Phishing emails that attempt to steal sensitive information or defraud funds are a growing threat to small businesses – and the root cause of roughly 90% of business cyber attacks.
Educating your staff to be wary of clicking on a suspicious email is arguably one of the simplest and most effective cyber-security practices for small businesses. But how should you approach this?
Nobody is Immune
There’s no telling when or where a phishing email will arrive at your business, and any single compromised computer might be a cyber-criminals ‘way-in’ to the company – so a good place to start is the idea that it is everyone’s responsibility to watch out for suspicious emails.
Phishing email traffic is estimated to have increased by around 65% last year, and approximately 30% of those phishing emails get opened by IT users.
You’re the CEO of a global multi-national conglomerate? Then you’re MORE, not less likely to be targeted. Such ’Spear Phishing’ attacks are often highly specific to key individuals, aiming squarely at users with privileged information, responsibility over finances or higher levels of access.
Email awareness applies to anyone and everyone with access to email, so training efforts to make your company secure need to apply up and down the hierarchy.
Getting hands-on with real examples of phishing emails is the single best way to immunise your team against being caught out. Cybersecurity companies increasingly recognise the ‘human’ factor as the most critical ’threat vector’ – put simply, there’s (ultimately) no substitute for human intuition about what might be suspicious.
Show your team key warning signs to look out for – suspicious email addresses in the email header, bad grammar, or links to dodgy URLs that display when you hover your mouse pointer over them.Fortunately ‘Fake bank’ or ’Nigerian Oil Minister’ type scams have become quite notorious over the last decade, so even the least tech-savvy user will soon catch on to the idea that if an email seems odd, it’s worth checking before clicking or typing-in any sensitive details.
Lineal have published examples of some particularly dangerous phishing emails we’ve encountered, here.
Defeatism is Expensive
Studies suggest many IT users increasingly feel that cyber-security breaches are inevitable, and that there’s ‘nothing they can do.’ This security ‘fatigue’ is partly the fault of cybersecurity providers, who have bombarded companies with this idea.
Avoid this mindset. Yes, 76% of companies reported being the victim of a phishing attack in 2017, but 24% did not. Those exemplary organisations will (at least partly) be making their own luck with good working practices, cybersecurity training for users, and strong IT security.
Defeatism also ignores that not all cybersecurity breaches are created equal – a breach could result in a negligible cost to recover a single PC, or cripple a major organisation worldwide, as NotPetya ransomware did to Maersk Shipping in 2017. Under GDPR, the scale of the fines issued by the Information Commissioner’s Office are directly related to the severity of the breach.
The lesson is clear: limiting your organisation’s exposure to attack also limits the potential ‘scale’ of the damage. Never surrender!
Do Your Part
It’s helpful to be able to show you’re also investing in your users’ safety at work – that you’re leading by example. Fortunately, there are many ways to reinforce end-user security when using email:
Cloud-based email hosting services (such as Microsoft Office 365) include multiple layers of spam filter as standard, which prevents the end-user ever coming into contact with a considerable volume of suspicious communication, and usually represents greater security than would be typical for your own on-site Exchange Server.
More secure antivirus providers (such as ESET) maintain their own lists of suspicious websites likely to be imitations used for phishing important credentials (such as bank details) and blocking these when encountered.
Email filtering services, such as the excellent Barracuda, are an inexpensive security bolt-on to work email that can dramatically cut down on each person’s day-to-day exposure to dodgy emails. Barracuda Phishline is also available as an automated training service – building a program of dummy phishing emails that can be used to raise awareness among your staff. Clever!