[BreachExchange] How to protect your business against phishers

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 26 21:56:01 EST 2019


In this post, I’ll go over how to protect your business against phishers.
I’ll also explain why you should consider security awareness training for
your staff, and the other measures you should put in place.

Start with top-level software

A simple anti-virus system offers good protection against a random attack.
What it can’t do is protect you from an employee clicking on the wrong link
in an email, or downloading a fun meme that carries a virus.

That’s why you should opt for software that offers more. An email scanner
can help you out here by quarantining emails that look suspicious. Someone
is then able to go in and check those emails in a safe environment. If
they’re legitimate, they can be released. If not, they don’t even make it
onto your servers.

Security awareness training

You know how to recognize a phishing email, right? Well, the stats tell a
different story. If 94% of ransomware attacks are a result of phishing,
that means a lot of money being lost because phishing attacks go undetected.

Standard training urges you to look at things like the address the mail has
been sent from, the spelling, and so on before deciding if the mail is
legitimate. Security awareness training will teach you and your staff how
to recognize the different forms that phishing may take.

Make no mistake; today’s phishers are pretty sophisticated. They can create
dummy websites, legitimate-looking client instructions, or even
inter-office instructions. Unless you know what to look for exactly, good
luck in telling these apart from the real thing.
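The cues the two sections above describe (a scanner that quarantines suspicious mail, and training that checks the sender address and watches for dummy websites) can be turned into a first-pass filter. The following is an added example, not code from the original post: it parses a constructed message with Python's standard `email` module and returns a quarantine verdict when the display name borrows a trusted brand from an untrusted domain, when Reply-To diverts replies elsewhere, or when a link's visible text names a different host than its href. `TRUSTED_DOMAINS`, `BRAND_WORDS` and the sample message are assumptions made for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # hypothetical: the organisation's own domain(s)
BRAND_WORDS = {"example"}          # words a spoofed display name would reuse
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def domain_of(address):
    """Lower-cased domain of an address header value, '' if absent."""
    return parseaddr(address)[1].rpartition("@")[2].lower()

def host_of(url):
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""

def shown_host(text):
    """Host a reader would believe a link leads to, judged from its visible text."""
    t = re.sub(r"<[^>]+>", "", text).strip().lower()   # drop nested tags
    return host_of(t) or (t if re.fullmatch(r"[\w-]+(\.[\w-]+)+", t) else "")

def assess(raw):
    """Return ('quarantine' or 'release', reasons) for a raw RFC 5322 message."""
    msg, reasons = message_from_string(raw), []
    name, sender = parseaddr(msg.get("From", ""))
    from_dom, reply_dom = domain_of(sender), domain_of(msg.get("Reply-To", ""))
    # 1. Display name borrows a trusted brand, but the sending domain is not ours.
    if any(w in name.lower() for w in BRAND_WORDS) and from_dom not in TRUSTED_DOMAINS:
        reasons.append(f"display name '{name}' but From domain is {from_dom}")
    # 2. Replies are quietly diverted to a domain other than the visible sender's.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. Visible link text names one host while the href points somewhere else.
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode(errors="replace")
            for href, text in ANCHOR.findall(html):
                if shown_host(text) and shown_host(text) != host_of(href):
                    reasons.append(f"link text shows {shown_host(text)} but href goes to {host_of(href)}")
    return ("quarantine" if reasons else "release"), reasons

# Constructed sample, not a real message: spoofed brand, diverted replies, mismatched link.
SAMPLE_PHISH = """\
From: "Example Payroll" <payroll@examp1e-login.net>
Reply-To: collect@mailbox-relay.net
Subject: Urgent: confirm your bank details
Content-Type: text/html

<p>Please confirm at <a href="http://examp1e-login.net/verify">https://example.com/hr</a> today.</p>
"""
```

Running `assess(SAMPLE_PHISH)` returns a quarantine verdict with all three reasons; a message from a trusted domain whose link text and href agree is released. A real scanner would add authentication results (SPF/DKIM/DMARC) and attachment scanning on top of these header and body heuristics.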

Test your staff

Your training is only effective if staff apply the principles in their
day-to-day tasks. Occasionally firing off a test phishing email can highlight
areas where training needs to be beefed up. It can also show you which staff
are taking their training seriously.

Monitor email communications

Naturally, you’ll need to advise staff that you’ll be doing this. It’s not
nice to think that you have to spy on the people that work for you, but
it’s good business practice to do so. By doing this, you can see which
staff are taking chances on the emails that they open.

Is there someone on the team who receives and sends a lot of dodgy emails?
Are they opening anything that they feel will be funny to read? You need to
know. And it’s not in order to punish them, but rather to educate them to
the dangers of doing so.

Final notes

Protecting your company against phishers is all about education. If you and
your staff are properly trained in spotting an attack, you’ll be able to
fight them more effectively. Add that to a killer email scanning program,
and regular refresher courses and tests, and you’re way ahead of the game.