With recent reports identifying phishing as one of the most persistent and prevalent issues in the realm of cyber security, it is important to not only understand the level of risk your organisation faces, but also how best to mitigate this risk.
Phishing scams have been around for quite some time now but they are showing no signs of slowing down any time soon. On the contrary, they are constantly evolving. In Q4 2016 there was a 45% increase in Business Email Compromise (BEC) attacks in comparison with Q4 of 2015. This means that cyber criminals are banking more on exploiting the human factor within your organisation vs deploying Trojans and automated cyber-attacks.
So how can you protect your business against a phishing attack?
It may be a cliché at this point but it’s true, your employees are your best defence when it comes to general cyber security and protecting your organisation from a phishing attack. We recently witnessed the colossal WannaCry ransomware attack. This attack highlighted how a simple phishing email, clicked on by an unsuspecting employee, can be all it takes to unleash a major cyber-attack which can quickly infect an entire network. This attack demonstrated just how vital your human firewall is within your wider security system. Therefore, investing in top quality cyber security eLearning on how to spot suspicious emails and what steps to take when you’ve fallen victim to a phishing scam is super important. Similarly, you could invest in simulated phishing exercises for your organisation using our sophisticated MetaPhish product.
It goes without saying that for an organisation to be protected as much as is possible from a phishing scam, it is necessary to employ different types of security. It may seem like a hefty investment now but doubling or tripling your cyber protection methods could save you a lot of time and money in the long run! High quality spam guards and UTMs, purchased from reputable names in the market, are a must for any organisation looking to combat phishing attacks as the majority of these scam emails will get caught in the nets. However, as some of these emails are highly sophisticated, it is important to be aware that spam guards alone are not the ultimate answer and employee awareness training is crucial also.
You should have a clear and secure register of what information is sensitive and should not be disclosed. You should also limit the amount of employees with access to this data in order to minimise the risk that it will be leaked or handed over to cyber criminals via a phishing email. Clear guidelines should be put in place to instruct employees on how they should handle important company information. It is also a good idea to implement policies based on these guidelines that create awareness company wide and demonstrate that your employees are in the know.
In order to minimise risk, it is worthwhile considering the implementation of a policy which states that all sensitive information, for example company bank details, may only be communicated securely via phone or using https websites with secure payment facilities, never via email. Ensuring that your employees are aware that email is a risky medium through which to provide access to sensitive company information is key to lowering the risk involved, as you can’t be sure of who is on the other end of an email. When bank transfers are requested via email (as is common with sophisticated spear phishing attacks) it is best practice to always call the person involved directly and double check that this request came from them. Implement this as a common practice and you will reduce your risk significantly.
The saying here at MetaCompliance is ‘Passwords are like pants’ and it’s true.
Change your passwords and log in details regularly and don’t leave them lying around! The more frequently you change your login details for company accounts, the less chance hackers (who have perhaps gained access to your accounts in the past) have of returning time and time again to glean more information. Similarly, having only one set of log in details for all company accounts is a bad idea! Just think, would you have only one master key which grants access to any room in your organisation? In the unfortunate circumstances that a hacker does gain access to an account using details gained from a phishing email, you can be guaranteed that he will use the same details to try and hack your other accounts. Don’t make it any easier for them!
Do you have any other methods of protecting your business against phishing attacks? Or is there any other enterprise approaches to these types of cyber-attacks you could see being introduced in the future.