I read somewhere that phishing attacks had increased by some 800% in the last year. As a statistic it's largely meaningless, but the fact that it feels plausible suggests that, yet again, the battlefield has shifted and small businesses now need to face a new threat.
Every phishing email is formed around a lie. A message with an attachment might use urgency, greed or compassion to persuade you to open it. It's an order, a tax refund or the CV from a would-be employee. An email with a link might pose as an official communication or an automatic process that you need to complete to carry on as normal. These emails don't appear to come from strangers; they appear to come from customers, suppliers and, increasingly, colleagues or friends, either because the sender address has been forged or because the sender's own account has already been compromised.
Whilst the target of the attack may seem to be the organisation, most of these attacks are largely indiscriminate. If the attack is designed to infect and then extort from the company, there may be little targeting involved at all: sending thousands of emails costs almost nothing, so even a tiny response rate pays. But the entry point of the attack is not the organisation, it's the employees, who have the unenviable task of protecting the network.
There's a very good reason for this. A properly configured modern firewall is difficult to penetrate from the outside. For an indiscriminate attack it makes no sense to attack the firewall when there are far softer targets available. So rather than try to access the network through its defences, which are primarily designed to resist inbound attacks (much like a fortress wall), why not persuade someone on the inside to open the gate?
So what to do? Well there are probably three things that would seem sensible.
First, try to stop the messages reaching your staff at all. That means filtering email for spam and malware at the mail server or gateway, before it is delivered to anyone's inbox. This is not the same as anti-virus software on each PC, which only gets a chance to act once the message and its attachment have already arrived; it's better not to let the email reach you if you can.
Then hold a meeting of your staff and explain what a phishing email might look like (the manufactured urgency, the unexpected attachment, the link whose text says one thing while it actually leads somewhere else), how they should respond to it and, importantly, that nothing is so urgent that there isn't time to show the message to a colleague before clicking. Behind every person who's just clicked on an infected email there always seems to be someone saying 'you didn't click on that, did you?' So share knowledge amongst your team.
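The filtering the first point asks for, and the tell-tale signs the second asks staff to look for, can be checked mechanically. The script below is an added example, not code from the original post or from any product: it parses two constructed sample emails with Python's standard `email` library and flags the indicators discussed above (an urgency cue in the subject, a Reply-To domain that differs from the From domain, link text that shows one domain while the href points to another, and an attachment with an executable extension). The extension list, the keyword list and both sample messages are assumptions made for illustration; a real gateway filter would combine such heuristics with sender reputation and malware scanning rather than rely on them alone.

```python
"""Heuristic phishing-indicator scanner (added example, not the post's own code)."""
import re
from email import message_from_bytes
from email.policy import default
from urllib.parse import urlparse

# Assumed lists for this example: attachment extensions that run code when
# opened, and words phishers lean on to manufacture urgency.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd",
                    ".ps1", ".jar", ".lnk", ".iso"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "final notice",
                 "action required")

# Matches <a ... href="...">label</a> in an HTML body; the label is what the
# reader sees, the href is where the click actually goes.
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>',
                       re.IGNORECASE | re.DOTALL)
URL_RE = re.compile(r'https?://[^\s<"\']+', re.IGNORECASE)


def url_domain(url):
    """Host part of a URL, lower-cased, without userinfo or port."""
    return urlparse(url).netloc.lower().rsplit("@", 1)[-1].split(":")[0]


def address_domain(header_value):
    """Domain of the first address in a From/Reply-To header ('' if none)."""
    match = re.search(r"@([A-Za-z0-9.-]+)", str(header_value or ""))
    return match.group(1).lower() if match else ""


def phishing_indicators(raw_message):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw_message, policy=default)
    findings = []

    subject = str(msg["Subject"] or "").lower()
    for word in URGENCY_WORDS:
        if word in subject:
            findings.append(f"urgency cue in subject: {word!r}")
            break

    from_domain = address_domain(msg["From"])
    reply_domain = address_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from "
                        f"From domain {from_domain}")

    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if filename:
            # Use the final extension, so "statement.pdf.exe" is caught.
            ext = "." + filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
            if ext in RISKY_EXTENSIONS:
                findings.append(f"executable attachment: {filename}")
            continue
        if part.get_content_type() == "text/html":
            for href, label in ANCHOR_RE.findall(part.get_content()):
                shown = URL_RE.search(label)
                if shown and url_domain(shown.group(0)) != url_domain(href):
                    findings.append(f"link text shows {url_domain(shown.group(0))} "
                                    f"but points to {url_domain(href)}")
    return findings


# Constructed sample messages for this example (not real traffic).
PHISHING_SAMPLE = b"""From: "Payments Team" <payments@bank.example>
Reply-To: payments@bank-example-secure.test
To: staff@smallbiz.example
Subject: URGENT: your account has been suspended
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>Please <a href="http://bank-example-secure.test/login">https://bank.example/login</a> to restore access. Statement attached.</body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""

LEGITIMATE_SAMPLE = b"""From: "Alice" <alice@supplier.example>
To: staff@smallbiz.example
Subject: March invoice
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>The March invoice is on the portal:
<a href="https://portal.supplier.example/inv/42">https://portal.supplier.example/inv/42</a></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISHING_SAMPLE), ("legit", LEGITIMATE_SAMPLE)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

Run against the two samples, the forged message produces four findings and the supplier's message none. The link check is the one worth keeping in mind when you talk to staff: a visible URL in the link text is no guarantee of where the click goes, and hovering over the link (or reading the raw HTML, as this script does) is the only way to see the real destination.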
Finally, and critically, create a culture where, if the worst happens and a member of staff sets off an infection, they feel able to report it immediately rather than hoping it goes unnoticed; nobody reports promptly if they expect to be blamed. Many of these infections start encrypting or destroying data very quickly, but prompt action (such as simply unplugging the machine from the network so the infection cannot spread to shared drives and other PCs) can significantly reduce the impact on your business.