For a healthcare IT company handling the personal information of over 36 million patients, a data breach would be a worst-case scenario. Beyond clients losing trust in the company, the organization’s reputation would effectively be lost. Investors may lose confidence and end their partnerships, and the organization may face fines or legal action from the data owners. According to the Verizon 2020 Data Breach Investigations Report, 22% of data breaches in 2019 came back to one thing: phishing. In the same report, across the more than 2,900 companies that reported breaches, phishing was the leading cause.
The cybercrime of phishing has only become more prevalent, and incredibly convincing. Emails that land in personal or work inboxes look authentic but come from fraudulent senders who want to collect bank credentials, logins to sensitive platforms, and other private data. These emails prompt a user to click on an embedded link or button that looks legitimate, or lure them with promotions and other opportunities. Some phishing schemes aim to scare the user by posing as an urgent request from a person’s employer, bank, or the like. The phishers may claim a person’s credentials have been hacked and that they must click immediately to secure the account.
So, how bad is it to click on that link?
In the case of a phishing scam targeted at a business, the average breach costs an organization $3.86 million, according to IBM. That number is only an average and can be much higher depending on the type and volume of sensitive data that is lost or stolen. The consequences to a company, its employees, and its customers can be enormous, and can even shutter a business. If the phish is aimed at an individual’s inbox, there can be severe consequences for their banking, credit, or identity information.
How can an organization protect itself?
Anti-virus and anti-malware software programs are a good start. If a company keeps them maintained and updated, they will trap a decent percentage of malware and phishing attempts before they ever reach a person’s inbox. But these programs are not infallible, and there will always be new and devious variations on these attacks. Some will get through, and it will fall to individuals to make the right choices to prevent a large-scale breach.
The best and last line of defense is the individual.
While it may seem like added pressure, the fact that anyone with the right training can prevent phishing scams is good news. With a little focus and review, employees can spot and avoid these kinds of traps. Here is how Lightbeam staff are trained:
- Always review a sender’s address and look out for impersonations of trusted brands or people.
- Always inspect URLs within emails by hovering over them before clicking. When hovering, check whether the address that appears differs from the address the link text claims to lead to. Also hover over the sender’s address. Does it match the name shown?
- Check the domain name in the sender’s address. Does it appear real? Or is it a close misspelling intended to pass for a real domain at a glance (e.g., “microsotf.com”)?
- Always be skeptical and ask practical questions: would a company executive send a random employee an email out of the blue asking them to click a link and review a spreadsheet? Would a bank ask a client to click a URL in an email to change their password after their credentials are supposedly compromised? The answer is no.
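The checks above can also be applied mechanically. The following is an added example, not code from the original post or from Lightbeam, that scans one message for the three mechanical signs on the list: a display name that claims a trusted brand the address does not belong to, a sender domain that is a close misspelling of a trusted one, and a link whose visible text names a different host than its href. The trusted-domain list, the edit-distance threshold of 2, the simplified anchor regex and the sample message are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Assumed list of brand domains the organization trusts (not from the original post).
TRUSTED_DOMAINS = {"microsoft.com", "lightbeamhealth.com"}
# Simplified anchor matcher for the constructed sample; a real mail scanner would use an HTML parser.
ANCHOR_RE = re.compile(r'<a[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_RE = re.compile(r"[\w-]+(?:\.[\w-]+)+")

def edit_distance(a, b):
    """Levenshtein distance; a small non-zero distance to a trusted domain marks a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(host):
    """Last two labels of a hostname (login.microsoft.com -> microsoft.com); ignores public-suffix rules."""
    return ".".join(host.lower().strip().split(".")[-2:])

def phishing_indicators(raw_email):
    """Run the three training-list checks on one RFC 822 message and return warnings."""
    msg = message_from_string(raw_email)
    display, addr = parseaddr(msg.get("From", ""))
    sender = base_domain(addr.partition("@")[2])
    warnings = []
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Check: close misspelling of a trusted domain, e.g. microsotf.com
        if sender != trusted and 0 < edit_distance(sender, trusted) <= 2:
            warnings.append(f"sender domain {sender} is a near-miss of {trusted}")
        # Check: display name claims a brand the address does not belong to
        if brand in display.lower() and sender != trusted:
            warnings.append(f"display name '{display}' claims {brand} but address is {addr}")
    # Check: the 'hover' test, link text shows one host but the href goes elsewhere
    for href, text in ANCHOR_RE.findall(msg.get_payload()):
        target = base_domain(urlparse(href).hostname or "")
        shown = HOST_RE.search(re.sub(r"<[^>]+>", "", text).lower())
        if shown and base_domain(shown.group()) != target:
            warnings.append(f"link text shows {shown.group()} but points to {target}")
    return warnings

# Constructed sample message (not a real phish) that trips all three checks.
SAMPLE_EMAIL = ("From: Microsoft Support <alerts@microsotf.com>\nContent-Type: text/html\n\n"
                '<p>Account at risk. Reset: <a href="https://login.microsotf.com/reset">'
                "https://login.microsoft.com/reset</a></p>\n")
```

Running `phishing_indicators(SAMPLE_EMAIL)` returns three warnings, one per check; a message from a trusted domain whose link text and href agree returns none.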
When in doubt, always ask someone, especially an internal IT team member. They are best placed to determine whether an email is legitimate or an attempt to phish. Or, if the recipient knows the purported sender, check with them and ask whether they genuinely need help with their “task.” Determining whether an email is safe is just another form of fact-checking, and it is crucial for an organization that handles sensitive information.
Take the time to spot the signs.
According to the 2019 HIMSS Cybersecurity Survey, phishing appeared in 59% of significant security incidents across all organizations, and in 69% of incidents that occurred at hospitals. Especially at large organizations, employees are on the receiving end of dozens, if not hundreds, of emails per day from a variety of sources. That alone can be exhausting to keep up with, and that exhaustion, coupled with the desire to get through an inbox as fast as possible, is unfortunately what makes phishing attacks so successful. It only takes a few seconds to look over the body of an email and determine that things do not look right. No significant time is lost, and one person may avoid making a costly mistake that could disrupt or end an entire company. Take a second, stop to read, and hover before clicking.
Russ Smith is Lightbeam’s VP of Infrastructure and Security IT.