17 August 2021 / Elaboration

The 6 most effective tips to prevent a (new) phishing attack on your business

Even before your company is phished, you need to take action. What steps should you take and how can you prevent this from happening (again)? Phishing expert Arnout Van de Meulebroucke provides six tips.


Why should you be afraid of a (new) phishing attack?

Prevention is better than cure: it's a nice saying. The average cost of a major breach today is around four million dollars, depending on which cyber threat intelligence source you consult. Moreover, some 90% of all successful hacks start with human error, very often a successful phishing attack. These are not figures that make one optimistic.

However, sometimes the inevitable happens and you have no choice but to try and limit the damage, bear the consequences and finally prevent such incidents from ever happening again. But first, you need to clean up the mess.

6 effective ways to prevent phishing attacks

1. Limit (possible) consequences

Your first step should always be to try and limit the possible consequences. That can be a sizeable undertaking: anti-ransomware, anti-malware, antivirus and other tooling help prevent major problems, of course, but once an attacker has got past your defences, the consequences (and the costs) can be considerable. Technical means therefore only help up to a point.

If you have already been hacked, limit the damage: restore from backups (only from copies you have verified are clean and that predate the intrusion), clean up the network, reset any credentials the attacker may have captured, and look for anything the attacker left behind that could be used to get back in, such as extra accounts, forwarding rules in mailboxes or remote-access tools. After all, there is no point in spending money on remediation if you run the risk of encountering the same problem again next week.

We see that companies are usually very quick to react, fortunately, but the sad truth is that they usually react by running exercises they should have done much earlier. It is only after a major leak that they ask themselves how they can strengthen their weakest link: their people. If you haven't done so already, now is the time.


2. Read up on relevant rules

At the same time as limiting the damage, you must follow the rules. Since the introduction of the GDPR (and various regulations since), an organisation is obliged to notify the relevant authorities of a personal-data breach, under the GDPR within 72 hours of becoming aware of it where feasible, and to describe the extent of the problem, what it will do about it and also what it had already done to avoid such problems.

This last point plays into the size of the sanction an organisation may face if the authority judges that mistakes have been made. If you have already invested in training your employees to deal with and prevent cyber risks, don't forget to mention it. In addition, you also need to inform customers and partners if their data has (possibly) been stolen; under the GDPR, affected individuals must be notified without undue delay when the breach is likely to pose a high risk to them.

3. Looking ahead: phishing prevention

After mitigating the consequences, it is time to look ahead: what can you do to prevent this from happening again? The first step, of course, is to train your people. Assuming the technical side is in order, it is time to strengthen the human side by giving them the necessary tools and guidance.

The time when technical means alone were sufficient to protect an organisation is long gone. Today, the knowledge and behaviour of employees need to be brought up to the same level as the technological tools. Only then is a company properly protected against increasingly complex threats.

4. Prevent overconfidence

Police commissioner Stijn De Ridder confirms something we at Phished have known for a long time: everyone is vulnerable when it comes to phishing. As he puts it:

"On the one hand, I find myself thinking 'how is it possible they still fall for this?', but on the other hand I can't deny that a lot of phishing campaigns are made very professionally, that criminals do more than simply add a fraudulent link for their victims to click on. They're often in possession of leaked data, 'leads', which help them to carefully prepare their attack according to their specific victim. Then they approach them by phone, present themselves as a bank employee, after which they succeed in plundering entire bank accounts. When I read these stories, I sometimes do think 'this could potentially happen to me.'"

Or, to put it more sharply: "CEOs claiming never to have fallen victim to a cyberattack are simply not aware of it."

Find the entire interview with police commissioner De Ridder below.

5. If you want your people to be ready, give them the necessary tools

Since the COVID-19 pandemic, employees have found their remote-working toolbox significantly expanded. From one day to the next, they had to learn not only to do their jobs in a completely different way but also to use a new set of tools to do them. Those tools made it possible to work from home, but employees often did not receive the guidance or training to use them safely.

People may be opening back doors without meaning to and bringing threats onto the company network without even being aware of it. Or, as Sabine van Hoijweghen from Secutec pointed out: "People who don't use their computers as an integral part of their job are often a lot more vulnerable and so need extra training."

Interested in IT security from an MSP's point of view? Find our interview with Van Hoijweghen below.

6. Brush up on your knowledge and skills

General knowledge of cybersecurity topics is at an all-time high, yet people seem to have more trouble than ever actually fighting off threats. On the one hand, the sheer volume of cyberattacks makes it difficult to ward off every single attempt; on the other hand, something else is at play: knowing is not the same as recognising.

The Phishing Paradox is that while more people than ever know about the phenomenon, they still don't always know how to recognise it. To become resilient against phishing, and other cyber threats, one needs to actively engage with the topic, train and become better versed in the subject.

And that is true across the board. Cyber experts often claim that companies today aren't ready for what awaits them in five years, but I would daresay that they still aren't ready for the threats of five years ago. It's high time that people straighten up their knowledge, brush up on their skills and start addressing their weak spots. In order to be ready for the future, you have to be ready to meet today's challenges first.

Find more insight on today's threats in the video below.

How can Phished help you with phishing prevention?

In order to minimise threats as quickly and efficiently as possible, people need to be trained as regularly as possible. Research has shown that the impact of cybersecurity training fades after one month and that after six months almost everything is forgotten, which is why it is important to keep people on their toes. Phished does this through short, automated and personalised training.

Our phishing simulations teach recipients the correct reflexes, while the Phished Academy provides insight into the importance, recognition and handling of threats in just a few minutes, as well as offering hundreds of other tips on a wide range of cybersecurity issues. Finally, Phished ensures that people are committed to their organisation's cybersecurity strategy. Employees who are motivated and prepared make for a much better protected organisation.

Try it for free

Fortunately, you don't have to take our word for it: Phished offers every organisation a free 14-day trial for up to 25 recipients, with no obligation to buy; you don't even have to share your payment details. A test is started in three easy steps: you create an account, you upload recipients (or we do that automatically for you!) and our platform does the rest.

Try it and you'll see how easy it is to cover the basics of cybersecurity: training your people to become fully fledged cybersecurity experts.
