In April 2018, IT Governance reported that 75% of organizations have experienced “at least one” phishing attack. While most businesses are used to dealing with spam—it often seems like getting spam is a rite of passage for anyone with an inbox—the types employees are used to range from random ads and “last chance” sales to cold emails from strangers they don’t know and foreign bank transfer requests.
Spam may be annoying, but the emails are usually harmless. Most people know what questionable messages look like: they don’t recognize the company or the sender, the copy is riddled with spelling errors and odd language, or the requests have questionable files attached. The majority of email users know to simply delete them.
Unfortunately, spear phishing is a different threat altogether. Not only do these attacks threaten the security of an organization’s sensitive data, they’re often a lot harder to detect. Attackers have upped their game. They’re able to spoof email addresses that look like they’re from the business they’ve targeted (e.g. email@example.com), and the messages are often filled with reasonable requests or attachments, like an order form for a company accountant.
Yikes. No wonder the percentage of employees who have fallen for phishing attacks is so high.
Thankfully, it is not impossible to protect your organization and secure your information. Here are four easy steps you can follow to keep phishing emails from doing damage to your business.
1. Install the latest security patches for your OS
Check your operating system frequently for new security patches. While OS patches aren’t always created specifically for phishing threats, they will help you avoid vulnerabilities in your organization that could give a successful phishing attack access to critical company data.
For Windows users: Microsoft releases updates to their OS often, especially if they’ve identified a potential security concern and want to protect their users against it. Versions like Windows XP are also updated on occasion if there’s enough risk to warrant it—good news for those who still use unsupported versions.
For macOS, Linux, AIX, and VIOS users: These operating systems also receive frequent patches to ensure the best protection against potential gaps in security. Updates are released as industries predict new cyberattacks, so make sure your customer-facing and internal systems are always current with the latest security patches for your particular OS.
2. Encrypt sensitive company information
Use strong file encryption practices in your organization to better safeguard company data from prying eyes. Along with a trustworthy secure file transfer solution, encryption will protect the files you send to your databases, cloud environments, trading partners, and customers, making it difficult for hackers to decrypt any information they get their hands on.
Here are a few examples of things you should encrypt. Successful encryption will limit the scope of damage a phishing attack could have across your business.
- Hard drives
- Cloud storage
- Passwords and security questions
- Internet activity (by using a VPN or masked IP address)
- External storage like USB drives or hard drives
- Files like business contracts, audit reports, and tax documents
A managed file transfer solution can guard your files in transit and at rest using modern encryption technologies. Good MFT software helps ensure that you stay up-to-date with the latest encryption standards, while making your file transfers simple to track, manage, and audit.
3. Protect your accounts with multi-factor authentication
Organizations around the globe have implemented multi-factor authentication (MFA) as part of their cybersecurity framework. Some companies let customers choose if they want to enable MFA on their accounts. Others, especially those in industries that process personal data, require clients to enter their password, their pin, and a mobile code in order to view or manage their information.
If you haven’t already: Consider establishing multi-factor authentication across your accounts for an extra layer of protection.
Multi-factor authentication helps ensure that anyone who accesses your private data has been approved and verified by your servers. It works by requiring at least two pieces of identification (say a username/password combo and a randomly generated token) that complicates the ability for hackers to compromise your systems—even if they have half the details needed to get in.
If we lived in a perfect world, passwords and security questions would be impenetrable. But in reality, employees often use a small variety of passwords across multiple websites and overshare personal data on social media, compromising the integrity of their logins and security questions.
Our suggestion? Implement MFA at work and at home. It will give you an extra layer of security against spear phishing and other types of attacks, no matter where you are or where you go.
4. When you see suspicious email activity, ask first
If you receive a suspicious email from someone you trust, check that it came from the sender before you interact with it. Stop by their office, give them a call, or send them a separate email and ask if it was truly a request from them.
It takes two minutes to establish whether an email should be trusted. While it might interrupt a project or packed schedule, the detour to their office is absolutely worth it. Hopefully, the email is legitimate and you can respond with ease. But if it’s not, if the email is a carefully-concealed phishing email, your IT team can now warn others in the organization of a potential cyberattack.
Remember, always alert IT of suspicious email activity. If you received something off-putting or strange, chances are other employees have too.
Spear phishing attacks happen every day. They’re a cybersecurity concern organizations should be aware of and take measures against. But they don’t have to be a problem if you take the time to update your operating systems, encrypt your file transfers, secure your accounts, and report strange emails to your IT department.