You may have heard of phishing, which is the practice of sending fraudulent texts or emails that appear to come from a legitimate source, with the intention of encouraging the recipient to provide personal information.
Businesses have been struggling to protect their networks from phishing, and with attacks up 65% in the past year, it seems the fight is far from over. To make matters worse, a more sophisticated and destructive offshoot of phishing has recently emerged — spear phishing.
What is Spear Phishing?
Phishing messages are usually generic, sent to a large number of people in order to cast a wide net in the hopes that somebody will bite. Spear phishing, as the name implies, is much more precise and is targeted at a specific victim.
The spear phisher gathers personal information about the target, such as an employer, hometown, or friends, in order to craft messages that seem more credible. No red flags are raised, and the recipient happily does as the phisher requests, sharing highly sensitive data and information about themselves in the process.
What Spear Phishing Means for Your Business
Spear phishing presents a major problem for businesses. Phishers are increasingly seeing businesses like yours as lucrative targets, with a staggering 95% of all attacks on business and enterprise networks thought to be the result of successful spear phishing. How does this happen?
The Weak Link in Your Network Security
Spear fishers usually gain access to your sensitive data and business networks via your employees. For example, they might gather information on your employee and use it to craft an email to them appearing to come from your IT team, asking them to click on a link and re-submit their credentials to access one of your network systems.
The link leads to a dummy site that’s barely distinguishable from yours. When your employee logs in, the phisher records their credentials and uses them to access your real system. There, they can steal data, spy on your business, or bring your system crashing down, and you likely won’t even know it’s happened until the damage has been done.
4 Steps to Keep Your Business Safe from a Spear Phishing Attempt
Despite your best efforts to secure your business, you’re only as strong as your employees. Adequately protecting yourself from spear-phishing, then, relies on comprehensive training and awareness. Here are four steps you can take to keep your business safe…
Step 1 – Educate Your Employees
Knowledge is power, so train your employees on how to spot spear phishing and what to do about it. And because threats like spear-phishing evolve rapidly, ensure that your training and awareness programs are refreshed and updated at least annually to stay ahead of phishers.
Step 2 – Practice Good Password Hygiene
Passwords are at the very core of your network security and as such, they deserve the utmost attention. For each of your systems, require that users create long, complex passwords and change them on a regular basis. Don’t just ask users to do this and trust that they’ll comply; make it a mandatory requirement for using the system. And of course, the sharing of company passwords should be discouraged in the very strongest terms, even between other employees.
Step 3 – Implement Multi-Factor Authorization
Multi-factor authorization, or MFA, adds an extra layer of security to your systems. After the user enters their password, they’re typically required to pass through a further verification stage by entering another password/code, answering a question, submitting biometric information, or responding to an email or text. If somebody does obtain the user’s password, MFA means they’ll usually be thwarted at this second stage.
Step 4 – Take Good Practices Home
In order to be effective, good security practices must go beyond the office. Spear phishers will usually target a victim outside of work too, so your employees must be encouraged to apply the same awareness, caution, and protection to their personal and home networks.
That means practicing good password hygiene on any devices or online systems they use outside of work, from banking to social media to online grocery shopping and everything in between. Where available, they should be encouraged to set up multi-factor authorization, too.
Personal phones, computers, and other devices should be password-protected, encrypted, and secured with up-to-date antivirus and malware programs. This is especially true if they use these devices for business-related activity, in which case you should embed usage rules into company policy.
Your employees should be encouraged to take all reasonable measures to protect company data that’s taken outside of the workplace, whether on a business trip or to a home office. Physical documents and devices should be stored securely when not in use, such as in a locked briefcase or filing cabinet.
Finally, employees should think carefully about the work information they share with their personal network. Your employee might think they’re bringing their old high school buddy up to speed on all the exciting projects they’ve been working on, but there could be a phisher on the other end of the email conversation, gathering data about your business.
Don’t Fight Phishing Attacks Alone
With 76% of businesses falling victim to a phishing attack last year, it seems phishers are winning the fight for your sensitive data. That doesn’t have to be the case. Protect your business now with expert training and managed security services from CyberSheath. Contact us now to find out how we can help.