Odds are that, by now, you’ve heard of the term “phishing” and how it relates to corporate network security. For those of you who haven’t, a brief explanation of phishing is that it is a type of cyberattack where the attacker attempts to trick someone in your organization into taking an action. This can include:
- Opening a link to a malicious website;
- Downloading malware from an email attachment;
- Surrendering sensitive information or login credentials to the attacker; or
- Transferring money to a bank account or approving a phony invoice.
Back in the 90s, phishing attacks often took the form of the laughably obvious “Nigerian Prince” email, where a random prince would offer to transfer money into the victim’s bank account if they would only share their banking information to launder the funds. However, modern phishing attacks have become much more sophisticated, targeted, and difficult to detect.
How bad is the impact from phishing attacks? According to data cited by Inc.com, “business email compromise makes up almost 50 percent of the $1.4 billion in total losses from internet crime tracked by the FBI.” In other words, business email compromise attacks (a subtype of phishing attacks) alone caused around $700 million in losses in 2018—and that’s just the losses that the FBI was able to track.
The terrifying thing about these attacks is that they target one of the most universal weaknesses in any network security architecture—the people on the network.
So, how can you reduce your risk of a cybersecurity breach from a phishing attack? One method is to use a security education, training, and awareness (SETA) program to educate employees about phishing attack risks so they know what to look for to avoid suspicious emails and messages.
How Do SETA Programs Reduce Phishing Attack Risks?
As noted in a SANS whitepaper about security awareness, “While firewalls and other security controls provide a very necessary baseline of protection, they can be rendered useless if a user either deliberately or unintentionally misuse[s] their access or fails to protect resources within their control.” If a malicious actor can trick a user into giving up their account access credentials, they will then be able to use those credentials to carry out further attacks that bypass many major network security protocols.
Employees who have a low level of security awareness are going to be more vulnerable to phishing attempts—especially the more sophisticated spear-phishing attacks that mimic genuine internal communications. Because they’re unaware of the risks, employees who haven’t undergone any type of security education program are less likely to be suspicious of an out-of-the-ordinary request for information.
What Elements Should You Put into a SETA Program to Counter Phishing, Specifically?
A couple of the tools that you can include in a SETA program to specifically address phishing risks include:
- Simulated Phishing Emails. Some SETA programs leverage fake phishing attacks to see who in the organization will fall for them and who will not. This helps to both establish a baseline for security awareness throughout the organization and raise awareness of phishing specifically.
- Monthly Cybersecurity Awareness Updates Featuring Phishing Attack Examples. One way to learn is to highlight real-world examples of other phishing attacks. By showcasing the real-world impacts of other phishing attacks, the threat of phishing attacks can be kept front of mind for employees.
Putting employees through SETA programs that specifically address the different kinds of phishing attacks that they may face can improve the chances that they’ll recognize a phishing attempt and avoid clicking on the email.
However, security education training and awareness alone isn’t enough. Even with a highly-trained workforce, there’s always the risk that someone in the organization will fall for a phishing attempt. That’s part of the reason why phishing remains a popular cyberattack strategy—there’s almost always someone who can be tricked into falling for the trap.
Other Strategies for Preventing Phishing Attacks
Strategies for preventing phishing attacks or limiting their effectiveness should not end with security education training and awareness alone. There should be certain cybersecurity policies and business procedures in place to help minimize risks of phishing emails succeeding, such as:
- Passing All Invoices Through a Verification Process. Adding a process for verifying invoice numbers and accounts payable can do wonders to prevent illicit charges. While not always practical for larger organizations, making sure the personnel who are authorized to disburse payments know which vendors the company uses, reach out to decision-makers via a secondary communication method, and/or double-check destination bank account info against recorded data for a vendor prior to approving a disbursement can help stop money fraud phishing attacks.
- Applying Multifactor Authentication to User Accounts. For phishing attempts targeting user account information, applying multifactor authentication (MFA) tools can keep malicious actors from simply stealing a password and logging into your network. By requiring additional verification measures such as device authentication tokens and/or biometric data in addition to user passwords, MFA tools can massively improve network security.
- Minimizing User Account Privileges to Only What They Need. Another method of limiting the effectiveness of phishing attacks designed to steal account credentials is to limit what those account credentials can do. By limiting user privileges to the bare minimum needed to fulfill their job function, you can limit what attackers can do with those accounts if they’re ever compromised.
Stopping phishing attacks isn’t easy. Even with a strong SETA program and the right cybersecurity policies and procedures in place, there is always the risk of an attack succeeding.
Need help creating a plan for dealing with a phishing cybersecurity breach? Reach out to the team at Compuquip Cybersecurity today!
