From the Risk Engineering Team: Wishing for Less Phishing

by | Dec 14, 2021 | Cyber Risk

This holiday season we’re wishing for less phishing.

As the holidays approach it is important for organizations to stay sharp and keep their employees alert for phishing attacks. The FBI reports that holidays routinely see a spike in phishing attempts and that phishing continues to be one of the most effective attack vectors for bad actors. Phishing attacks require low effort to compromise an account and oftentimes lead to high reward from deploying ransomware, extracting confidential data, and obtaining stolen credentials. According to a 2021 Coveware report, phishing accounted for over 30% of ransomware attacks this year.

During this time of year, organizations are overburdened with year-end targets and goals, and people are planning to take time off to spend with their families and recharge for the new year. The last thing they are thinking about is a cyberattack. While people take off for the holidays, it’s important to remember cybercriminals don’t. Social engineering and phishing are the most frequent attack techniques used against organizations and these are the attack vectors that tend to see an uptick during the holiday season.

Increased migration to cloud services, widespread adoption of mobile devices, and the expansion of the internet of things (IoT) have made businesses more vulnerable than ever before. Organization leaders and security professionals should follow best practices to avoid falling victim to phishing attacks and deploy year-round security awareness training for employees.

Best practices to help organizations prevent phishing attempts include:

  1. Enforce flexible access policies
    a) Introducing standardized methods of system access ensures that even if an employee's account is compromised, core systems will not be. This extra layer of insulation significantly reduces the chance of a successful attack. Implement policies for each application so that access is granted only after the user’s role, location, network, and the trustworthiness of the device have been taken into account.
    b) A good approach to enforcing these policies is to understand a user’s role in the organization and what level of access they need to do their job, following a “need-to-know” principle. This principle dictates that a user should have access only to the resources they need to carry out their work responsibilities. If they don’t need access to sensitive data, they shouldn’t have access to the application storing that information.
  2. Create a continuous security awareness culture
    Security awareness training shouldn’t be a one-time training or yearly box for employees to check. Instead, it should be a year-round continuous process where employees are constantly learning to identify phishing attempts and security best practices. This becomes even more relevant today since cybercriminals are cleverly designing phishing emails to trick the recipient into believing the message is legitimate. A security awareness training program with phishing simulations is bundled with Cowbell’s cyber insurance policies.
  3. Multi-Factor Authentication
    Microsoft estimates that 99.9% of ransomware attacks could have been prevented with MFA. With phishing attempts surging in volume and sophistication, introducing MFA organization-wide has become essential. Check out Cowbell’s list of commonly used services that offer MFA.
  4. Stop threats before they reach your inbox
    Cloud-based email protection defends against email-focused attacks, the number one vector for phishing attempts, by blocking or quarantining suspicious emails.
    I) If your organization uses any edition of Microsoft Office 365 that includes Exchange Online, you can enable protection for inbound email. Each message passes through connection filtering and is checked for spam and malicious attachments; suspicious messages are quarantined for inspection by an admin.
    II) Google Workspace administrators can protect incoming email against phishing and malware. By default, Gmail displays a warning and moves untrustworthy messages to spam, but you can also tailor the settings so that such messages are quarantined separately before they reach a user’s inbox.
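To make item 1 concrete, here is an added example (not Cowbell's code or any vendor's product) of a small context-aware access policy evaluator. Each application has a hypothetical policy naming the roles that need it, the countries and networks it may be reached from, and the minimum device trust it requires; all four signals are checked before access is granted, so a phished password on its own does not open a core system. The application names, roles and trust levels are constructed for the example.

```python
"""Added example (not Cowbell's code): role- and context-based access policy
evaluation as described in item 1. All policies and requests are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class AppPolicy:
    allowed_roles: frozenset       # need-to-know: roles that need this app
    allowed_countries: frozenset   # locations the app may be used from
    allowed_networks: frozenset    # e.g. "corp", "vpn", "internet"
    min_device_trust: int          # 0 = unknown, 1 = registered, 2 = managed and compliant


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    country: str
    network: str
    device_trust: int


def evaluate(policy: AppPolicy, req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (granted, reasons). Every failing check is recorded so a denial
    can be logged and investigated rather than silently refused."""
    reasons = []
    if req.role not in policy.allowed_roles:
        reasons.append(f"role {req.role!r} has no need-to-know for this app")
    if req.country not in policy.allowed_countries:
        reasons.append(f"location {req.country!r} not permitted")
    if req.network not in policy.allowed_networks:
        reasons.append(f"network {req.network!r} not permitted")
    if req.device_trust < policy.min_device_trust:
        reasons.append(
            f"device trust {req.device_trust} below required {policy.min_device_trust}"
        )
    return (not reasons, reasons)


# Constructed sample policies for two hypothetical applications.
POLICIES = {
    # Payroll holds sensitive data: finance/HR only, US only, corporate
    # network or VPN only, and a managed, compliant device.
    "payroll": AppPolicy(
        frozenset({"finance", "hr"}), frozenset({"US"}),
        frozenset({"corp", "vpn"}), 2,
    ),
    # The internal wiki is low-sensitivity: most roles, several countries,
    # any network, any registered device.
    "wiki": AppPolicy(
        frozenset({"finance", "hr", "engineering", "sales"}),
        frozenset({"US", "CA", "GB"}),
        frozenset({"corp", "vpn", "internet"}), 1,
    ),
}


def decide(app: str, req: AccessRequest) -> tuple[bool, list[str]]:
    """Look up the application's policy; unknown applications are denied."""
    policy = POLICIES.get(app)
    if policy is None:
        return (False, [f"no policy defined for {app!r}; default deny"])
    return evaluate(policy, req)


if __name__ == "__main__":
    legit = AccessRequest("alice", "finance", "US", "corp", 2)
    # Same account, but used from an unfamiliar country, the open internet
    # and an unknown device, which is what a phished credential looks like.
    suspicious = AccessRequest("alice", "finance", "FR", "internet", 0)
    for label, req in (("legitimate", legit), ("suspicious", suspicious)):
        granted, reasons = decide("payroll", req)
        print(label, "->", "granted" if granted else "denied", reasons)
```

The point of returning every failing reason rather than the first is operational: a denial carrying "location not permitted" plus "device trust 0" for a finance account is a signal worth routing to the security team, because the password was probably already phished.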
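To illustrate the inbound pipeline item 4 describes, the following is an added example and not code from Cowbell, Microsoft or Google: a minimal model in which a connection filter rejects mail from blocked sending hosts, a content check then looks for spam phrasing, failed sender authentication and risky attachments, and anything suspicious is held in a quarantine queue for an administrator instead of being delivered. The blocklist, phrase list, extension list and sample messages are all constructed for the example.

```python
"""Added example (not vendor code): a two-stage inbound mail filter with an
admin quarantine queue, modelled on the flow described in item 4.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    DELIVER = "deliver"
    QUARANTINE = "quarantine"
    REJECT = "reject"


@dataclass
class Message:
    sender_ip: str
    from_addr: str
    subject: str
    spf: str            # result of the receiver's own SPF check: pass / fail / none
    dkim: str           # result of the receiver's own DKIM check
    attachments: list[str] = field(default_factory=list)


# Constructed connection-level blocklist; a real gateway feeds this from
# reputation data.
BLOCKED_SENDER_IPS = {"203.0.113.7"}
# Attachment types held for review rather than delivered.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso"}
# Constructed spam phrases typical of credential-harvesting subjects.
SPAM_PHRASES = ("act now", "verify your account", "password will expire")


def connection_filter(msg: Message) -> Verdict | None:
    """Stage 1: reject before content is inspected when the host is blocked."""
    if msg.sender_ip in BLOCKED_SENDER_IPS:
        return Verdict.REJECT
    return None


def content_filter(msg: Message) -> tuple[Verdict, list[str]]:
    """Stage 2: collect every suspicious signal; any signal means quarantine."""
    reasons = []
    if msg.spf == "fail" or msg.dkim == "fail":
        reasons.append("sender authentication failed")
    subject = msg.subject.lower()
    if any(phrase in subject for phrase in SPAM_PHRASES):
        reasons.append("spam phrasing in subject")
    for name in msg.attachments:
        lower = name.lower()
        # Use the final extension, so "invoice.pdf.exe" is treated as .exe.
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment {name!r}")
    return (Verdict.QUARANTINE if reasons else Verdict.DELIVER, reasons)


def process_inbound(msg: Message, quarantine: list) -> Verdict:
    """Run both stages; quarantined mail is appended with its reasons so an
    admin can review it before anything reaches a user's inbox."""
    verdict = connection_filter(msg)
    if verdict is not None:
        return verdict
    verdict, reasons = content_filter(msg)
    if verdict is Verdict.QUARANTINE:
        quarantine.append((msg, reasons))
    return verdict


if __name__ == "__main__":
    # Constructed sample traffic.
    samples = [
        Message("203.0.113.7", "news@example.net", "Hello", "pass", "pass"),
        Message("198.51.100.4", "team@example.com", "Q4 plan", "pass", "pass", ["plan.pdf"]),
        Message("198.51.100.9", "it@example.com", "Your password will expire",
                "fail", "none", ["reset.pdf.exe"]),
    ]
    queue: list = []
    for m in samples:
        print(m.from_addr, "->", process_inbound(m, queue).value)
    for m, why in queue:
        print("quarantined:", m.subject, why)
```

Separating the connection stage from the content stage mirrors how the hosted services in items I and II are described: mail from a blocked host is dropped cheaply, while messages that pass are inspected and, if suspicious, parked where an admin can release or discard them.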

While we’re wishing for less phishing, we’re not holding our breath.

If the trend continues, 2022 will see even more phishing attempts than 2021. All organizations should take steps to make themselves more cyber resilient, including instituting prevention best practices and purchasing standalone cyber insurance.

Cowbell is focused on providing a closed-loop risk management experience and enabling businesses to understand their cyber risk and be proactive about addressing it. Additionally, Cowbell Cyber policyholders get access to cybersecurity awareness training that helps employees avoid common phishing attacks and keep their organization safe.

Stay Safe,

Cowbell Risk Engineering Team
