This is the latest installment of our Cybersecurity Awareness Month series of blog articles designed to give you helpful tips and best practices to keep your data safe from harm. Previous editions:
- How to Truly “See Yourself in Cyber”: Cybersecurity Awareness Month 2022
- Passwords Shouldn’t Be as Easy as 1-2-3-4
- 3 Steps to Ace Software Updates and Keep Your Information Secure
- 4 Steps to Implement MFA to Keep Your Data Safe
Unlike the leisurely activity you may enjoy on a cool Saturday morning, phishing – and its close cousin spear phishing – are two of the most targeted social engineering attacks individuals and organizations may encounter. Read on to learn about these two dangerous threats, whether the situation is getting any better, how we counteract phishing at AvePoint, and our tips to help prevent you from becoming a criminal’s catch of the day.
What is phishing and spear phishing?
Phishing: This is one of the most popular social engineering attack types. Phishing scams are email, text message (smishing), and voice call/voice message (vishing) campaigns aimed at creating a sense of urgency, curiosity, or fear in victims, which prods them to reveal sensitive information, click on links to malicious websites, or open attachments that contain malware.
Spear Phishing: This type of attack is a more targeted phishing scam in which the bad actors choose specific individuals or businesses. They tailor their messages based on characteristics, job positions, and contacts belonging to their victims to make their attacks less noticeable. Spear phishing is a more sophisticated form of phishing attack that can take weeks and months to pull off, is much harder to detect, and has a better success rate if done skillfully.
These attacks can have a negative impact on organizations, such as business and operational disruption, data exposure, reputational damage to the organization, and serious financial implications.
How bad is it?
Both the National Cybersecurity Alliance and the European Union Agency for Cybersecurity named phishing as one of their focus areas for Cybersecurity Awareness Month for a reason.
According to recent research:
- Fifteen billion spam emails make their way across the internet every day, meaning spam filters are already burning the candle at both ends – and we all know what happens when we burn the candle at both ends: we ultimately get burned.
- Last year, 83% of organizations reported experiencing phishing attacks, and this year an additional six billion attacks are expected to occur.
- In fact, one in 99 emails is a phishing attack – think about how many emails you receive in a day … it’s a lot more often than you may think.
How AvePoint Addresses Phishing for its People & Customers
I’m a member of AvePoint’s Privacy, Security, and Risk (PSR) team, which has a simple yet profound mission: To place safety at the heart of our customers and our people.
For our people, we conduct regular security awareness trainings, publish internal articles and social media posts with new tips that follow the evolving sophistication of social engineering, and routinely hold mock phishing exercises. You’ll notice that all of this is focused on awareness and education, which 84 percent of US-based organizations believe has lowered phishing failure rates.
When it comes to our systems and customers, we ensure that our security awareness training complies with the gold standards of privacy and security accreditations, including ISO 27001, GDPR, and CCPA. We also stay on top of the latest cybersecurity trends – like the rise in ransomware attacks, vendor risk, remote working, mobile cybersecurity, cloud security threats, and social media engineering attacks – and assess how they impact our systems.
11 Tips to Avoid Falling Victim to Phishing
How can you avoid being on the wrong end of a social engineering attack? Here are some best practices you can implement:
- Train employees to identify phishing attacks, e.g., avoiding clicking on malicious links and attachments.
- Conduct random mock phishing exercises.
- Implement Multi-Factor Authentication (MFA) on your organization’s critical applications and systems.
- Keep all systems and applications current with the latest security patches and updates.
- Deploy a web filter to block malicious websites.
- Encrypt all sensitive company data.
- Require that remote access to company data go through the company’s Virtual Private Network (VPN).
- Conduct regular user access reviews (UARs) on all critical systems and applications.
- Encourage employees to use a complex password/passphrase that is not used for other accounts, and to treat that password/passphrase as the keys to the kingdom.
- Regularly analyze and evaluate your internal security processes to make sure your applications and systems are not easily exploitable.
- Have a dedicated contact for employees to report any suspicious activity.
At AvePoint, that is our PSR team. We stand ready to ensure we live up to our mission to place safety at the hearts of our customers and people every day.
To learn more about how we embed trust as the core principle into our systems and people, visit the AvePoint Trust Center.