Three Important Phishing Protection Measures to Keep Your Business Safe
According to Cofense, 91% of all cyber attacks start with a phishing email, making it the number one security threat faced by businesses. If adequate phishing protection measures are not put in place, a successful phishing attack is inevitable.
The risk of an attack is also increasing. Research conducted by IBM X-Force revealed more than half of all emails are spam and the majority of those messages are malicious. The Cofense Enterprise Phishing Resiliency and Defense Report revealed phishing attacks increased by 65% last year, while the Wombat Security State of the Phish Report shows just how effective phishing emails are at breaching defenses. The report indicates 76% of businesses have experienced a phishing attack in the past year.
Spam and phishing emails are not just a nuisance. They can have serious implications for businesses. Cofense figures suggest a typical phishing attack costs a mid-sized company $1.6 million to resolve. The Ponemon Institute/IBM Security Cost of a Data Breach Study indicates the average cost of a phishing-related breach is far higher, typically costing an enterprise $3.6 million to resolve.
Many businesses, small enterprises in particular, could not afford to take such a massive hit and have naturally implemented phishing protection measures to reduce the risk of a successful attack. However, protecting against phishing attacks requires more than simply purchasing a security solution.
Cybercriminals’ tactics are constantly changing and phishing campaigns are becoming much more sophisticated. Rather than use ‘spray and pray’ tactics to send millions of messages in the hope that some will be successful, smaller, more targeted campaigns are now being conducted with messages carefully crafted to maximize the probability of a response.
These changes to phishing tactics make it harder to prevent the messages from being delivered to end users, and much more difficult for end users to identify the messages as malicious.
With the threat level at critical, a high probability of attack, and severe consequences if an attack succeeds, businesses need to invest more heavily in security, but where should that money be spent? What are the best phishing protection measures to deploy?
What are the Most Effective Phishing Protection Measures?
When it comes to implementing phishing protection measures, you need to defend in depth. No single solution will provide you with total protection against phishing attacks. If you want to keep your business safe, you will need to implement layered defenses. To get you started, here are three of the most important phishing protection measures to deploy.
Advanced Spam Filtering Software
First and foremost, you need to implement a technological control that will prevent the majority of phishing emails from reaching inboxes. If phishing messages are not delivered, they can do no harm.
The primary defense is therefore a powerful spam filtering solution. Email service providers such as Microsoft and Google have improved their spam defenses, although third-party solutions offer greater protection from phishing. Most commercial spam filters – either appliance-based gateway solutions or cloud-based filters – will block more than 99.9% of spam and malicious messages.
Web Filtering Solution
While spam filtering solutions are effective at quarantining malicious emails and blocking spam messages, around 0.1% of spam emails are still likely to be delivered. Many phishing emails contain hyperlinks to webpages that probe the visitor's browser and plugins for vulnerabilities. When a vulnerability is identified, it is exploited to download malware. Alternatively, end users are convinced to part with their login credentials. A web filtering solution blocks access to webpages known to be used for phishing and malware distribution and can prevent the downloading of malicious files.
Security Awareness Training and Phishing Simulations
Phishers target the weakest link in the security chain – employees. Businesses must therefore ensure their employees are prepared for inevitable attacks, are alerted to the threats they are likely to encounter on a daily basis, and are trained to identify malicious emails.
One of the biggest mistakes a business can make is assuming employees are aware of ‘common sense’ best practices, such as never opening email attachments from unknown senders or not clicking on hyperlinks sent in emails.
All end users must be trained and made aware of the attack tactics being used by cybercriminals, and should be taught security best practices. A once-a-year training session is no longer sufficient. Employees need regular reminders of security best practices and up-to-date information on the latest threats.
Training should be accompanied by phishing simulation exercises. Most security awareness training companies offer free or paid-for phishing simulation services. These exercises help to reinforce training, with a failed simulation turned into an education opportunity. Multiple security awareness training companies have demonstrated that susceptibility to phishing attacks can be reduced by up to 95% with training and phishing simulations.
Implement these three phishing protection measures and you will be able to greatly improve your security posture and prevent costly phishing attacks.