Doubtless, you are aware that phishing (an email that looks like a company communication or something work-related containing malware) and spear phishing (the same thing from the spoofed account of a company executive) have become facts of life. Or maybe not.
There are a host of reasons to be concerned.
Phishing attacks are literally out of control. According to one survey published earlier this year, 85 percent of companies in the United States reported being the victim of a phishing attack (up from 13 percent in 2014) and 67 percent reported a spear phishing attack, up from 22 percent in 2014.
According to Verizon, 30 percent of phishing emails get opened, and a whopping 93 percent of malware this year was ransomware. $2.3 billion has been lost to CEO spear phishing campaigns, and the average cost of these attacks is now $1.6 million. If that were not bad enough, the Ponemon Institute published a report last year that found the average 10,000-employee company spent around $3.7 million dealing with a phishing attack, and about half of that cost was through loss in productivity.
Putting aside productivity costs for a moment, your enterprise could conceivably become an unwitting co-conspirator in a major crime if the goal of the hacker was to marshal your company’s computing power for a targeted attack. The possibilities may seem like the stuff of a major motion picture, ranging from robbing a bank or stealing information that could cost a candidate an election to high-tech murder via the hack of a pacemaker or insulin pump–but they are all real possibilities in the wild west of cyber insecurity, where the only sure thing is that most of us will “get got.”
One more thing to consider–before we talk about what you can do to inoculate your company against the viruses out there–is liability. This is still uncharted territory, but it’s well within the realm of possibility your systems could be recruited into a larger effort, one that could cause harm to a third party–something that always opens the door to lawsuits seeking damages.
Throw a rock (or Google “employees phishing survey”) and you’ll find compelling and utterly depressing statistics about the number of people who still feel pretty confident that their colleague is careless (or clueless) enough to click on phish bait.
The fact of the matter is that we all have moments at work when our guard is down, and that’s all it takes to open the gates to the barbarians. We are all “that colleague” who could expose the company to malware.
The FBI has for some time suggested system changes to address the issue of phishing–multi-factor authentication for email, for instance–but the fact of the matter is that employees need to be in the mindset that everything that happens during their work day could be a scam, and so it falls to everyone to never trust and always verify.
There is no sure-fire way to avoid getting scammed, but there are things you can direct–or demand, depending on your management style–from your employees.
Old school as it may seem, picking up the phone to confirm the authenticity of requests is an essential habit to instill in your colleagues–especially for wire transfers or access to sensitive information (think W-2 scams). You may also want to inculcate a culture where people get into the habit of sending a text to verify that an email request is genuine. There are now a few excellent messaging clients that your company might implement as well that would double as a channel for confirming the authenticity of a request or an authorization–but bear in mind very few are without security issues, and all of them only offer a way to double-check before double-clicking.
More generally, the only way to stop the phishing epidemic is to get employees to remember, throughout their workday, that fraud is omnipresent and the only real protection against it is to make sure everyone–from the shipping department to the board room–is being careful. It’s all about ownership, and making everyone accountable to and for everyone.