A recent Intel Security study found that 94 percent of participants could not distinguish a genuine email from a phishing email every time. Worse, among the executives who took the survey that figure rose to 96 percent.
Email phishing has proven to be the preferred technique for breaching an organisation’s security, and the volume is staggering: over 150,000 new phishing URLs were found in the fourth quarter of 2014 alone.
It only takes one employee to fall for a phishing email to impact your entire organisation. That’s why it’s so important to be aware of the dangers of phishing scams. Below are three things you can do to counteract these threats.
1. Employee education: Your best defence against security attacks
Forewarned is forearmed, as they say. Building awareness of email scams and the motivations behind them is one of the most important things you can do to reduce your company’s vulnerability to an attack. But you can’t just train once—you need to continually educate your employees.
One of the best ways to educate employees, including executives, is to lead them through active learning exercises that simulate real-world security attacks. A great example of this is Facebook’s annual Hacktober initiative, which stages simulations of real-world security attacks like sending phishing emails and dropping thumb drives.
Develop a short list of best practices that helps employees identify and avoid phishing, and keep it current: as attackers change their lures and techniques, update the guidance and remind staff of what the latest messages look like, so they keep recognising and avoiding them.
2. Deploy comprehensive protection to safeguard your attack surface
Attackers know that to phish your company they have to get their emails past your perimeter defences and into your users’ inboxes, and every address that accepts mail from the outside is part of your attack surface. Distribution groups with guessable addresses (all@, staff@ or sales@, for example) are a favourite target, because a single message fans out to every member. Regularly reviewing your distribution lists, and configuring widely used internal groups so that only authenticated internal senders can mail them, is a simple way of closing a gap that phishers exploit.
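As an added example (it is not part of the article and not anything from Intermedia), the following PowerShell audits an Exchange organisation for distribution groups that still accept mail from unauthenticated senders and, with the -Fix switch, closes them. It assumes an existing Exchange Online or Exchange Management Shell session with rights to manage recipients; the -Fix and -NameFilter parameters are the example’s own.

```powershell
# Added example, not from the article: find Exchange distribution groups that
# accept mail from unauthenticated (i.e. external) senders and, on request,
# close them. Assumes an existing Exchange Online or Exchange Management
# Shell session with recipient-management rights. -Fix and -NameFilter are
# this script's own parameters, not anything the article describes.
param(
    [switch]$Fix,               # apply the change; default is report-only
    [string]$NameFilter = '*'   # e.g. 'all*' to look at the broad lists first
)

# RequireSenderAuthenticationEnabled is the setting that matters: when it is
# $false, anyone on the Internet can deliver to the group's address and the
# message fans out to every member.
$open = Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.Name -like $NameFilter -and -not $_.RequireSenderAuthenticationEnabled }

if (-not $open) {
    Write-Output 'No distribution groups accept mail from unauthenticated senders.'
    return
}

# Report the exposed groups, biggest first, so the widest blast radius is
# dealt with first.
$report = foreach ($g in $open) {
    $members = Get-DistributionGroupMember -Identity $g.Identity -ResultSize Unlimited
    [pscustomobject]@{
        Name        = $g.Name
        Address     = $g.PrimarySmtpAddress
        MemberCount = @($members).Count
        ModeratedBy = ($g.ModeratedBy -join ';')
    }
}
$report | Sort-Object MemberCount -Descending | Format-Table -AutoSize

if (-not $Fix) {
    Write-Output 'Re-run with -Fix to require authenticated senders on the groups above.'
    return
}

foreach ($g in $open) {
    # Only authenticated senders (your own users) may now deliver to the
    # group. An external partner that genuinely needs to reach a list can be
    # allowed explicitly with -AcceptMessagesOnlyFromSendersOrMembers rather
    # than reopening the group to the whole Internet.
    Set-DistributionGroup -Identity $g.Identity -RequireSenderAuthenticationEnabled $true
    Write-Output "Hardened: $($g.PrimarySmtpAddress)"
}
```

Run it once without -Fix and review the report: a group that is open on purpose (a support@ alias customers are meant to write to, say) should be moderated or restricted to named external senders rather than left wide open, and the rest should simply require authentication.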
Technology also offers multiple layers of protection to help you fend off not just spam and viruses but also sophisticated phishing attacks. It does not replace user education, but it can block many attacks outright and reduce the impact of those that get through should a user fall victim. Deploying anti-malware and anti-phishing filters from established vendors helps stop malicious emails before they reach your users’ inboxes.
3. Prepare for the worst case scenario
Even with the best technology and most prudent safeguards in place, the rapid evolution of phishing techniques makes it nearly impossible to protect your company from these threats 100 percent of the time.
You need to protect yourself by hardening your infrastructure, so that if, or more likely when, you are targeted, the impact of the attack is contained. Assume that at least one account will be compromised and limit what that account can reach. Look beyond how your sensitive data is stored and accessed, and implement tools that protect your IP while still enabling your employees to do their jobs effectively.
Finally, use outbound email monitoring to scan the messages your users send, to colleagues as well as to external recipients, for malicious URLs and attachments. That way, if an attacker has broken into a mailbox, it cannot be used as a trusted internal sender to spread malicious links to other employees. The same scanning can also stop sensitive information, such as customer contacts or corporate IP, from leaving the company.
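As an added example of the outbound controls described above (not from the article, and not a description of any Intermedia product), the following PowerShell creates two Exchange mail flow rules: one that rejects messages leaving the organisation with executable attachments, and one that holds messages for review when they contain a link to a raw IP address or what looks like a row from a customer-contact export. It assumes an Exchange Online or Exchange Management Shell session with rights to manage transport rules; the rule names, the regular expressions and the security-review@example.com mailbox are illustrative choices.

```powershell
# Added example, not from the article: outbound mail flow rules in Exchange.
# Assumes a session with transport-rule management rights. Rule names, the
# patterns below and the reviewer mailbox are this example's own choices.

# Rule 1: executable content going outbound is rejected with an NDR.
# AttachmentHasExecutableContent inspects the file itself, not its name, so
# renaming payload.exe to payload.txt does not bypass the check.
New-TransportRule -Name 'Outbound: block executable attachments' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -AttachmentHasExecutableContent $true `
    -RejectMessageReasonText 'Executable attachments cannot be sent outside the organisation.' `
    -RejectMessageEnhancedStatusCode '5.7.1' `
    -Mode Enforce -Priority 0

# Rule 2: hold suspicious content for a human. Any one of the patterns
# matching the subject or body is enough to trigger the rule.
#   - a URL whose host is a bare IPv4 address, a common phishing-link shape
#   - an e-mail address followed by a phone number on one line, the shape of
#     a row in a contacts export (the comparable -AttachmentMatchesPatterns
#     condition applies the same idea to attachment contents)
$rawIpUrl   = 'https?://\d{1,3}(\.\d{1,3}){3}(:\d+)?(/|\s|$)'
$contactRow = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\s*[,;\t]\s*\+?[0-9][0-9 ().-]{7,}[0-9]'

New-TransportRule -Name 'Outbound: hold suspicious links and contact exports' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -SubjectOrBodyMatchesPatterns $rawIpUrl, $contactRow `
    -ModerateMessageByUser 'security-review@example.com' `
    -GenerateIncidentReport 'security-review@example.com' `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetections `
    -Mode Enforce -Priority 1

# To measure false positives before anything is held, run the second rule in
# audit mode first; incident reports are still generated:
#   Set-TransportRule -Identity 'Outbound: hold suspicious links and contact exports' -Mode Audit
```

The two rules are scoped to mail leaving the organisation; drop the -SentToScope condition on the second rule if you also want internal mail from a compromised account to be held, at the cost of more reviewer traffic. The contact-export pattern is deliberately crude, which is why it moderates rather than rejects: the incident report tells the reviewer what matched, and a genuine business mailing can be released.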
By Jonathan Levine, Chief Technology Officer at business and IT service provider Intermedia