According to a Zogby Analytics report shared by Hartford Business Journal, “58% of more than 400 business executives reported an increase in suspicious emails in the last year.” With this type of crime, it is safe to assume that the reported numbers are actually lower than the real figures. There will always be some organizations or individuals who do not want to answer honestly, or who simply are not aware that they have been targeted and remain blissfully ignorant. What is crystal clear is that all organizations need to be vigilant against the threat of email attacks.
Get to Know “Phishing”
Phishing is a form of social engineering, and in the context of information security, social engineering is defined as “the use of deception to manipulate individuals into divulging confidential or personal information”. A huge percentage of so-called “hacks” succeed only because of the victim’s own participation.
Many of the most high-profile “hacking” stories from the last few years were the result of users being tricked into giving their login information to people who then used it against them. The most common method is to send unsuspecting victims to fake websites which resemble their real counterparts. When the user enters their login credentials, payment details, or other information into a form on that page, they are handing it right to the bad guy.
Phishing works because people believe the messages they receive. According to security firm FireEye, people open just 3% of spam email, yet they open 70% of phishing emails. And 50% of people will click on the link, generally within just 1 hour of receiving the email. This underscores the sense of urgency people feel to act upon these messages: they can be very alarming, and they give you the sense that you need to act before you get a chance to think about whether the email is legitimate.
The Zogby Analytics report also found that “37% of organizations say they received emails from an address claiming to be a senior manager or vendor seeking payments” and that “47% of employees received those emails and responded by transferring company funds”.
What Can You Do?
Consider the ways that your organization scans and protects communications. There are many security services and methods out there, and they are improving all the time. Phishing is being taken extremely seriously, and there are many solutions which can help to mitigate your organization’s risks. The big picture is that you need to have a plan in place that makes it very difficult for an attacker to gain entry to your data even if they do successfully “phish” one of your employees.
It seems obvious, yet most organizations do not prepare their front line to defend the organization from this threat. Communicate your expectations to your workforce quarterly or monthly. Make cybersecurity a part of initial onboarding and ongoing workplace training. Cybersecurity really is an area where the weakest link in the chain can expose an entire organization, so it is critical that you take a holistic approach and make sure that everyone is well prepared and following best practices.
We are living through a period where technological change happens very quickly. You can’t just buy a software package or a device, set it up, and be done. Your leadership team, management, and IT all need to follow current events and respond quickly to the issues of the day. As the technology shifts, adjust as necessary to protect the organization against the threats of the day. It is an unfortunate reality for now, and hopefully one that we will someday grow beyond.
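The sender-impersonation pattern in the Zogby figures above (a message claiming to come from a senior manager and asking for a payment) is one that mail scanning can flag mechanically, alongside whatever commercial filtering is in place. The following script is an added example, not code from the original article: it assumes a constructed internal domain, a constructed list of executive display names, and two constructed sample messages.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed values for the example: the organization's own domain and the
# display names (with their real addresses) of senior managers often impersonated.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "raj patel": "raj.patel@example.com"}
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|invoice|payment|bank details)\b", re.IGNORECASE)

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_message(raw):
    """Return a list of findings for one plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    findings = []
    # 1. A known executive's display name on a From address that is not theirs.
    name = display.strip().lower()
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        findings.append("display-name impersonation: %s via %s" % (display, addr))
    # 2. Replies silently redirected to a domain other than the sender's.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append("reply-to domain %s differs from sender domain %s"
                        % (domain_of(reply_to), domain_of(addr)))
    # 3. An external sender asking for money to be moved.
    text = msg.get("Subject", "") + "\n" + (msg.get_payload() if not msg.is_multipart() else "")
    if domain_of(addr) != INTERNAL_DOMAIN and PAYMENT_TERMS.search(text):
        findings.append("payment request from external domain %s" % domain_of(addr))
    return findings

# Constructed sample messages: one executive-impersonation payment request, one benign note.
SAMPLE_BEC = ("From: Jane Doe <jane.doe@mail-examp1e.net>\n"
              "Reply-To: ceo.jane.doe@webmail.example\n"
              "To: accounts@example.com\nSubject: Urgent wire transfer\n\n"
              "Please process this invoice today, I am in a meeting and cannot talk.\n")
SAMPLE_OK = ("From: Jane Doe <jane.doe@example.com>\nTo: accounts@example.com\n"
             "Subject: Q3 planning\n\nSee you at the planning meeting tomorrow.\n")

if __name__ == "__main__":
    for finding in check_message(SAMPLE_BEC):
        print("SUSPICIOUS:", finding)
    print("benign findings:", check_message(SAMPLE_OK))
```

Any hit is a reason to hold the message for review or add a visible banner, not proof of fraud; the executive list and payment vocabulary are the parts you would tune for your own organization.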