Phishing attacks and how to be resilient
The people an organisation employs can be its most significant cyber security threat.
If employees are not educated and regularly trained in the art and science of cyber resilience, they can accidentally open the door for attackers to walk through.
This is because phishing attacks prey on human nature and the susceptibility of people to engage with what they deem to be a trusted source (when in fact, it’s not).
A successful phishing attack can do major damage to an organisation, leading to the theft of information, the unavailability of key systems and the breaching of data protection rules.
The good news is that businesses can take steps to mitigate the risk of falling victim to a phishing attack and to ensure they know exactly how to respond if one gets through – for most organisations, this is a case of when and not if.
What is a phishing attack?
Phishing attacks encourage an individual to engage with some form of communication because it appears to have come from a trusted source.
Phishing usually centres on fake emails sent to induce the recipient to click on a link or share confidential information, usually related to accessing a system, network or data.
They are usually easy to spot but are becoming increasingly sophisticated with links to spoof websites that look exactly like the legitimate site to which the user thinks they are being redirected.
What makes these attacks so effective is that they play on human psychology and our instinct to take action when requested to do so by a person or organisation we trust.
While technologies exist that help employees spot fake emails and report them, they are less effective than educating and training staff to be cyber security aware.
A quick word on spear phishing:
This a less common type of phishing attack as it is aimed at a specific individual within the organisation due to the privileged capabilities and access to information they have.
This is of great concern when these individuals are easy to identify and are not tech-savvy or phishing-aware.
Phishing and ransomware go hand in hand:
While phishing and ransomware are considered separate types of cyber attacks, they are closely related.
Ransomware is a type of malware designed to block access to systems, networks and data until a ransom is paid, and the most effective way of deploying ransomware is via a phishing email.
Phishing and the common mistakes businesses make:
A large number of small to medium-sized, and even enterprise-level, organisations do not take cyber security as seriously as they should.
A lax information security culture is alarmingly common, and this ultimately leaves businesses vulnerable to not only phishing scams but other cyber attacks.
A strong cyber security culture ensures that staff are encouraged to report dodgy emails instead of being worried about “bothering” members of the security or IT team.
With phishing scams, this is often the difference between an attempt being successful or not.
The impact of a phishing attack can be severe:
A successful phishing attack can cause major headaches for a business.
It can lead to sensitive and valuable information being compromised or stolen, which in turn can mean breaching data protection rules and being subject to the fines and penalties that come with doing so.
That ransomware is often combined with a phishing attack means that organisations can have their systems and networks taken offline until the ransom is paid.
This has a serious negative impact on the ability of the company to conduct “business as usual”, preventing it from providing products and services to its customers.
Not only does this inhibit the company’s ability to generate income, it can do untold damage to its reputation which can take years to recover, if at all.
How to respond to a phishing attack:
If data has been stolen, it’s important to contact the local law enforcement agency and other bodies such as the Information Commissioner’s Office as data theft is a crime in most countries.
To truly diagnose the impact of the attack, it’s best to work with a cyber security specialist as
it will have the knowledge and expertise required to determine what has been stolen, which systems are unavailable and the proper steps to take to get back online quickly.
Have a strong cyber security culture in place:
The most effective way to protect against phishing attacks is to have a comprehensive cyber security policy in place and which includes regular staff training and awareness initiatives.
If this is combined with technologies that help to identify and report phishing scams, a business can mitigate the risk of falling victim to a phishing attack.
To learn more about how CRMG can help your organisation be cyber-resilient, get in touch with the team here.