Press Release

Businesses are still failing to respond efficiently to phishing attacks

Spear-phishing attacks are rising steeply in both frequency and complexity, increasing companies' chances of being hacked

Global information security consultancy MWR InfoSecurity warned today that most companies do not have efficient security processes in place to respond to phishing emails, which are often the precursor to targeted attacks in which a company can be seriously hacked.

“Spear-phishing attacks against organisations are nothing new, but they are rising steeply in both frequency and complexity,” said Guillermo Lafuente, a Senior Security Consultant at MWR specialising in Social Engineering attacks.

“These attacks start with an innocent-looking email that appears to come from a trustworthy source, but have evolved to the extent that often neither the individual nor the organisation is even aware that an incident has occurred until it is too late and confidential data has been stolen.”

He added: “They are mainly designed to deceive employees, who are still seen as the ‘weakest link’, but we noticed that many companies do not have efficient internal incident response procedures in place to alert their staff about the threat.”

MWR has identified a number of key processes that must be in place for an organisation to be able to resist these external threats, including limiting the time before a phishing email is recorded as an incident and having effective outbound email filters implemented to prevent the leakage of sensitive data.

Guillermo Lafuente said: “For example, companies should be able to respond to a phishing attack within 15 minutes of receiving the malicious email. Efficiency at the early stages is crucial; however, many of them fail to react within the recommended time frame.”

Worryingly, phishing attacks are also commonly employed as an element of APT (Advanced Persistent Threat) due to their high success and low detection rates, and the ease by which an attacker can target a large estate of users within an organisation.

Employees are then deceived into providing sensitive information or into performing actions such as downloading malware that could give an attacker access to the victim’s computer and even compromise the company’s entire IT network.

For these reasons, MWR have launched Phish’d, a fully Managed Phishing Assessment service designed to maintain a heightened level of security awareness across an organisation, thus reducing the likelihood of employees clicking suspicious links within emails, and helping improve incident response timings.

James Moore, the Lead Developer of Phish’d at MWR InfoSecurity, said: “One of the benefits offered by Phish’d is the ability to track susceptibility across different departments, offices and geographical regions where a company operates – allowing organisations to identify those areas where their training and security budgets can be best spent for maximum effect.”

Christina Randell, Head of Managed Services at MWR, said: “Phish’d provides organisations with a thorough analysis and sets out recommendations aimed at improving their security posture, both from personnel and infrastructure perspectives. This will help to ensure that in the event of a real-world attack the business can react quickly and effectively.”

Note to editors:
RSA reported that in 2012 the UK economy lost £405.8m to phishing attacks, an increase of over 25% on the £304.4m lost in 2011. The report stated that phishing attacks globally each month, compared with 21,500 per month in 2011.

Follow @mwrphishd on Twitter.

Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor, MWR is approved by PCI SSC to conduct external vulnerability scanning services in accordance with PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisations' adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorised by CREST to perform STAR penetration testing services.