Odds are that, by now, you’ve heard of the term “phishing” and how it relates to corporate network security. For those of you who haven’t, a brief explanation of phishing is that it is a type of cyberattack where the attacker attempts to trick someone in your organization into taking an action. This can include:
Back in the 90s, phishing attacks often took the form of the laughably obvious “Nigerian Prince” email, where a random prince would offer to transfer money into the victim’s bank account if they would only share their banking information to launder the funds. However, modern phishing attacks have become much more sophisticated, targeted, and difficult to detect.
How bad is the impact from phishing attacks? According to data cited by Inc.com, “business email compromise makes up almost 50 percent of the $1.4 billion in total losses from internet crime tracked by the FBI.” In other words, business email compromise attacks (a subtype of phishing attacks) alone caused around $700 million in losses in 2018—and that’s just the losses that the FBI was able to track.
The terrifying thing about these attacks is that they target one of the most universal weaknesses in any network security architecture—the people on the network.
So, how can you reduce your risk of a cybersecurity breach from a phishing attack? One method is to use a security education, training, and awareness (SETA) program to educate employees about phishing attack risks so they know what to look for to avoid suspicious emails and messages.
As noted in a SANS whitepaper about security awareness, “While firewalls and other security controls provide a very necessary baseline of protection, they can be rendered useless if a user either deliberately or unintentionally misuse[s] their access or fails to protect resources within their control.” If a malicious actor can trick a user into giving up their account access credentials, they will then be able to use those credentials to carry out further attacks that bypass many major network security protocols.
Employees who have a low level of security awareness are going to be more vulnerable to phishing attempts—especially the more sophisticated spear-phishing attacks that mimic genuine internal communications. Because they’re unaware of the risks, employees who haven’t undergone any type of security education program are less likely to be suspicious of an out-of-the-ordinary request for information.
A couple of the tools that you can include in a SETA program to specifically address phishing risks include:
Putting employees through SETA programs that specifically address the different kinds of phishing attacks they may face improves the chances that they'll recognize a phishing attempt and avoid acting on the email.
However, security education, training, and awareness alone isn’t enough. Even with a highly trained workforce, there’s always the risk that someone in the organization will fall for a phishing attempt. That’s part of the reason why phishing remains a popular cyberattack strategy—there’s almost always someone who can be tricked into falling for the trap.
Strategies for preventing phishing attacks or limiting their effectiveness should not end with security education, training, and awareness alone. There should be certain cybersecurity policies and business procedures in place to help minimize the risk of phishing emails succeeding, such as:
Stopping phishing attacks isn’t easy. Even with a strong SETA program and the right cybersecurity policies and procedures in place, there is always the risk of an attack succeeding.
Need help creating a plan for dealing with a phishing cybersecurity breach? Reach out to the team at Compuquip Cybersecurity today!