A handy guide to phishing - Cribb Cyber Security

This week we are delighted to present you with a handy guide to phishing. The majority of data breaches are due to social engineering and phishing, so it makes sense then to ensure you embrace best practices. It would be virtually impossible to cover everything in one piece, so our experts have hand-picked some key pointers for you. For more information, contact us and we’ll be happy to help.

Social engineering and phishing

Phishing was the most common cyber-crime in 2020, according to the FBI. This interesting read from Tessian reveals more, and illustrates the huge year-on-year growth in phishing from 2019. Cyber criminals generated $1.8 billion by using business email compromise (BEC) techniques. Almost 70% of breaches against Public Administration – one of the most targeted industries – came via social engineering. This piece from KnowBe4 includes in-depth research findings that show the devastating impact this has had. Awareness of how to combat social engineering and phishing attacks is therefore critical.

Implement a cyber security framework

First and foremost, you must have a cyber security framework in place. This typically consists of policies, technical defences and training. Your policies need to be clear and communicated to everybody in the organisation. Technical defences take the form of controls and mitigations designed to protect operating systems and hardware. Cyber awareness is crucial nowadays, and regular training sessions must be held to both raise and maintain this.

Our friends at the NCSC created this very useful guide for organisations.

Tips for fighting social engineering and phishing

No guide to phishing would be complete without specific tips on how to fight against it:

  • Create an Acceptable Use policy outlining the general ‘dos and don’ts’ for your organisation
  • Consider creating a specific Phishing policy
  • Train your team on this and all other policies regularly
  • Ensure you have firewalls in place
  • Consider content filtering services
  • Carry out regular DNS checks
  • Implement anti-virus software
  • Deploy a permission-based approach to user access
  • Ensure you are using robust email security standards: SPF, DKIM & DMARC*

*SPF = Sender Policy Framework; DKIM = DomainKeys Identified Mail; DMARC = Domain-based Message Authentication, Reporting and Conformance.
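As a worked example of the last tip (added here, not part of the original guide), the script below parses SPF and DMARC TXT records and flags the weak settings a phishing defence should catch: a permissive `all` qualifier, a `p=none` policy, a partial `pct`, a missing reporting address, and too many DNS lookups. The domain names and records are constructed; in practice you would feed it the TXT records fetched for your own domains.

```python
import re

# Constructed sample TXT records for two hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "weak.example": {"spf": "v=spf1 include:_spf.mail.example ?all",
                     "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example"},
    "good.example": {"spf": "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all",
                     "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example; adkim=s; aspf=s"},
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing weak was seen."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record (missing v=spf1)"]
    findings, terms = [], record.split()[1:]
    # The final 'all' mechanism decides the result for every sender not listed.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1][0] not in "-~":
        findings.append(f"'{all_terms[-1]}' lets any host pass or be neutral; use -all (or ~all)")
    # RFC 7208 caps DNS-querying mechanisms at 10; exceeding it yields permerror.
    lookups = sum(1 for t in terms
                  if re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return findings

def check_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means the policy is enforcing."""
    tags = {k.strip().lower(): v.strip() for k, v in
            (kv.split("=", 1) for kv in record.split(";") if "=" in kv)}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings, policy = [], tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; mail failing alignment is still delivered")
    if policy != "none" and int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']} applies the policy to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be received")
    return findings

def audit(records: dict) -> dict:
    """Run both checks over every domain; findings are keyed by domain name."""
    return {d: {"spf": check_spf(r["spf"]), "dmarc": check_dmarc(r["dmarc"])}
            for d, r in records.items()}
```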

We have kept this guide deliberately brief, as there are so many actions you can take against phishing. You must be proactive and make a point of initiating conversations with your team about it. They are the key targets for social engineering scams and must be prepared. Of course, there is no guarantee that you will avoid attacks even if you do follow all of these tips. Following them will certainly help, however. In our experience, we have found it is a good idea to assume the worst. Expect an incident and prepare accordingly.