Solution Provider IDs Six Ways to Thwart Common Cyberattacks
GREEN BAY, Wis. – February 21, 2018 – Do your employees know the difference between legitimate emails and phishing scams? That’s the question SRC Technologies (www.srctechnologies.com), a regional IT infrastructure, data security consultant and managed service provider, is asking midmarket businesses throughout the area – and with good reason. According to security research, 98 percent of cyberattacks today are the result of deceptive social engineering tactics, and email phishing ploys are cybercriminals' preferred method of infiltration.[1] Additionally, two-thirds of successfully installed malware originated as malicious email attachments.[2] To combat these sobering statistics, SRC announced today its new End-User Security Training Service, offering web-based training combined with simulated phishing attacks to help employees recognize and avoid serious cyber threats.
“The most important thing a company can do to prevent a phishing attack is to turn its employees into human firewalls,” says Paul Jablonski, a security consultant with SRC Technologies. “People need to learn how to recognize a phishing email and what they can do to protect themselves both as individuals and as employees, so they won’t become a cybercriminal’s next victim. The best advice we can give our customers is this: Don’t ever think, ‘It won’t happen to me or my organization,’ because it absolutely can, and at some point, it probably will.”
Experts say phishing attacks play at least some role in most modern data breaches. In 2017, one of the most notable data breaches in the state took place at the Medical College of Wisconsin. In this incident, the protected health information of an estimated 9,500 patients was exposed when cybercriminals gained access to the email accounts of just a handful of employees during a week-long targeted spear phishing attack.[3] Unfortunately, according to Wisconsin’s Department of Agriculture, Trade and Consumer Protection, this scenario is all too common: A bicycle manufacturer, a health insurance provider, a general insurance and reinsurance company, a community planning and engineering firm, a water treatment chemical manufacturer, a records management software firm, a plastics manufacturer, a dental services group, and two school districts were all targeted in the last year alone.[4] And each of these attacks had one thing in common: employees who didn’t know how to spot a phish-y email and employers who didn’t know how to stop them.
Six Ways to Thwart Phishing Attacks
The SRC Technologies End-User Security Training Service is based on the industry-standard KnowBe4 platform that helps train employees to spot suspicious emails and tests their knowledge with periodic simulated phishing attacks. To help Wisconsin business leaders learn to thwart phishing attacks, SRC’s Jablonski offers these six tips:
- Create a Human Firewall: Cybercriminals are getting smarter and more sophisticated every day, and the only way to combat them is by training employees to question suspicious emails and by arming them with information about the ways criminals use email, websites and social media to engineer their attacks. If an email asks the user to “click here” to reset their password, but it isn’t formatted like others from the same organization, question it. Hover over links and see if they have suspicious URLs or domain names. Training employees to look critically at requests delivered via email before they act on those requests is a must for any corporate security strategy.
- Stop Sharing So Much: Yes, our mothers all told us that sharing is good – but that’s not necessarily true when it comes to social media. Spear phishing is a highly targeted kind of attack in which the criminal first gathers information about an individual or a company, either by lying in wait on a legitimate website in the form of an enticing pop-up ad or, more often, by mining what is posted on the victim’s social media accounts, and then uses that information to snare the victim with a convincing, personalized phishing attempt.
- Common Sense is the Best Defense: Everyone knows you’re supposed to change your password frequently – but that doesn’t apply to your employees, right? Wrong. It’s important to have strong passwords and to change them regularly, and it’s equally important for employees to choose unique passwords they haven’t used in multiple places. To ensure employees are adhering to these standards at work, institute a password policy and enforce it.
- Design a Validation Process: When businesses communicate with their banks via email, for example, it’s easy for a cybercriminal to spoof those communications and ask for a money transfer or other sensitive information. Even if an email looks legitimate and appears to be coming from an authorized source, anyone on the receiving end of such a request should be trained to authenticate it through a second channel: if the request came by email, confirm it by text message or phone call before taking any other action. Following a multichannel validation protocol embeds an extra layer of security into the communication process.
- Update Your Systems: It’s easy to fall behind on operating system upgrades and patches – but it’s important not to. Patches and updates fix known flaws that would otherwise give cybercriminals a way in. Failing to upgrade or apply patches leaves the organization unnecessarily exposed to older attack vectors that an available update would already close.
- Don’t Take Security for Granted: No individual is immune, and no company is completely safe from a phishing attack. Whether your organization is specifically targeted or used as a stepping stone to a larger partner, supplier or customer, it can happen to you. And without the proper employee training, spotting phishing and stopping it in its tracks will only get harder along the way.
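The first tip, “hover over links and see if they have suspicious URLs or domain names,” can also be applied mechanically before a message ever reaches an employee’s inbox. The following is an added illustration, not SRC’s or KnowBe4’s code: it pulls every link out of an email body and flags the same things a trained user would look for when hovering. The trusted domain list, the sample email and the `examplecorp.com` name are constructed for this example, and the two-label “registrable domain” shortcut stands in for a proper Public Suffix List lookup.

```python
"""Hover-before-you-click, automated: flag anchor tags whose visible text
and real destination disagree, or whose destination is not one of the
organisation's known domains.  Illustrative example only; the trusted
domain list and the sample email body below are constructed."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: domains this (hypothetical) organisation legitimately links to.
TRUSTED_DOMAINS = {"examplecorp.com", "mail.examplecorp.com"}


def registrable_domain(host):
    """Last two labels of a host name.  A real deployment should consult the
    Public Suffix List; two labels is enough for this illustration."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def looks_like_domain(text):
    """Does the visible link text itself look like a URL or host name?"""
    t = text.strip().lower()
    if t.startswith(("http://", "https://", "www.")):
        return True
    return " " not in t and "." in t and all(t.split("."))


def host_of(text_or_url):
    """Host name of a URL, or of bare text such as 'www.example.com/path'."""
    t = text_or_url.strip()
    if "://" not in t:
        t = "http://" + t
    return (urlparse(t).hostname or "").lower()


def inspect_link(href, display_text, trusted=TRUSTED_DOMAINS):
    """Return a list of human-readable findings for one link (empty = clean)."""
    findings = []
    parsed = urlparse(href.strip())
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https"):
        return [f"non-web scheme {parsed.scheme!r}"]
    if parsed.scheme == "http":
        findings.append("plain http link")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    reg = registrable_domain(host)
    if is_ip:
        findings.append("destination is a raw IP address, not a company domain")
    elif reg not in {registrable_domain(d) for d in trusted}:
        findings.append(f"destination domain {reg!r} is not a trusted domain")
        # A trusted name buried inside an unrelated domain is a classic lookalike.
        for d in sorted(trusted):
            if d in host:
                findings.append(f"trusted name {d!r} appears inside untrusted host {host!r}")
                break
    if looks_like_domain(display_text):
        shown = registrable_domain(host_of(display_text))
        if shown != reg:
            findings.append(f"visible text points to {shown!r} but link goes to {reg!r}")
    return findings


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_email_html(html, trusted=TRUSTED_DOMAINS):
    """Inspect every link in an HTML body; returns one dict per link."""
    parser = _AnchorCollector()
    parser.feed(html)
    return [{"href": h, "text": t, "findings": inspect_link(h, t, trusted)}
            for h, t in parser.links]


# Constructed sample message: a lookalike host, a raw-IP link, and one clean link.
SAMPLE_EMAIL = """
<p>Your password expires today. Reset it at
<a href="https://examplecorp.com.reset-portal.example.net/login">https://mail.examplecorp.com/login</a></p>
<p>Or <a href="http://203.0.113.10/reset">click here</a>.</p>
<p>Help desk: <a href="https://mail.examplecorp.com/help">mail.examplecorp.com/help</a></p>
"""

if __name__ == "__main__":
    for entry in triage_email_html(SAMPLE_EMAIL):
        status = "OK " if not entry["findings"] else "!! "
        print(status, entry["href"], "|", entry["text"], "|", "; ".join(entry["findings"]))
```

Run as a script it prints one line per link; the first two links are flagged (mismatched visible text and lookalike host, then a plain-http link to a bare IP address) and the third passes. The checks are intentionally conservative: a link is only compared against its visible text when that text itself looks like an address, so ordinary “click here” links are judged on their destination alone.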
Says Jablonski: “It’s up to each of us as individuals and business leaders to learn how to recognize these attacks and avoid them.” But does security awareness training work? According to tests performed after using the KnowBe4 platform, the answer is a resounding “Yes!”
Studies based on a massive data set of six million users across 11,000 organizations demonstrated that security awareness training lowered the percentage of “phish-prone” employees – those apt to engage in “careless clicking” – from an industry average of 28 percent to 13 percent – less than half – within 90 days of beginning the program; after one year, that number decreased to just over 2 percent.[1]
- Need someone to execute, review and manage your employee security awareness training? Download a datasheet to learn what SRC can do for you: http://ow.ly/Vq2c30ihbuC.
- If you’re looking for a new security model that accepts the guaranteed threat of attack and focuses on a way to address it, explore SRC Technologies’ security offerings: http://ow.ly/jRsv30ih8pe.
- Too busy thinking about profitability, competition, cash flow and sales performance to devote time to IT infrastructure and security solutions? Learn how SRC can help you find the right balance: http://ow.ly/VEAS30ih8KE.
SRC Technologies, a regional managed service provider (MSP) headquartered in Green Bay, Wisconsin, offers IT infrastructure and data security consulting and management to midmarket organizations. For nearly a decade, SRC has focused on exceeding client expectations by delivering targeted, responsive solutions and services that meaningfully improve business performance. Through strategic partnerships with Cherwell, Datto, Dell EMC, Kaspersky, LogicMonitor, LogRhythm, KnowBe4, and EventTracker, SRC ensures client infrastructures are secure, available and operating at peak performance. For more information, visit www.srctechnologies.com.
1. Press Release (January 23, 2018): KnowBe4 Unveils New Phishing Benchmark Data and Showcases Most At-Risk Industries
2. Verizon 2017 Data Breach Investigations Report Executive Summary
3. HIPAA Journal article (November 21, 2017): 9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack
4. State of Wisconsin, Department of Agriculture, Trade and Consumer Protection: Data Breaches Archive