Av Ed Rowley, Fileld Product Manager, M86 Security

According to an article on ‘The Register’, Phishing attacks are at a two-year high (http://www.theregister.co.uk/2009/09/28/phishing_fraud_trends/). This is hardly surprising in an environment where email is so widely accepted it is almost considered old-fashioned and where the proliferation of social networking websites and user-generated content on the internet means that we are less suspicious of forwarded links. The misuse of instant messaging, Twitter and hacked ‘legitimate’ websites have all contributed to the problem: anything that becomes popular on the internet is quickly hijacked by tech-savvy cybercriminals and is used to separate unsuspecting victims from their cash or their confidential information that they can subsequently sell on.

It is no longer sufficient to check for threats solely at the email gateway. Consider an unthreatening email that contains a link to a well-known website: there is no reason to block it. Unfortunately, that website has been recently hacked and is now hosting malicious code. Elsewhere in the office a user receives an email to a website with some funny videos and another employee receives an instant message with a link to scandalous news relating to their favourite TV Star. In both cases, there is a chance that they will actually be directed to some malicious code.

A Secure Web Gateway, then, must be a priority for any company serious about security. Web filtering products should no longer be considered a tool for ensuring users do not spend all day looking at inappropriate sites or managing their own eBay businesses. Instead, a true Secure Web Gateway, used in conjunction with an email gateway, offers a great deal of flexibility and control over what comes into and what leaves an organisation as well as controlling access to inappropriate and dangerous sites.

Organisations need to ensure that they have coordinated protection in place to address a coordinated threat. They also need to educate their users train them to look for the tell-tale signs of a potential threat. The same applies for when users are browsing the Internet or using instant messaging tools.

A clear acceptable use policy (AUP) and ongoing training are an important part of an overall eSecurity strategy that is backed up by technology. After all, people are both the targets and the victims of most cybercrime.