IBM Security’s “Cost of a Data Breach 2021” tells a sad tale: data breaches cost companies $4.24 million per incident on average, the highest cost in the 17-year history of the report. Security incidents became more costly (10 percent more than last year) and more difficult to contain due to drastic operational shifts during the pandemic. When remote workers were involved, data breaches ended up costing companies $4.96 million (nearly 15 percent more than the average breach). There is more: the average time to detect and contain a data breach was 287 days (212 to detect, 75 to contain), one week longer than the previous year’s figure. One more thing: compromised user credentials were the most common entry point used by attackers. According to Verizon’s “2020 Data Breach Investigations Report”, credentials were by far the most common attribute compromised in phishing breaches. Things did not improve in 2021: Verizon’s “2021 Data Breach Investigations Report” found that phishing attacks increased by 11 percent from the previous year, driven by increased remote working. But what exactly is phishing? What can organizations do to address the issue?
What is phishing?
Phishing is a cybercrime in which scammers try to lure sensitive information or data from people by disguising themselves as a trustworthy source. For example, an email may appear to come from a trusted bank with a warning that the account will be frozen unless it is verified; in reality, this is a scam attempting to get the recipient to enter personal information and account details. The message did not come from the bank but from cybercriminals trying to compromise the recipient’s security. Banks would never email customers requesting this type of information.
Another example may be in the form of an urgent phishing email warning that the account will be shut down and access to messages will cease unless a link is clicked on to resolve the situation. This is the scammer trying to capture personal information or install malware or adware. By malware, I mean any type of malicious software designed to harm or exploit any programmable device, service or network in order to extract data that cybercriminals can leverage over victims for financial gain. There are several kinds of malware, some of which include viruses, scareware, spyware, and ransomware. By adware, I mean software that hijacks a browser or other parts of a system in order to blast someone with unwanted ads.
But email is just one channel: phishing can also be done through the good old-fashioned phone call (known as vishing) or text message (known as smishing). There are several types of phishing; the main ones include:
- Email phishing: impersonating legitimate companies and trying to steal personal information
- Spear phishing: more personalized email messages that seem to come from individuals that the person knows
- Clone phishing: replicating a received email, but adding a dangerous attachment or link
- Whaling: targeting high ranking executives to gain access to sensitive data or money
- Pop-up phishing: tricking users into installing malware
How can someone know that phishing is taking place? If things seem too good to be true, they usually are. If there are strange graphics or spelling and grammatical errors, that is a sign. And if there are urgent messages with deadlines or suspicious attachments and hyperlinks—especially from senders who are not recognized—those are red flags. If the message (or the page it is linking to) seems a bit off, it likely is.
But some are particularly deceptive—some spear phishing emails may target a company employee, appearing to come from a manager or a coworker. The email may request access to sensitive company information, and if the target provides the information, there could be a consequent data breach.
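The red flags above (an unrecognised sender, urgent wording with a deadline, a link whose visible text does not match where it really points, risky attachments) can be turned into a simple triage check for a security team's mail review. The following is an added example, not code from the original post; the two sample messages and the allowlist of recognised sender domains are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed samples for illustration (not real messages or domains).
PHISH = """\
From: "Example Bank Security" <alerts@examp1e-bank-verify.example>
To: user@example.org
Subject: URGENT: your account will be frozen within 24 hours
Content-Type: text/html

<p>Verify your account immediately or it will be frozen.</p>
<a href="http://198.51.100.7/login">https://www.example-bank.example/verify</a>
"""

LEGIT = """\
From: "Example Bank" <notices@example-bank.example>
To: user@example.org
Subject: Your monthly statement is available
Content-Type: text/html

<p>Your statement is ready.</p>
<a href="https://www.example-bank.example/statements">View statement</a>
"""

TRUSTED_DOMAINS = {"example-bank.example"}  # assumed allowlist of recognised senders
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ hours|frozen|suspended|shut down)\b", re.I)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
RISKY_EXT = (".exe", ".js", ".scr", ".html", ".zip", ".iso")

def phishing_flags(raw: str) -> list[str]:
    """Return a list of red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    addr = (msg["From"].addresses[0].addr_spec if msg["From"] else "").lower()
    domain = addr.rsplit("@", 1)[-1]
    if domain not in TRUSTED_DOMAINS:               # sender not recognised
        flags.append(f"sender domain not recognised: {domain}")
    if URGENCY.search(msg["Subject"] or ""):         # deadline / pressure in subject
        flags.append("urgent wording in subject")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if URGENCY.search(re.sub(r"<[^>]+>", " ", text)):  # pressure in body, tags stripped
        flags.append("urgent wording in body")
    for href, label in ANCHOR.findall(text):        # visible URL vs real target
        if re.match(r"https?://", label.strip()) and not href.startswith(label.strip()):
            flags.append(f"link text {label.strip()} points at {href}")
    for part in msg.iter_attachments():             # executable-style attachments
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            flags.append(f"risky attachment: {name}")
    return flags
```

A message with no flags is not proof of legitimacy; the check is a screening aid that surfaces the same signals the text asks readers to look for.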
What can organizations do to address phishing?
First and foremost, organizations should educate everyone who works in the organization, whether employees, contractors, suppliers, or support workers such as IT support staff who have access to the organization’s sensitive information. Many workers may simply be unaware or make mistakes, and training minimizes both.
When training workers, there are several strategies that can be utilized, including: inviting experts to come and emphasize the importance of not falling victim to phishing and using strong passwords; providing real-life examples using simulations; having interactive videos and games; and listening to the Office of the Information and Privacy Commissioner of Ontario’s podcast about not falling for phishing. The organization should start this training at the beginning of the working relationship and regularly provide updated training throughout the working relationship.
Another necessary strategy is to properly protect the organization’s systems. It is worth looking at the various options to see what is most appropriate for the organization, whether antivirus protection, malware removal and protection, or ransomware protection.
And given that we now live in a world with remote work, organizations should read the documents entitled “Cyber Security Tips for Remote Work” and “Best Practices for Passphrases and Passwords” by the Canadian Centre for Cyber Security. The information in these documents can be used when creating an organization’s cybersecurity training program for its workers. Lastly, the Canadian Centre for Cyber Security also has a list of actions to take after accidental interaction with a malicious email in “Spotting Malicious Email Messages”.