The most tragic part of cybersecurity is that it's the one area of technology where workers are turned against their company.
In an article about phishing for ZDNet, Steve Granger lays out some troubling findings from a Coalfire survey: 71% of businesses handed over credentials, up from 63% in the prior year.
Research from PHISH360 found a single company where over 90% of users clicked on a fraudulent email. With training, that number kept decreasing, which shows that proper training can work very well for users.
Consider that just one click could take a company's entire operation down or give the hacker access to the sensitive data on the network.
We have seen a company in the New York area that was heavily reliant on a handful of customers.
It suffered a breach of credit card information, lost those few customers and declared bankruptcy. Hundreds of jobs were affected.
It was one of the saddest events we have witnessed.
It is why at Apex Technology Services, we fight tirelessly to stop hackers from getting in.
The point is that a breach can be devastating, and when the majority of workers are clicking on emails they shouldn't, we are badly undertraining our workers.
Bleeping Computer even runs a phishing spotlight covering scams so crude that everyone should know they are fake.
One of the latest shows a message telling users they must log in to unblock Microsoft Excel.
Many of us have seen similar messages - it only takes a moment of weakness to click and let the hackers in.
Again – it only takes one user to click and a company could have a serious business email compromise (BEC) on its hands.
One of the most amazing things we hear from company executives is that they think they are too small to be a target.
They don't understand, no matter how much explaining is done, that everyone is a target.
At this point it is safe to say that, thanks to various breaches, the vast majority of email addresses are available to hackers.
All they need to do is keep sending messages over time; sooner or later more people will be fooled into clicking and entering information.
TechCrunch makes the same point in an article reminding us that startups are just as much at risk from phishing as large companies.
In case you need more convincing, GetApp just published research showing that 43% of companies say someone in their company has clicked on a phishing email.
What we find interesting about this number is that it is well below the 71% figure above.
One explanation could be that users and their companies do not know they have been hacked: hackers can be on the network without yet doing anything visibly malicious.
The two surveys also asked different questions (credentials handed over versus a known click), so the figures are not directly comparable either.
The worst case of BEC we have witnessed was a hacker breaching a company's email, specifically the account of the person responsible for sending bank account information for wire transfers.
The hacker monitored the mailbox and waited until a big sale was about to go through.
At that point, the hacker sent the customer an email containing the hacker's own bank details in place of the company's.
The customer thought they had paid the company, but they hadn't. The money was lost and a legal dispute ensued between the customer and the company over who was liable.
It is highly likely a phishing email started this whole mess.
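The control that defeats this scheme is simple to state: never act on banking details taken from an email alone; compare them with the details already on file and confirm any change by phone using a number you already have. As an added example (not Apex Technology Services' code), here is an accounts-payable check that does the comparison: it parses wire instructions out of an incoming message, compares the account and routing numbers with the vendor record on file, and also holds messages that come from unknown or look-alike domains or that announce "changed" bank details. The vendor record, the messages and the patterns are constructed for this illustration. Note that in the case above the mail came from the genuine, compromised mailbox, so a sender check alone would have passed it; only the mismatch against the record on file catches it.

```python
"""Hold wire-transfer instructions whose bank details do not match the payee
record on file. Added illustration, not Apex Technology Services' code; the
vendor record, messages and patterns below are constructed sample data."""
import difflib
import re
from dataclasses import dataclass, field

# Constructed "vendor master": bank details verified out of band, keyed by the
# payee's e-mail domain as seen on previously paid invoices.
VENDOR_RECORDS = {
    "example-supplier.com": {"account": "123456789", "routing": "021000021"},
}

# Loose patterns for US-style wire instructions in an e-mail body.
ACCOUNT_RE = re.compile(r"account(?:\s+number)?\s*[:#]?\s*([0-9]{6,17})", re.I)
ROUTING_RE = re.compile(r"(?:routing|aba)(?:\s+number)?\s*[:#]?\s*([0-9]{9})", re.I)
# Wording that typically accompanies a fraudulent "please use our new bank" request.
CHANGE_RE = re.compile(r"\b(new|updated|changed)\b.{0,40}\b(bank|account|wire)\b", re.I | re.S)


@dataclass
class Verdict:
    hold: bool                      # True: do not pay until confirmed by phone
    reasons: list = field(default_factory=list)


def extract_bank_details(body: str) -> dict:
    """Pull account and routing numbers out of free text; absent keys mean not found."""
    details = {}
    if m := ACCOUNT_RE.search(body):
        details["account"] = m.group(1)
    if m := ROUTING_RE.search(body):
        details["routing"] = m.group(1)
    return details


def lookalike_domain(domain: str, known: dict, threshold: float = 0.85):
    """Return the known payee domain that `domain` closely resembles, if any."""
    best = max(known, key=lambda k: difflib.SequenceMatcher(None, domain, k).ratio(), default=None)
    if best and best != domain and difflib.SequenceMatcher(None, domain, best).ratio() >= threshold:
        return best
    return None


def check_wire_instructions(sender: str, body: str, records: dict = VENDOR_RECORDS) -> Verdict:
    """Decide whether a payment request must be held for out-of-band confirmation."""
    domain = sender.rsplit("@", 1)[-1].lower()
    details = extract_bank_details(body)
    reasons = []
    record = records.get(domain)
    if record is None:
        reasons.append(f"no verified record for payee domain {domain}")
        if near := lookalike_domain(domain, records):
            reasons.append(f"sender domain resembles verified payee domain {near}")
    else:
        # The sender may be the genuine, compromised mailbox: the record on
        # file, not the sender address, is what the details must match.
        for key in ("account", "routing"):
            if key in details and details[key] != record[key]:
                reasons.append(f"{key} number differs from record on file")
        if not details:
            reasons.append("no bank details found to verify")
    if CHANGE_RE.search(body):
        reasons.append("message announces changed banking details")
    return Verdict(hold=bool(reasons), reasons=reasons)


# Constructed messages: a genuine invoice, the BEC-style swap sent from the
# genuine mailbox, and the same invoice from a look-alike domain.
SAMPLE_MESSAGES = [
    ("ap@example-supplier.com",
     "Invoice 1042 is due. Please wire payment to First Example Bank, "
     "routing number 021000021, account number 123456789."),
    ("ap@example-supplier.com",
     "Our bank details have changed. Please send the wire to Second Example Bank, "
     "routing number 026009593, account number 987654321."),
    ("ap@examp1e-supplier.com",
     "Invoice 1042 is due. Please wire payment to First Example Bank, "
     "routing number 021000021, account number 123456789."),
]

if __name__ == "__main__":
    for sender, body in SAMPLE_MESSAGES:
        verdict = check_wire_instructions(sender, body)
        print("HOLD" if verdict.hold else "OK  ", sender, verdict.reasons)
```

The regular expressions are deliberately loose so that formatting variations still get parsed; the important property is that any mismatch, or any inability to parse, results in a hold rather than a pass.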
How do you stay secure or at least drastically reduce the risk? Follow these three steps to start:
1) Read cybersecurity essentials – a simple list which will help most organizations become far more secure.
2) Sign up with a phishing simulation vendor now; Phishing Box, KnowBe4 and Phish360 are all great. These services train workers by testing them without their knowledge, sending realistic-looking emails to their inboxes. Anyone who clicks is immediately trained on what not to do.
3) We also recommend getting a free evaluation of your cybersecurity risk from an MSP/MSSP right away; they can also help you build in the compliance controls needed to reduce the risk of being fined.
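As an added example, not code from Apex Technology Services or from any of the vendors named above, here is the skeleton of what such a simulation tracks behind the scenes: each recipient gets a link carrying a signed token, so a click is attributed to exactly one person and a result cannot be forged by someone who merely knows a colleague's address, and the click rate is computed per campaign so the decline described earlier can actually be measured. The signing key, recipient lists and web-server log lines are constructed for the illustration.

```python
"""Phishing-simulation tracking with tamper-evident per-recipient links and a
campaign-over-campaign click rate. Added illustration, not code from Apex
Technology Services or any vendor named above; the key, recipient lists and
web-server log lines are constructed sample data."""
import base64
import hashlib
import hmac
import re
from collections import defaultdict

# Constructed demo key; a real deployment keeps this in a secrets store.
SIGNING_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed campaigns: who received the simulated phish each quarter.
RECIPIENTS = {
    "2024-q1": ["ann@example.com", "bob@example.com", "cy@example.com", "di@example.com"],
    "2024-q2": ["ann@example.com", "bob@example.com", "cy@example.com", "di@example.com"],
}

LOG_RE = re.compile(r'"GET /t/(\S+) HTTP/')


def make_token(campaign: str, email: str) -> str:
    """Link token: base64(campaign|email) plus an HMAC, so a result cannot be
    forged by anyone who only knows a colleague's address."""
    payload = f"{campaign}|{email}".encode()
    mac = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()[:32]
    return base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + mac


def verify_token(token: str):
    """Return (campaign, email) for a genuine token, None for anything else."""
    try:
        enc, mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))
    except ValueError:               # malformed token or bad base64
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(mac, expected):
        return None
    campaign, _, email = payload.decode(errors="replace").partition("|")
    return campaign, email


def summarize(recipients: dict, log_lines) -> dict:
    """Count distinct clickers per campaign from web-server access-log lines."""
    clicked = defaultdict(set)
    rejected = 0
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue                  # not a tracking link
        parsed = verify_token(m.group(1))
        if parsed is None:
            rejected += 1             # forged or corrupted token
            continue
        campaign, email = parsed
        if email in recipients.get(campaign, ()):
            clicked[campaign].add(email)   # repeat clicks count once
    campaigns = {}
    for campaign, emails in recipients.items():
        n = len(clicked[campaign])
        campaigns[campaign] = {"sent": len(emails), "clicked": n,
                               "rate": n / len(emails) if emails else 0.0}
    return {"campaigns": campaigns, "rejected": rejected}


def sample_log() -> list:
    """Constructed access-log lines: three clicks in Q1, one person clicking
    twice in Q2, one forged token and one unrelated request."""
    def hit(token):
        return f'10.0.0.5 - - [01/Feb/2024:09:12:01 +0000] "GET /t/{token} HTTP/1.1" 200 43'
    lines = [hit(make_token("2024-q1", e)) for e in RECIPIENTS["2024-q1"][:3]]
    lines += [hit(make_token("2024-q2", "ann@example.com"))] * 2
    lines.append(hit(make_token("2024-q2", "bob@example.com")[:-1] + "x"))  # tampered MAC
    lines.append('10.0.0.5 - - [01/Feb/2024:09:12:02 +0000] "GET /index.html HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    report = summarize(RECIPIENTS, sample_log())
    for name, stats in report["campaigns"].items():
        print(f"{name}: {stats['clicked']}/{stats['sent']} clicked ({stats['rate']:.0%})")
    print("rejected tokens:", report["rejected"])
```

Run as-is it reports 3 of 4 clicking in the first campaign and 1 of 4 in the second, with the tampered link rejected; that falling rate is the number the earlier PHISH360 observation is about, and the rejected count is what tells you the data behind it has not been gamed.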