Did you know more than 90% of data breaches start with a phishing email?
A successful ransomware attack can devastate any size organization. As examples from a recent survey, 50% of law firms, 42% of insurance brokers, 37% of non-profit organizations and 27% of retail companies lack a written incident response plan. And 34% said they don’t give employees phishing tests to determine their exposure to risk.
We have been actively recommending and implementing layers of security from the hosted level, firewall level, server level, computer level, policy level and now by the user level.
Organizations who have incident response plan (IRP) are able to respond more quickly and more effective than those without one. And for organizations in healthcare or financial services, having a plan may be required by law. If you don’t yet have an IRP, we can provide template plans for a variety of types of organizations and even can assist in writing one if need be.
We want to reduce your organization’s chance of experiencing a cybersecurity disaster by 70% security awareness training and provide an IRP if an attempt is made.
What is “phishing”?
Phishing emails look like they came from a person or organization you trust, but in reality they’re sent by hackers to get you to click on or open something that will give the hackers access to your computer.
Why are you at risk?
Hackers are actively targeting organizations because you have information that is valuable to them. Specifically, they may be interested in any type of valuable data, such as customer, patient, student, or employee data, intellectual property, financial account information, or payment card data. If one employee falls for a phishing attack, the systems the employee uses can potentially be accessed. (We can run a report on your account to assess phishing attempts per account, contact us if you are interested in obtaining this report)
How to spot a phishing email
Hackers have gotten clever in how they design the emails they send out to make them look legitimate. But phishing emails often have the following characteristics:
- Ask you for your username and password, either by replying to the email or clicking on a link that takes you to a site where you’re asked to input the information.
- Look like they come from the HR or IT Team
- Have grammatical errors
- Contain email addresses that don’t match between the header and the body, are misspelled (like @gmaill.com), or have unusual formats @company-othersite.com)
- Have links or email addresses that show a different destination if you hover over them
- Try to create a sense of urgency about responding
How can you prevent phishing emails?
Employees responding to phishing emails is still one of the biggest risks we see. Training your employees is an essential first step in making sure your data is never encrypted or held for ransom.
- To help educate your employees about what to watch for, we’ve attached an employee tip sheet. You can download it HERE
- The Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) within DHS also have useful collections that include tip sheets. Click here.
- In addition to tips we do have a solution that is a cloud-based training software that allows your business to train employees to aid with security awareness and phishing resistance. The platform allows us to setup and deliver simulated security threats and phishing incidents to educate and test employees. The training can be required and simulated emails will be sent, and if an employee falls for the threat testing, you would know and the employee can go through further testing. The cost is based per organization and is very reasonable. If there is an interest let us know.
- Last year we started “hardening” in Microsoft 365 to prevent phishing email attempts as a preventative measure for protecting your accounts.
- Similar to the “365 hardening” in #4 we have a new solution that is similar to the hardening but with more bells and whistles. The system works in an A.I. setup learning the types of emails you get and where they are coming from. Example. If you got an email from us regularly, but one email originated from a country in Europe not our usual IP address it would flag it. This system ties into 365 very nicely and even give the employees the ability to mark things phishing or safe, if needed. But once a message is marked safe the “outside email” banner will be removed for that email for the entire organization. The solution is a very reasonable cost per account, if there is an interest let us know.
