Is your small business protected from the most prevalent form of social engineering—email phishing? Karen Stern, Partner in Charge of Brown Smith Wallace Entrepreneurial Services Group, discusses the importance of setting a strong foundation in two key areas to prevent phishing in your organization, in this month’s “Financial Fitness” column, as featured in Small Business Monthly.
Although there are a number of different types of social engineering attacks, phishing was again the top variety, found in over 90 percent of both incidents and breaches, according to the 2017 Verizon Data Breach Investigations Report. The report also noted that 95 percent of phishing attacks that led to a breach were followed by some form of software installation. The act of manipulating people into disclosing sensitive data continues to be on the rise, and it’s important for organizations of all sizes to lay the groundwork for prevention and detection.
Below are the areas to focus on when preparing for potential phishing attacks:
- Educate users on the signs of phishing emails and where to report them.
- Isolate compromised systems so that malware cannot spread.
- Consider including [External], [E] or [Not from the CEO!] in the subject line for incoming outside emails.
- Create an internal process that includes some form of communication other than email, particularly for large wire transfer requests.
- Develop an incident response plan that identifies, contains, notifies and resolves the incident.
- Expire credentials that may have been compromised.
- Understand where infected users have system access.
- Work with your financial institution to block and alert on irregular activity such as large transfers of funds.
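The subject-line tagging recommended above (marking outside mail with [External], and calling out mail whose display name borrows an executive's name from an outside address with [Not from the CEO!]) is simple enough to show in code. The following Python is an added illustration, not code from the column or from Brown Smith Wallace; the internal domain `example.com`, the executive name "Jane Doe", the function names and the sample messages are all constructed for the example. It parses the From and Subject headers of a raw message, treats any sender whose domain is not an exact match for the organization's own as external, and prepends the appropriate tag without double-tagging mail that passes through twice.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed for this example: the domains this organization sends mail from,
# and the display names of executives that wire-fraud phishing typically borrows.
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVE_DISPLAY_NAMES = {"jane doe"}

EXTERNAL_TAG = "[External]"
IMPERSONATION_TAG = "[Not from the CEO!]"


def sender_details(raw_message):
    """Return (display_name, sender_domain, subject) from a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From") or ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name.strip().lower(), domain, str(msg.get("Subject") or "")


def classify(raw_message):
    """Flag whether the message is external and whether its display name
    matches an executive while the address is outside the organization."""
    name, domain, subject = sender_details(raw_message)
    # Exact-domain match only: "example.com.attacker.test" or a missing
    # From header is treated as external, never as internal by accident.
    external = domain not in INTERNAL_DOMAINS
    impersonation = external and name in EXECUTIVE_DISPLAY_NAMES
    return {"external": external, "impersonation": impersonation, "subject": subject}


def tag_subject(raw_message):
    """Return the subject with the warning tag prepended. Internal mail is
    returned unchanged; mail that already carries the tag is not tagged again."""
    info = classify(raw_message)
    subject = info["subject"]
    if info["impersonation"]:
        tag = IMPERSONATION_TAG
    elif info["external"]:
        tag = EXTERNAL_TAG
    else:
        return subject
    if subject.startswith(tag):
        return subject
    return f"{tag} {subject}".rstrip()


# Constructed sample messages (CRLF line endings as delivered over SMTP).
SAMPLE_EXEC_SPOOF = (
    "From: Jane Doe <jane.doe@mail-example.net>\r\n"
    "To: accounts@example.com\r\n"
    "Subject: Urgent wire transfer\r\n"
    "\r\n"
    "Please process the attached wire today.\r\n"
)
SAMPLE_INTERNAL = (
    "From: Jane Doe <jane.doe@example.com>\r\n"
    "To: staff@example.com\r\n"
    "Subject: Team lunch\r\n"
    "\r\n"
    "Lunch on Friday?\r\n"
)
SAMPLE_VENDOR = (
    "From: Vendor Billing <billing@vendor-example.org>\r\n"
    "To: accounts@example.com\r\n"
    "Subject: Invoice 1042\r\n"
    "\r\n"
    "Invoice attached.\r\n"
)
SAMPLE_ALREADY_TAGGED = (
    "From: Vendor Billing <billing@vendor-example.org>\r\n"
    "To: accounts@example.com\r\n"
    "Subject: [External] Invoice 1042\r\n"
    "\r\n"
    "Invoice attached.\r\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_EXEC_SPOOF, SAMPLE_INTERNAL, SAMPLE_VENDOR, SAMPLE_ALREADY_TAGGED):
        print(tag_subject(raw))
```

In production this logic lives in the mail gateway's transport rules rather than in a script, and the display-name check should be read as one signal among several: it catches the plain case of an outside address using an executive's name, which is the scenario the wire-transfer item above is guarding against, but it does not replace the out-of-band confirmation step for large transfers.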
If you are not sure what records to include in your policy, it’s worth the investment to establish a specific records retention policy.