A company of 50 employees may seem “too small” to be targeted for a cyber attack, but to a cyber criminal those 50 employees are 50 possible attack vectors to exploit. Inbound spam filtering and outbound web filtering help. Periodic cyber awareness training and enforced security policies are recommended. But all it takes is one of those 50 employees, one time, to be caught off guard and fall victim to a phishing email.
Preventing phishing attacks entirely is close to impossible. A better strategy is to minimize the risk of an employee engaging with a phishing email and to limit the damage any successful phishing attack can cause. If a phishing attack is detected, immediately isolate the compromised PC from the rest of the network. Never forward the email, not even to your IT department. The best way to defend against attacks is to make sure your staff understand how your internal defenses work. Openly discuss security measures, enforce all policies, conduct periodic incident response drills, talk through the results, and adjust the methods where necessary.
If you catch a phishing email in action:
- DO NOT forward the email
- DO NOT click on anything in the email
- Immediately notify your IT department
- Warn others of the attempt, in a NEW email (never by forwarding the original)
If you experience a phishing attack, here’s what you need to do to mitigate the attack:
- Isolate PC from the rest of your network
- Change email password
- Change any other password that is the same as, or similar to, the compromised credentials
- Check your mailbox for any rules you did not create (e.g., a rule that deletes all incoming emails)
- Monitor network for suspicious activity
Future prevention tactics:
- Employee education – consistent, always top of mind
- Two-factor authentication on email
- Email filtering
- Threat detection platform to monitor for other suspicious activity
It is most important to educate your employees about the tactics of phishers. Employees should be trained on security awareness as part of their orientation and regularly throughout their time of employment. Tell them to be wary of e-mails with attachments from people they don’t know. Let them know that no credible website would ask for their password over e-mail. Additionally, people need to be careful which browsers they use. Read the address in every URL from right to left: the rightmost part of the host name is the true domain, whatever appears to the left of it. Treat a supposedly secure URL that doesn’t use https as fraudulent, and likewise any site whose address begins with an IP address. Phishing and spear phishing are the most common methods used by cyber criminals. Your employees should always have this at the top of their minds.
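As an added example (not part of the original post), the following Python script applies the three URL checks described above to a few constructed sample links: it reads the host right to left to find the true domain, flags hosts that are bare IP addresses, and flags links that do not use https. The `expected_domain` value, the sample URLs and the two-label rule for the registrable domain are assumptions for illustration; real deployments would use a public-suffix list to handle suffixes such as co.uk.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample links of the kind an employee might see in a phishing email.
SAMPLE_URLS = [
    "https://accounts.example.com/login",
    "http://accounts.example.com.evil-host.test/login",
    "https://203.0.113.5/secure/update",
    "http://example.com/reset-password",
]


def registered_domain(host: str) -> str:
    """Read the host right to left: the rightmost two labels are the true domain.
    Simplification (assumption): multi-label public suffixes like co.uk are ignored."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_host(host: str) -> bool:
    """True when the host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def check_url(url: str, expected_domain: str) -> list[str]:
    """Return the red flags for one URL, in the order the post lists them."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    flags = []
    if parts.scheme != "https":
        flags.append("no https")
    if is_ip_host(host):
        flags.append("host is an IP address")
    elif registered_domain(host) != expected_domain.lower():
        flags.append(f"true domain is {registered_domain(host)}, not {expected_domain}")
    return flags


def triage(urls, expected_domain="example.com"):
    """Map each URL to its list of red flags (empty list means none found)."""
    return {url: check_url(url, expected_domain) for url in urls}


if __name__ == "__main__":
    for url, flags in triage(SAMPLE_URLS).items():
        print(url, "->", flags or ["no red flags"])
```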
Phishing attacks are unpredictable and concerning. We understand and we want to help. We offer a full cyber awareness training program and further security measures necessary to keep your organization protected. To get started with establishing the right program for your organization, allow us to conduct a complimentary gap analysis. From there, we can determine how your current tactics are measuring up and what we can do to minimize your risk.