In the first half of 2018, nearly 500,000 phish were detected, much more than the approximately 370,000 detected in the last half of 2017 (and that includes holidays, when phishing attacks generally tend to spike). Not only is the phishing phenomenon getting worse, it’s increasing in sophistication to further fool people out of information and money. While there is no single solution or approach that will completely solve for phishing damage, there are five best practices that organizations can employ to better protect themselves.
How to Prevent Phishing: 5 Best Practices
1. Raise Awareness
Just as organizations regularly have employees attend harassment training or diversity training courses, security in general and phishing in particular should be part of any ongoing dialogue with employees. This is important because while most people know what phishing is, they continue to fall for phishing scams.
According to a 2015 survey involving 19,000 respondents, computer security company McAfee reports that 97% of respondents could not correctly identify a phishing scam email. This is in part because the scam artists continue to hone their skills of behavioral manipulation, persuading unwary people into clicking on phishing emails, links, and ads. Through ongoing training (not a one-and-done lunch-and-learn course that will likely have little impact), organizations can make their employees more aware of the different types of phishing scams they may face and educate them as the scams continue to evolve.
2. Provide Real-Time Defense
Despite the benefits of training, employees are still going to fall for phishing scams. This is especially true around the holidays and end-of-quarter periods when employees may be getting hundreds of emails and their guard is down.
So, it’s important that organizations implement tools and services that will protect users at the point of attack—in their Inbox. These tools and services immediately red-flag and block malicious emails before they reach employees. The most effective solutions will know which external accounts (even personal accounts on Gmail and other providers) are trusted and trustworthy, and red-flag those specific emails that are suspicious or clearly malicious.
3. Engage Your Users
Employees like to know “why”—and answering this question through employee engagement has been proven to reduce staff turnover and improve productivity and efficiency. Most importantly, engaged employees are happier, giving them purpose and enthusiasm about their position. This applies to security as well; when employees are actively engaged in protecting themselves and the organization, they’re more likely to be alert for suspicious phishing emails. In addition to training, make sure employees have a clear understanding of why certain emails are being flagged as suspicious or malicious. Again, it’s all about keeping them in the loop.
4. Create Feedback Loop
Oftentimes, employees may have little contact with the IT team in their day-to-day activities (until their computer crashes, of course). But connecting end users with IT/security teams in real-time with a feedback loop can strengthen bonds and go a long way toward reducing phishing incidents. Feedback loops are all about bettering the business through a cycle of monitoring and improvement.
While feedback loops can benefit every aspect of an organization, they are particularly important when it comes to security, as a breach can bring a business to a grinding halt. A feedback loop for email phishing and other security incidents simply involves IT identifying phish and informing impacted users, with users in turn notifying IT when they believe they’ve received a malicious email. Ultimately, this gives IT at-a-glance visibility into what users are reporting.
5. Create Incident Response Process
Many working within IT become so focused on preventing phishing damage and other cyber threats that they forget to consider what to do when one does occur (because it’s really not a matter of if, but when). A solid incident response plan, which outlines how an organization will respond to a data breach or cyberattack, aims to limit potential damage and ensure a swift return to normal operations.
To create a strong incident response process, IT teams need to invest time into defining how they will respond when incidents are reported, with detailed steps and the role and responsibilities for each member of the team clearly outlined. It’s a good idea to share ideas with other security leaders in the industry to solicit feedback and find potential gaps (and to help them out as well). The plan should then be clearly communicated with everyone on the team, and practiced quarterly so that when incidents occur, response will be quick and effective.
Phishing is here to stay. Today, over 75% of businesses report being a phishing victim, and six billion attacks are expected to occur throughout 2022. To fight back against phishing damage, organizations and IT teams need to be vigilant and follow industry best practices to mitigate the threat. If your team is concerned about phishing or been the victim of an attack, our team can help!