SMB Best Practices For Preventing Successful Email Phishing Attacks

In this article, security researcher Daria Levinshtein lays out some best practices for SMBs to avoid becoming the victim of a phishing attack.

Phishing has long been a major threat that businesses have had to contend with, and the threat has grown significantly in the past few years. Phishing is now the number one cyberthreat faced by businesses. While phishing emails used to be easy to identify, phishing attacks are now much more sophisticated and virtually indistinguishable from genuine emails. It is therefore no surprise that so many phishing attempts are successful.

It is difficult to determine exactly how many phishing attacks are successful as many businesses do not report successful phishing attacks. One recent data breach investigations report from Verizon suggested one in 14 employees has been fooled by a phishing attack. Other studies have shown the success rate of phishing attacks to be 10% or higher.

Large businesses are now committing considerable resources to preventing phishing attempts from succeeding. A recent Ponemon Institute survey suggested that companies with more than 10,000 employees are spending an average of $3.7 million every year on phishing defenses alone.

That high spend is understandable considering an estimated 91% of all data breaches start with a phishing email and the average cost of a data breach is now $3.62 million (Ponemon Institute/IBM Security). Small- to medium-sized businesses do not have such deep pockets, yet they too are targeted by cybercriminals. So how can SMBs defend against phishing attacks without breaking the bank?

Best Practices for SMBs to Adopt to Improve Resilience to Phishing Attacks

There are several relatively inexpensive ways for SMBs to improve resilience to phishing attacks. Security solutions can be purchased to block phishing attacks at every stage of the attack, but make sure you cover the basics first. These measures include:

Regular Security Awareness Training

There are many security awareness training vendors that can provide you with training material and anti-phishing CBT courses and they are worth the investment. Alternatively, you can develop your own training material in-house. Regardless of the option you choose, it is important that training occurs throughout the year. An annual training session is not sufficient as employees will forget the training within a couple of months if refresher training is not provided.

Keep Up to Date on New Phishing Threats

Phishing tactics change, so it is important to keep up to date on the latest threats. Ideally, sign up to threat intelligence services and follow reports of phishing attacks in the media. Use the information to keep your employees aware of the new tactics and techniques being used by scammers through email security alerts and monthly cybersecurity newsletters.

Encourage Employees to Report Suspicious Emails

If one employee receives a phishing email, chances are it is not the only copy in your mail system; multiple copies are likely to have been delivered. If you encourage employees to report suspicious emails to the security team, action can be taken to remove all copies of the email from the mail system. It also allows the security team to investigate how the email made it past the perimeter defenses and make changes to block that type of email in the future.

Implement Policies and Procedures for Verifying Certain Requests

Consider prohibiting the sending of sensitive information via email and use a more secure method of transferring files – a file-sharing service such as Dropbox, for instance. Implement policies that require all bank transfer requests sent via email to be verified by phone if the transfer is above a certain amount. A phone call allows the authenticity of any email request to be quickly verified.

Set Up Two-Factor Authentication on All Accounts

If an employee discloses a username and password in a phishing attack, two-factor authentication can prevent the attacker from gaining access to the account. Even if the username and password are used, account access can only be gained with the second factor – for example, a code sent to a mobile phone when an unfamiliar device is used to access the account.

Conduct Phishing Simulation Exercises

Some employees will take training on board and become security titans after one training session. Others will be much slower on the uptake. By conducting phishing simulation exercises you can find out which employees are susceptible to phishing attacks so that they can be provided with further training. Phishing simulation exercises will also help you determine how effective your training program has been.

Adopt these best practices and you will be able to greatly reduce susceptibility to phishing attacks, improve your security posture, and prevent costly phishing attacks and data breaches.

You can find further information on preventing successful email phishing attacks here.