Mid-market CEOs: avoiding phishing scams
Graeme Freeman
Fractional CTO, Fractional CIO. Fractional CISO, Co-founder & Director of Strategic Partnerships - Freeman Clarke UK, Co-founder & President - Freeman Clarke US
As you know, phishing is a form of fraud where criminals get in touch – usually via email – pretending to be from a reputable business, colleague, or friend. Their aim is to trick you into providing sensitive information like bank account numbers or a password, or to tempt you to inadvertently download malware like ransomware.
Phishing is incredibly common. Some experts estimate that more than 90% of cyber attacks start with a phishing email, leading perhaps to billions of lost dollars – not to mention the reputational hit to a business.
Incidents are underreported, and there is effectively no official protection or law enforcement. Unfortunately, technical solutions are only partially effective.
So the message for cyber criminals – many of them state-sponsored – is clear: send out enough phishing emails and someone will bite. They’re doing great business and operating with near impunity.
But we take the CEO’s perspective, which is how to protect your business and its data. From that point of view, the question is: ‘Why do people keep falling for it?’
Here are the most common reasons and what to do about them.
People don’t fall for phishing scams because they’re thick. They fall for scams because they are busy or distracted and nobody ever told them what to look out for – there are no guidelines for releasing information, or verifying identity, or even whom to go to with questions or problems.
A good CISO, however, will teach staff how to know when somebody is trying to electronically pick their pocket. A CISO will lay on training, lift awareness of the threat, and create security protocols. They will also create an atmosphere of honesty, where staff who make a blunder will report it immediately rather than try to cover it up.
Often in a mid-market business, staff will wear many hats. Whilst this makes for an interesting job, perhaps it’s time to remove a hat or two. Who has access to your bank accounts and credit cards? Is it entirely necessary that they do? Everyone in your business should follow the principle of least privilege, where they only have access to the information required to do their jobs.
So in the event of a breach, the criminals will be confined, rather than have free rein.
The above precautions will be meaningless unless staff understand that security is a never-ending process. The best CIOs, CTOs, and CISOs will update staff on new threats as they develop and see that training is not one-and-done but periodic. They’ll establish an understanding of the potential risks and ensure the level of spend and planning are appropriate.
They’ll see that the business gets accreditation like Cyber Essentials+ and that everyone, right up to the CEO, feels invested in the security of the company.
And they’ll ensure that, in the event of a disaster, there are effective plans, an effective response, and the impact is managed and minimized.
Unfortunately, there is every indication that phishing attempts will only become more sophisticated and numerous. The good news is that Freeman Clarke CIOs, CTOs, and CISOs have deep experience in helping mid-market businesses stay secure and grow.
If you’ve got questions about cyber security – or anything else IT related – remember, we’re always up for a no-strings, no-pressure chat.
Most cyber attacks and data breaches happen to mid-market businesses. Find out the risk to your business with a free, no-strings expert discussion.
Strategic Head of IT | Commercially Aware and Business Focused | Transformative Leadership in Technology Optimization, Innovation, and Cybersecurity | Driving Operational Excellence and Digital Transformation
8 months
Setting up your e-mail as Eiren O'Keeffe describes is critical, and training and security awareness will help, but from practical experience we know busy people make mistakes. They don’t do it deliberately and they often know better; how many InfoSec professionals have been caught out over the years? With the increasing sophistication of these scams, is it sensible to ask busy people to be the business’s last line of defence? People need a technical solution that will check Paul Larner’s RED and a variety of other parameters for them in the background and quarantine anything high risk. At Real Places Ltd we implemented Abnormal Security and it proved to be a game changer. From a CEO’s perspective, he needs confidence that the technology risks are being managed within his risk appetite, and removing malicious emails before people have the ability to click on a link by mistake goes a long way towards that.
Fractional CIO / CTO / CISO / IT Director, Certified CISO, Oxford AI certified, CIO100 2021 award-winner
8 months
Great post, Graeme. I always implement KnowBe4 at my clients to provide ongoing phishing training to all the staff. I also try to educate everyone to look for danger in emails:
R - REPUTABLE - Does the email appear to come from a reputable source (your bank, HMRC)?
E - EMOTION - Does the email evoke an emotional response (you've won - or lost - something)?
D - DO - Does the email ask you to do something? Click on a link, open an attachment?
If all these are true, think RED alert for danger!
Digital Transformation Leader | Strategic Technology & Innovation Driving Business Growth | Cat Surfing Instructor | [email protected]
8 months
Many businesses make it easy to perpetrate these crimes by failing to implement basic protection for their email, such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC). So many businesses come through with "Unverified" email or, even when verified, have only done the basics for verification yet lack the additional configuration to reject spoofing attempts. This allows fraudsters to, often successfully, spoof *internal emails* and redirect or authorise payments, not to mention mailman-in-the-middle attacks impersonating internal accounts, which happen far more often than is reported. We also have the added wrinkle brought on by deepfake technology and the lack of effective first-line defences for verification of "who" we are speaking with, which makes it easy with off-the-shelf deepfake technology to impersonate someone, or, as seen recently, a whole bunch of someones on a video call to coax a multimillion-pound payment to a fraudulent account. First principles and security are often a secondary consideration.
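A small checker for the gap this comment describes, added here as an example (it is not the commenter's code or any vendor's tool): it reads a domain's SPF and DMARC policy strings and reports settings that are published but still do not tell receiving mail servers to reject spoofed mail. The record strings are constructed samples for a fictitious domain; a real check would fetch the TXT records from DNS first.

```python
import re

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=none; rua=...' into a dict of lowercase tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_domain(spf, dmarc):
    """Return the weaknesses in SPF/DMARC; an empty list means spoofed mail is rejected."""
    findings = []
    # SPF: the qualifier on the terminal 'all' decides the fate of unlisted senders.
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record published")
    else:
        m = re.search(r"(^|\s)([-~?+]?)all(\s|$)", spf.lower())
        qual = m.group(2) if m else None
        if qual is None:
            findings.append("SPF: no terminal 'all' mechanism (redirect= not followed here)")
        elif qual in ("+", ""):
            findings.append("SPF: '+all' authorises every sender on the internet")
        elif qual in ("~", "?"):
            findings.append(f"SPF: '{qual}all' is softfail/neutral, spoofed mail is not rejected")
    # DMARC: only p=reject (and sp=reject for subdomains) actually blocks spoofing.
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        findings.append("DMARC: no record published")
        return findings
    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"DMARC: p={policy or 'missing'}, failing mail is not rejected")
    sub = tags.get("sp", policy).lower()
    if sub != "reject":
        findings.append(f"DMARC: sp={sub}, mail from subdomains can still be spoofed")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']}, policy applies to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so spoofing attempts go unreported")
    return findings
# Constructed sample records for a fictitious domain, not live DNS answers.
BASICS_ONLY = ("v=spf1 include:_spf.mailer.invalid ~all",
               "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid")
HARDENED = ("v=spf1 include:_spf.mailer.invalid -all",
            "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.invalid")
if __name__ == "__main__":
    for label, (spf, dmarc) in (("basics only", BASICS_ONLY), ("hardened", HARDENED)):
        print(label + ":", assess_domain(spf, dmarc) or ["OK, spoofed mail rejected"])
```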
Next Trend Realty LLC./wwwHar.com/Chester-Swanson/agent_cbswan
8 months
Thanks for sharing.