October is National Cyber Security Awareness Month and once again consumers and business professionals will read and hear stories from industry experts and vendors on the latest cybersecurity threats and what they can do to remain safe online. EdgeWave aligns with these national initiatives and over the coming weeks, we are excited to share a four-part series highlighting the issues specifically related to email-borne cyber threats stemming from Phishing attacks.
The National Cyber Security Alliance theme for this week is “Simple Steps to Online Safety”. Everyone is encouraged to think of ways to protect themselves while online and put them into practice. While EdgeWave’s focus is providing web and email security solutions for business, we know consumers are at the core of every business and emails are still the lifeblood of business communication. The knowledge we gain and the security practices we follow at work are highly influenced by the home environment – and vice versa. Let’s look at the impact Phishing has on us all:
From the Anti-Phishing Working Group’s Phishing Activity Trends Report (published Feb 2017):
- Phishing attacks have grown more than 5700% since 2004
- 1.2M total phishing attacks reported in 2016 — a 65% increase over prior year
- Over 277K phishing sites detected in Q4’16 and 46% were hosted in the United States
- Over 211K unique phishing e-mail campaigns were reported by consumers in Q4’16
For businesses, a successful Phishing attempt could lead to a data breach of sensitive company and customer data. According to Verizon in the 2017 Data Breach Investigations Report, “email phishing attacks are the most prevalent variety of social attacks, which comprise nearly 44% of successful breaches.”
Businesses that maintain customer credit card data are highly targeted, and hackers place their bets on opportunities that might yield the greatest reward. In their research, the Anti-Phishing Working Group reported that Retail, Financial Services, and ISPs were affected more than other vertical industries, but the risk is still great for all businesses, regardless of industry.
So what security measures should a business implement when it is concerned about protecting its intellectual property and customer data? How does IT staff ease the fears of their CIOs and CISOs about seeing their company on the front page of the Wall Street Journal or on CNN, explaining how hackers got access to their data?
Businesses can develop their own “counterattack” plan based on some simple steps – things that
- Put anti-spam security tools in place to do much of the heavy lifting and protect employees from known email-borne threats. Filter spam at the gateway but also configure employees’ email clients for security as an added measure of protection (useful for remote workers who aren’t connecting through the corporate network). While spam is typically delivered en masse, phishing is a more targeted form of spam – a scam. Because phishing is more advanced, EdgeWave recommends adding an anti-phishing solution to go with the basic anti-spam tools.
- Add other layers of security such as antivirus software and a firewall (and keep them up-to-date). Phishing attacks are constantly emerging. According to Verizon, 95% of those that lead to a breach were followed by malware installation, with 66% of the malware installed from infected email attachments.
- Provide security awareness training for employees. Encourage them not to trust unsolicited email, to treat email attachments with caution, and not to click links in email messages. While there are professional organizations that specialize in security training, it all starts with a conversation between IT staff and employees about the security policies they should adhere to.
There are links to additional free resources below that can help you learn more about Phishing and you can also check out EdgeWave Anti-Phishing Solutions: https://www.edgewave.com/solutions/phishing/
Part two of this series will focus on the resource constraints and demands of IT professionals. Part three will take an in-depth look at the challenges and risks that employees present. Part four will introduce new solutions to help businesses guard against Phishing attacks.
National Cyber Security Alliance (NCSA): https://staysafeonline.org/
STOP. THINK. CONNECT.™ is the global online safety awareness campaign to help all digital citizens stay safer and more secure online: https://www.stopthinkconnect.org/
Department of Homeland Security Cybersecurity Toolkits: https://www.dhs.gov/stopthinkconnect-toolkit#
Report Phishing: https://www.antiphishing.org/report-phishing/overview/