The number of cyberattacks and security breaches grows every year, and the growth is accelerating. According to Gemalto's Breach Level Index, the number of data records compromised in the first half of 2017 was up 164 percent on the second half of 2016, and projections for 2018 point to further growth.
The pattern is clear: cyberattacks are becoming more frequent, and they are also becoming more sophisticated. Cybercriminals have ready access to tooling for slipping past firewalls and anti-virus filters, and for locating and wiping backups before ransomware is triggered. Over-reliance on any one control is a recipe for eventual disaster.
But the vast majority of cyberattacks still start from a single point of origin: email phishing. Phishing emails use a variety of deceptive tactics to trick users into handing over key data (login credentials, sensitive financial information, customer records) or into opening an attachment or link that installs malware.
Protecting your organization's email users from phishing is therefore one of the highest-leverage defences you have. Build a solid, multi-layered security approach into your corporate culture and processes and you greatly reduce the chance of ever having to explain a data breach to customers and stakeholders.
How to prevent phishing attacks
While cybercriminals continue to innovate new ways to pilfer data and illicitly obtain sensitive login credentials, there are some key strategies you can implement today to keep your business safe. Some of these are common sense, others are more subtle.
All of them are critical for any Internet-enabled business. Implement these steps to keep your business safe from email phishing, cyberattacks, and data breaches:
1. Keep your anti-virus updated
This is an obvious step, but one that many individuals and businesses neglect. Anti-virus software compares files and program behaviour against a database of known threat signatures and heuristics; when something matches, it raises an alert and blocks execution.
Cybersecurity professionals identify new threats every day. For an anti-virus solution to work, it needs the latest signatures in its database; otherwise it only looks for threats that are already obsolete, and today's malware and phishing payloads walk straight past it.
High-powered anti-virus software can also identify fake updaters that contain malware and check website addresses against lists of known-malicious URLs. There is no good reason to delay installing an update once the vendor releases it, so automate the updates rather than relying on anyone remembering to apply them.
2. Instruct employees on when to open email attachments
A simple rule for email attachments: open one only when you expected it and know what it contains. Whether it is a spreadsheet, a PDF or a Word document, an unexpected file is a potential delivery vehicle for malware.
This also holds true for attachments from known and trusted contacts. Cybercriminals compromise business email accounts and use your colleagues' own mailboxes against you, so the sender's name is no guarantee. When in doubt, confirm with the sender over a channel other than the email itself (a phone call or chat message), and have your mail gateway block or quarantine file types whose main purpose is to run code: executables, scripts and macro-enabled Office documents.
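An added example, not code from the original post, of the gateway-side check described above: it parses a message, looks at every attachment and reports why it deserves scrutiny. The checks go slightly beyond the text: executable and script extensions, macro-enabled Office formats, archives, "invoice.pdf.exe" double extensions, and a comparison of the file's leading bytes against what its extension claims, so that a PE executable renamed to .pdf is caught. The extension lists, the magic-byte table and the sample message are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Extension classes. Assumption: a typical Windows workstation where these
# types run code when double-clicked or can carry VBA macros.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs",
                   "vbe", "wsf", "ps1", "hta", "msi", "jar", "lnk"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm", "potm"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "gz", "tgz", "iso", "img"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}

# Leading bytes of common container formats (from the public format specs).
MAGIC = [
    (b"MZ", "pe"),                                   # Windows PE executable
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),   # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                          # zip, also .docx/.xlsx/.xlsm
    (b"%PDF", "pdf"),
]
# What the bytes should look like for a given extension.
EXPECTED_KIND = {"pdf": "pdf", "doc": "ole2", "xls": "ole2", "ppt": "ole2",
                 "docx": "zip", "xlsx": "zip", "pptx": "zip",
                 "docm": "zip", "xlsm": "zip", "pptm": "zip", "zip": "zip"}


def sniff(data: bytes) -> str:
    """Identify the container format from its leading bytes."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> list[str]:
    """Return the reasons an attachment deserves scrutiny (empty list = nothing found)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable or script extension .{ext}")
    if ext in MACRO_EXTS:
        reasons.append(f"macro-enabled Office document .{ext}")
    if ext in ARCHIVE_EXTS:
        reasons.append("archive or disk image; inner files not inspected here")
    # "receipt.pdf.exe": a document-looking name whose real extension is different.
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:
        reasons.append("double extension")
    if kind == "pe":
        reasons.append("content starts with an MZ header: a Windows executable")
    expected = EXPECTED_KIND.get(ext)
    if expected and kind not in ("unknown", expected):
        reasons.append(f"content looks like {kind}, not a .{ext} file")
    return reasons


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Parse an RFC 5322 message and assess every attachment in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings[name] = assess_attachment(name, part.get_payload(decode=True) or b"")
    return findings


def build_sample() -> bytes:
    """Constructed test message (not real mail): one clean and three suspicious attachments."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Invoices attached"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Named .pdf but carries a PE header.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="statement.pdf")
    # Macro-enabled workbook (an .xlsm is a zip container).
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12", filename="payroll.xlsm")
    # Classic double extension.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="receipt.pdf.exe")
    return bytes(msg)


if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(f"{name}: {'; '.join(reasons) or 'no findings'}")
```

The magic-byte comparison is the part that matters most in practice: a user who follows the "know what you are opening" rule still cannot tell from the name alone that statement.pdf is an executable, so that check belongs in the gateway, not in training.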
3. Implement DMARC to protect your customers
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication standard that builds on SPF and DKIM. A DMARC record published in your domain's DNS tells receiving mail providers what to do with messages that carry your domain in the From: header but fail authentication, and where to send reports about them.
On its own this will not stop phishing that arrives from other domains. Its job is to stop outgoing impersonation: messages forged in your name are rejected or quarantined before they reach customers, vendors and partners, and the aggregate reports tell you who is attempting it. Start with a monitoring policy (p=none) to learn which legitimate services send as your domain, then move to quarantine and finally to reject.
4. Set specific protocols for communicating personal information
Develop a cybersecurity policy that identifies how, when and through which channels your employees may disclose personally identifiable information. A cybersecurity professional should write these protocols and, wherever possible, enforce them automatically (for example, a data-loss-prevention rule that blocks spreadsheets of customer records from leaving by email), so you are not relying on employees remembering to follow policy.
In general, communicate sensitive data only through secure web portals or over the phone. But these channels cannot be trusted on their own: the other party must be authenticated first, and a phone number or portal link supplied in the requesting email does not count, because the attacker chose it. Call back on a number you already have on file.
5. Use two-factor authentication
Two-factor authentication can stop a successful phish from turning into a breach: even if a user types a password into a fake login page, the attacker still lacks the second factor. A common form is a password followed by a one-time code from an authenticator app or sent by SMS. Be aware of the limits, though: a code the user types can itself be phished and relayed in real time by a proxy site, and SMS codes can be intercepted through SIM swapping, so for high-value accounts prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, which are bound to the genuine site's origin.
Examine all of your company logins, vendor integrations and other trusted communication channels and ask whether each really needs to be trusted automatically. Unless there is a business-critical reason for a connection to enjoy automatic trust, it should require a second factor.
6. Educate employees on phishing scam identification
Tell your employees to forward every suspicious, unexpected or otherwise odd email to one accountable owner (in practice a shared reporting mailbox or a report button, so the process does not stall when one person is away). That owner should review what is reported, separate false alarms from genuine threats, and hold regular sessions walking staff through real examples of both.
With enough exposure to known phishing scams, your employees will become better at detecting suspicious emails when they arrive.
7. Run mock phishing drills
A Columbia University study found that in a group of 2000 students and faculty members, it took four mock phishing drills to teach every single participant to identify and delete phishing emails. While the majority learned after the first drill, it took multiple rounds before the entire group achieved the same results.
Since a single successful attack can threaten the stability of your entire business, aim high with mock phishing drills, but be realistic about what "high" means: click rates never stay at zero for long, so the metrics that matter are how many people report the lure, how quickly, and how fast you can act on the first report. It may take several iterations, but your employees will keep getting better at identifying phishing emails.
8. Invest in time-of-click protection
One of the best ways to protect employees from email phishing is an email security solution that offers time-of-click protection. Instead of judging a link once at delivery, the gateway rewrites each link so that a click first passes through a checkpoint that verifies the URL's reputation at that moment, comparing it with known attack infrastructure in real time.
This matters because attackers often send a link while its destination is still harmless and only weaponize it after the mail has passed inbound filtering. With URL reputation maintained on an up-to-the-minute basis, even attacks that are propagating right now can be stopped, which is the approach taken by time-of-click solutions like the one we offer at DuoCircle. The lookup is still only as good as its reputation feeds, so treat it as one layer alongside user training and two-factor authentication rather than a replacement for them.