Tips for Your Vendor Security: How to Prevent Phishing Attacks
Phishing is an attempt to deceive a victim in order to gain access to confidential information and/or distribute infected files. Even with the latest technologies that prevent many phishing emails from reaching inboxes, and even with the right training and procedures, phishing attacks accounted for nearly one-third of data breaches in 2018.
As we mark National Cybersecurity Awareness Month (NCSAM), it's an appropriate time to note that every type of company has been targeted by phishing, including financial organizations, tech security companies, educational institutions and healthcare. High-ranking executives are regularly targeted by phishing scams, with business email compromise (BEC) alone costing companies $26 billion, as reported by the FBI.
So how can your vendors avoid becoming victims of such attacks?
1. Map the Employee Threat Landscape.
Human behavior dictates the likelihood that an employee might be a victim of a phishing, spear phishing or BEC attack. Companies should check employees’ public footprints, such as their social network presence, to be alerted to irregular behavior compared to industry standards. This allows companies to rectify broken policies by better understanding how hackers are targeting employees.
2. Assess Employee Access.
Security teams should assess the amount and critical nature of the data employees have access to. You may have an HR manager interacting with unauthorized entities without having the right cybersecurity training to detect phishing. Therefore, organizations should restrict pathways to critical data to reduce the threat posed by an attacker gaining access to the corporate network.
3. Train and Test Employees.
Consider using a platform that tests employees by sending fake phishing emails to gauge responses. Effort should be focused on groups that are particularly at risk, such as HR, which is regularly in contact with unknown entities.
4. Involve Everyone.
Cybersecurity shouldn’t stop at the door of the security team. It takes the participation of an entire company to secure a business, from the CEO to your newest recruit. All employees should undergo cybersecurity training and be taught how to spot phishing attacks. For example, employees should realize that they are more prone to phishing attacks from their phones, since they have less visibility into who sent an email than they do on a computer.
This is the first in a series in honor of National Cybersecurity Awareness Month (NCSAM), and is dedicated to helping organizations guide suppliers with their cybersecurity. Don't miss our next blog post about creating secure passwords.