What type of data can your company afford to lose? Customer information? Financial records? How about trade secrets? If the answer is “none of the above,” your data security program needs to adequately address the threat of phishing.
More than four in 10 data breaches in 2016 involved some type of social engineering, according to a new cyber security study from Verizon. And almost all of those social attacks used phishing emails.
Phishing breaches most often target trade secrets, according to Verizon’s 2017 Data Breach Investigations Report, which found that personal information is the second most common target. And at an average of $4 million, the cost of a single data breach can be enough to bankrupt a business. It’s not just direct costs you have to worry about; indirect costs such as reputation damage and customer churn can have a devastating effect on your business as well.
Think your industry is safe from phishing attacks? Think again. While highly regulated industries with sensitive data such as healthcare and financial services are often on higher alert regarding cyber security, it was actually the manufacturing sector that had the highest rate of phishing attacks in 2016, according to the Verizon study. It just goes to show that all businesses, regardless of industry, should be on guard for social engineering attacks, which exploit the human element in your IT security infrastructure.
Phishing training and testing
“Train your employees on security awareness, and encourage/reward them for reporting suspicious activity such as potential phishing or pretexting attacks,” recommends the Verizon study.
Phishing training and testing can help you to identify vulnerabilities and monitor the effectiveness of information security policies, procedures and training at your company. In these tests, an email containing a fake, but harmless, link is sent to selected employees. Employees who click on the link are directed to a website with training resources about phishing, and the results (who clicked, who reported the email) are measured and reported to management.
The greater an employee’s awareness, the better prepared he or she will be to identify a phishing attack that could potentially compromise the company’s sensitive data.
Reporting cyber threats
Training your employees can go a long way toward boosting your data security, but you also need to have reporting mechanisms in place. The Verizon study found that in cases where there was a reporting mechanism for users to report suspicious emails, one in five users reported the incident, a notably higher number than the one in 14 users who made the mistake of clicking on a link in a phishing email.
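The two measurements above (the share of employees who click a simulated link, and the share who report the email) are what a phishing test actually produces. The script below is an added example of how such a test can be tracked; it is not Kaufman Rossin’s PhishNet code and the page does not describe its internals. It assumes each recipient gets a link carrying an opaque, HMAC-signed token (so a guessed or edited token cannot be counted as a click), and it computes click rate, report rate and time-to-first-report from a constructed list of campaign events. The campaign secret, the token format and the sample events are all assumptions made for illustration.

```python
"""Phishing-simulation tracking: signed per-recipient links and campaign metrics.

Added example; not Kaufman Rossin's PhishNet code. The secret, the token
format and the event records below are constructed for illustration.
"""
import hashlib
import hmac
from collections import defaultdict

# Assumption: one random secret per campaign, kept only on the tracking server.
CAMPAIGN_SECRET = b"replace-with-a-per-campaign-random-secret"


def make_token(campaign_id: str, recipient_id: int) -> str:
    """Build the opaque token embedded in one recipient's link.

    The token carries the campaign id and an internal recipient number (never
    the e-mail address) plus a truncated HMAC tag, so the landing page can tell
    a real click from a forged or mistyped token.
    """
    payload = f"{campaign_id}.{recipient_id}"
    tag = hmac.new(CAMPAIGN_SECRET, payload.encode(), hashlib.sha256).hexdigest()[:16]
    return f"{payload}.{tag}"


def verify_token(token: str):
    """Return (campaign_id, recipient_id) if the tag checks out, else None."""
    parts = token.rsplit(".", 2)  # campaign id may itself contain dots
    if len(parts) != 3 or not parts[1].isdigit():
        return None
    campaign_id, rid, tag = parts
    expected = hmac.new(CAMPAIGN_SECRET, f"{campaign_id}.{int(rid)}".encode(),
                        hashlib.sha256).hexdigest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None  # tampered or guessed token: do not record a click
    return campaign_id, int(rid)


def campaign_metrics(events):
    """Summarize one campaign from (recipient_id, event, minutes) records.

    event is 'sent', 'clicked' or 'reported'; minutes is time since the
    campaign started. Rates are per unique recipient, so a user who clicks
    twice is counted once, and only recipients who were actually sent the
    e-mail are counted.
    """
    sent, clicked, reported = set(), set(), set()
    first = defaultdict(dict)  # recipient -> event -> first time seen
    for rid, event, minutes in events:
        if event == "sent":
            sent.add(rid)
        elif event == "clicked":
            clicked.add(rid)
        elif event == "reported":
            reported.add(rid)
        else:
            raise ValueError(f"unknown event {event!r}")
        first[rid].setdefault(event, minutes)
    clicked &= sent
    reported &= sent
    n = len(sent)
    report_delays = [first[r]["reported"] - first[r]["sent"] for r in reported]
    return {
        "sent": n,
        "click_rate": len(clicked) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        "clicked_then_reported": len(clicked & reported),
        "minutes_to_first_report": min(report_delays) if report_delays else None,
    }


# Constructed sample: 10 recipients, 2 clickers, 3 reporters, one of whom
# clicked first and then reported the e-mail.
SAMPLE_EVENTS = [(rid, "sent", 0) for rid in range(1, 11)] + [
    (3, "clicked", 12),
    (3, "clicked", 15),   # second click by the same user counts once
    (7, "clicked", 45),
    (2, "reported", 9),
    (5, "reported", 4),
    (7, "reported", 50),  # clicked, then reported
]

if __name__ == "__main__":
    link = make_token("q1-2017", 7)
    print("link token:", link, "->", verify_token(link))
    print("metrics:", campaign_metrics(SAMPLE_EVENTS))
```

The metric worth reporting to management alongside click rate is the report rate and how quickly the first report arrived: that is the window in which a security team could have pulled a real phishing email from every other inbox.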
Unfortunately, many organizations don’t have clear policies or processes surrounding reporting, and consequently their employees lack proper channels for alerting the company to threats.
What is the process for reporting at your organization? How often are you training your employees to recognize the latest types of phishing schemes?
The good news is that it’s not too late to bolster your defenses.
Kaufman Rossin’s PhishNet service can help you to train and test your employees’ cyber security awareness quarterly or semiannually. Contact us to learn more about how we can help you to identify your vulnerabilities and mitigate your risk of phishing and other types of cyber attacks.
Jorge Rey, CISA, CISM, CGEIT, is an information security and compliance director at Kaufman Rossin, where he provides IT security consulting services to businesses in a variety of industries. Kaufman Rossin is one of the Top 100 CPA and advisory firms in the U.S. Jorge can be reached at firstname.lastname@example.org.
Roberto Valdez, CPA, is a risk advisory services professional in Kaufman Rossin’s Boca Raton, Florida, office and provides IT security consulting services to businesses in a variety of industries. Roberto can be reached at email@example.com.