6 minute read
tbtech magazine August Edition
Smishing: Overcoming a two-fold threat with a four-prongedsolution.
As the threat landscape continues to evolve, new types of cyberattacks are coming to the fore. SMS phishing, or ‘smishing’, rose exponentially last year with incidents doubling in the US, while these attacks reportedly grew by 700% in the first six months of 2021 alone.
Advertisement
Smishing is a lucrative way of obtaining private data, such as banking information and other credentials, as users can be more trusting of text messages, or at least less vigilant when checking their messages (as opposed to emails) for potential scams.
‘Smishers’ are also particularly targeted in how they leverage basic information about their victims to deceive them into believing it has come from a trusted source.
Smishing: Overcoming a two-fold threat with a four-pronged solution.
SMISHING IS A TWO-FOLD THREAT
Organisations are only just waking up to the threat of phishing, which is now being seen as one of the biggest routes for ransomware attacks faced by global businesses, according to a recent Gigamon survey. However, smishing presents yet another business-critical cyber risk that many are underestimating. Employees are more likely to click on a malicious link via text, and especially so on personal devices. Considering we live in an age of hybrid working and Bring Your Own Device (BYOD) strategies, smishing not only poses a significant threat to individuals, but also their workplace.
Personal phones often do not have the same levels of security installed on them compared to devices issued by organisations and are naturally more likely to be used outside of working hours, and in a more relaxed environment when guards are down. However, if they are connected to company email accounts, internal servers or an intranet, it is not hard for a threat
actor to pivot into the corporate network and quickly penetrate sensitive company data or critical IT infrastructure.
The smishing threat is therefore two-fold, comprising both a technology and a human factor. Firstly, personal devices are easier targets for cybercriminals who can pivot from personal phone to corporate network in minutes. Secondly, employees targeted via text message out of hours are unlikely to have cybersecurity and the protection of their organisation front of mind. They are therefore more likely to fall victim to a smishing attack, that could affect their whole company, without realising.
FOUR PILLARS FOR A COMBINED SMISHING SOLUTION
This two-fold threat requires a four-pronged solution. When it comes to cybersecurity, there’s no single ‘silver bullet’ organisations can implement to combat security threats. A combined solution always offers the most comprehensive protection, and this
is the same for smishing. The four key pillars that organisations can implement to support and protect both devices and users from smishing attacks start with a device-centric approach. This should comprise constant device monitoring by security teams and be supported by Mobile Device Management (MDM).
It’s crucial that security teams are constantly monitoring and updating all devices within an organisation. With the majority of cyberattacks occurring as a result of a security controls failure or an unpatched security vulnerability, it’s vital that security teams stay on top of the assets connected to their network. However, this is a mammoth task and one that can be aided by ensuring MDM software is installed on all mobile devices used within an organisation, both companyissued and
personal. Crucially, any company allowing BYOD strategies should look to introduce a mandatory policy insisting all personal devices receive a blend of
cybersecurity controls, such as password-protection applications, a secure VPN and role-based access to enterprise data and email.
To accompany these two pillars, an approach oriented towards people is also recommended, combining mobile device security best practice with cyber awareness and training. Adopting purpose-built mobile device security is crucial to detect and protect against malware. Best practice should include guidance around which applications are safe to download and the importance of avoiding public Wi- Fi networks. However, while basic iOS and Android security and best practice guidance may stop accidental downloads of malware, there are no security controls on mobile operating systems that can prevent a user from sending their data to a hacker.
This is where cyber awareness training comes in. To address the human issue presented by smishing, adopting a security first mindset across the entire organisation is key. Staff training
coupled with smishing simulations should be conducted frequently to reinforce the importance of strong cyber hygiene. Furthermore, the results of training programmes should be monitored, with additional training and support given to staff who are struggling. Not only does this help to improve cybersecurity awareness, but also promotes a supportive and collaborative environment, versus one of blame and finger pointing that can often accompany an organisation falling victim to a data breach.
LOOKING AHEAD
The smishing threat is showing no sign of abating any time soon. As long as it continues to be a lucrative method of attack, cybercriminals will continue to target mobile devices and users who are too willingly handing over private data and compromising the organisations they work for. All is not lost, however. The good news is that a combined device and user-centric solution, bringing together four key pillars of cybersecurity, presents one of the best options to safeguard staff and
organisations from smishers. Ultimately, smishing is an issue of trust; employees sometimes being too trusting in the texts they receive and employers needing to be able to trust them to always keep cybersecurity front of mind. And for those occasions where a hacker does fall the cybersecurity net and launches a successful smishing attack, working with a trusted security partner can make all the difference. Not only can they assist with reactive support, helping to reduce downtime and limit the severity of an attack, but a security partner can also provide proactive advice to bolster an organisation’s cybersecurity strategy.
Working with a partner, ensuring devices secured, monitored and continuously updated, and supporting employees more to become cyber aware and better trained to identify smishing attempts, all collectively helps to deter bad actors and improve the threat landscape.
By Lawrence Perret-Hall,Director at CYFOR Secure.