Risk Assessment Analysis of Phishing
Over the last several years, both large and small businesses have become increasingly vulnerable to a practice known as phishing. Simply put, this is when a business or its employees receive fictitious emails designed to elicit select information such as credit history, Social Security numbers, date of birth or financial information. In most cases, it involves scam artists claiming to be from a particular business such as a bank, insurance company or credit card company. For a business, these emails are often sent looking like they come from legitimate companies that it has a relationship with (i.e. banks / insurance companies). The email will contain a URL that redirects the recipient to a fake website, where they can enter their information. It could also involve scam artists sending emails to employees of large corporations in an attempt to gain access to sensitive information. ("Phishing," 2010) In either situation, it is imperative that all businesses determine how they are vulnerable to the various phishing techniques. Achieving this objective requires conducting an organizational risk assessment, with an emphasis on which elements need to be implemented in the assessment. This analysis will provide the greatest insights into how all businesses can assess their underlying vulnerabilities to phishing.
Key Elements of the Organizational Risk Assessment
There are several key elements that must be included in any kind of risk assessment; the most important are: identifying possible targets, examining how the threat can be mitigated, and consistently testing the system for various vulnerabilities. When identifying possible targets, you want to examine those departments / positions that would most likely be the intended victims of a phishing email. During this process, you want to look at all internal and external vulnerabilities that could give criminals information (such as the email addresses of key personnel listed on the web site, or the various titles / direct telephone numbers of those departments that handle sensitive information). This is an important step, because when you are looking for various vulnerabilities, you are mirroring some of the same procedures that scammers will use to obtain information. (Jones, 2005)
Next, you want to create various strategies that can significantly reduce the different vulnerabilities that have been discovered. This means that you must train employees to identify the various forms of phishing. At the same time, you must implement some kind of security procedure that places a restriction on how personal information is distributed. For example, employees could be trained to spot various kinds of fictitious emails. However, when they run across an email like that which is requesting information, there would be a procedure where the company calls the customer at the telephone number on file. This is significant, because it will improve the vigilance of employees regarding the various phishing-related emails. If for some reason one happens to get through, no information can be released until you contact the customer at the telephone number they provided. This will prevent phishing by having an initial process for detecting vulnerabilities and having some kind of checks / balances in place. (Goldman, 2009)
Once you have an effective procedure, you want to begin testing the underlying risks related to phishing. This is where you would have a team of security consultants who test the staff for various vulnerabilities using the latest techniques / scams. Over the course of time, this will help to ensure that the staff understand the various techniques, and it will help to identify any new kinds of vulnerabilities. At that point, the chances decrease that any kind of sensitive information will be compromised due to phishing. (Goldman, 2009)
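The two indicators the essay describes (an email claiming to be from a partner such as a bank but linking to a different site, and a request for data like card numbers or date of birth) can be turned into a first-pass triage check that tells staff when the callback procedure applies. The following is an added example, not code from the original paper; the sample email, domain names and keyword list are constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: claims to be from a bank the company deals with, but the
# link points at a look-alike domain (all names here are hypothetical).
SAMPLE_EMAIL = """\
From: "Example Bank Support" <support@examplebank.com>
To: accounts@acme.example
Subject: Verify your account details
Content-Type: text/plain

Please confirm your credit card number and date of birth at
http://examplebank-secure.com/verify before your access is suspended.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
# Kinds of data the paper says phishing emails try to elicit (assumed list)
SENSITIVE_TERMS = ("social security", "credit card", "date of birth", "password")


def registered_domain(host: str) -> str:
    """Rough registrable domain: the last two labels (adequate for the sample)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def assess_email(raw: str) -> dict:
    """Flag sender/link domain mismatch and requests for sensitive data.

    needs_callback=True means staff must not release anything until the
    customer is reached at the telephone number already on file.
    """
    msg = message_from_string(raw)
    from_addr = msg.get("From", "")
    m = re.search(r"<([^>]+)>", from_addr)
    sender_domain = registered_domain((m.group(1) if m else from_addr).split("@")[-1])
    body = "" if msg.is_multipart() else msg.get_payload()
    links = URL_RE.findall(body)
    mismatched = [u for u in links
                  if registered_domain(urlparse(u).hostname or "") != sender_domain]
    asks = [t for t in SENSITIVE_TERMS if t in body.lower()]
    return {"sender_domain": sender_domain, "mismatched_links": mismatched,
            "requests_sensitive_data": asks, "needs_callback": bool(mismatched or asks)}


if __name__ == "__main__":
    print(assess_email(SAMPLE_EMAIL))
```

Such a check only narrows what reaches the human procedure; the callback to the number on file remains the control that actually blocks the release of information.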