The term “phishing” has been circulating the business realm for quite some time—largely because of its popularity amongst cyber criminals. Phishing is a type of social engineering attack that tricks victims into giving away information to cyber criminals posed as a trusted source. It’s an easy and effective way for criminals to hack sensitive systems and information, and the dangerous aspect is that it can come in many forms—the main one being email. Today, phishers, on average, launch a new attack every 30 seconds—and phishing schemes are growing increasingly sophisticated as cyber attackers use new tools and tactics to create authentic-looking emails.
Low-cost phishing and ransomware tools are very easy to get a hold of, and the attacks are just as easy to execute. So, what makes phishing such a successful method of cyber attack, and what can organizations do to protect themselves? In this post, we’ll dive into why phishing is so prevalent and how companies can work to mitigate these attacks.
The most common type of phishing attack involves a criminal posing as a high-level executive who will then send an email message to an employee with access to a desired system or information. Cisco recently released a midyear report showing that CEO fraud netted cybercrime five times more money than ransomware over the last three years. This tactic is essentially the easiest way for criminals to get all the necessary information to commit tax and other fraud. And, according to anti-phishing company PhishMe, phishing emails pretending to be regular office communications are the most effective, with an average click-through rate of 22 percent.
Why Does Phishing Keep Happening?
When trying to determine the key factors that allow phishing attacks to infiltrate organizations, all paths lead to a lack of cybersecurity education among employees. Human error, paired with corporate cultures that fail to prioritize cybersecurity education, are often the culprits when businesses fall victim to phishing attacks. In fact, a global survey over 400 C-suite execs by the management consulting firm A.T. Kearney showed that cybersecurity (at 43 percent) is the top operational challenge they faced. This can be due to the fact that many employees have never received adequate security awareness training, if any at all.
So, why does phishing keep happening? It’s because people continue to fall for it! However, if organizations begin to prioritize security training and education, they can prevent their employees—and their sensitive business data—from being such easy targets.
How Companies Can Catch Phishing
The first line of defense against phishing attacks is to enhance education around email security. Failing to establish per-message authenticity company-wide puts organizations at risk of targeted email attacks.
It is imperative that all employees in an organization understand what a phishing email looks like and how to avoid becoming a victim. However, this is only possible when users are given the tools and training needed to detect potential phishing emails. In addition, companies need to develop policies and provide instructions on what users should do if they suspect phishing.
Where MSPs Can Step In
The reality is, companies are simply not doing enough to reduce the risks associated with phishing and malicious software. Aside from a general lack of cybersecurity training, many companies lack adequate backup processes, and strong internal control processes are often missing as well. Thus, there is a clear demand in the small- and medium-sized business (SMB) market for a secure solution to these problems, and an even larger demand for someone to manage that solution—creating a huge opportunity for managed services providers (MSPs).
Ultimately, the right mix of technology, intelligence and expertise can help negate the root of the phishing issue: human vulnerability. Not only can MSPs provide the necessary security training to SMBs, but they can also offer a suite of solutions that can bolster their cybersecurity strategy. With a remote monitoring and management (RMM) solution that’s coupled with antivirus software, MSPs can be more proactive in preventing phishing and similar attacks. Similarly, MSPs who offer cybersecurity-as-a-service will be able to better manage cyber threats for SMBs by boosting threat detection and analytical capabilities. Lastly, should a client fall victim to a phishing attack, the best method for recovery is to provide reliable backup and disaster recovery (BDR). With this solution, you can ensure that clients have recent backups and that their essential data can be restored to a known and undamaged state—with as little downtime as possible.
Phishing may have gotten the best of companies in the past, but with a solid cybersecurity plan and solution, these types of threats can easily be evaded.
By Lily Teplow
By Brian Downey
By Dave LeClair