The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), and Multi-State Information Sharing and Analysis Center (MS-ISAC) issued new guidance: Phishing Guidance: Stopping the Attack Cycle at Phase One.
It provides generalized guidance for all organizations, as well as guidance tailored for small- and medium-sized businesses.
In its section on guidance for small- and medium-sized businesses (SMBs), it first suggests companies “implement a standard anti-phishing training program and require employees to review phishing training materials. Additionally, conclude the program evolution with a training check that certifies that the employee has retained all the information outlined in the training program.”
It further suggests that they identify phishing vulnerabilities in their networks: “Federal organizations are encouraged to participate in CISA’s Phishing Vulnerability Scanning assessment service.”
It also urges companies to enable multi-factor authentication (MFA), stating, “Activating a strong MFA is the best way that small businesses can protect their internet facing business accounts from phishing related threats.”
Further, it states, “Additionally, CISA, NSA, FBI, and MS-ISAC recommend SMBs implement the technical solutions below to prevent phishing related compromises:
- “Implement strong password policies to authenticate users. These passwords must adhere to a password strength policy which requires minimum character length, numbers, special characters, and case sensitivity, along with prohibiting users from recycling previously used passwords.
- “Implement DNS filtering or firewall denylists to block known malicious sites.
- “Implement anti-virus solutions to mitigate malware and to stop malware from executing if a malicious hyperlink or attachment from an email is opened.
- “Implement file restriction policies that prevent malicious high risk file extensions e.g., .exe or .scr from being downloaded and executed. These types of files are unnecessary for daily operations and should be heavily restricted on standard business accounts.
- “Ensure that software applications are set to automatically update so that network software is always upgraded to the latest version. This helps to prevent malicious actors from exploiting vulnerabilities within an organization’s network software.
- “Enable safe web browsing policies so that employees can only access websites that are needed for daily business operations. These policies also prevent users from visiting malicious websites that often contain malware that can either harvest user credentials or deploy additional malware to damage organizational systems.
- “Implement a secure virtual private network (VPN) with MFA enabled.
- “Reference the Federal Communications Commission’s (FCC) Cybersecurity Planning Guide. The guide includes information on ways small businesses can improve their overall cybersecurity posture.”
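As an added illustration, not part of the guidance or of this article, the following Python checker enforces the password-policy elements listed above: minimum length, digits, special characters, mixed case, and a ban on reusing previously used passwords, which it tracks as salted PBKDF2 hashes rather than plaintext. The minimum length of 14 and the history depth of 10 are assumed values; the guidance specifies neither.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Password strength and reuse policy as described in the SMB guidance."""
    min_length: int = 14      # assumed value; the guidance names no number
    history_size: int = 10    # assumed value; how many old passwords to remember
    iterations: int = 100_000
    # Salted PBKDF2 digests of previously used passwords, oldest first.
    history: list = field(default_factory=list)

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def _was_used(self, password: str) -> bool:
        # Constant-time comparison against each remembered digest.
        return any(hmac.compare_digest(self._digest(password, salt), digest)
                   for salt, digest in self.history)

    def violations(self, candidate: str) -> list:
        """Return a list of policy rules the candidate breaks (empty means OK)."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append("too short")
        if not re.search(r"[0-9]", candidate):
            problems.append("no digit")
        if not re.search(r"[^A-Za-z0-9]", candidate):
            problems.append("no special character")
        if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
            problems.append("needs both upper and lower case")
        if self._was_used(candidate):
            problems.append("reuses a previous password")
        return problems

    def accept(self, candidate: str) -> bool:
        """Record the password in history if it passes; otherwise reject it."""
        if self.violations(candidate):
            return False
        salt = os.urandom(16)
        self.history.append((salt, self._digest(candidate, salt)))
        # Keep only the most recent history_size entries.
        del self.history[:-self.history_size]
        return True
```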
Additionally, it suggests that small businesses consider migrating to managed cloud-based email services from reputable third-party vendors.
“Migrating from on-premises mail systems to trusted third-party cloud-based mail providers is beneficial for customers because providers regularly patch and update their systems. Providers also commonly perform robust email traffic monitoring and anti-phishing malware services,” the guidance stated.