How to Protect Yourself from Costly Phishing Attacks
Phishing has been around nearly as long as email itself. It’s not only become one of the biggest threats when it comes to data breaches and malware delivery, it has also branched out to include social media and text phishing as well as email.
In 2018, 83% of people globally received phishing attacks in some form or another. It’s estimated that each employee receives approximately 4.8 phishing emails during a five-day work week. All it takes is one to get fooled to accidentally infect a network with malware or cause a major data breach.
Phishing has only become more sophisticated over the years, with emails now looking completely identical to those from legitimate companies and employing the use of personalisation, using people’s names and company names to trick the recipient into opening a malicious file or following a link to a dangerous website.
While many companies do protect themselves through managed IT security services like antivirus and spam protection software, others only have minimal protection, which is why nearly 30% of emails make it past default security.
The average annual cost to a small business due to a data breach is ₤3,650.
Costs from data breaches and malware infections can plague an organisation for years after the initial attack. Losses come from:
- Lost productivity
- Emergent costs dealing with the breach
- Lost business
- Damage to reputation
- Data privacy compliance penalties
To properly safeguard your business from falling victim to a phishing attack takes ongoing vigilance and a multi-layered approach that takes on phishing from multiple angles.
Tips for Defending Against Phishing Attacks
In a phishing attack example provided by the National Cyber Security Centre, they illustrated why it’s so important to employ a multi-layered defense when it comes to phishing.
They tell the story of a financial sector company with 4,000 employees that suffered a malware attack, and this is how one email got through that installed malware on their system:
- 1,800 phishing emails were sent to employees
- 1,750 were blocked by email filtering, leaving 50 that reached inboxes
- 36 of the 50 were either ignored or reported by users
- The remaining 14 emails were clicked on by users
- 13 of the user devices were properly updated and patched, rendering the malware ineffective
- 1 device was not updated, and it was infected with the malware
As you can see, each layer is vitally important and plays a different role in protecting your systems against malware. Here are tips for protecting your company against malware with a multi-layered approach to data security.
Stop Phishing Emails from Getting to Users
Keeping the emails from getting to user inboxes in the first place is your first line of defense. Applications like Mimecast help block spam and phishing emails from making it to your employees and also provide protections for malware and virus detection.
Mimecast can keep as much as 99% of spam from getting to your users, which not only protects you from phishing attacks it also increases productivity because your employees won’t have to waste time sifting through junk email to get to legitimate messages.
This security tool also includes protections like email sandboxing and detection of zero-day attacks and spear-phishing.
Block Malicious Websites After a Link is Clicked
Another important protect you need for emails that do make it through a spam filter is what’s known as web filtering, which blocks access to dangerous websites even after a link has been clicked.
Some email spam applications, like Mimecast, also include this capability, giving you multiple layers of security in a single tool. Web filtering is useful not only to warn users of malicious sites and stop “drive-by downloads” of malware, but you can also block access to any non-work appropriate sites.
Conduct Ongoing Training with Employees
Your users are the main target of phishing emails. Cybercriminals count on tricking a person into thinking an email is legitimate, so training your users on how to detect phishing and staying vigilant about it is key.
Cybersecurity training on phishing should be conducted regularly so users are aware of the newest threats out there. For example, one of the types of phishing that has become more prevalent recently is an email that looks like an Office 365 invitation to share a file using a legitimate OneDrive file URL. But the URL leads to a fake login page designed to steal credentials.
Different types of phishing threats are emerging all the time, which is why ongoing training is important to keep users aware of new tricks being deployed in phishing attacks.
Create a Cybersecurity Action Plan
If a user thinks they may have accidentally downloaded malware, the steps taken immediately afterwards can help reduce the risk of that malware infecting other devices on your network.
Put into place an action plan that employees can follow if they suspect malware or if they’ve clicked on it and believe their computer may be infected. It can include directions such as:
- Report any emails that are suspicious to (name/email of where to report).
- Immediately disconnect your computer from the network if it’s thought to be infected.
How Strong are Your Defenses Against Phishing Attacks?
Do you have all the layers in place to help catch phishing attacks and prevent them from causing a data breach or malware infection? Enable Technology can help you deploy solutions that can ensure you’re covered and safeguarded sufficiently.