Phishing hazards go well beyond users alone

Most phishing-prevention advice amounts to warning users about the danger and asking them to be careful when browsing or opening email. But one of the biggest risk factors in a phishing attack won't be fixed by these commonsense approaches: the condition of the device and browser the user is on.

Two-factor authentication provider Duo Security recently evaluated nearly two million devices connecting through its two-factor authentication service as part of its 2016 Trusted Access Report. The findings showed that many of these devices were missing basic protections, gaps that make a phishing attack more likely to succeed once a user clicks.

Out-of-date browsers

The biggest problem may have been the vehicle users were using to access the web. A quarter of Windows users were browsing on an outdated version of Internet Explorer (anything older than IE11, the only version Microsoft still supported in 2016). According to Duo, that exposes users to more than 700 known vulnerabilities, many of which can be triggered simply by following a link in a phishing email.

Other browsers fared better, but not by much. According to the study, users weren't always on the most up-to-date version of each browser. Google's Chrome browser had the highest percentage of users on the most recent version at 82%. That was followed by:

  • Firefox (66%)
  • Internet Explorer and Edge (58%), and
  • Safari (49%).

While not all of the updates these browsers receive are about phishing prevention (or indeed, even security-related), some of them are. Keeping the browser up to date is one of the best and easiest steps a user can take to stay secure online.

Flash, Java problems

IT pros know Java and Flash have a complicated relationship with Internet security. These plug-ins are often needed to run applications (especially older ones), but they are also favourite entry points for attackers: a phishing link only has to land the browser on a page that serves an exploit for one of them. Serious vulnerabilities already discovered (and others likely not yet discovered) in these programs have led many organizations to disable them altogether.

But for some, that's not an option. According to the study, only 22% of users have Java installed on their computers. Meanwhile, 80% of users still have Flash installed.

The problem: many of those installs are out of date. Sixty percent of users with Flash are running an out-of-date version, and 72% of users with Java are.

Best strategies moving forward

Even if your systems are up to date and fully patched (and hopefully they are), this report doesn't quite let you off the hook. It was a study of users who used a particular two-factor authentication service as part of their jobs, and that doesn't necessarily mean they used work equipment to log on.

In other words, IT has probably never seen, and may not even know about, the devices users are putting work systems at risk with.

So what can you do to make sure users aren’t harming your security?

  1. Encourage updates. Windows 10, despite some of its flaws, is a good option for safe browsing: it installs updates automatically by default, whereas earlier versions left it to users to accept and install them, and this report shows how often that doesn't happen. The same goes for the browser itself; prefer browsers that update silently in the background.
  2. Ban Java and Flash. Eliminate these plug-ins on work computers as soon as possible; most agree the risks aren't worth the benefits. Where a legacy application genuinely needs one, confine it to that application rather than leaving it enabled for general browsing.
  3. Refine your BYOD policies. Make sure users know not just what they can do with personal devices, but also the minimum requirements a device must meet before it reaches work systems: a supported OS, a current browser, and no Flash or Java. Check those requirements at login rather than relying on users to self-report.
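As an added illustration of the device checks the list above implies, and of how figures like the per-browser "share on the current version" in the report are derived from what a login page can observe, the following Python script is not code from the article or from Duo. It classifies browser User-Agent strings and reported plug-in lists against a minimum-version policy and flags devices that are out of date or still carry Flash or Java. The version floors (roughly the current releases at the time of the 2016 report), the plug-in name matching and the device records are all assumptions constructed for the example; in practice the floors must be refreshed as vendors ship new releases.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Assumed policy floor: the newest major version of each browser around the
# time of the 2016 report. Illustrative only; refresh as vendors ship releases.
MINIMUM_MAJOR = {
    "Internet Explorer": 11,
    "Edge": 14,
    "Chrome": 53,
    "Firefox": 49,
    "Safari": 10,
}

# Substrings identifying the two plug-ins the article says to ban, as they
# appear in reported plug-in names such as "Shockwave Flash" or
# "Java Applet Plug-in" (assumed naming; matched case-insensitively).
BANNED_PLUGIN_MARKERS = ("flash", "java")

# Constructed device records of the kind an access log or a login-page
# fingerprint would yield: a User-Agent string plus the reported plug-in list.
SAMPLE_DEVICES = [
    {"ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
           "Chrome/53.0.2785.116 Safari/537.36", "plugins": []},
    {"ua": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
     "plugins": ["Shockwave Flash", "Java(TM) Platform SE 6 U45"]},
    {"ua": "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko",
     "plugins": ["Shockwave Flash"]},
    {"ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
           "Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393", "plugins": []},
    {"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) AppleWebKit/602.1.50 (KHTML, like Gecko) "
           "Version/10.0 Safari/602.1.50", "plugins": []},
    {"ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) "
           "Chrome/48.0.2564.97 Safari/537.36", "plugins": ["Java Applet Plug-in"]},
    {"ua": "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0",
     "plugins": []},
    {"ua": "curl/7.47.0", "plugins": []},
]


@dataclass
class Browser:
    name: str
    major: Optional[int]


# Order matters: Edge UAs also contain "Chrome/" and "Safari/", Chrome UAs also
# contain "Safari/", and IE11 dropped the "MSIE" token in favour of "rv:11.0".
_PATTERNS = [
    ("Edge", re.compile(r"\bEdge/(\d+)")),
    ("Chrome", re.compile(r"\bChrome/(\d+)")),
    ("Firefox", re.compile(r"\bFirefox/(\d+)")),
    ("Safari", re.compile(r"\bVersion/(\d+)[\d.]*\s+Safari/")),
    ("Internet Explorer", re.compile(r"\bMSIE (\d+)")),
    ("Internet Explorer", re.compile(r"\bTrident/.*\brv:(\d+)")),
]


def parse_user_agent(ua: str) -> Browser:
    """Identify the browser family and major version from a User-Agent string."""
    for name, pattern in _PATTERNS:
        match = pattern.search(ua)
        if match:
            return Browser(name, int(match.group(1)))
    return Browser("unknown", None)


def check_device(record: dict, policy: dict = MINIMUM_MAJOR) -> list:
    """Return the policy findings for one device; an empty list means compliant."""
    findings = []
    browser = parse_user_agent(record["ua"])
    if browser.major is None or browser.name not in policy:
        findings.append("unrecognised browser")
    elif browser.major < policy[browser.name]:
        findings.append(f"{browser.name} {browser.major} below minimum {policy[browser.name]}")
    for plugin in record.get("plugins", []):
        if any(marker in plugin.lower() for marker in BANNED_PLUGIN_MARKERS):
            findings.append(f"banned plug-in present: {plugin}")
    return findings


def current_share(devices: list, policy: dict = MINIMUM_MAJOR) -> dict:
    """Percentage of devices per browser family that meet the version floor,
    the same shape of figure as the report's 82% of Chrome users."""
    tallies: dict = {}
    for record in devices:
        browser = parse_user_agent(record["ua"])
        if browser.major is None or browser.name not in policy:
            continue
        ok, total = tallies.get(browser.name, (0, 0))
        tallies[browser.name] = (ok + (browser.major >= policy[browser.name]), total + 1)
    return {name: round(100 * ok / total) for name, (ok, total) in tallies.items()}


if __name__ == "__main__":
    for record in SAMPLE_DEVICES:
        print(parse_user_agent(record["ua"]), check_device(record) or "compliant")
    print(current_share(SAMPLE_DEVICES))
```

Run as-is, the script flags the IE8 and Chrome 48 machines as below the floor, lists every Flash or Java plug-in it sees, and reports an unrecognised client for the curl entry; a real deployment would feed it User-Agent and plug-in data collected at the login page and gate access on an empty findings list.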