Most of us have at some point received an email with a relatively vague message such as, “Could you take a look at this?” and an attachment of some sort. This type of email could come from an unknown contact or even appear to be from a trusted co-worker or friend. However, hiding in the attachment is a piece of malicious code that could take down an entire business.
The landscape of cyber-threats faced by businesses has exploded in the last decade, both in severity and diversity. Security is already extremely important to the success and well being of a business, and the role of a good security posture will only grow as the landscape of cyber-threats continues to evolve. The fastest-growing threat to most businesses is a form of social engineering—hacking based on tricking the users themselves, rather than their computers—called phishing.
Phishing: Threat Summary
Phishing is a type of attack where a user is deceived through email or messaging into exposing information or infrastructure to an attacker. During a phishing attack, the attacker only needs a momentary lapse in the user's judgment to gain access to critical information.
Some phishing attacks aim to plant malicious code on a user's machine as part of a larger infiltration. An attacker could also create a very convincing replica of a website such as Facebook or a management portal the user accesses frequently. Users who have not undergone security training may not know to double-check the web address for email links, and therefore may be more susceptible to this type of attack.
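One way to turn the "double-check the web address" advice into a mechanical check, as an added example that is not part of the original post: it parses the links in an HTML email body and flags any whose visible text or hostname disagrees with where the link actually goes. The sample email, its domains and the `TRUSTED_HOSTS` set are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (hypothetical domains, not real indicators).
SAMPLE_EMAIL_HTML = """
<a href="http://login-portal.example.net/reset">https://portal.example.com/reset</a>
<a href="https://portal.example.com/help">Help center</a>
<a href="https://portal.example.com.evil-example.org/">Sign in</a>
"""
TRUSTED_HOSTS = {"portal.example.com"}  # assumed: the portal users really visit

class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Hostname of a URL or bare domain, lower-cased ('' if none)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def is_trusted(host):
    return any(host == t or host.endswith("." + t) for t in TRUSTED_HOSTS)

def suspicious_links(html):
    """Return (href, reason) for links whose real target does not match what the user sees."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        # 1. Visible text looks like a URL/domain but the href goes elsewhere.
        if re.search(r"[a-z0-9-]+\.[a-z]{2,}", text, re.I) and host_of(text) != host:
            findings.append((href, f"text shows {host_of(text)} but target is {host}"))
        # 2. Host contains the trusted name but is not actually under it (lookalike).
        elif not is_trusted(host) and any(t in host for t in TRUSTED_HOSTS):
            findings.append((href, f"{host} imitates a trusted portal name"))
    return findings
```

Run `suspicious_links(SAMPLE_EMAIL_HTML)` to see the two constructed decoys flagged while the genuine portal link passes.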
Because this type of attack is so easy to perform compared to more advanced hacking techniques, it is very common and very effective. Close to 85 percent of data breaches occur due to email phishing, and attackers are only learning how to be more sophisticated and successful.
Small and medium-sized businesses are vulnerable
According to security firm Kaspersky, more than 70% of small and medium-sized businesses said they experienced a phishing attempt in the last three months, yet only 38% reported that they apply patches immediately once available.
These statistics even held true for businesses handling extremely sensitive data, such as healthcare institutions, government entities, law firms, and retailers; in each of these sectors, fewer than 40% of respondents applied patches immediately once available. Cyberattack attempts, most of which involved phishing, increased in the construction and real estate sector as well.
According to the report, "This slight uptick should not be a surprise, after a quarter of news coverage on attacks inflicted on larger, presumably iron-clad organizations such as Equifax and LabCorp that affected over 150 million victims in the US, as well as increasingly frequent cyber-attacks on US local government agencies and municipalities."
Small and medium-sized businesses are severely underestimating the financial burden associated with a cyber-attack, according to a new survey from cloud security firm AppRiver. In AppRiver's Q3 Cyberthreat Index for Business Survey, the company spoke with 1,083 executives and cyber-security decision-makers at small and medium-sized companies across the US. Nearly 70% of those surveyed thought they would lose less than $25,000 in the event of a successful cyber-attack while more than half said they would lose less than $10,000 in damages.
AppRiver noted that according to Kaspersky, the average cost of a breach in North America is $149,000. Costs associated with data breaches usually include damages, data retrieval, system repairs and upgrades, lost business, potential ransom payments, PR and damage control, potential lawsuits and compensation to customers, not to mention a loss of trust, which is priceless.
Just 19% of respondents, mostly in the government and healthcare sectors, estimated that losses from a cyber-attack could reach upwards of $100,000. More than half of executives and IT professionals in the survey said they were worried that their employees would fall victim to a phishing attempt.
Defending Against Phishing - User Education
The best element of a good security posture against phishing is continuous user education on correct security procedures and controls. Once a user clicks on a phishing link, there is an extremely high likelihood that they will either proceed to enter login credentials, personal data, or download some malicious code. Ensuring that users know what a phishing attack looks like reduces the likelihood that they will click on that link in the first place.
This is why we, Gray Leaf Technology Consultants, want to cover the importance of not only cyber-security, but people security. We want to ensure that people are properly trained to better protect the business. An Automated Security Awareness Program (ASAP) will help make your team members your strongest link in the cyber security chain. What ASAP does is tremendous:
Simulated phishing attacks – but harmless
We tailor specific, and harmless, phishing scams and attacks that would rival real-world hits. Not only does this train employees to become efficient in dealing with phishing scams and attacks, but it will also allow them to learn what to look for and what measures they can take to protect their hardware and the business they work for.
User training – ongoing and bite-sized
The weakest link, and also the strongest, in any business is the workers. We utilize the world’s largest library of security awareness training in a bite-sized and ongoing format. Instead of a single annual security training event that is tedious and soon forgotten, simple and straightforward training videos are provided monthly and can be watched from the convenience of an employee’s desk at a time of their choosing. In addition, if someone clicks a link in a simulated phishing scam, they are immediately redirected to a page that provides hints and tips on how to detect a real phishing scam. “Clickers” are also automatically enrolled in an additional short training video to help them hone their phish-detection skills.
Clear results
Most businesses have about a third of their users initially fall into the trap of clicking phishing emails. After one year, this can be reduced to under 2%. We install an easy-to-use “Phish reporting” button in users’ Outlook or other email client so they can report a suspected phishing scam – including real ones!
As little as a decade ago, technology was a tool; now it is the central gear. Hacks and data breaches used to be inconvenient, expensive, and embarrassing; now they are debilitating, destructive, and sometimes disastrous. From ongoing in-depth training and informational videos to providing a way to easily report phishing scams, positive action on your part to implement an Automated Security Awareness Program can protect your business from getting hooked into a costly mistake.