Security solutions for businesses are constantly improving, forcing cybercriminals to spend more time and money on breaking into corporate networks — and, increasingly, relying on social engineering. Exploiting the human factor and making use of readily available contact info (such as for HR and PR staff), crooks can extract login credentials from unsuspecting employees without having to worry about those ever-improving cybersecurity solutions.
Unfortunately, there is no magic bullet to protect companies from phishing; the problem requires both organizational and technical measures. Here’s how to implement such protection in practice.
Protect your mail server
Browsers and some e-mail clients have their own security filters, but cybercriminals have many techniques to bypass them. Some, for example, use e-mail marketing services.
Preventing phishing e-mails from reaching employees’ mailboxes at all is a strong starting point. Use a security solution at the mail gateway level such as Kaspersky Security for Mail Server, which not only checks links in incoming mail, but also detects threats in sent files.
Protect Microsoft Office 365 services
These days, instead of deploying their own mail servers, many companies use cloud services, primarily MS Office 365. Microsoft Office account data, which potentially gives attackers access to services such as OneDrive and SharePoint that may store confidential information and contact details, is a frequent and unsurprising target of phishing attacks. Even if an employee knows in theory that they need to check messages carefully, they might still click a link or forward a message to colleagues if they’re in a hurry.
Microsoft has its own, imperfect security technologies, which you can — and should — strengthen with additional layers of protection. For example, Kaspersky Security for Microsoft Office 365 prevents the spread of threats through Office services, guards against spam and phishing, and removes malicious attachments.
Train employees
Today’s cybercriminal bag of tricks includes malicious links hidden in e-mails, attached Trojans disguised as documents, misleading text messages and phone calls, and more. Phishing messages can even come from a hosting provider or a partner company if one of its employees’ accounts is compromised. Employees must be aware of these schemes and be able to spot suspicious e-mails.
Staff cybersecurity awareness training can come from your own IT department or outside experts. Additionally, online tools such as Kaspersky Automated Security Awareness Platform help employees learn in a convenient, on-the-job format.
Send test phishing e-mails
Testing employees by sending them relevant phishing e-mails enables — or forces — employees to apply their knowledge in practice and prepare for real incidents. Testing also highlights people and areas in need of improvement.
Provide contact info for someone who can help check suspicious e-mails
After basic cybersecurity training, employees will be able to spot most phishing e-mails by noting visual cues such as unknown sender address, wrong company logo, and typos. In some cases, however, determining whether a message is safe may require the help of an expert. Include your company’s best contact for evaluating suspicious messages in the onboarding guide and prominently on the corporate portal.
Protect workstations
Even experienced and sharp-eyed employees make mistakes. Phishing links may appear in an employee’s personal e-mail or come in through a messaging app — channels your security systems do not control. Therefore, installing a security solution on every Internet-connected workstation is crucial. That way, even if a phishing link reaches the target and gets clicked, the redirect will be blocked.
Protect mobile devices
Employees use smartphones to view mail and financial documents, and they chat in messaging apps. Mobile devices have always posed a threat to corporate security, and do so even more in this era of mass remote work. To thwart phishing attacks on mobile devices, secure those devices as well, with Kaspersky Endpoint Security for Business, which protects both workstations and mobile phones.
Stay ahead of criminals
Phishers are forever coming up with new schemes, such that even the savviest pro might one day unwittingly hand over the keys to their mail or other account. With a few commonsense requirements, you can ensure cybercriminals get their hands on as little confidential information as possible.
Enable two-factor authentication
Turn on two-factor authentication for all online corporate services. With 2FA enabled, even if attackers discover the credentials for a corporate account or an e-mail password, they won’t be able to get in.
Require unique passwords
Instruct employees to use unique passwords for each work service or device. Then, even if phishers get one password, no other resources will be at risk.
Adhere to the principle of least privilege
If employees have access rights only to the servers, cloud storage, and other valuable assets that they truly need, cybercriminals will not be able to inflict too much damage, even if they gain control of a corporate account.
Action plan
By following these simple tips, you can protect your employees — and thus your business — from the phishing menace. In brief:
- Protect your mail server;
- Protect your Microsoft Office services;
- Train employees;
- Simulate phishing attacks to reinforce training;
- Give staff a way to contact someone who can help check suspicious e-mails;
- Protect workstations;
- Secure mobile devices;
- Enable two-factor authentication wherever possible;
- Use reliable security solutions.