The 6 most effective tips to prevent a (new) phishing attack on your business
Even before your company is phished, you need to take action. What steps should you take and how can you prevent this from happening (again)? Phishing expert Arnout Van de Meulebroucke provides six tips.
Dealing with information correctly and securely is not only necessary for every organization, it is also mandatory. A lack of information security can lead to serious consequences such as data breaches or phishing attacks. With an ISO certificate, a company shows that it complies with certain international standards. ISO 27001 is an example of such a standard regarding cybersecurity. The conditions listed in it help organizations avoid major risks.
What is ISO certification and what does it entail?
ISO stands for International Organization for Standardization. This is an organization that develops and publishes international standards, which we call ISO norms. ISO 27001 means that an organization correctly manages the confidentiality, availability and integrity of all its data. Through a list of requirements, the standard shows how to handle this in the best way.
Why ISO 27001 certification is important
A crucial condition for being ISO 27001 compliant is to build a strong Information Security Management System (ISMS). Among other things, the standard requires that you use such an ISMS to systematically investigate and track what information security risks, such as poorly secured accounts, exist for your company.
In addition, an ISMS must help avoid those risks. An important part of that is anti-phishing training: after all, that is how you create security awareness among your employees and prevent dangers. All of this contributes to an even more efficient ISMS. ISO 27001 also means that an organization regularly evaluates and adjusts its information security.
How do you become ISO 27001 compliant?
ISO 27001 certification is therefore a real asset for any organization. To obtain it, a company needs to go through the following steps:
- Buy and read the ISO 27001 standard; it contains all the requirements you need to meet for certification.
- Risk assessment: identify all possible information security risks. Baseline measurement testing through phishing simulations from Phished can help with this.
- Risk treatment plan: draw up a suitable plan with appropriate measures for each risk.
- Draw up a statement of applicability. This is a document in which you record which actions from the catalogue of security measures in ISO 27001 apply to your organization.
- Make an overall analysis. This brings together steps 2, 3 and 4. Record how you will deal with unexpected incidents and what you will do if an information security risk has materialized.
- Draw up an information security policy, including the Information Security Management System (ISMS), of which anti-phishing training is an essential part.
Then an independent party will visit your company and conduct an audit. If you pass, you will receive an ISO certificate for three years.
How can Phished help you?
Besides the fact that Phished stores its application servers and data in Google datacentres that are ISO 27001 and ISO 27017 compliant, we can help other companies to obtain such a certificate. As mentioned above, the ISO standard requires the organization to investigate possible information security risks.
Phished offers baseline measurement testing through phishing simulations, giving you an overview of possible weak spots. In order to be ISO 27001 compliant, you must also know how to tackle those risks correctly. Via our anti-phishing training, employees can learn how to recognize and deal with all kinds of cyber threats. The Phished Academy also contributes to achieving the ISO standard for permanent training on information security. This way you can quickly frame that ISO certificate and hang it on the wall.
Why should you be afraid of a (new) phishing attack?
Prevention is better than cure: it's a nice saying. The average cost of a major hack today is around four million dollars, depending on which cyber threat intelligence source you consult. Moreover, 90% of all hacks are the result of human error, often a successful phishing attack. These are figures that do not exactly make one optimistic.
However, sometimes the inevitable happens and you have no choice but to try and limit the damage, bear the consequences and finally prevent such incidents from ever happening again. But first, you need to clean up the mess.
6 effective ways to prevent phishing attacks
1. Limit (possible) consequences
Your first step should always be to try and limit the possible consequences. And that can be a pretty big undertaking: anti-ransomware, anti-malware, antivirus and other software help prevent major problems, of course, but once a hacker manages to penetrate your defences, the consequences (and the costs) can be considerable. Technical means therefore only help to a certain extent.
If you've already been hacked, limit the damage: restore backups, clean up the network and look for any 'rubbish' that hackers can use to attack again. After all, there's no point in spending money on remediation if you run the risk of encountering the same problem again next week.
We see that companies are usually very quick to react (fortunately), but the sad truth is that they usually react by running exercises they should have done much earlier. It is only after a major leak that they ask themselves how they can strengthen their weakest link, which is their people. If you haven't done so already, now is the time.
