If you have used email in the past ten years or have had an online presence there is a good chance you know about phishing. I am not talking about the relaxing, semi-boring, past-time spent with Grandpa on the lake, but those off-putting, suspicious emails and other messages you get that just don’t seem quite right. You know the ones I am referring to: It could be a “friend” stranded in a foreign country needing money to get home or your “boss” emailing you out of the blue to cut a check for a vendor you’ve never dealt with. Essentially these “phishing attacks” are designed to look like a trusted source so you open the message/attachment and unleash whatever malware they have attached.
The motivation behind these phishing scams can range from pure profit to political disruption, but, in the vast majority of attacks, hackers are looking to capture as much data as possible and turn it into cash. These scams take many forms and can have potentially devastating effects: 60% of small businesses hit with a significant phishing attack have had to shut their doors within 6 months of the incident. We will discuss the three things you need in your Phishing Tackle Box so you’re prepared for the worst.
Okay, so what exactly does it mean to follow the “best practices” for your business? This is often a hard question to answer because each business is different, from the data they handle to the amount allotted to their security budgets. The following is recommended for everyone:
- Corporate grade firewall
- Corporate grade anti-virus on all workstations
- Spam email filters
- Multi-factor authentication
- Data backups onsite/offsite
There is much more you could do on the technical side, but the above list would be a good starting point for any business no matter its size. Now, just because you did some work on your network, don’t pat yourself on the back just yet. Industry best practices do not only cover what needs to be implemented on the technology side, but also what needs to be implemented from a physical and administrative point of view, which brings us to the next part of your tackle box.
Remember Blockbuster Video? They thought they had it all figured out when it came to the movie rental industry and were so confident in their solution that they didn’t see the next big thing (Netflix). The same logic applies to your security. If you don’t build your network to accommodate and change with the times, your now-fancy network security system will become stagnant and leave you exposed. Staying apprised of new cybersecurity trends will not only help keep your software up to date, but will also help with your biggest security threat: your employees.
This is NOT an insult; employees are typically a company’s most valuable asset, but when it comes to data breaches, the vast majority are caused by end-user error, which is to say someone internal opened something they shouldn’t have. But can you really blame an employee for opening something risky if they haven’t been trained on what to look out for or avoid? Today, employees are not just faced with the classic email scam, but also very clever phishing texts, tweets, pop-ups, and the newest flavor, phishing calendar invites.
Based on the sheer multitude of threats, employee awareness and education are now more important than ever. How your company trains your employees is up to you and can range from actual in-person training sessions (recommended) to sending out educational videos. When considering the training option best for your company, always remember, it only takes one person to let someone in and at that point it’s too late to start pointing fingers.
The last part of your Phishing Tackle Box is the tool you hope you never have to use, the disaster recovery (DR) plan. Your disaster recovery plan is like health insurance for your business. It can be painful paying those premiums, but can you imagine being in a situation where you need it and don’t have it? A medical emergency could be devastating to an employee; the same thing can happen to organizations who do not prepare for the worst.
If you want a firsthand glimpse at the consequences of not having an established disaster recovery plan, look no further than the cities of Baltimore, MD and Riviera Beach, FL. This year both cities were held hostage by hackers for weeks at a time, resulting in hundreds of thousands of dollars in damages, or millions in Baltimore’s case. City officials had no semblance of a disaster recovery plan in place, and this embarrassing oversight nearly turned Baltimore into Balti-no-more (if you liked that pun, try Riviera Breach on for size!).
Here are some of the essentials to include in your disaster recovery plan:
- Appointed official – When a breach occurs, time is critical and you cannot run around like a chicken with its head cut off. You need to have a decision maker chosen in advance to make the tough choices if something were to occur.
- TESTED incident response plan – This is the essential component of any disaster recovery plan. It should be highly detailed and cover, step by step, what to do in the event of a breach. The plan should include things like guidelines for if and when to disconnect from the internet, a map of how company data is stored, and a list of people who must be notified of a breach along with the information needed to communicate with this group.
- Data recovery – Typically, after a breach, your immediate goals are to become operational again and to recover stolen data. If you have properly configured backups this should be easy enough, but you need to be 100% certain that you are restoring to a point in time before any malicious code was introduced. If this is not done, hackers could lie dormant in your network only to resurface months later with more devastating results.
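The data recovery point above (restore only to a snapshot that predates the intrusion, and do not trust a backup you have not verified) can be turned into a small, checkable procedure. The following is an added example written for this page, not code from the original post or from any backup product. It assumes a constructed list of daily snapshots, a hash ledger for each snapshot kept out of band at backup time, and an estimated "first compromise" timestamp supplied by the incident investigation; the safety margin is a hypothetical parameter a team would set for itself.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Snapshot:
    """One backup snapshot plus the SHA-256 recorded when it was taken."""
    label: str
    taken_at: datetime
    sha256: str  # recorded out of band at backup time (assumed ledger)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: 14 daily snapshots taken at 02:00 UTC, 1-14 June 2019.
# Each payload is a stand-in for the backup contents; its hash is the ledger entry.
PAYLOADS: Dict[str, bytes] = {}
SNAPSHOTS: List[Snapshot] = []
for day in range(1, 15):
    label = f"daily-2019-06-{day:02d}"
    payload = f"backup contents for {label}".encode()
    PAYLOADS[label] = payload
    SNAPSHOTS.append(Snapshot(label, datetime(2019, 6, day, 2, 0, tzinfo=timezone.utc), sha256_hex(payload)))

# Constructed incident timeline: breach discovered on 14 June, investigation
# places the earliest malicious activity on 10 June at 09:30 UTC.
NOW = datetime(2019, 6, 14, 12, 0, tzinfo=timezone.utc)
FIRST_COMPROMISE = datetime(2019, 6, 10, 9, 30, tzinfo=timezone.utc)


def choose_restore_point(snapshots: List[Snapshot], first_compromise: datetime,
                         safety_margin: timedelta = timedelta(days=1)) -> Optional[Snapshot]:
    """Newest snapshot taken at or before (first_compromise - safety_margin).

    The margin absorbs uncertainty in the investigation's timeline: the attacker may
    have been present somewhat earlier than the first evidence found. Returns None
    when no snapshot old enough survives, i.e. retention is shorter than dwell time.
    """
    cutoff = first_compromise - safety_margin
    candidates = [s for s in snapshots if s.taken_at <= cutoff]
    if not candidates:
        return None
    return max(candidates, key=lambda s: s.taken_at)


def verify_snapshot(snapshot: Snapshot, payload: bytes) -> bool:
    """Recompute the snapshot hash and compare it with the out-of-band ledger entry."""
    return hmac.compare_digest(sha256_hex(payload), snapshot.sha256)


def retention_covers_dwell(snapshots: List[Snapshot], dwell: timedelta, now: datetime) -> bool:
    """True if the oldest retained snapshot is at least `dwell` old.

    Attackers can sit quietly for months; if retention is shorter than the plausible
    dwell time, every remaining backup may already contain the intrusion.
    """
    oldest = min(s.taken_at for s in snapshots)
    return now - oldest >= dwell


if __name__ == "__main__":
    point = choose_restore_point(SNAPSHOTS, FIRST_COMPROMISE)
    if point is None:
        print("No clean restore point in retention window; rebuild from scratch.")
    else:
        ok = verify_snapshot(point, PAYLOADS[point.label])
        print(f"restore from {point.label} (taken {point.taken_at:%Y-%m-%d %H:%M}Z), integrity ok={ok}")
    print("90-day dwell covered by retention:", retention_covers_dwell(SNAPSHOTS, timedelta(days=90), NOW))
```

With the constructed timeline the selected point is the 9 June snapshot (the 10 June one is taken before the first observed activity but falls inside the one-day margin), and the 14-day retention window fails the 90-day dwell check, which is exactly the "resurface months later" scenario the bullet warns about.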
Phishing, unlike fishing, is becoming more and more common every year. The first quarter of 2019 marked a 62% increase in malware detection according to WatchGuard’s latest Internet Security Report. Phishing scams were among the most popular so make sure you get your tackle box ready now and don’t let a scam capsize your business.