Although many companies are adopting new communication technologies, such as Slack, e-mail is still the primary form of communication for most businesses. There are 294 billion e-mails sent throughout the world every day. According to M3AAWG, 90% of all e-mails are spam and virus distributors. Hackers and cybercriminals can exploit company employees and their customers in e-mails using Social Engineering. Social Engineering is the use of deception, to manipulate individuals into divulging confidential or personal information that could be used for fraudulent purposes.
There are multiple types of Social Engineering attacks, phishing being the most common. No company is immune to phishing attacks, although many companies have set up sophisticated inbound mail filters to reduce the probability of employees receiving phishing emails. However, undesired e-mails can quite easily slip through the cracks and end up in the mailbox of a company employee. Cybercriminals may pretend to be someone they are not, such as another employee or their boss, asking for Personal Identifiable Information (PII) or a request for payment. No matter how small or large a company is, proper security awareness training should be required for preventing Social Engineering attacks. In 2017, Facebook and Google each lost $100 million to such attacks. This shows that even high market cap tech companies are not able to completely eliminate the impact of these attacks. However, the losses would be much greater if it weren’t for the advanced security awareness training programs available in the market today. An increasing number of companies are implementing simulated phishing attacks, paired with interactive training, to increase employee aptitude in recognizing phishing emails.
In a simulated phishing attack, the company will intentionally send out a fake email to employees including attachments or links that, in a real attack, would be malicious. If an employee clicks on the attachment or link, they have failed the simulated test and the results are reported back to the software that ran the test. At the end of the test security, administrators use this click metrics to see how susceptible their employees are to phishing scams. The industry average for an exercise such as this is a failure rate of 13.2%. To some, this may sound low, but all it takes is one person to click on a link or send PII information, for large amounts of money, data, and other assets to be damaged or stolen. A 13.2% failure rate should not be celebrated, it is the responsibility of companies to lower this number to 0%. When a company is in the news for being hacked or compromised, it is no longer an eyebrow-raiser. Companies making the news for being compromised is now a common theme. Security awareness training will help prevent your company from being compromised. Along with Security Awareness training, here are some other best practices:
- Multi-factor authentication – one of the most valuable pieces a cybercriminal will seek are user credentials; using multi-factor authentication helps to ensure an account’s protection by requiring two pieces of evidence that you are the proper authenticated individual
- External e-mail tagging – tagging emails from external senders is an effective way to instantly inform users that an email has come from someone outside of the company’s domain.
- Application whitelisting – Only specific, approved software can run on an employee’s machine; the bare minimum that the employee needs to complete their daily duties. This is an effective technique to make it very difficult for hackers to gain access to a machine.
Clearview Group helps companies of all sizes, across many industries, to consult on ways to reduce cybersecurity risk, including the risk of social engineering attacks and phishing scams. We understand that it is only through the combination of people, processes, and technology that an effective risk management program can be built. If your company is looking to identify potential gaps in your cybersecurity risk management program or implement strategies to reduce cyber threat exposure, contact Clearview today.