Are You A Big Corporate Phish?
The phish are biting: assessing the risk to information quality and security.
Depending on whose numbers you follow, it's estimated that companies spend billions each year creating and maintaining valuable data sets. IDC currently estimates the figure to be about $7 billion each year — a number that's expected to double by the year 2006. These intricate business intelligence systems gather information from multiple sources and disseminate it in a useful form across all business units within an organization.
To protect that information and the rest of the organization, VeriSign estimates that enterprises spent about $12 billion last year on security software, services, and devices. So it's shocking to learn that one of the biggest threats facing enterprises right now is something as seemingly simple as phishing scams.
Phishing, the social-engineering practice of faking emails, Web sites, and now instant messages for the sake of gaining confidential information, is costing companies more than a billion dollars each year, according to the Gartner Group. And it's no wonder. The Anti-Phishing Working Group (APWG) tracked 1,197 unique phishing attacks in May 2004.
And phishing seems to be taking a new direction. Over the past year, consumers of banking and financial institutions have overwhelmingly been the victims of phishing scams. Now enterprises are being victimized. "It's becoming more and more of a corporate issue," says Chad Hunt, FBI Special Agent, Cyber Crimes Unit.
Hunt cites one example: A corporate employee receives an email that seems to come from Microsoft about a patch that needs to be downloaded. "There are a lot of business users [who] might get that and think, 'Wow, this is from Microsoft. I know my corporate IT wants me to keep my system patch levels up-to-date because they said that's a big risk for companies nowadays.'"
"So a lot of well-intentioned, well-meaning employees might actually fall for this, thinking they are helping their IT departments," Hunt says. What's downloaded is actually a keystroke logger that gives the phisher access to usernames and passwords. Once they have this information, the phisher can waltz right past unknown user detection systems and access proprietary information.
The risk goes beyond corporate data. The amount of responsibility an organization must bear if an employee falls for a phishing scam inside the corporate intranet or extranet is still unclear. "This is a big issue because a lot of people are doing business through the Internet, and it's so common for them to use the same usernames and passwords [internally and externally]," says Dave Lineman, president and CEO of Information Shield.
Says Shawn Eldridge, chairman of the Trusted Electronic Communications Forum (TECF), a group formed to help fight phishing scams, "This is just the reality of an electronic commerce society — we're very tied together, and we all use the same information. This is why phishing has spiraled out and is affecting other companies instead of just being a banking and financial services issue."
Don't Get Hooked
So what to do? Eldridge recommends, "The first thing is making privacy and security a macro perspective for organizations." In other words, approach security the same way you would approach a marketing campaign: make it consistent across all lines of business.
Information Shield's Lineman says, "Really the next and most logical place to start is around the area of policies and procedures. And obviously the first thing you'd like to do is create a set of policies, standards, and procedures that are part of an overall security management framework, not a one-time deal. Establish an environment of control."
Finally, employee education about threats, procedures, and security issues is key. "Phishing is a great example of how it's a combination of the people and technology together that create risk for information security. Our first instinct is to apply a technology solution. And while that's a valid approach, we often ignore the people element."
About the Author
Jerri L. Ledford is a freelance business and technology writer.