Phishing: a potential cyber threat to business security
Phishing is a crime that involves tricking people into sharing confidential information. It is currently a preferred gateway for cybercriminals to gain access to corporate networks and data. According to data from the Identity Theft Resource Center, in Q2 of 2022, out of 184 data breaches reported in the US, 107 started from a phishing scam, 55 from ransomware, and 22 from malware, i.e. phishing caused 55% of the breaches.
This information coincides with data from cybersecurity firm Palo Alto Networks, which, in its 2002 Incident Response Report, reviewed the top three access vectors for cybercriminals, finding that phishing accounted for 37% of cases, followed by software vulnerabilities (31%) and brute force attacks (9%).
This form of intrusion has become popular because of its success rate. All it takes is an email in which the offender poses as a company executive or supplier, exploiting existing trust relationships, and more than one team member may end up handing over their passwords, installing malware, or performing an action that puts their security at risk. From then on, the criminal has a clear path to applications, private networks, and confidential company data.
Acid Labs wanted to test phishing's effectiveness through a study of 425 employees from different companies, which yielded the following results:
- 45% of them fell victim to a spear phishing experiment.
- 96% of the members opened the fake email.
- 55% clicked on the malicious link contained in the email.
- 45% ended up interacting with the communication.
But that's not all, "the study showed that, once a phishing attack is detected, organizations do not have a clear and defined procedure to stop the information leakage," says Hans Findel, Chief Innovation Officer at Acid Labs.
Simulating a phishing scam to understand its scope
According to Cymulate, two of the best measures a company can take to reduce the likelihood of successful attacks are: multi-factor authentication (an authentication scheme requiring two or more identity credentials) and security testing via external companies on a regular basis.
One of these tests is called Ethical Phishing and consists of an intentional attack to identify the company's most vulnerable users, with the aim of training employees and preventing or confronting future cyber risks.
This last point is of key relevance. A report by KnowBe4 found that the number of employees exposed to phishing attacks decreased after these training exercises were conducted. In the insurance industry, for example, the results of the companies studied showed that the number of workers at risk of fraudulent threats dropped from 50% to less than 20%.
"The traditional technological approach is to deal with most security problems using technical tools: firewalls, VPNs, and antivirus. However, one of the least observed factors is the human factor, and the exposure they have to the world today. So-called social engineering takes advantage of this exposure and individuals' trust relationships to maliciously exploit them. The ubiquity of social, personal, or business relationships over the Internet only enhances it," says Fabian Arias, CTO of Acid Labs.
"The human factor is one of the elements that cause the most damage to organizations year after year, and can be combated with education, awareness, and the introduction of cybersecurity culture as an important pillar of modern organizations, in addition to addressing them with technological tools," adds Arias.
Tips to prevent phishing in your business
According to the Organization of Consumers and Users (OCU), common sense is the best tool to protect yourself against phishing. However, there are other actions that can significantly reduce data theft or improper access to organizations' private information:
- Use a web browser that is able to block online threats. A recent study found that Mozilla Firefox or Microsoft Edge were able to cancel up to 80% of phishing attacks.
- Carry out technological developments that protect business assets and plan a cybersecurity strategy that keeps an eye out for potential breaches.
- Use a powerful antivirus that is capable of blocking as many phishing sites as possible.
- Change all passwords with a fixed frequency and activate the identity verification process.