By Paul Jablonski, Security and ITSM Consultant
Spotting a phishing (spoof) email is not as easy as it seems – which is why so many well-meaning employees accidentally expose their companies to data breaches simply by clicking on a malware-laced attachment or responding to an unauthorized request for sensitive information. In fact, security experts say 98 percent of cyberattacks today are the result of deceptive social engineering tactics that trick email users into accidentally giving cybercriminals access to otherwise well-protected data.[1]
To combat this problem, you’ve got to turn your employees into human firewalls – and that starts with training. Don’t ever think, “It won’t happen to me or my organization,” because it absolutely can, and at some point, it probably will.
In fact, experts say phishing attacks play at least some role in most modern data breaches. In 2017, one of the most notable data breaches in the state took place at the Medical College of Wisconsin. In this incident, the protected health information of an estimated 9,500 patients was exposed when cybercriminals gained access to the email accounts of just a handful of employees during a week-long targeted spear phishing attack.[2]
Unfortunately, according to Wisconsin’s Department of Agriculture, Trade and Consumer Protection, this scenario is all too common: A bicycle manufacturer, a health insurance provider, a general insurance and reinsurance company, a community planning and engineering firm, a water treatment chemical manufacturer, a records management software firm, a plastics manufacturer, a dental services group, and two school districts were all targeted in the last year alone.[3] And each of these attacks had one thing in common: employees who didn’t know how to spot a phish-y email and employers who didn’t know how to stop them.
While not a substitute for user training, the following tips offer some good advice on thwarting phishing attempts that are relatively easy to implement.
- Create a Human Firewall: Train employees to question suspicious emails.
- Stop Sharing So Much: Beware! In ultra-targeted spear phishing attacks, cybercriminals use what is posted on the victim’s social media accounts to snare them.
- Common Sense is the Best Defense: Create strong passwords, change them regularly, and don’t re-use them in multiple places.
- Design a Validation Process: If you receive a request for money or sensitive information via email, text or call the sender for validation before taking any action.
- Update Your Systems: Patches and updates close known security holes, so it’s important to stay up to date.
- Don’t Take Security for Granted: No company or individual is completely safe from a phishing attack – it can happen to anyone at any time – but end-user security training does increase your odds of stopping an attack in its tracks.
Interested in learning about SRC’s End-User Security Training Service? Download a datasheet to find out what SRC can do for you. If you’re looking for a new security model that accepts the guaranteed threat of attack and focuses on a way to address it, explore our security offerings. Too busy thinking about profitability, competition, cash flow and sales performance to devote time to your IT infrastructure and security needs? Learn how SRC can help you find the right balance, then contact us for a free consultation.
- [1] KnowBe4 press release (January 23, 2018): KnowBe4 Unveils New Phishing Benchmark Data and Showcases Most At-Risk Industries
- [2] HIPAA Journal article (November 21, 2017): 9,500 Patients Impacted by Medical College of Wisconsin Phishing Attack
- [3] State of Wisconsin, Department of Agriculture, Trade and Consumer Protection: Data Breaches Archive