Technology Record - Issue 28: Spring 2023

Training employees to recognise suspicious communications will become increasingly difficult as cyberattacks become more sophisticated there is still value in training people to identify suspicious links, reminding them of company protocol to verify requests that will directly impact core operations, and outlining how to report potential phishing attempts.” However, given the sophistication that such attacks could attain, education can only go so far in preventing them. Employees cannot be reasonably expected to spot every single attack they might be targeted with. “It is most important to consider what you are hoping to achieve with training, while also acknowledging no training will stop all threats,” says Blumofe. “Enterprises need to seriously consider what security tools, technology and processes they are going to pair with education and training to best protect their systems.” According to Blumofe, organisations should therefore be looking to contingency plans that will limit the damage that attacks could cause if they were successful. Strategies that value mitigation alongside prevention will be the most effective. “There are tools that can help identify phishing lures and block access to phishing sites, but while such tools are very effective, they are not perfect,” he says. “Organisations should also look at protections – including microsegmentation and zero-trust network access – that can help block the spread of malware if and when it does make it past that first line of defence.” Ultimately, the advent of new methods of cyberattack will require organisations to adapt the way in which they secure every part of their working processes and communication. It will become more important than ever for them to be able to authenticate the source of any communication before taking any action that could be used as part of an attack. “Ask yourself: if someone sent a message to the right person, asking that person to shut down a critical service, claiming to be the chief information officer and demanding urgency, would they do it?” says Blumofe. “It’s all too easy – and even easier now with generative AI – for an attacker to forge such a message and make it very convincing. In fact, the same is true of phone calls and even video calls. It is paramount, therefore, that no critical business process can be triggered by an email, message, phone call, video call, or anything else that cannot be reliably authenticated.” Find out more at: state-of-the-internet/attack-superhighway-adeep-dive-on-malicious-dns-traffic 85 Photo: iStock/fizkes