Dissection of a Phishing Attack, Part 5

Created 4 years 238 days ago
by RitaP

by Scott M. Lewis

Employee training. It is essential to communicate and train employees on the risks of phishing, how it happens and what they can do to be aware of the dangers. Educate employees about prevention steps, their role in prevention, and how this is protecting the company. Create a culture of security within your business. Share the information. Educate on the risks and empower employees to ask questions. In the Winning Technologies customer base, we have seen cases where we implemented filter and prevention systems and people then complained because they didn’t understand the role and function of the new system. Continuing education on new, increasing, and emerging threats will help reinforce the culture of security within your company. Then it comes down to a security versus convenience discussion. You can’t be secure and convenient, so you have to find that balance for your organization.

Routine testing of employees. Several products allow you to test your employees with fake phishing attempts. These will identify how click-happy your employees are, and specifically identify who within your employee base is more likely to fall victim to a phishing attempt. Armed with that information, these products allow you to have more focused educational programs for these individual employees and to help in the development of routine training for all employees. This type of routine testing can be an eye-opener for owners and managers. It can also show you if you are building a culture of security and awareness, which is key to a long-term security strategy.

Cyber insurance has been an ongoing debate regarding phishing attacks. The long-standing question is, are phishing attacks typically covered under a cyber insurance policy? In 2016, a case was filed by Ameriforge Group Inc. challenging whether a cyber insurance policy taken out through CHUBB should provide protections for a spear phishing attack which resulted in a bank transfer of 480,000 dollars by Ameriforge. The insurer denied the claim because they said it did not cover CEO fraud or business email compromise as a result of spear phishing. According to the policy, it would only cover the cyber event if it involved a forgery of a financial instrument. According to CHUBB’s legal team, the financial device involves a written promise, order, or direction to pay that is similar to a check or draft. The bottom line here is that since a phishing attack does take human interaction, any phishing financial losses are typically tied back to a human mistake. Coverage is going to depend on the language, the specifics of each policy, and how the coverage is defined within that policy. Phishing is such a high risk these days that it is, by most standards, left out of cyber insurance policies. So don’t assume that all cyber insurance policies are going to cover phishing attacks that result in financial losses.

Successful phishing attacks don’t happen merely due to the human condition. Companies still do not put enough energy and money into training and technology countermeasures, or into simply understanding the risks that are present in our connected world and communicating them to employees. Phishing will continue to grow. You can’t create a multi-billion or trillion dollar industry and expect that it is going to slow down or disappear.

Unfortunately, it just isn’t going to work that way. There are many things you can do to help reduce the risk, limit the damage, and not make yourself the easiest target on the block. However, these come with a budget impact that is going to be ongoing, must be managed, and proactively monitored.

Scott Lewis is the President and CEO of Winning Technologies Group of Companies, which includes Liberty One Software. Scott has more than 35 years of experience in the technology industry and is a nationally recognized speaker and author on technology subjects. Scott has worked with hundreds of large and small businesses to empower them to use technology to improve work processes, increase productivity, and reduce costs. Scott has designed thousands of systems for large, medium and small companies. Winning Technologies’ goal is to work with companies on the selection, implementation, management, and support of technology resources. Learn more about Winning Technologies at www.winningtech.com or call 877-379-8279.