Reeling in a big phish
As the old saying goes, “Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.” The same could be said for preventing phishing attacks. Put an antivirus program on someone’s computer and it might keep their computer protected until it’s outdated. Teach someone what warning signs to look for, and they will be less likely to be the latest victim of a phishing attack during their tenure at the company.
Cyberattacks typically begin with a phishing email. In fact, studies have shown that 92 percent of malware is delivered by email and the average user receives 16 phishing emails per month.
It’s not just individual employees who are at risk either. Businesses are often the target of these emails. Ninety-five percent of attacks on business networks result from successful spear phishing — highly targeted attacks aimed at deceiving a specific person. Many companies are leaving an opening for this to occur as well. According to Check Point Research’s 2018 Report on Information Security, 97 percent of organizations are using outdated cybersecurity technologies.
Phishing emails can result in data breaches, payment fraud and ransomware. Most people are familiar with the widely publicized data breaches that have received mass attention, such as the ones that happened to Capital One and Equifax. In reality, middle market companies are the most vulnerable to these types of attacks because of their limited security personnel and the minimal funds they budget for managing cybersecurity. This limited budget ends up proving quite costly for them: the average remediation cost of a major phishing attack to a mid-sized company in the U.S. ranges between $290,000 and $429,133, according to a report issued by Osterman Research Inc.
Many owners and executives are not familiar with the steps needed to provide strong cybersecurity for their company and employees. Most rely on an employee or an outside information technology contractor to handle security for the company. These executives, especially at the mid-market level, do not make cybersecurity a priority. With such limited attention and resources, they cannot stay ahead of, or even keep pace with, cyberthreats that are evolving every day.
While it is important to have a strong cybersecurity system in place, it is imperative to have employees trained on what to look for. Most major breaches within the last decade have resulted not from technology failures, but from people and process failures. In order to remain safe from breaches or other malware-related issues, employees must be diligent in recognizing and managing phishing emails. The best way to achieve this is by training staff on how to identify and handle them properly.
Practice is necessary in order for people to be able to recognize phishing scams and learn how to deal with them appropriately. Employees are on the front lines of all phishing attacks. Conducting internal phishing campaigns gives employees the opportunity to practice safely while providing companies a mechanism to track progress. Training and testing employees on phishing recognition skills will decrease the chances of a company-wide breach.
It only takes one click of a mouse on the wrong email to damage a company’s well-being and reputation. It is worth investing in the proper training and processes to prevent a mistake that could cost the company millions of dollars. A recent Ponemon Institute study that focused on the cost of phishing and the value of employee training found that training reduced click-throughs on phishing emails by between 26 percent and 99 percent, with an average improvement of 64 percent.
Nearly every company will be the target of a cyberattack at some point as long as their doors are open. The better employees are at recognizing a phishing email, the more likely the company will be able to avoid an attack that could damage their reputation and cost them precious time and money. It is essential for companies to have core cybersecurity practices in place and for employees to know what to look for and how to handle it.
David Barton is a managing director with UHY based in Atlanta, and serves as leader in the internal audit, risk & compliance and management & technology consulting groups. He has more than 25 years of practical experience in information systems and technology risk and controls.
Kimberly Anderson is a senior manager with UHY based in St. Louis and serves on the technology risk and compliance group. Anderson has 20 years of experience in information technology consulting, including audit, SOC reporting, PCI compliance, DR/BCP and cybersecurity.