You can have the best cybersecurity system in the world, but all it takes is one employee clicking one wrong link to blow your company's online systems wide open. The 2019 Cost of a Data Breach Report (IBM Security and the Ponemon Institute) put the average cost of a data breach worldwide at $3.92 million, and the United States fares much worse than that average.
In the United States, the average cost was about $8.19 million per breach. Devastatingly, about a third of that cost comes from lost business after the incident: customers whose trust was broken take their business elsewhere, and trust can't be bought back at any price.
A major reason phishing keeps succeeding is how quickly scammers adapt, both to current events and to whatever training employees have received about phishing. Because the lures keep changing, employees hand over confidential information without a second thought.
Scammers spoofing secure sites
Most people treat a website as safe if its address starts with "https://" and the browser shows a lock icon. That was always a misreading: the lock means only that the connection is encrypted and that the site holds a certificate for the domain name in the address bar, not that the site is legitimate. Certificates are now free and issued automatically, so scammers obtain them for their phishing domains just as easily as anyone else.
At the end of 2017, nearly a third of phishing sites already used HTTPS, according to PhishLabs. By the end of 2019, the Anti-Phishing Working Group estimated that 74% of phishing websites were served over HTTPS with a valid certificate.
For these reasons, businesses may find the idea of stopping a cyberattack of any kind daunting. There are, however, some relatively simple ways to stop scammers in their tracks.
One of the most effective: make sure your employees are well trained in spotting and avoiding phishing scams. An untrained employee with access to sensitive information, or even just a username and password for the company network, can be the catalyst for some of the worst attacks businesses face. Here are three of the most common ways employees expose businesses to outside attack.
1. Being in a hurry
The average employee gets dozens of emails a day. The usual habit is to delete or skim past the spam and jump straight to the business messages or social media notifications that look relevant.
Scammers know how employees work. They spoof the sender address or craft subject lines suggesting the recipient must respond quickly or complete a task for a superior. In the rush to respond, employees may not read the message as closely as they should. Believing the link comes from a trusted sender, they click it and land on a convincing copy of a familiar login page, which captures the credentials they type in. Those credentials then give the scammers access to company data, whether it sits on a server in the office or in the cloud.
The 2017 Enterprise Phishing Resiliency and Defense Report found that common phishing lures included holiday eCard alerts, new rewards programs, grievances or complaints filed, safety bulletins, courier delivery notices, required browser updates and benefits open-enrollment periods.
2. Missing subtle signs of phishing
Few employees are going to fall for the old "African prince" advance-fee scam, but many miss the more subtle signs of subterfuge.
"Phishing emails often look like they are from credible sites but are designed to trick you into sharing your personal information," Gary Davis, chief consumer security evangelist at Intel Security, told BusinessWire. "Review your emails carefully and check for typical phishing clues including poor visuals and incorrect grammar."
Check every embedded link before clicking it: hover over the link (or long-press it on a phone) to reveal the real destination, and compare that with where the message claims it leads. Watch out for look-alike addresses that differ from the genuine one by a single character, and for familiar brand names that appear only as a subdomain of some other site.
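As an added example (not code from the article or from Prime-Tek), here is a small Python checker that pulls every link out of an HTML message and applies the checks described above: whether the destination is HTTPS, whether the visible link text names a different domain than the real target, whether a trusted brand name is buried in a sub-domain of some other site, whether the host is a punycode name, and whether the registrable domain is a one-character look-alike of a trusted one. The trusted-domain list and the sample message are constructed for the demo, and the registrable-domain logic is a naive "last two labels" rule rather than the Public Suffix List.

```python
"""Flag suspicious links in an HTML e-mail body.

Added example for this article; not code from the article or from Prime-Tek.
The trusted-domain list and SAMPLE_EMAIL below are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the organisation and its vendors really use (constructed).
TRUSTED_DOMAINS = {"example.com", "paypal.com", "microsoft.com"}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Fine for .com-style names; a real
    checker would consult the Public Suffix List (e.g. for .co.uk)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def displayed_host(text):
    """Host named by the visible link text, if that text looks like a URL."""
    t = text.strip()
    if "://" in t:
        return (urlparse(t).hostname or "").lower()
    if "." in t and " " not in t:
        return t.split("/")[0].lower()
    return None


def check_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return the reasons (possibly none) this link deserves a second look."""
    reasons = []
    url = urlparse(href)
    host = (url.hostname or "").lower()
    labels = host.split(".")
    actual = registrable_domain(host)

    if url.scheme != "https":
        reasons.append("not https")
    if any(label.startswith("xn--") for label in labels):
        reasons.append("punycode (internationalised) host; check for homoglyphs")

    # Visible text says one domain, the href goes somewhere else.
    shown = displayed_host(text)
    if shown and registrable_domain(shown) != actual:
        reasons.append(f"displayed domain {registrable_domain(shown)} differs from target {actual}")

    if actual not in trusted:
        for t in sorted(trusted):
            brand = t.split(".")[0]
            # Brand name used as a sub-domain label left of the real domain.
            if any(brand in label for label in labels[:-2]):
                reasons.append(f"brand '{brand}' used as a sub-domain of {actual}")
            elif edit_distance(actual, t) <= 1:
                reasons.append(f"{actual} is a look-alike of {t}")
    return reasons


def scan_email(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, text, reasons), ...] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, check_link(href, text, trusted)) for href, text in parser.links]


# Constructed phishing sample: two bad links and one genuine one.
SAMPLE_EMAIL = """
<p>Your account has been limited. Restore access at
<a href="https://paypal.com.account-verify.example/login">https://www.paypal.com/login</a></p>
<p>Your invoice is ready: <a href="http://paypa1.com/invoice/8812">paypa1.com</a></p>
<p>See our <a href="https://www.example.com/policy">privacy policy</a>.</p>
"""

if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(f"{href!r} shown as {text!r}: {reasons or 'looks fine'}")
```

Run against the constructed sample, the first link is flagged twice (the visible text says paypal.com while the target is account-verify.example, and "paypal" is only a sub-domain label), the second is flagged for plain HTTP and for being one character away from paypal.com, and the genuine privacy-policy link passes. The same checks are what a person does by hovering over a link; the code simply makes them mechanical.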
3. Not using two-factor authentication
Employees may grumble about confirming a login with their phone or a second email account, but it is an effective way to stop attackers on an outside network from getting in with stolen credentials: the password alone no longer opens the door. Codes delivered by text message or email can themselves be phished along with the password, so app-generated codes or hardware security keys are the stronger choice. Companies that don't offer two-factor authentication, or make it optional, should consider making it mandatory company-wide.
How training and testing pays off
Regular training that keeps employees current on the latest phishing trends may be your best bet for keeping your company's network safe.
"The tendency to fall for a phishing email, or susceptibility, is best addressed with conditioning employees to recognize and understand phishing emails," explains the 2017 Enterprise Phishing Resiliency and Defense Report. "Repeated phishing simulations—including those based on relevant, emerging threats—have shown a shrinking susceptibility rate for three years running. It’s proof that a progressive, mature anti-phishing program keeps organizations safer."
Prime-Tek, a cybersecurity company offering firewall management; external, internal and Wi-Fi vulnerability testing; and an innovative training and testing program, knows the importance of keeping company data safe. Many small businesses could not survive the expense of recovering from a successful cyberattack. With proper training and ongoing testing, Prime-Tek says, employees can learn how to avoid those pitfalls.
The new service is "based on educating and testing employees on phishing and other malicious emails, texts and other messages," Tim Petersen, CEO of Prime-Tek, said. "We will send the test 'phishing' emails to the clients on a regular basis and report back if their employees fell for it or not."
With this service, businesses will be able to better prepare their employees for phishing attacks and identify whether their training program is working.
To train and test your employees to keep your information safe, contact Prime-Tek today for a customized quote.