A recent study of 330 global IT professionals, sponsored by Sophos (Phishing Temperature Check – Freeform Dynamics), found that 77 percent of IT professionals received regular reports of phishing attacks from the end-users they support. While anyone in the office may be the target, the study indicates that Accounting and Finance are targeted in nearly 60 percent of attacks and that a majority of respondents experienced attempted impersonation of senior managers. This particularly dangerous combination is commonly used to request a fraudulent wire transfer. Even a single click on the wrong link by a single employee can create a substantial problem, such as a ransomware infection or data breach.
Despite these threats, the report indicates that 62 percent of businesses fail to implement a security awareness testing program. Additionally, 62 percent of respondents do not use data loss prevention (DLP) software to search for, classify and manage particularly sensitive data.
Here are some ways to build a security awareness program for your office:
NO. 1: EDUCATE YOUR STAFF ON IT SECURITY BEST PRACTICES.
The common thread in the vast majority of cyber-attacks points to the weakest link in your IT network – your employees. The foundation is recruiting and thorough background checks. On an ongoing basis, comprehensive IT security training and awareness programs help establish a culture of security and compliance. All new hires should complete an IT security training course. Train all of your employees with fresh content annually. Post security awareness posters around the office. Additionally, consider providing short training opportunities throughout the year, such as weekly videos or scheduled newsletters, for constant reminders. A continuous cycle of assessment, education, reinforcement, and measurement maximizes learning and lengthens retention.
NO. 2: CONDUCT PERIODIC SIMULATED PHISHING CAMPAIGNS.
A simulated phishing campaign is a great tool to test, assess and educate your staff about the latest phishing tactics hackers are using. Most tools offer on-the-spot training that is required for anyone who mistakenly clicks on a “malicious” link. Management can review reports of the campaign activity to make adjustments to the firm’s security policies and see if employee awareness improves over time. This is critical for all employees, and pay extra attention to accounting and finance staff. An FBI report from 2017 (Internet Crime Complaint Center (IC3) | Business Email Compromise) reports over $5 billion in wire transfer fraud over a period of a little more than three years. The report lists several scenarios, including foreign wire transfers (which can be extremely difficult to prosecute). The risk of financial loss via wire transfer is high, even for domestic wire transfers, as they are difficult to trace or reverse.
NO. 3: PERFORM A DARK-WEB BREACH ASSESSMENT OF YOUR EMPLOYEES.
You might be surprised to learn how many of your employees have compromised usernames, passwords or other personally identifiable information (PII) being sold on the dark web. Reviewing a report of dark web activity could help identify employees who may need extra training.
NO. 4: DEVELOP A CULTURE OF HEALTHY SKEPTICISM & MULTI-STEP VERIFICATION.
Scenarios often involve phishers masquerading as trusted business executives, vendors, or lawyers. Implementing at least a two-stage approval process for significant financial transactions can go a long way toward preventing wire or check fraud. Encourage your staff to question any message that seems out of place, and have a policy for how they can report suspicious emails. If possible, define job roles that enforce a separation of duties, and rotate duties among personnel who manage access to sensitive data. If your firm is too small to rotate job duties, business owners can periodically audit who has access to sensitive data and perform regular reconciliation reviews.
Expect the criminals to be extremely convincing. Every day they are crafting emails that are harder to identify. In fact, people are far more likely to click on phishing emails than genuine marketing emails. We live in dangerous times. Start implementing practical steps to train your staff and reduce your risk.

Stephanie Kinsey