How Do I Minimize My Organization’s Risk Of Falling Prey To Phishing Attacks?
Written by Phil Cardone
Posted on June 19, 2019
Modern phishing and social engineering attacks are a major threat to businesses today. A single unaware employee is all a cybercriminal needs: one successful email can give the attacker access to your company’s data, finances and more. Because phishing is a significant threat to small and midsized businesses, it’s essential to protect your organization and its users against it.
What Can Your Leadership Do? 8 Prevention Steps
These steps must dovetail closely together as part of an effective prevention program.
1. Identify Your High-Risk Users
These include C-level executives, HR, Accounting and IT staff. Impose more controls and safeguards in these areas.
Review social and public profiles for job duties and descriptions, hierarchical information, out-of-office details, or any other sensitive corporate data.
Identify any publicly available email addresses and lists of connections.
2. Institute Technical Controls
Automated enforcement of password and user ID policies.
Comprehensive access and password management.
Whitelist or blacklist external traffic.
Patch and update all IT and security systems.
Manage access and permission levels for all employees.
Review existing technical controls and take action to plug any gaps.
3. Set A Security Policy
Every organization should set a security policy, review it regularly for gaps, publish it, and make sure employees follow it. It should include such things as:
Not opening attachments or clicking on links from an unknown source.
Not using USB drives on office computers.
Password management policy (no reusing passwords, no Post-it notes on screens as password reminders, etc.).
Required security training for all employees.
Review policy on Wi-Fi access. Include contractors and partners as part of this if they need wireless access when on site.
4. Develop Standard Procedures
You should have measures in place to:
Block sites that are known to spread ransomware.
Keep software patches and virus signature files up-to-date.
Carry out vulnerability scanning and self-assessment using best practice frameworks such as US-CERT or SANS Institute guidelines.
Conduct regular penetration tests on Wi-Fi and other networks to see just how easy it is to gain entry.
Use Domain Spoof Protection.
Create intrusion detection system rules that flag emails from domains that resemble your company’s email domain but are not actually yours.
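Domain spoof protection for your own domain comes from the SPF and DMARC records you publish in DNS. As an added example, not code from the original post, the following Python script evaluates such records for the weak settings that leave spoofing possible (SPF softfail, DMARC p=none, no reporting address) and shows a corrected pair beside them. It reads record strings rather than querying DNS, and every record value and domain name in it is a constructed sample.

```python
"""Assess an organization's published SPF and DMARC records for weak settings.

Added example, not code from the original post. It evaluates record strings
passed to it, so it runs offline; in production you would fetch the TXT
records for <domain> and _dmarc.<domain> from DNS first. All record values
below are constructed samples for a hypothetical company domain.
"""
from __future__ import annotations

import re

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?:[:/]|$)|mx(?:[:/]|$)|ptr|exists:|redirect=)")


def assess_spf(record: str) -> list[str]:
    """Return a list of findings for an SPF TXT record (empty list = no issues)."""
    findings: list[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no valid record, so any host can send mail as this domain"]
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif all_term.startswith("+") or all_term.lower() == "all":
        findings.append("SPF: '+all' authorizes every host on the internet to send as this domain")
    elif all_term.startswith("~"):
        findings.append("SPF: '~all' (softfail) still lets unauthorized mail through; use '-all'")
    elif all_term.startswith("?"):
        findings.append("SPF: '?all' (neutral) provides no protection; use '-all'")
    # Only top-level terms are counted here; nested include: records add more lookups.
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def assess_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC TXT record (empty list = no issues)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no valid record, so receivers cannot enforce a policy for this domain"]
    findings: list[str] = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine; move to p=reject once reports show legitimate mail passes")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unprotected")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


def assess_spoof_protection(spf: str, dmarc: str) -> list[str]:
    """Combine both checks; an empty list means the domain is configured to reject spoofing."""
    return assess_spf(spf) + assess_dmarc(dmarc)


# Constructed sample records for a hypothetical company domain.
WEAK_SPF = "v=spf1 include:_spf.mailer.example a mx ~all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.mailer.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("corrected", STRONG_SPF, STRONG_DMARC)):
        print(f"{label}:", assess_spoof_protection(spf, dmarc) or ["no issues"])
```

Run it against your own records (the TXT record at your domain and at `_dmarc.` under it) and treat any finding as a gap to close; the usual path is monitoring with p=none, then p=quarantine, then p=reject once the aggregate reports show all legitimate senders pass.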
5. Cyber-Risk Planning
Develop a comprehensive cyber-incident response plan and test it regularly. Augment the plan based on results.
Executive leadership must be well informed about the current level of risk and its potential business impact.
Management must know the volume of cyber incidents detected each week and of what type.
Understand what information you need to protect: Identify the corporate “crown jewels,” know how to protect them and who has access.
A policy should be established as to thresholds and types of incidents that require reporting to management.
Cyber-risk MUST be added to existing risk management and governance processes.
Best practices and industry standards should be gathered and used to review the existing cybersecurity program.
Consider obtaining comprehensive cybersecurity insurance that covers various types of data breaches.
6. Training For All Users
No matter how good your prevention measures are, breaches are inevitable. User education plays a big part in minimizing the danger, so start here:
Train users on the basics of cyber and email security.
Train users on how to identify and deal with phishing attacks with new-school security awareness training.
Implement a reporting system for suspected phishing emails.
Continue security training regularly to keep it top of mind.
Frequently phish your users to keep awareness up.
7. Continuous Simulated Phishing
Run an initial phishing simulation campaign to establish a baseline Phish-prone percentage: the share of your users who fall for a simulated phish.
Continue simulated phishing attacks at least once a month, but twice is better.
Once users understand that they will be tested on a regular basis and that there are repercussions for repeated fails, behavior changes. They develop a less trusting attitude and get much better at spotting a scam email.
Randomize email content and times they are sent to different employees. When they all get the same thing, one employee spots it and leans out of the cubicle to warn the others.
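As an added example, not code or data from the original post, the following Python script shows how a program manager could compute the baseline Phish-prone percentage and the report rate for each campaign, find users who fail repeatedly, and randomize which template each person receives and when, so that teammates do not get the same lure on the same day. The campaign results, team roster, template names and send window are all constructed placeholders.

```python
"""Baseline, track and randomize a simulated phishing program.

Added example, not code or data from the original post. The campaign results,
team roster, template names and send window are constructed samples; the
Phish-prone percentage follows the post's definition: the share of targeted
users who fell for the simulation.
"""
from __future__ import annotations

import random
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Result:
    user: str
    campaign: int
    clicked: bool     # followed the simulated link
    submitted: bool   # also entered data on the simulated landing page
    reported: bool    # used the phishing reporting button instead

    @property
    def failed(self) -> bool:
        return self.clicked or self.submitted


# Constructed results from two monthly campaigns across eight users.
SAMPLE_RESULTS = [
    Result("alice", 1, True, False, False), Result("bob", 1, True, True, False),
    Result("carol", 1, False, False, True), Result("dave", 1, False, False, False),
    Result("erin", 1, True, False, False), Result("frank", 1, True, False, False),
    Result("grace", 1, False, False, True), Result("hank", 1, False, False, False),
    Result("alice", 2, True, False, False), Result("bob", 2, True, False, False),
    Result("carol", 2, False, False, True), Result("dave", 2, False, False, True),
    Result("erin", 2, False, False, True), Result("frank", 2, False, False, False),
    Result("grace", 2, False, False, True), Result("hank", 2, False, False, True),
]


def phish_prone_rate(results, campaign: int) -> float:
    """Percentage of targeted users who clicked or submitted in one campaign."""
    rows = [r for r in results if r.campaign == campaign]
    return 100.0 * sum(r.failed for r in rows) / len(rows) if rows else 0.0


def report_rate(results, campaign: int) -> float:
    """Percentage of targeted users who reported the simulation."""
    rows = [r for r in results if r.campaign == campaign]
    return 100.0 * sum(r.reported for r in rows) / len(rows) if rows else 0.0


def repeat_failures(results, min_fails: int = 2) -> dict[str, int]:
    """Users who failed in at least min_fails campaigns (candidates for extra training)."""
    fails: dict[str, int] = defaultdict(int)
    for r in results:
        if r.failed:
            fails[r.user] += 1
    return {u: n for u, n in fails.items() if n >= min_fails}


def schedule(teams, templates, window_start: datetime, window_days: int, seed: int):
    """Assign each user a template and a business-hours send time.

    Within a team, templates and send days are drawn from shuffled pools, so
    teammates do not receive the same lure on the same day (and cannot simply
    warn each other) as long as the team is no larger than each pool.
    """
    rng = random.Random(seed)
    plan = {}
    for members in teams.values():
        template_pool = list(templates)
        rng.shuffle(template_pool)
        day_pool = list(range(window_days))
        rng.shuffle(day_pool)
        for i, user in enumerate(members):
            minute = rng.randrange(9 * 60, 17 * 60)  # 09:00 to 16:59
            send_at = window_start + timedelta(days=day_pool[i % window_days], minutes=minute)
            plan[user] = (template_pool[i % len(template_pool)], send_at)
    return plan


# Constructed roster, template names and window start for the next campaign.
SAMPLE_TEAMS = {
    "finance": ["alice", "bob", "carol"],
    "hr": ["dave", "erin"],
    "it": ["frank", "grace", "hank"],
}
SAMPLE_TEMPLATES = ["password-expiry", "shared-document", "invoice-approval", "delivery-notice"]
SAMPLE_WINDOW_START = datetime(2019, 7, 1)

if __name__ == "__main__":
    for c in (1, 2):
        print(f"campaign {c}: phish-prone {phish_prone_rate(SAMPLE_RESULTS, c):.1f}%, "
              f"reported {report_rate(SAMPLE_RESULTS, c):.1f}%")
    print("repeat failures:", repeat_failures(SAMPLE_RESULTS))
    plan = schedule(SAMPLE_TEAMS, SAMPLE_TEMPLATES, SAMPLE_WINDOW_START, 10, seed=42)
    for user, (template, when) in sorted(plan.items(), key=lambda kv: kv[1][1]):
        print(f"{when:%Y-%m-%d %H:%M}  {user:6}  {template}")
```

The report rate is worth tracking alongside the Phish-prone percentage: a falling click rate with a rising report rate is the behaviour change the post describes, and the repeat-failure list tells you who needs the follow-up training.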
8. Stay Aware of Red Flags
Security Awareness Training should include teaching people to watch out for red flags. Here are the most common things to watch out for:
Awkward wording and misspellings
Slight alterations of company names such as Centriffy instead of Centrify or Tilllage instead of Tillage
Spoofed email addresses and URLs that are very close to actual corporate addresses, but only slightly different
Sudden urgency or time-sensitive issues
Phrases such as “code to admin expenses,” “urgent wire transfer,” “urgent invoice payment” and “new account information” are often used, according to the FBI
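The intrusion detection rule from step 4 and the red flags above (Centriffy for Centrify, Tilllage for Tillage, sender addresses that are almost right) can be automated. The following Python classifier is an added example, not code from the original post: it applies edit distance and homoglyph folding to the sender's domain and display name, using the post's company names as hypothetical COMPANY_DOMAINS and constructed sample From: headers.

```python
"""Flag sender addresses whose domain looks like, but is not, the company's own.

Added example, not code from the original post: a scoring rule of the kind a
mail gateway or intrusion detection system can apply to the From: header.
COMPANY_DOMAINS and the sample headers are constructed placeholders built
around the post's Centrify/Tillage examples.
"""
from __future__ import annotations

import re
import unicodedata

COMPANY_DOMAINS = ("centrify.com", "tillage.com")  # hypothetical company domains

# Digits and symbols attackers substitute for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l", "\u0131": "i"})


def normalize(label: str) -> str:
    """Fold case, strip accents and map common homoglyphs so look-alikes compare equal."""
    s = unicodedata.normalize("NFKD", label).lower()
    s = "".join(c for c in s if not unicodedata.combining(c))
    return s.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes separate a from b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header: str) -> tuple[str, str]:
    """Split a From: value into (display name, sender domain)."""
    display, addr = "", header.strip()
    m = re.search(r"<([^>]+)>", header)
    if m:
        addr = m.group(1).strip()
        display = header[: m.start()].strip().strip('"').strip()
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".") if "@" in addr else ""
    return display, domain


def classify(from_header: str, company_domains=COMPANY_DOMAINS) -> tuple[str, str]:
    """Return (verdict, reason); verdict is internal, external, lookalike or reject."""
    display, domain = parse_from(from_header)
    if not domain:
        return "reject", "no parsable sender domain"
    for cd in company_domains:
        if domain == cd or domain.endswith("." + cd):
            return "internal", f"{domain} is the company domain or a subdomain of it"
    labels = domain.split(".")
    # Naive registrable name (second-to-last label); a public-suffix list would handle co.uk etc.
    reg_name = normalize(labels[-2] if len(labels) >= 2 else labels[0])
    for cd in company_domains:
        cname = normalize(cd.split(".", 1)[0])
        if reg_name == cname:
            return "lookalike", f"{domain} uses the {cd} name with a different suffix"
        dist = levenshtein(reg_name, cname)
        if dist <= max(1, len(cname) // 4):
            return "lookalike", f"{domain} is within edit distance {dist} of {cd}"
        if cname in normalize(domain):
            return "lookalike", f"{domain} embeds the {cd} name inside another domain"
        if cname in normalize(display):
            return "lookalike", f"display name {display!r} claims {cd} but mail comes from {domain}"
    return "external", f"{domain} does not resemble a company domain"


# Constructed sample From: headers.
SAMPLE_HEADERS = [
    "Centrify Support <help@centrify.com>",
    "Alerts <alerts@mail.centrify.com>",
    '"IT Helpdesk" <it@centriffy.com>',
    "noreply@tilllage.com",
    "Accounts <ap@centr1fy.com>",
    "Billing <billing@centrify.com.invoice-portal.test>",
    "Centrify Billing <billing@invoice-portal.test>",
    "partner@example-vendor.test",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        verdict, reason = classify(h)
        print(f"{verdict:9} {reason}")
```

A "lookalike" verdict is a strong signal for quarantine or a visible banner; "internal" only means the domain matches, so it should still be combined with the SPF/DKIM/DMARC result for that message, since an exact-match domain with failed authentication is the other half of the spoofing problem.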
8 More Tips To Share With Your Users
1. Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.
2. Be cautious about opening attachments or clicking on links in emails. Files and links can contain malware that can weaken your computer’s security.
3. Tell your users to be especially wary of emails that:
Are from unrecognized senders.
Aren’t personalized or use a name you aren’t typically called by.
Ask you to confirm confidential or financial information over the Internet.
Make urgent requests for information.
Try to frighten you into acting on a request.
4. Don’t provide personal or confidential information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.
5. Do your own typing. If a company or organization you know sends you a link or phone number, don’t click. Use your favorite search engine to look up the website or phone number yourself. Even though a link or phone number in an email may look like the real deal, scammers can hide the true destination.
6. Make the call if you’re not sure. Don’t respond to any emails that request personal or financial information. Phishers use pressure tactics and prey on fear. If you think a company, friend or family member really does need personal information from you, pick up the phone and call them yourself using the number on their website or in your address book, not the one in the email.
7. Don’t send sensitive information over the Internet before checking a website’s security. Pay attention to the Uniform Resource Locator (URL) of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net). Secure websites have a lock icon on the browser bar and an “https” instead of “http,” but that only tells you the connection is encrypted, not that the site is the one you meant to visit, so the domain name in the URL still has to be the right one.
8. Never download files or open attachments in emails unless you know they’re secure (even if you know the sender).