Ransomware Phishing: An Ounce of Prevention
Phishing has been in the news lately, not only because it was the intrusion technique allegedly used by Russian hackers to access U.S. voter registrations, but also because it is becoming more prevalent, especially in the UK. You only have to look at the recent NHS “Wannacry” and the latest “Petrwrap” ransomware incidents both starting with curious staff opening phishing emails to understand the risks.
Years ago, cybercriminals focused their efforts on the organisation’s network perimeter, or in exposed and critical servers. But they have since learned that the easiest and most cost-effective way to gain access is to simply trick an employee into opening the door and letting them in!
Ransomware Phishing on the Rise
According to an industry report on the state of the phishing:
- 85 percent of businesses have suffered from phishing attacks.
- Phishing emails have been opened at a rate of 30 percent, and there has been a 250 percent surge in phishing detected in Q1 2016.
- 9 out 10 phishing emails now carry ransomware.
- The average cost of an incident is at $1.6M. Ouch.
Further exacerbating the problem is the fact that employees are generally reluctant to admit their own ignorance. According to HR Zone, 27 percent of office workers do not know what phishing is and more than one in five people admit to having been tricked into clicking a link or opening an attachment they don’t understand.
For this reason, employee security awareness is critical but just as important is reassuring staffers that they are not wasting time by being proactive.
You need to support them by giving them the tools to protect against phishing attacks and you need to give them the time needed to be cautious.
This might mean an occasional delay due to verification or check-in, but to be safe, you must give employees time and support to both ask questions and verify. Because isn’t this far preferable to a breach?
More Haste, Less Speed
We live and work in a world where information moves at breakneck speed and is typically needed “yesterday”.
To suggest we all take a step back to consider our email in-basket more carefully might seem counter-intuitive, but it’s not. Employers must lead by training staff to look at the underlying URL, not just the displayed text, to see where an email is actually coming from. They also need to become habituated to look at email headers to determine whether or not the email address has been spoofed.
Request Cyber Risk Aware Demo
Email filtering and user education are both smart security investments that will pay off today and in the future. Contact us today to determine how Cyber Risk Aware can work with you and your staff to catch those (spear) phishing and ransomware attacks before they catch you!