How to Prevent Phishing Attacks: Strategies for Small Business IT Departments and Specialists
Phishing is the number one security threat for small businesses. Intended to sound like ‘fishing’, this social engineering tactic attempts to trick targets into providing their personal information or installing malicious software. The U.S. Department of Justice believes there’s $5B in financial damage attributed to such scams every year.
The dramatization of cybercrime in the media has us believing that the majority of breaches involve a sophisticated hacker, typing furiously on their terminal in a dark room to break through a company’s network. First, few hackers are that good; second, why not just trick a human into opening the door?
Adversaries that employ phishing techniques effectively tend to be very persuasive, having more social than technical acumen. They’re very good at convincing employees to simply hand over the “keys”. They also, unfortunately, understand that small business employees typically are much more vulnerable than their enterprise counterparts who’ve been trained to sidestep such traps.
What are the Methods of Phishing?
The most common type of phishing that companies are exposed to is “spray and pray” campaigns. It’s the least sophisticated technique: a generic message is emailed to millions of users asking them to provide information or click a link that would subsequently download malicious software. This method is easy to spot, but one duped employee could have grave repercussions for a small business. That single click could install ransomware, which shuts down company systems unless a hefty ransom is paid.
Email isn’t the only platform where small business employees are vulnerable to phishing attempts. Adversaries seek to establish rapport with victims through websites, text messages, and social media as well. In fact, 1.3 million fake web pages are created per month for the sole purpose of attempting to trick users to enter their personal information. These fake log-in portals are rather well-done, and even the most discerning eye could be fooled by one during a busy day.
The most effective means of phishing is “spear phishing”, where the adversary homes in on a particular individual to develop trust and maximize the chance of getting them to do what they want. Often this involves posing as someone within the organization, usually someone in leadership, and more often than not, the CEO. The criminal harvests enough information beforehand about the targeted company, department, and individual to come across as authentic. Usually, all it takes is a quick comb through social media to get a sense of the target’s interests and hobbies to build trust.
Spear phishing can be a very effective way to get an employee to grant access to unauthorized users. The ultimate goal is to breach the employer’s network and get access to money or intellectual property rather than to exploit the targeted user themselves. One of the most common tactics these criminals use is malicious “payloads” hidden within forwarded documents. Once the employee opens the document, they are prompted to enable macros in order to view the file correctly. These macros then turn out to be malware or ransomware.
How to Defend Against Phishing?
So what is the best defense against phishing? Here are 5 strategic steps small and medium businesses should implement to achieve phishing protection.
1. Train employees to detect phishing attempts
The first step is to make employees aware of the threat. Security guidelines must be crafted and enforced — do not be afraid to be strict and establish consequences for noncompliance.
Next, it’s critical that all employees are trained to discern between genuine correspondence and phishing. They also need to know the basic trends. Mass phishing attempts often have grammatical errors, attackers often use high-profile events as a lure, and low-level employees in finance and human resource departments tend to be targeted the most.
It’s a good idea to develop exercises within a protected sandbox environment and test employees’ ability to identify what is a legitimate correspondence and what is not. Ideally, a small business should enlist the help of a managed services provider well-trained in phishing detection and mitigation, who can help craft security guidelines and conduct
2. Securing the network perimeter
Since adversaries are ultimately looking to access the company’s network through phishing, a small business should look to secure their network’s perimeter. In a multi-cloud world, where the typical organization is using a mix of several on-premise and cloud applications, the perimeter is a lot less straightforward and harder to protect than it used to be.
Adversaries tend to breach the most vulnerable part of the perimeter and then ride the “lateral traffic” between systems to get access to everything. When using multiple systems and applications, it can be difficult to know where vulnerabilities lie within the perimeter and actively monitor security across all of them. A managed service provider can help you find gaps within your network and protect your perimeter across all platforms.
3. Keep all software and systems up to date
Phishing attacks, like most other forms of cybercrime, look to exploit outdated software. In a perfect world, employees would detect phishing before they fall victim to it, and malware would never be downloaded. But by ensuring that all software is patched and updated, you dramatically reduce the chance that a successful phish turns into an actual exploit.
4. Mailbox security
Intelligent users are the best line of defense against phishing attempts, but software can help too. Anti-spam and anti-malware products, such as BitDefender GravityZone Security for Exchange, can flag suspicious correspondence. Strong security offerings provide multi-layer protection against spam and phishing without overburdening email servers with security processes.
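As an added example (not from the original article, nor from any product it names), here is one concrete check a mail gateway or help-desk script could run on an Office attachment: it looks inside the OOXML package for an embedded VBA project, the mechanism behind the macro payloads described earlier, and treats macros in a file whose extension promises none (e.g. .docx) as the strongest signal. The sample documents are constructed in memory so the check runs offline.

```python
import io
import os
import zipfile

# Names that an OOXML package only contains when a VBA project is embedded.
MACRO_MARKERS = {"vbaproject.bin", "vbadata.xml"}
# Extensions that legitimately carry macros; anything else with VBA inside is a mismatch.
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style package (harmless stand-in, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


def attachment_verdict(filename: str, data: bytes) -> str:
    """Classify an attachment: 'not-ooxml', 'clean', 'macro-enabled' or 'suspicious'.

    'suspicious' means VBA was found in a file whose extension should not carry it;
    a gateway policy would typically quarantine both 'suspicious' and, for external
    senders, 'macro-enabled' attachments for review.
    """
    ext = os.path.splitext(filename)[1].lower()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
    except zipfile.BadZipFile:
        return "not-ooxml"  # plain text, legacy binary .doc, etc.: needs a different scanner
    has_vba = any(os.path.basename(n) in MACRO_MARKERS for n in names)
    if not has_vba:
        return "clean"
    if ext not in MACRO_EXTENSIONS:
        return "suspicious"
    return "macro-enabled"


if __name__ == "__main__":
    for name, doc in (("invoice.docx", build_sample(True)),
                      ("invoice.docm", build_sample(True)),
                      ("invoice.docx", build_sample(False))):
        print(name, "->", attachment_verdict(name, doc))
```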
5. Anti-virus software
The steps above, if followed comprehensively, should render a small business protected. However, it is still necessary to make plans to mitigate damage if a phishing attack does breach a company’s network. All small businesses must employ tried and true anti-virus software such as the McAfee line of products.
Aventis Systems has expertise in securing small businesses. We provide both the consulting services and security products required to make your people and systems as smart and secure as possible to thwart cyber threats.