack is definitely doable.

“Having a thorough understanding of the attacker’s goal (cyber kill chain) and deploying multi-layered defence or tools (multi-factor authentication, zero trust policy, mailbox scanner, phishing email reporting tool) for each activity would mitigate the risk of having information stolen. Investing in a holistic security awareness training and simulation exercise which includes practicing a response plan in case of an attack, would allow an organisation to respond, instead of react, when an attack is happening,” he says. 

The modern threat landscape has transformed entirely, and as new avenues and opportunities for phishing scams arise, bad actors will continue inventing new attack tactics, hoping to outsmart your organisation’s employees and make them take the bait. As a result, organisations can no longer rely on traditional security protocols to protect themselves in the work-from-anywhere environment. After all, the Ivanti survey found that one third (34%) of those surveyed blame the increase in phishing attacks on a lack of employee understanding and even fewer (30%) said 80-90% of their organisations had completed security training offered by their companies.

Ivanti says that by implementing a zero trust security strategy, including implementing multi-factor authentication, automating security updates and more, organisations will be better equipped to mitigate these threats as they arise and protect their business-critical systems and information.

“Neither your employees nor bad actors intend to go back to the way they used to work. It’s time your security strategy adapts to the modern business landscape, too,” says Ivanti’s Spicer. 
