Human error is the cause of a data breach within an organization in no less than 95% of cases. That is not surprising, because employees are on the front line when it comes to malware and virus attacks that arrive via phishing emails.
But before anyone clicks on a malicious link, in many cases something has already gone wrong in the organization's phishing prevention.
In this blog, we take you through the 5 most common mistakes made by organizations. In addition, we give tips on how you can prevent phishing attacks within your organization.
Mistake 1: The CISO and security department are trained on phishing, but the rest of the company is not
It is the responsibility of management and the security team to educate everyone in the organization about phishing. Only 1 in 5 companies has trained its employees to recognize a phishing attack. This despite the fact that in 95% of cases a person is responsible for a data breach (for example by clicking on a link).
As an organization, therefore, make sure that the entire company receives regular phishing training. Preferably in a classroom setting, so you can be sure that everyone actually gets the message. If this is not possible, make sure there is enough written and video material about phishing and that your employees really read it.
We have published some helpful blog posts that you can use to educate your employees:
Mistake 2: Emails arrive uncontrolled
Cybercriminals love email because it is the easiest route to the most important data within your company. A whopping 91% of cyber attacks start with an email, and 98% of organizations using Office 365 have phishing emails in their inboxes.
Yet there are still many companies that do not have email security in place, probably because they assume the spam filter protects them sufficiently. That assumption is wrong, because spam filters cannot recognize spear phishing attacks, for example. So make sure your company uses an email security solution like ours. More information about our easy-to-implement solution can be found here.
Mistake 3: Thinking phishing won't happen to you
Thinking a phishing attack won't happen to you is one of the biggest mistakes you can make. Every company holds data that is valuable to cybercriminals, and anyone in your organization can become a victim. So make sure you are not surprised by an attack, but prepare well. You can do this by drawing up an email security plan that combines several measures. You can find more information about this under Mistake 5.
Mistake 4: Ignoring phishing via other platforms
Although most phishing attacks are carried out via email, a third of IT and security professionals have seen an increase in phishing via other platforms in the past year. These include video conferencing platforms such as Microsoft Teams (44%), messaging platforms for employees such as Slack (40%), cloud-based file sharing platforms such as Google Drive (40%), and SMS (36%).
The training given within organizations often covers only phishing via email. So make sure your organization also prepares for phishing via other platforms.
Mistake 5: Implementing only 1 measure
It is not enough to train your employees on phishing once. The techniques change every day, and the places where attacks happen are also expanding (other platforms). In addition, you cannot rely on just a spam filter or an email security solution. You need a phishing attack plan today that takes multiple attack techniques into account. Your plan should, for example, include periodic phishing training, an alert function or a single place where all employees can forward suspected attacks, installing an email security solution, and making sure all your programs are always kept up to date.
Could you use some help creating a phishing attack plan? Or don't have an email security solution yet? Contact us through our website!