2. Read up on relevant rules
At the same time as limiting the potential damage, however, you must follow the rules. Since the introduction of the GDPR, and of various regulations since, an organisation is obliged to inform the necessary authorities of the extent of the problems, what they will do about it and what they already did to avoid such problems.
This last step plays into the size of the sanction an organisation may face when that authority judges that mistakes have been made. If you have already invested in training for your employees to deal with and prevent cyber risks, don't forget to mention it! In addition, you also need to inform customers and partners if their data has (possibly) been stolen.
3. Looking ahead: phishing prevention
After mitigating consequences, it is time to look ahead: what steps can you take to prevent this from happening in the future? The first step, of course, is to train your people. Assuming that the technical side is in place, it may be time to strengthen the human side by providing them with the necessary tools and guidance.
The time when technical means were sufficient to protect an organisation is long gone. Today, it is necessary to bring the knowledge and behaviour of employees up to the same level as the technological tools. Only then will a company be fully protected against increasingly complex threats.
4. Prevent overconfidence
Police commissioner Stijn De Ridder confirms something we at Phished have known for a long time: everyone is vulnerable when it comes to phishing. As he puts it:
"On the one hand, I find myself thinking 'how is it possible they still fall for this?', but on the other hand I can't deny that a lot of phishing campaigns are made very professionally, and that criminals do more than simply adding a fraudulent link for their victims to click on. They're often in possession of leaked data, 'leads', which help them to carefully prepare their attack according to their specific victim. Then they approach them by phone, present themselves as a bank employee, after which they succeed in plundering entire bank accounts. When I read these stories, I sometimes do think 'this could potentially happen to me.'"
Or, to put it more sharply: "CEOs claiming never to have fallen victim to a cyberattack, are simply not aware of it."
Find the entire interview with police commissioner De Ridder below.
5. If you want your people to be ready, give them the necessary tools
Since the COVID-19 pandemic, employees have found their remote working toolbox significantly expanded. From one day to the next, they had to learn not only how to navigate their jobs in a completely different way, but also how to execute them with new tools. Those tools made it possible to work from home, but often employees did not receive the necessary guidance or training to use them safely.
People might be opening back doors without meaning to; they might be bringing threats onto the company network without even being aware of it. Or, as Sabine van Hoijweghen from Secutec pointed out: "People who don't use their computers as an integral part of their job are often a lot more vulnerable and so need extra training."
Interested in IT security from an MSP's point of view? Find our interview with Van Hoijweghen below.
6. Brush up on your knowledge and skills
General knowledge of cybersecurity topics is at an all-time high, yet people seem to have more trouble than ever actually fighting off threats. On the one hand, the sheer volume of cyberattacks makes it difficult to ward off every single attempt, but on the other hand, something else is at play: knowing does not equal recognising.
The Phishing Paradox means that while more people than ever know about the phenomenon, they still don't always know how to recognise it. To become safe against phishing (and other cyber threats), one needs to actively engage with the topic, train and become better versed in the subject.
And that's the case for everything. Cyber experts often claim that companies today aren't ready for what will await them in five years, but I dare say that they still aren't ready for threats from five years ago. It's high time that people straighten up their knowledge, brush up on their skills and start addressing their weak spots. In order to be ready for the future, you have to be ready to meet today's challenges first.
Find more insight on today's threats in the video below.
How can Phished help you with phishing prevention?
In order to minimise threats as quickly and efficiently as possible, people need to be trained as regularly as possible. Research has already shown that cybersecurity training loses its impact after one month, and that after six months everything is completely forgotten. That is why it is important to keep people on their toes. Phished does this through short, automated and personalised training.
Our phishing simulations teach recipients the correct reflexes, while the Phished Academy provides insight into the importance, recognition and handling of threats in just a few minutes, as well as offering hundreds of other tips on a wide range of cybersecurity issues. Finally, Phished ensures that people are committed to their organisation's cybersecurity strategy. Employees who are motivated and prepared make for a much better protected organisation.
Try it for free
Fortunately, you don't have to take our word for it: see for yourself during a live demo.
Try it and you'll see how easy it is to comply with the basics of cybersecurity: training your people to become fully fledged cybersecurity experts.