83% of successful cyber attacks in the UK in 2021 were phishing attacks. If you want to protect your business against this serious threat, there are a few things you need to do.
And they’re something you should look into sooner rather than later, because a successful phishing attack usually comes with a steep financial cost for your company.
There’s also the reputational damage, fines from regulators, and the loss of company value to consider. Organisations that don’t take phishing seriously tend to overlook these costs, only to be bitten hard by them when an attack actually happens.
Here you’ll find everything you need to know about what phishing is and the steps to take to safeguard your business.
What is phishing?
Phishing attacks come in the form of emails that essentially trick your team members into revealing confidential information or installing something they shouldn’t. They are, in short, a scam.
In the past, they were simple and pretty easily spotted (though, sadly, still worryingly effective).
Today, they are an increasingly sophisticated form of social engineering – to the point where it can be very difficult for the uninitiated to tell a phishing email from a real one. They tend to come in two basic forms:
1) The confidential information scam
These email phishing attacks pretend to be from a reputable organisation, official body, or even someone within your own company.
They may masquerade as someone in your IT department asking you or a team member to confirm your username and password. Or perhaps they make it seem like a team member needs to make an urgent payment to a vendor.
The important thing is, they’re not real. But they can really look it. And your well-meaning team member hands over your business’s sensitive information, their own passwords – whatever info is asked for under the guise of being a legitimate request.
2) The malware/dodgy link scam
If you’ve heard the advice never to follow a link or open an attachment from an unknown email address, this is the reason why.
Anyone who clicks on one of these dodgy links or attachments ends up downloading some malware onto the company system.
This sounds very easy to spot, you might think. But when that email looks just like all the others you’ve received from a client or supplier or even someone inside your own organisation (these are a slightly more advanced type of attack called “spear phishing”), you might be surprised how easy it is to miss.
Tips for how to prevent phishing attacks
Now we know what they are, how do we stop them? Here are the basics you need to cover if you want to protect your business against phishing attacks:
1) Stop phishing attacks before they reach your team
One of the best ways to protect your team and your business from phishing attacks is to ensure they don’t get through in the first place. Nothing is guaranteed to eliminate all phishing attacks, but you should do things like:
- Use anti-phishing software
- Use the anti-phishing tools within Microsoft 365 and Google Workspace if you use them
2) Put MFA (Multi-Factor Authentication) in place
Multi-Factor Authentication means you have multiple layers of security protecting your business. A username and password together make up one layer or “factor”. Others might include requiring your team to enter a code received on their mobile, to present a keycard when logging in, to use a fingerprint scan, and a wide range of other options.
Those confidential information scams suddenly start looking much less clever if all the hacker gets is one piece of information that can’t get them into your system on its own.
In fact, MFA is so good at preventing cybercrime in general that it’s something you should definitely be implementing for your business as soon as possible.
3) Set up a phishing reporting system
If a member of your team does spot a dodgy email, will they just delete it? Or will they know what to do about it?
Most email clients have tools, functionality or add-ins that can help you do this. For instance, Microsoft Outlook has an easy function you can set up to not only report suspected phishing emails to Microsoft, but also to your Managed Service Provider or IT team.
This means all your team needs to be aware of is how to use that system. Well, that’s not actually “all” they need to be aware of…
4) Get your team phishing awareness training
You might have spotted already that the success of any given phishing email relies on one thing: your team’s ability to spot it for what it is.
That’s why every member of your team needs to be given proper training in how to spot phishing emails. Because even with all the proper anti-phishing protections in place, your team’s awareness is going to be your best weapon and protection.
Of course, some roles make their holders particularly attractive targets, and therefore a priority for this kind of training. Your finance people, for example. Yet every single person who has access to your systems needs this kind of knowledge if your business as a whole is to be protected.
Once isn’t enough either. Having a system in place to train new hires and regularly update existing team members in the ever-evolving landscape of cybersecurity threats is vital.
5) Test that training
It can be easy enough to count a completed phishing email training course as a box ticked in your cybersecurity must-do list. But has that training really sunk in?
Setting up regular phishing email tests and simulations is a good way to make sure that everyone is on the watch for this pernicious threat. It also lets you spot anywhere a little refresher training wouldn’t go amiss.
Is your business properly protected against phishing threats? Do you need cybersecurity consultancy?
Let’s talk about it. Nearly 1000 businesses in Bristol and beyond trust us to make sure their cybersecurity is where it needs to be.
Set up a cost and commitment-free consultation with Chief Geek Gildas Jones today via this link. Let’s work out what we can do to protect your business.