Why Should Businesses Defend Against Phishing Attacks?
In 2013 there were nearly 450,000 phishing attacks and record estimated losses of over USD $5.9 billion. Phishing remains an ominous threat to consumers and businesses around the world. (1)
What Is Phishing?
Phishing is an attack in which someone impersonates a trusted person or organization (e.g. your bank) in order to trick you into handing over sensitive information about yourself or your employer. The victim receives an e-mail, text message, or similar communication that appears to come from a trustworthy source (a close friend, a financial institution) and that tries to get them to divulge valuable information such as social security numbers, bank account numbers, credit or debit card numbers and PINs, or usernames and passwords.
Phishing can be sent en masse to anyone who will bite, or aimed at specific individuals or companies using details gathered through social engineering and open-source research. Regardless of the approach, a single victim, even one phished through a personal e-mail account, can give an attacker a foothold on the corporate network, resulting in damage to the company's brand reputation, loss of intellectual property and assets, exposure of sensitive customer information, and fines.
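As an added example (not part of the original article), the Python script below takes a constructed phishing e-mail and flags the two deceptions the definition above describes: a display name that borrows a trusted brand while the sending domain does not match, and a link whose visible text names the trusted site while its href actually goes somewhere else (here a bare IP address). The trusted-domain list, both sample messages, and every hostname in them are assumptions made up for illustration; nothing here refers to a real incident.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing e-mail (assumption: not from any real incident).
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examplebank-secure-login.example>
To: victim@example.com
Subject: Urgent: verify your account
Content-Type: text/html

<html><body>
<p>Dear customer, your account has been locked.</p>
<p>Please <a href="http://198.51.100.23/login">log in at https://www.examplebank.example</a> to restore access.</p>
</body></html>
"""

# Constructed legitimate e-mail from the same (fictional) bank, for comparison.
LEGIT_EMAIL = """\
From: "Example Bank" <alerts@examplebank.example>
To: customer@example.com
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body>
<p>Your statement is available. <a href="https://www.examplebank.example/login">Log in</a> to view it.</p>
</body></html>
"""

# Assumption: the organisations this recipient legitimately deals with.
TRUSTED_DOMAINS = {"examplebank.example"}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    # Crude: keep the last two labels. Good enough for the constructed samples;
    # a real tool would use the public suffix list.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message):
    """Return a list of human-readable warnings for the deceptions found in the message."""
    msg = message_from_string(raw_message)
    findings = []

    # 1. Display name claims a trusted brand, but the sending domain is not that brand.
    display, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in display.lower().replace(" ", "") and registrable_domain(sender_domain) != trusted:
            findings.append(f"display name '{display}' suggests {trusted} but sender domain is {sender_domain}")

    # 2. Links whose visible text names one site while the href goes to another.
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", href_host):
            findings.append(f"link points at a bare IP address: {href}")
        shown = re.search(r"https?://([^\s/]+)", text)
        if shown and registrable_domain(shown.group(1)) != registrable_domain(href_host):
            findings.append(f"link text shows {shown.group(1)} but href goes to {href_host}")
    return findings


if __name__ == "__main__":
    for name, mail in (("phish", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, phishing_indicators(mail) or ["no indicators"])
```

Neither check is a substitute for mail filtering or for multi-factor authentication; the point is that the indicators are visible to an attentive reader of the message itself, which is exactly what awareness training asks employees to look for.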
Why Do Businesses Need to Worry About Phishing?
According to the Ponemon Institute, US companies have the second most costly data breaches at $188 per record (Germany comes in first at $199/record), with a total cost per US company at $5.4 million. (3) These costs were calculated using both direct and indirect expenses incurred by the organization. Direct expenses include engaging forensic experts, outsourcing hotline support and providing free credit monitoring subscriptions and discounts for future products and services. Indirect costs include in-house investigations and communication, as well as the extrapolated value of customer loss resulting from turnover or diminished acquisition rates.
The risk of a data breach, and the financial damage that follows one, is significant for companies of all sizes. Smaller organizations may believe they are not a target, but they are at risk precisely because they do not prioritize their defenses. 57% of small businesses suffered staff-related security breaches in the past year (up from 45% a year earlier). (2)
While 57% may seem like a high number, the same study found that 84% of large organizations had staff related breaches. (2)
What Is the Best Way to Protect Against Phishing Attacks?
According to Deloitte, over 70% of companies surveyed in a recent study rated lack of employee security awareness as an average or high vulnerability. (4) There is a good reason for this rating. Security technology, usually the first line of defense for a corporate IT infrastructure, cannot by itself stop social engineering or phishing attacks, because the message that gets through the filters is designed to look legitimate. It takes a human to notice that "something doesn't seem quite right about this," decline to act on it, and report it. Employees can only do that if they have the knowledge to spot an attack in progress and practice safe behaviors that avoid exposing themselves or their employer.
Sadly, even given the striking statistics above on the percentage of companies that have had staff-related breaches, 42% of organizations do not provide any ongoing security awareness training to their staff. (2)
According to a PWC survey, organizations with a security awareness program in place were 50% less likely to have staff-related security breaches. (5)
How Should You Teach Your Employees to Avoid Phishing Attacks?
What steps do you need to take to create an effective security education program?
(1) 2013 A Year in Review – RSA Fraud Report
(2) 2013 Information Security Breaches Survey – PWC
(3) 2013 Cost of Data Breach Study: Global Analysis – Ponemon Institute
(4) Blurring the Lines – Information Security in a World Without Boundaries – Deloitte
(5) 2012 Information Security Breaches Survey – PWC