Don’t Wait for the Bait: What You Can Do to Prevent Phishing

BusinessTechnologyTechnology News

In 2016, phishing earned a spot in the public eye by victimizing big brands such as Dropbox, American Express and Yahoo. Then there was the presidential race. Remember the impact it had on the election? Hillary Clinton sure does.

After a whirlwind year of hacks, people began connecting the glaring dots and realized that if top companies are falling for this trap, then we all might be doomed. Phishing relies on the fallacy of human nature—a guarantee. Everyone has a fair share of oversights, whether they are caused by curiosity or plain old negligence.

Phishing is an attempt to fool users into opening emails, clicking on web page links, downloading files, and providing financial or private information. Area 1 Security, a company focused on cyber attack prevention, found that phishing remains the most common type of cyber attack. Apparently, 95 percent of breaches begin with targeted phishing.

Oren J. Falkowitz, CEO of Area 1 Security and a former senior National Security Agency official, says, “Breaches, from elections to the ones you’ll never hear about, are almost all phishing attacks.”

Planner Vulnerability

The question is no longer whether an attack will happen, but when. All industries should prioritize cybersecurity, including the meetings and events industry. Even though the industry maintains a relatively low profile, cybersecurity inattentiveness creates vulnerability, which in turn attracts hackers.

Falkowitz says that high-profile speakers, large groups and venues don’t generally contribute to vulnerability.

“People who are seeking to attack are goal-oriented,” he says. “Sometimes that goal involves a high-profile individual or location, but that’s usually the case only with super-high-profile individuals like, say, the president.

“An ice cream shop can still be a target. You don’t have to be the Department of Defense. You might just be easy to go after because you’re unprotected, and that’s often a top driver.”

Generally, hackers are interested in locations, contacts and financial information. Accessing this type of information is easier to execute and is a more practical means to profit. Since high-profile breaches are over-represented, the public has a distorted representation of the everyday hack. In fact, small events can be the most targeted because cybercriminals are aware of their likely susceptibility.

Keeping Good ‘Health’

The emphasis needs to be on anticipatory action. Once a hacker has cracked entry, access to that system is available until the breach is discovered. Therefore, if your company is only focused on cybersecurity around the time of a big event, then security is still compromised, even for that event.

“Without acting now, the costs will become very significant to clean up,” Falkowitz says. “You also risk your brand’s reputation and customer confidence. It’s the equivalent of not taking care of yourself and then developing heart disease. We know that it’s more costly to fix messes than prevent them.”

The timeline of an attack is also a major concern. According to Area 1 Security, a phishing attack involves a “long planning, quick delivery and long discovery” trajectory. An attack may involve months of careful planning, yet the execution may only take several minutes. Meanwhile, the discovery takes a considerable amount of time, typically happening around 200 days after the breach has already occurred. Imagine the potential damage over many days of undetected entry.

Falkowitz recommends several basic steps in strengthening cybersecurity. Even though nothing is foolproof, these actions increase the cost for the attacker and have proved to be effective. Here is how to build a robust line of defense.

Use cloud services such as Google and Microsoft for work: These offer top features and security controls at reasonable costs.
Use a two-factor authentication system: This is an additional line of security that not only requires a user name and password, but also an additional piece of information or action on a third resource (such as a text message code).
Ensure that all users in your organization have strong passwords: A strong password is 12 characters, containing upper and lowercase letters, numbers and at least one special character. Passwords should vary across platforms. Ideally, get a password manager such as Dashlane, Zoho Vault, Keeper or LastPass.
Invest in anti-phishing software: It will dramatically increase your security and save you money in the long run.

Details Matter

“Details matter; it’s worth waiting to get it right,” Steve Jobs famously stated.

Phishing doesn’t have only one look. It won’t always be an odd attachment from a Nigerian prince. Take the time to closely examine every email in your in box before you click “open.”

A method called “spear phishing,” when emails appear to be sent from a familiar source, can make the situation even trickier. Be vigilant with emails that are not part of an exchange or emerge unexpectedly. And be very skeptical of any email that urges action. Keep in mind that spear-phishing emails will almost look spot-on, but they characteristically contain a slight mistake, such as a misspelled word. Never try to validate a suspicious email by sending a response. Instead, send out a fresh message.

Key Takeaways

Everyone is vulnerable to attacks, and the time to implement a system is right now. Make sure your company is secure by requiring strong and unique passwords, examining questionable emails and investing in a cybersecurity software to save big later. Don’t undestimate the threat. After all, why would you risk incurring major costs, suffering damage to your reputation and compromising client information?