As reported in the Times (https://www.thetimes.co.uk/article/university-secrets-are-stolen-by-cybergangs-oxford-warwick-and-university-college-london-r0zsmf56z), external cyber attacks on British universities have doubled in the past two years. Cyber criminals based in Russia, China and other competing economies are using common techniques to access protected systems and steal proprietary information.
Regardless of the technology in place, the most common cause of a cyber breach remains an organisation’s employees. A wrong click or download opens a door into your systems, and cyber criminals are keen to take advantage. Phishing emails have developed over the years, graduating from badly worded missives and obviously fake website links to a much slicker offering with more enticing ‘bait’. Modern scams are professional, with beautiful graphics, spoofed email addresses and plausible wording.
Tactics have also been upgraded. In addition to the generic scattergun version (broad, unsolicited missives trying to get your employees to click on a link or download a file), there is now “spear-phishing” (the same, but this time targeting a specific organisation) and “cat-phishing” (targeting individuals at specific organisations via social networks by feigning a romantic interest).
So what can you do to protect yourself? There are, of course, a variety of technological methods to help lessen the threat: anti-virus, monitoring software and operating systems should be kept up to date and fully patched. However, no system is foolproof, so staff training and awareness are key. Training needs to be appropriately tailored, relevant to employees' day-to-day work, and interactive to help it ‘stick’. Regular internal marketing, in the form of posters, internet reminders and even competitions in which teams must spot and report phishing emails generated by the IT department, helps to keep the knowledge fresh.