While they pose a significant risk to your business, there are several steps you can implement to help mitigate phishing attacks targeting your company. Let’s take a look at a few of them below.
1) Security Awareness Training
Your best line of defense against phishing attacks is continued education.
Phishing attempts are only successful because of human error, which means your employees need to be taught how to spot them before they fall victim to an attack. Conduct regular security awareness training, including enrolling your employees in courses that help them identify phishing attempts.
As a part of this training, you can even conduct phishing simulations to help them understand how they should respond in real-world situations.
2) Email Security
In addition to security awareness training, bolster your email security. Be certain spam filters are active on email accounts across your network, make it easy for employees to report phishing scams, and be zealous when it comes to password security.
3) Disable Macros
A popular way for attackers to install malware or spyware on your computer is by delivering a Microsoft Office document that requires macros to run. Macros are shortcuts or specific keystrokes that make routine commands easier to implement (i.e. print, save, undo).
By disabling macros, you mitigate the risk of malware being unsuspectingly installed on an enterprise device in the case an employee accidentally opens an infected attachment. Be sure to make this a default setting and enforce it in your group policy.
4) Implement Multi-Factor Authentication
Another effective step in protecting yourself from being hacked via phishing attempts is to enable multi-factor authentication on all accounts.
In the event you do fall victim to a phishing attack and accidentally hand over your email address and password, you have a second line of defense since you need another device in order to authenticate access. Microsoft reports this simple tactic blocks 99% of attempted hacks.
5) Encrypt Sensitive Data
Encryption converts all the data on your network and devices into something only accessible via an authentication key. By encrypting your data, you provide an additional layer of security in the event you’re compromised due to a phishing attack.
6) Employ SSL Certificates
Secure Socket Layer (SSL) certificates indicate information transmitted between a user and a website is encrypted and secure.
These certificates are identified by “https://” at the beginning of a URL address. Other times, it’s indicated by a lock or the word “secure” in the browser bar. Websites without encryption only have “http://” at the beginning of the URL address and often read “not secure” in the browser bar.
If your company’s website collects any sort of personal information from its users (emails, passwords, credit card information, etc.), you need an SSL certificate to ensure their information is transmitted securely. Additionally, Google now uses SSL as a ranking signal. Without one, your website will be harder to find in search results.
7) Provide Securely Hosted Payment Pages
In addition to SSL certificates, if your business collects payment information via the web, it’s important to provide securely hosted payment pages (HPP) for your users.
These are typically hosted by a third-party and can either be embedded into your website or redirect users to a secure platform to process payments. An HPP is already secure and PCI-certified, helps you avoid sensitive credit card information from passing through your servers, and reduces your liability in the event credit card information is stolen.
8) Ensure Security Policy Covers Phishing Prevention Measures
Lastly, ensure your security policy clearly covers phishing prevention measures. This includes requiring security awareness training, establishing password requirements, mandating two-factor authentication, and policies regarding mobile device security.
Summary
Phishing is intentionally designed to trick, manipulate, and force an attacker’s targets into surrendering personal and sensitive information. Sometimes phishing attacks are quick financial ploys, whereas other times, they are a small piece of a larger social engineering attack to bring down an enterprise.
It’s vital for your small business to proactively train its employees to identify and prevent phishing attempts in their tracks, including establishing detailed security protocols to mitigate the risk of exposing sensitive data.
To summarize:
- What is phishing? Phishing is the process that hackers engage in to gain access to sensitive information. These scams victimize companies of all sizes and cost US businesses an average of $5 billion per year.
- How does phishing work? Standard phishing attacks occur in three stages: bait, hook, and catch. Many phishing schemes depend on malware to assist attackers in acquiring the information they’re after, including viruses, trojan horses, ransomware, and spyware.
- Types of phishing attacks – Typically, phishing attacks are attempted via email or fake websites imitating other popular sites. Hackers might also use SMS messages, voice calls, social media apps, or more targeted initiatives, called spear-phishing.
- How to prevent phishing attacks – Effective ways to mitigate risks associated with phishing include Security Awareness Training, heightened email security, disabling of macros on popular software programs, and implementing multi-factor authentication. Companies can also encrypt sensitive data, enable SSL certificates on websites, host secure payment pages, and strengthen security policies.
Need help identifying gaps in your company’s security? Commprise offers IT security and compliance auditing, including phishing tests. Book a call.