Phishing is one of the oldest tricks in the book - yet it’s a tactic that’s still used by scammers and cybercriminals to this day. The reason for that is simple. It works.
From 2017 to 2018, 76% of businesses reported being the victim of a phishing attack. Per the SANS Institute, 95% of attacks on enterprise networks are the direct result of phishing. And in 2017, phishing attacks grew by an alarming 65%.
Phishing works so well because it targets the weakest link in your security infrastructure, a weak link shared by virtually every business in the world: your people. No matter what you do to harden your software, there is always the chance that an unsuspecting staffer will grant access to someone nefarious.
You can’t completely remove the chance of this happening. What you can do is mitigate it. Here’s how.
Scammers and hackers alike count on two things
All they need is a moment of incaution. Maybe someone, taken in by an attacker posing as a colleague, forwards a document they have no business seeing, or enters their credentials into a phony login page. Maybe someone clicks a link or downloads an attachment that contains malware.
Phishing attacks only succeed because people make mistakes. Coaching your employees to recognize the red flags of a phishing scam is a good first step. But you also need to teach them how to be more careful and observant.
You need to teach them to practice a technique known as mindfulness.
It’s actually quite simple. Coach your users so that they learn to stop and think before they take any action. Help them develop a habit of questioning every email they receive, every attachment that comes their way, and every login page they encounter.
Teach them to observe, ponder, and move carefully, and you might be surprised at the results.
“Even the briefest pause alerts your instincts, leading to a better decision the majority of the time,” explains University of Michigan Professor Ryan Wright. “We often use technology mindlessly. If you pause and are more mindful for just a second, then you have already won.”
As the old saying goes, practice makes perfect. The more you expose your employees to the tactics commonly used by scammers, the more inured they’ll become to them. The more familiar they are, the less likely they become to fall for such techniques. As an added bonus, such drills can also help you identify employees who might represent potential security risks, and may require additional training.
Of course, at the end of the day, people still make mistakes. It’s in our nature. Mindfulness and training both only go so far in mitigating that. The best way to bridge the gap is through technology.
If you haven’t done so already, equip your email server with data leak prevention, spam protection, and malware scanning utilities. Every single attachment that either enters or leaves your gateway should be scanned to ensure it doesn’t contain a malicious payload (or, in the case of outgoing mail, that a sensitive document isn’t being sent to an unauthorized domain). I would also recommend installing some sort of EFSS (enterprise file sync and share) or content collaboration utility.
A platform such as this will allow your organization to remain in control of sensitive documents even if they pass outside your firewall, and will make it that much more difficult for a hacker to gain access to your most sensitive assets.
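To make the gateway policy above concrete, here is an added example (not code from the original post) of the two checks it describes: blocking risky attachment types on mail in either direction, and flagging an outbound attachment carrying a sensitivity marker when it is addressed outside a trusted domain list. The domain names, blocked extensions, marker string and sample messages are all constructed for this illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses

# Hypothetical policy values; a real gateway would load these from configuration.
TRUSTED_DOMAINS = {"example.com", "partner.example.org"}
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "docm", "xlsm"}
SENSITIVITY_MARKER = b"CONFIDENTIAL"  # e.g. a classification label stamped into documents


def build_sample(to_addr: str, filename: str, data: bytes) -> bytes:
    """Construct a raw RFC 5322 message with one attachment (sample input only)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = to_addr
    msg["Subject"] = "Sample message constructed for this example"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def recipient_domains(msg: EmailMessage) -> set[str]:
    """Collect the domain part of every To/Cc address."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.rsplit("@", 1)[-1].lower() for _, addr in addrs if "@" in addr}


def check_message(raw: bytes, direction: str) -> list[str]:
    """Return policy findings for a message; an empty list means it passes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    untrusted = recipient_domains(msg) - TRUSTED_DOMAINS
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:  # catches double extensions such as invoice.pdf.exe too
            findings.append(f"blocked attachment type: {name}")
        payload = part.get_payload(decode=True) or b""
        if direction == "outbound" and SENSITIVITY_MARKER in payload and untrusted:
            findings.append(f"sensitive attachment {name} addressed to unauthorized domain(s): "
                            + ", ".join(sorted(untrusted)))
    return findings


INBOUND_SAMPLE = build_sample("bob@example.com", "invoice.pdf.exe", b"MZ\x90\x00 constructed bytes")
OUTBOUND_SAMPLE = build_sample("someone@freemail.test", "q3-forecast.xlsx", b"CONFIDENTIAL forecast")

if __name__ == "__main__":
    print(check_message(INBOUND_SAMPLE, "inbound"))
    print(check_message(OUTBOUND_SAMPLE, "outbound"))
```

Content-type and byte-signature checks, rather than filename extensions alone, are what a production scanner would add on top of this; the example keeps only the policy logic.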
Phishing is one of the most common forms of cyberattack because it exploits the most common cybersecurity weakness: people. By training your staff in mindfulness, educating them on the red flags of a scam, running regular drills, and incorporating security software, you can take a huge step towards mitigating this weakness. You’ll still be targeted on occasion, of course - but this time, you’ll have a much easier time making it out unscathed.