How do you spot a malicious email?
How do you support the staff member who didn’t spot the tell-tale signs, clicked on the link and downloaded malware or ransomware to your network?
Or, what are you doing about those emails requesting login credentials or that you urgently need to pay an invoice to what turns out to be a criminal’s account?
And how do you stop it happening again?
Industry surveys regularly put the share of breaches that begin with an email at around 91%.
This is a shocking statistic which underlines the sheer scope of the threat that phishing, spear phishing and whaling attacks pose to organisations today.
Not only is the threat widespread; it is growing. The number of organisations that had experienced a business-disrupting ransomware attack increased 26 percent during 2018 compared with the previous year, and now stands at 53 percent.
Furthermore, successful attacks have serious consequences, including direct financial loss, reputational damage and all the associated costs of downtime.
Unfortunately, social media makes it much easier for cyber criminals to research the background of senior leaders and even to see the relationships with suppliers and supply chain partners. This information makes it much easier for attackers to create highly targeted attack emails which appear to be from existing partners or contacts.
This type of spear phishing and whaling attack pays off because of the potentially bigger rewards: the enhanced access that these senior people may have to systems, intellectual property and other data and, in the worst cases, their authority over financial systems and payment decisions.
And while the business risk and business losses are considerable, one of the biggest issues around spear phishing and whaling attacks is the fact they can be incredibly embarrassing for the senior management team who are targeted.
Often, the criminals will work their way up the chain in order to build credibility, and they are getting smarter about how they go about it. One example is timing their emails for commute hours, when they know the recipient will be reading on a phone. Most mobile mail clients show only the sender's display name and hide the actual address, so a spoofed or look-alike address is much harder to spot.
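The checks a recipient cannot easily do on a phone can be automated at the mail gateway or in a mailbox rule. The following added example (written for this page, not Grant McGregor's own tooling) parses a message and flags the three tell-tale signs discussed above: a trusted person's display name on an address outside a trusted domain, a Reply-To that diverts replies to a different domain, and a sender domain that looks like a partner's domain but is not. The trusted domains, the VIP name list and the sample message are all constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumption: domains the organisation legitimately receives mail from.
TRUSTED_DOMAINS = {"example-partner.com", "ourcompany.example"}

# Constructed assumption: people whose names attackers are likely to impersonate.
VIP_NAMES = {"jane doe"}


def _domain(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _edit_distance(a, b):
    """Levenshtein distance; a small distance to a trusted domain suggests a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # Catches 'rn' for 'm', dropped letters, and the same name under a different TLD.
        if (_edit_distance(domain, trusted) <= 2
                or domain.split(".")[0] == trusted.split(".")[0]):
            return trusted
    return None


def check_message(raw):
    """Return a list of human-readable warnings for a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)

    # 1. Familiar display name, unfamiliar address (what the phone hides).
    if from_name.strip().lower() in VIP_NAMES and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"display name '{from_name}' used with untrusted address {from_addr}")

    # 2. Replies silently redirected to another domain.
    if reply_addr and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Domain crafted to resemble a partner's domain.
    for dom in {from_dom, reply_dom} - {""}:
        trusted = lookalike_of(dom)
        if trusted:
            findings.append(f"{dom} looks like trusted domain {trusted}")
    return findings


# Constructed sample: an invoice-fraud message with all three signs present.
SAMPLE = """From: Jane Doe <jane.doe@exarnple-partner.com>
Reply-To: accounts@outlook-mail.example
To: finance@ourcompany.example
Subject: Urgent: updated bank details for invoice 4471

Please pay today to the new account below.
"""

# Constructed sample: the same person writing from the genuine partner domain.
CLEAN = """From: Jane Doe <jane.doe@example-partner.com>
To: finance@ourcompany.example
Subject: Invoice 4471

Attached as usual.
"""

if __name__ == "__main__":
    for warning in check_message(SAMPLE):
        print("WARNING:", warning)
    print("clean message findings:", check_message(CLEAN))
```

Two caveats a practitioner would add: the distance threshold and first-label comparison are deliberately loose, so run the look-alike check only against a short, curated list of partner domains or it will flag unrelated senders; and none of these checks replace SPF, DKIM and DMARC verification, which catch outright spoofing of a trusted domain rather than imitation of it.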
The best way to protect your business and people is training on how to spot a potential attack as well as other aspects of good cyber practice.
It may be desirable to educate your senior leaders first, since they are the most at risk. If there is flexibility and resource in house, you may wish to take a cascading approach, with leaders passing this knowledge down through your organisation.
However, a more effective approach is to create a programme that will educate and test the knowledge of every member of staff within your organisation. This means incorporating online, automated training about how to spot a phishing attack and educating your staff about other aspects of cybersecurity and their role in protecting your business, too.
We use the approach of sending out a simulated phishing email. If a member of staff clicks on the link, instead of downloading malicious code they receive a short video which reminds them of the dangers of clicking on suspicious links. Further learning emails can then be sent to their inbox as required, automatically, and the effectiveness of the training can be tracked across the whole organisation.
By attuning staff to the potential threat in this way, you are able to turn a vulnerability into one of your biggest strengths. People are now the weakest link in any security infrastructure but with good training they can become some of the strongest links.
Given that the number of attacks is rising and that they are becoming more sophisticated, it is important for your business to invest in this type of training for staff. It is also important from the staff's point of view: as an employer, you have a responsibility to help them protect their own reputations as well as that of your business.
For more information, find out about our human firewall training or contact a member of the Grant McGregor team today on 0808 164 4142.