A recent report released by GreatHorn reveals that security leaders have witnessed a 25 percent rise in phishing attacks that break through security defenses. In spite of multiple security solutions, approximately half of participants had phishing emails arriving in their inboxes. The effect has been seen in both the public and private sectors. For example, one of the largest successful phishing attacks to occur in 2019 was that of the Oregon DHS, a breach that compromised over half a million patients and 2.5 million emails.
The spread of phishing attacks is a result of various interconnected causes, each one influencing the other in a disastrous domino effect. An oblivious employee who has not been well trained in information security can easily fall victim to any of the following:
In order to protect your organization against such attacks, employees need to be empowered with defensive technologies and knowledge. The following is a compilation of tips by a number of security experts on how businesses can defend themselves against phishing attacks.
Implement spam and web filters
Deploying spam and web filters to block or delete malicious websites and viruses automatically strengthens your first line of defense. Using heuristics to identify if an email is malicious or not can be helpful, but may allow more sophisticated malicious emails to slip through.
Invest in anti-phishing and training programs
This can include conducting mock phishing scenarios in which employees can practice and learn how to determine whether an email or link is malicious. Employees should understand the types of potential attacks, what such attacks can do and how to deal with them. While spam and web filters are able to detect phishing attacks, ensuring that employees are well aware of phishing attacks serves as a backup plan, like a two-step verification process.
Establish a set of security rules
One of the most common causes of successful phishing attacks is employee negligence. By enforcing preventative measures, you can minimize this risk. Some possible rules can include:
Privacy is key
This is more than just protecting personal or sensitive information. It is vital that your organization is aware of every piece of information that it publishes or reveals to the world. This is because hackers now leverage social engineering to research organizations, reading about them, their employees, what role they play and who they may be contacting. A hacker may try to spoof an email address so that a message appears to come from an important member of the organization, prompting employees to open it without thinking twice. Moreover, employees should protect themselves by ensuring that the answers to their security questions are not available on their social media profiles. Questions like "What school did you go to?" and "What is your mother's maiden name?" should not be considered security questions if their answers are available online.
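The sender-spoofing described above is exactly the kind of thing the heuristic filters mentioned earlier can flag. The following is an added example (not code from the article or from GreatHorn) of three simple sender heuristics: a display name matching a known executive but an address that does not, a lookalike domain, and a Reply-To that differs from the From address. The organization domain and executive list are assumed sample values.

```python
from email.utils import parseaddr

# Constructed sample data (assumed values, not from the article): the
# organization's own domain and executives whose names a spoofed message
# might borrow in its display name.
ORG_DOMAIN = "example.com"
KNOWN_EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, reply_to: str = "") -> list:
    """Return heuristic findings for a From: header and optional Reply-To: header."""
    findings = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    # 1. Display name of a known executive paired with a different mailbox.
    if name in KNOWN_EXECUTIVES and addr.lower() != KNOWN_EXECUTIVES[name]:
        findings.append("display-name impersonation")

    # 2. Sender domain is within two edits of ours but is not ours.
    if domain and domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike domain")

    # 3. Replies would go somewhere other than the apparent sender.
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr and reply_addr.lower() != addr.lower():
            findings.append("reply-to mismatch")
    return findings


if __name__ == "__main__":
    # Constructed headers: one legitimate, two resembling the spoofing described above.
    for hdr in ['"Jane Doe" <jane.doe@example.com>',
                '"Jane Doe" <ceo.urgent@gmail.com>',
                'Jane Doe <jane.doe@examp1e.com>']:
        print(hdr, "->", check_sender(hdr) or "clean")
```

A real mail gateway would combine findings like these with SPF, DKIM and DMARC results rather than act on any one of them alone.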