In the cybersecurity awareness field, we frequently talk about how to avoid falling victim to phishing attempts, but does your team know what to do after a phishing attack has occurred?
Despite the best efforts of your security and networking teams to build a strong fortress of defense, every now and then, something malicious might get through those boundaries. If a phishing message lands in the inbox of an unwitting employee who opens the email message and clicks on the dangerous links within, you need to be ready to act quickly.
Response Steps After a Phishing Attack
- Take a deep breath – this is not the time to panic.
- Activate your incident response team and procedures.
- Investigate the phishing email and collect all of the details in the header and any attachments.
- Meet with anyone who clicked on the phishing email to get all the facts.
- Search your firewall logs for anything suspicious, IPs, URLs, etc., and make sure nothing leaves your organization going to those IP addresses.
- Make sure all of your logs are retained; they will be key in the event you need to work with law enforcement to further investigate the attack.
- Notify all your staff of the event. This is a learning opportunity for all employees to know that it can happen to them.
- Make sure all of your employees change their passwords.
How to Prepare in Advance of an Attack
Of course, these action steps only work if procedures and training are put in place in advance. Take inventory of your internal and external resources – both IT and training – and determine how best to set up an incident response plan for your organization. We suggest these common denominators for all organizations, no matter the industry or company size:
Establish clear lines of communication
Have a designated team, email address and hotline number so the employee can report a security incident after a phishing attack. Most larger organizations have an incident response team in place, but smaller organizations might only have one or two individuals who manage IT. Everyone must know the role they play in incidence response.
Having a communication plan is also critical. It can make all the difference in your organization’s ability to recover after an attack. Take these proactive steps now to ensure quick and clear communication when an incident occurs:
- The security awareness team should continuously send out messages to all personnel stating, “if you see something, say something,” so employees know to act quickly.
- Create a hotline number, and make it easy to remember. For example, use an extension that includes 911, like 9611, that employees can easily relate to an urgent response.
- Have a well-publicized email address to report incidents, which also should be easy to remember. For example: email@example.com.
- Continue communication about your incident response procedures, including newsletters, posters and security sheets with the above-mentioned information on how to report incidents.
- Go a step further and create mouse pads or other useful schwag with the contact information shown clearly.
In the case of a malware attack, email might not be your best mode of reporting because you do not know if the malicious email has opened a door, and the bad guys are inside watching everything you do. Forensic investigations, for example, may use an “out of band” network to ensure they are not being monitored during the investigation and recovery.
Purchase insurance for ransomware
The problem with a phishing attack is that it can easily become a ransomware event. Do you know if your organization has cyber insurance? If not, you need to find that out before you have an incident to be prepared to activate that policy after a phishing attack. If you don’t have a cyber insurance policy, have your legal team inquire about the cost and make a determination if it’s in your company’s best interest to purchase a policy.
Administer phishing simulations
The best way to create your security-ready army is to train your employees to be your last line of defense. Phishing simulation training provides your employees with simulated phishing attacks to see how they respond. Further, it helps you formulate a risk score for your organization. Do your employees click on the email and also links within? Are these individuals providing sensitive information to potential hackers? Are they reporting the phishing attack to your incident response team?
Train your staff to avoid phishing
Some organizations conduct phish testing but fail to provide remedial training after users click on a malicious email or provide sensitive information. In these cases, companies miss a crucial step in educating and preparing their employees for a real attempt. If you don’t train your users after they click on one of these campaigns, how do you expect them to change their behavior?
Employees must be trained on what to look for when opening emails and attachments within. In addition, it is imperative that your employees are trained to report anything suspicious immediately and that you have trained staff to respond to incidents quickly.
Security Awareness – Before and After a Phishing Attack
It is so important for security executives to understand that security awareness training is much more than checking a box. Security awareness is a journey with no destination, meaning that security should be an ongoing focus. Training your employees once doesn’t make them impermeable forever.
Contact GLS to learn more about phishing simulation and security awareness training for your employees.