Phishing attacks are not like other cyber security risks. Phishing involves intentional deception, impersonation, or persuasion to trick employees into handing over sensitive company information – because employees give the information voluntarily, phishing attacks are difficult to prevent. Firewalls and virus scanners alone are not nearly enough. This quick guide will help you measure and address your risk for phishing attacks.
Phishing fraud depends on deception and always requires direct human involvement. Employee education is the only foolproof way to overcome these threats. Your employees are the most vulnerable point of access – but they are also the first line of defense.
Give employees the tools they need to keep company data (and their own data) secure against potential thieves. A cyber security meeting may only take a few days out of your year, but it can save your company a lot of money compared to the cost of a data breach and associated fees and fines.
Some less tech-savvy employees may have never considered the idea that a hacker might attempt to trick them into giving up information. Focus on awareness, identification, and action. Your training program should answer the following three questions:
1. What kind of data do phishers try to steal? What happens if they steal it?
Phishing targets often include any key, password, PIN, or account number. Sometimes the perceived risk level can seem negligible – for example, an intern’s email account might not initially seem to be a high-value target, but it could easily contain passwords or instructions for accessing content management systems or other valuable data repositories.
It is important to remind employees that even personal accounts and social media accounts can serve as high-value targets. Personal cellphones and laptops are just as vulnerable (if not more vulnerable) to phishing attacks, especially as employees might not be as careful about browsing the Internet or sending emails at home. When a data thief is able to breach one personal account, they are often able to unlock access to a variety of other accounts, especially through “forgotten password” requests.
2. What does a phishing email/webpage look like? How does it differ from the real thing?
Some phishing tactics are very convincing. A fake webpage can look and behave exactly like the real thing – all the way down to spoofed security certificates and other signs of authority. Other phishing tactics prey on the pressure of an imposing time limit: you may have heard news stories about emails claiming to be from banks on the verge of shutting down an account, or viruses that lock down Internet browsers while claiming to be a government authority seeking identification.
Other phishing tactics are very simple and easy to avert. Employees should be naturally suspicious of misspellings, unspecific headers, strange email addresses, and buggy webpages. But whatever you do, make sure that your training specifically emphasizes the danger of a false sense of security: impress on your employees that there is no reliable way to identify a phishing attempt. Implement an efficient ticket/query tech support system so employees can get quick answers to phishing reports.
3. Create an Incident Management Plan
Employees are often hesitant to reach out for help over slight suspicions – especially if it means interrupting their work. Implementing a speedy, efficient, and non-intrusive query system can help employees feel more comfortable about asking for help with a suspected phishing issue. You could create a ticket system that goes to your IT crew (whether managed or in-house) or authorize certain employees to investigate on their own (calling for verification, etc.).
You can reduce the number of minor phishing suspicions by investing in a high-quality virus scanner. Some virus scanners keep a database of common phishing domains and email servers, blocking the offenders before they can strike. This does not protect against targeted or sophisticated attacks, but it can reduce the number of automated, scattershot attacks common with casual Internet usage.
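As an added example (not from the original article or any vendor product), here is a small Python checker that applies the indicators described under question 2 and the scanner-style domain blocklist described above to constructed sample messages. The trusted domains, blocklisted domain, urgency phrases and sample emails are all assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: domains this hypothetical company expects mail from.
TRUSTED_DOMAINS = {"example.com", "bank-example.com"}
# Constructed blocklist standing in for a scanner's database of known phishing domains.
KNOWN_PHISHING_DOMAINS = {"secure-login-verify.example.net"}
# Time-pressure wording of the "account about to be shut down" kind.
URGENCY = re.compile(
    r"account will be (closed|suspended|shut down)|within 24 hours|verify now|immediately", re.I)


def _domain(header_value: str) -> str:
    """Lower-cased domain of the first address in a header ('' if absent)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_email: str) -> list[str]:
    """Return the red flags found in a single-part, plain-text email (assumed format)."""
    msg = message_from_string(raw_email)
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    from_domain, reply_domain = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    hits = []
    for d in (from_domain, reply_domain):          # 1. scanner blocklist hit
        if d in KNOWN_PHISHING_DOMAINS:
            hits.append(f"blocklisted domain: {d}")
    if from_domain and from_domain not in TRUSTED_DOMAINS and any(   # 2. lookalike domain
            SequenceMatcher(None, from_domain, t).ratio() >= 0.8 for t in TRUSTED_DOMAINS):
        hits.append(f"lookalike sender domain: {from_domain}")
    if reply_domain and reply_domain != from_domain:  # 3. replies routed elsewhere
        hits.append("Reply-To domain differs from From domain")
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}  # 4. brand name, foreign address
    if from_domain not in TRUSTED_DOMAINS and any(b in display_name for b in brands):
        hits.append("display name impersonates a trusted sender")
    text = (msg.get("Subject", "") or "") + "\n" + str(msg.get_payload())
    if URGENCY.search(text):                        # 5. urgency in subject or body
        hits.append("time-pressure language")
    return hits


# Constructed sample messages (not real mail).
SAMPLE_PHISH = ("From: Example Bank Security <alerts@examp1e.com>\n"
                "Reply-To: recovery@secure-login-verify.example.net\n"
                "Subject: Your account will be suspended within 24 hours\n\n"
                "Verify now at http://secure-login-verify.example.net/login\n")
SAMPLE_LEGIT = ("From: Payroll <payroll@example.com>\nSubject: March timesheets\n\n"
                "Timesheets are due at the end of the month as usual.\n")
```

Run over the samples, the phishing message produces five flags and the payroll message none; a checker like this only triages the obvious cases and does not replace the reporting channel the article recommends.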
You can keep your virus scanners, phishing filters, and operating system defenses up to date with a patch management utility. This will also help prevent employees from “skipping” updates – your dedicated IT person can deploy updates to all the company computers at the same time (even laptops!) with one click of a button. Take some time to check out this free trial from Batch Patch to see if automatic patch management is right for your computer network.
Phishing may be an old technique, but it’s just as much a threat to small business today as it ever has been.
(Photo Credit: Mike Licht / Creative Commons)