Even with the nonstop news coverage of data breaches, malware attacks, and the affect of ransomware on network and email security, it seems that UK IT security pros don’t realize that these problems are overwhelmingly caused by malicious emails! The mimecast survey of 600 global IT security pros from the US, the UK, South Africa, and Australia. Almost two-thirds of them regard email as a serious threat to their business and the same percentage feel unprepared for such attacks. In comparison, figures solely of respondents from the UK were 10% and 27% respectively.
According to the respected SANS Institute, successful phishing attacks could result in serious implications such as:
In other words, phishing can cost the company a lot of money. And employees who fall for the scam can lose their job. Two examples suffice.
The CEO of FACC Operations GmbH, an Austrian aircraft parts manufacturer, was fired after the company lost €40.9 million (£31 million) to a whaling attack. A whaling attack is also known as a C-level fraud and BEC (business email scam). It involves targeting high level executives with forged emails asking for payments to be made to third parties. Although FACC managed to recover €10 million, the net loss wiped out its profits for the year.
Since January, at least 68 companies have announced that they fell victim to a spear phishing attack responsible for stealing the W-2 U.S. tax records of all their workers. One or more employees receive an email appearing to be from the CEO with subject lines such as: “Request for all employees’ W2.” If the employee falls for the scam, the attacker attempts to file tax returns for all workers before the workers do. Then the attacker steals the victims’ tax refunds. There are costs to the company, too. It must pay to provide identity theft protection to all employees, and the employee responding to the scam may be fired. Stocks can be affected, as happened at Seagate Technology; on the day the news of the W-2 attack hit the media, the company’s stock price decreased 3.5 percent.
Hopefully, you are convinced that protecting against phishing is a critical part of your company’s security strategy. Phishing will continue as long as it is profitable for the attackers. The key is to change user behavior when confronted with a phishing email. The obvious advice is not to click on strange links in email. But phishing emails are becoming increasingly convincing. According to Verizon’s breach report, 30 percent of people fall for phishing emails.
Users who have been burned by phishing are less likely to fall for them again. Ideally, though, it would be better to train employees to recognize phishing emails before a breach occurs. A report from Experian and the Ponemon Institute surveyed 601 IT executives and other corporate decision-makers whose companies provide data protection and privacy courses to their employees. A discouraging 60 percent of respondents say that their employees are either not knowledgeable or have no knowledge at all in cybersecurity. Only 49 percent say that their company training includes lessons on phishing and social engineering. Most disconcerting is that merely 54 percent of the companies have security training at their place of work that is mandatory, and of those companies, more than a quarter excuse executives and contractors from attending. Furthermore, only 30 percent of companies require employees to take or retake the course following a data breach.
It is obvious that these shortcomings in data security training must be remedied. But instead of waiting for a new course to be developed, there is a stop-gap method; ready-made websites offering phishing training. Just google “phishing training” for a list.
Although employee behavior is the key to tackling the phishing problem, IT can help:
It’s important to put technologies in place to detect and block phishing scam from reaching your users. Phishing scams will evolve as will the technology to battle them. The best line of security defense always will be educated users.
Some guides and articles to help you learn how to identify phishing scams & safeguard your data :
Sign-up for email updates...